Data separation on company-owned devices (Corporate Owned Devices) and user-owned devices (Bring Your Own Device)
Motivation for data protection and separation
Mobile devices access data of every kind, and that access must remain compliant with data protection requirements. A distinction is made between company-owned devices, so-called "corporate owned devices" (COD), and user-owned devices, so-called "bring your own devices" (BYOD). For both deployment types, the manufacturers of the mobile operating systems iOS and Android now offer their own technologies for data separation. The following sections describe these built-in means and how Relution implements them.
iOS – Corporate Owned Devices
Distinction between managed and unmanaged
Since iOS 12, Apple distinguishes between "managed" and "unmanaged" for the following objects:
Managed
- Apps - pushed by Relution or installed via the Relution Enterprise App Store, configurable from the server
- Mail Accounts - configured by Relution via a policy
- Contacts - loaded from managed mail account to the device (synchronized)
- Documents - loaded from managed mail account to the device (synchronized)
Unmanaged
- Apps - installed by the user from the Apple App Store, not configurable from the server
- Mail Accounts - configured on the device by user
- Contacts - created by user
- Documents - generated by user in unmanaged apps or received in unmanaged mail accounts
An unmanaged app can be converted into a managed app by pushing it from Relution again; the managed copy replaces the unmanaged app of the same name on the device. Unmanaged mail accounts, contacts and documents, however, cannot be converted to managed.
Access restrictions
In iOS, the data is separated by the system itself: a policy determines whether unmanaged apps may access managed data and vice versa. For this purpose, the "Restrictions" configuration within a Relution policy offers the following options:
- Prohibit opening managed documents in unmanaged apps
- Allow opening unmanaged documents in managed apps
- Deny unmanaged apps read access to managed contacts
- Allow managed apps to write to unmanaged contacts
- Treat all AirDrop targets as unmanaged
- Prohibit moving mails to unmanaged mail accounts
With these restrictions, the following can be prevented, for example:
- A private app (e.g. WhatsApp) reading business (Exchange) contacts
- A business mail being forwarded from a private account
- An attachment of a business mail being opened in an arbitrary app (e.g. Dropbox)
iCloud restrictions
To prevent the uncontrolled outflow of data, Relution makes it possible to prohibit cloud accounts completely or at least to restrict them. The following functions can be switched off:
- iCloud backups
- iCloud keychain synchronization
- Allow managed apps to store data in the iCloud
- Saving photos in the iCloud
- Synchronization of iCloud documents
Functional restrictions
Finally, there are several iOS system functions that are relevant from a data security perspective and can likewise be switched off by restriction:
- App Block-/Allowlisting
- Web-URL Block-/Allowlisting
- AirDrop (can be switched off completely)
- Password sharing
- Access to Apple AppStore
- Screenshots and recordings
- Camera (can be switched off completely, also for in-app functions)
- Creating and modifying accounts (mail accounts, Apple IDs)
- Bluetooth
- Installation of VPN profiles
- USB connections
Per-app VPN
As a further data protection measure, iOS can permanently bind the network traffic of selected apps to a VPN connection that is configured by the Relution server. This ensures that these apps communicate only over the company's own network and that access from outside it is prevented (intranet-only).
iOS – Bring Your Own Devices
Until iOS 12, it was common to use a container app on iOS BYOD devices that could be configured from the server and thereby separated business data from private data.
Since then, iOS has offered a built-in "container solution" that separates business applications and data from private ones. For this purpose, an iOS device is added to the Relution inventory via a (BYOD) enrollment. This installs an MDM profile on the device, allowing it to be managed by Relution. Technically, a distinction is then made between "managed" and "unmanaged" apps and content, which turns the iOS device into a "dual persona" device and keeps the two data sets apart. Restrictions additionally control whether data may be shared between "managed" and "unmanaged" apps.
Different configurations can be loaded on the devices and managed via Relution:
- Apps
- VPN configuration
- Notes (more system apps will follow in future iOS versions)
- iCloud account
- Keychain
- Mail accounts / attachments
- Calendar accounts / attachments
If the MDM profile is removed, all managed apps and content are deleted. This action can be triggered from Relution or on the device itself.
Android – Corporate Owned Devices
From Android 9: Android Enterprise Enrollment (Fully Managed Device)
Since Relution 5, Android Enterprise enrollment as a fully managed device (device owner) has become the common way of managing Android devices in Relution. The MDM functions are integrated into and standardized by the operating system, which enables largely vendor-independent, uniform MDM functionality on the Android platform. The Android Enterprise functions are only available on certified devices. Samsung devices can be administered and secured even more extensively using the KNOX functions. The Relution Client App is no longer mandatory for Android Enterprise enrollment.
In addition, the classic enrollment as "Device Administrator" is still available. In this case, the Relution Client App is granted special rights on the device so that it can execute the MDM functions. With this type of enrollment, however, the scope of MDM control depends heavily on the Android device in use.
A wide range of configurations and functions is available when managing Android devices:
- Installation and configuration of apps (e.g. Exchange client)
- Managed Google Play Store
- WiFi and VPN configuration
- Fully automatic enrollment of devices (KNOX Mobile Enrollment)
Android – Bring Your Own Devices
Work Profile Enrollment
Android Enterprise additionally offers the so-called "work profile", which is intended for private devices and sets up a container ("Work") on the device that can be managed by Relution. This container contains a "Managed Google Play Store" that only offers approved apps for installation. Installing apps from the Managed Google Play Store is possible without a local Google account. In addition, the apps can be configured via Relution if the respective app supports "Managed App Configuration" (e.g. an email app with a predefined server address and user ID). The container can also hold its own address book to separate business and private contacts.
Relution has no influence on anything outside the container ("Personal"); for example, the device cannot be reset or locked. The container itself, however, can be removed via Relution, which deletes all data in it.
Relution supports the work profile in an organization in parallel with the full device management of Android Enterprise and the classic enrollment as device administrator. Mixed operation with different device types is thus possible in Relution.
Functional restrictions
Furthermore, the following functions in the container "Work" can also be switched off by restriction:
- App Block-/Allowlisting
- Create new users and profiles
- Adding and removing accounts
- Install apps
- Uninstall apps
- Use camera
- Take screenshots
- Configuring and using Bluetooth
- Share contacts via Bluetooth
- Configure mobile network
- Configure VPN
- Configure default Wi-Fi networks
- Use Android Beam (NFC) to share app data
- Mount external physical media
- Transfer files via USB
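The restriction lists above (iOS managed/unmanaged access, iCloud and functional restrictions; Android work-profile restrictions) are only as good as the payload that actually reaches the device. The following audit script is an added example and not part of Relution or of the original text: it reads an iOS restrictions payload (PayloadType com.apple.applicationaccess, the keys are Apple's documented restriction keys) and an Android Enterprise policy (Android Management API field names) and reports every setting that is missing or deviates from the separation baseline. Mapping the Relution UI labels to these keys, the baseline values themselves and the sample payloads are assumptions constructed for the example; the iOS mail-move restriction lives in the Mail payload and is therefore not covered here.

```python
"""Audit MDM restriction payloads against a data-separation baseline (added example)."""
import json
import plistlib

# Baseline for the iOS "Restrictions" payload (PayloadType com.apple.applicationaccess).
# Key names are Apple's restriction keys; the values and the mapping to the Relution
# UI labels are this example's assumption. Several keys (e.g. allowAirDrop,
# allowAccountModification, allowVPNCreation) are honoured only on supervised devices.
IOS_BASELINE = {
    "allowOpenFromManagedToUnmanaged": False,  # managed documents stay in managed apps
    "allowOpenFromUnmanagedToManaged": True,   # private documents may enter managed apps
    "allowUnmanagedToReadManagedContacts": False,
    "allowManagedToWriteUnmanagedContacts": False,
    "forceAirDropUnmanaged": True,             # AirDrop targets count as unmanaged
    "allowCloudBackup": False,
    "allowCloudKeychainSync": False,
    "allowManagedAppsCloudSync": False,
    "allowCloudPhotoLibrary": False,
    "allowCloudDocumentSync": False,
    "allowAirDrop": False,
    "allowPasswordSharing": False,
    "allowScreenShot": False,
    "allowAccountModification": False,
    "allowVPNCreation": False,
}

# Baseline for an Android Enterprise work-profile policy (Android Management API
# Policy fields); the set mirrors the "Work" restriction list above.
ANDROID_BASELINE = {
    "addUserDisabled": True,
    "modifyAccountsDisabled": True,
    "installAppsDisabled": True,
    "uninstallAppsDisabled": True,
    "cameraDisabled": True,
    "screenCaptureDisabled": True,
    "bluetoothConfigDisabled": True,
    "bluetoothContactSharingDisabled": True,
    "mobileNetworksConfigDisabled": True,
    "vpnConfigDisabled": True,
    "outgoingBeamDisabled": True,
    "mountPhysicalMediaDisabled": True,
    "usbFileTransferDisabled": True,
    "playStoreMode": "WHITELIST",  # only approved apps are offered in Managed Play
}


def audit(settings, baseline):
    """Return one finding per baseline key that is missing or deviates.
    A missing key is a finding too: the platform default for these keys is "allowed"."""
    return [
        f"{key}: expected {expected!r}, found {settings.get(key)!r}"
        for key, expected in baseline.items()
        if settings.get(key) != expected
    ]


def ios_restriction_payloads(mobileconfig_bytes):
    """Extract every com.apple.applicationaccess payload from a .mobileconfig plist."""
    profile = plistlib.loads(mobileconfig_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.applicationaccess"]


def audit_ios_profile(mobileconfig_bytes):
    payloads = ios_restriction_payloads(mobileconfig_bytes)
    if not payloads:
        return ["no com.apple.applicationaccess payload present"]
    merged = {}
    for payload in payloads:  # later payloads win, as a merge of several profiles would
        merged.update(payload)
    return audit(merged, IOS_BASELINE)


def audit_android_policy(policy_json):
    return audit(json.loads(policy_json), ANDROID_BASELINE)


# Constructed sample: a weak iOS profile that blocks managed->unmanaged open-in but
# leaves iCloud backup on and everything else at the platform default.
WEAK_IOS_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.restrictions",            # hypothetical identifier
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder UUID
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.restrictions.access",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowOpenFromManagedToUnmanaged": False,
        "allowOpenFromUnmanagedToManaged": True,
        "allowCloudBackup": True,
    }],
})

# Constructed sample: a weak work-profile policy with an open Play Store and screenshots.
WEAK_ANDROID_POLICY = json.dumps({
    "playStoreMode": "BLACKLIST",
    "cameraDisabled": True,
    "screenCaptureDisabled": False,
    "usbFileTransferDisabled": True,
})

if __name__ == "__main__":
    for name, findings in (("iOS", audit_ios_profile(WEAK_IOS_PROFILE)),
                           ("Android", audit_android_policy(WEAK_ANDROID_POLICY))):
        print(f"{name}: {len(findings)} deviation(s) from baseline")
        for finding in findings:
            print("  -", finding)
```

Run against an exported profile or policy, the script lists every key an administrator assumed was set but which the device never received; a profile that sets none of the keys is reported as a full list of deviations rather than as "clean", because the OS default for each of them is the permissive value.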
Summary
In their current versions, Android and iOS offer comprehensive means for secure use, including the separation of business and private data, and these capabilities are extended with each new operating system version.
The classic app-based container has therefore become obsolete: it cannot provide an equally strict separation at the system level (it has no file system of its own, for example) and has clear disadvantages compared with operating-system-level data separation, both in cost and in usability.