When mobile devices are used, data of all kinds is accessed, and compliance with data protection requirements must be guaranteed. A distinction is made between company-owned devices, so-called "corporate owned devices" (COD), and user-owned devices, so-called "bring your own devices" (BYOD). For both types of use, the manufacturers of the mobile operating systems iOS and Android now offer their own technologies for data separation. In the following, these "on-board means" and their implementation in Relution are described in detail.
Differentiation: managed / unmanaged
Since iOS 12, Apple distinguishes between "managed" and "unmanaged" for the following objects:
| Object | Managed Devices | Unmanaged Devices |
|---|---|---|
| Apps | pushed by Relution or installed via the Relution Enterprise Appstore; server configurable | installed by the user from the Apple AppStore; not server configurable |
| Mail Accounts | configured by Relution via a policy | configured on the device by the user |
| Contacts | loaded from a managed mail account to the device (synchronized) | created by the user |
| Documents | loaded from a managed mail account to the device (synchronized) | generated by the user in unmanaged apps or received in unmanaged mail accounts |
An unmanaged app can be converted into a managed app by pushing it from Relution again; it then replaces the unmanaged app of the same name on the device. Unmanaged mail accounts, contacts and documents, however, cannot be converted to managed.
In iOS, data is separated on the system side by means of a policy that sets whether unmanaged apps may access managed data. For this purpose, the "Restrictions" configuration, as part of a policy in Relution, offers the following restriction options:
For example, the following can be prevented:
To prevent the uncontrolled outflow of data, Relution makes it possible to prohibit cloud accounts completely or at least to restrict them. The following functions can be switched off:
Finally, there are some iOS system functions that are relevant under data security criteria and can also be switched off by restriction:
As an important data protection measure, iOS offers the option of permanently binding the data connection of apps to a VPN connection, which in turn can be configured by the Relution server. This ensures that certain apps only communicate over the company's own network and that external access is prevented (intranet-only).
Until iOS 12, it was common to use a container app on iOS BYOD devices that could be configured on the server side and thus ensured separation of business and private data.
In the meantime, however, iOS offers a built-in "container solution" to separate business from private applications and data. For this purpose, an iOS device is added to Relution via a (BYOD) enrollment in the inventory. This installs an MDM profile on the device, allowing it to be managed via Relution. Technically, a distinction is then made between "managed" and "unmanaged" apps and content. This turns the iOS device into a "dual persona" device and completely separates the data. Restrictions can also be used to control whether data can be shared between "managed" and "unmanaged" apps.
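As an added example (not Relution's or Apple's own code), the following Python builds a minimal Apple "Restrictions" payload with the managed/unmanaged and iCloud keys discussed above and audits any profile for missing or permissive settings; the key names are Apple's, while the profile identifiers and the two sample policies are constructed values.

```python
import plistlib
import uuid
# Keys of Apple's "Restrictions" payload (PayloadType com.apple.applicationaccess). Key
# names are Apple's; iOS treats an absent key as allowed, so missing keys are flagged too.
DATA_SEPARATION_KEYS = (
    "allowOpenFromManagedToUnmanaged",       # managed documents opening in unmanaged apps
    "allowOpenFromUnmanagedToManaged",       # unmanaged documents entering managed apps
    "allowManagedToWriteUnmanagedContacts",  # managed accounts writing unmanaged contacts
    "allowUnmanagedToReadManagedContacts",   # unmanaged apps reading managed contacts
)
CLOUD_KEYS = ("allowCloudDocumentSync", "allowCloudBackup",
              "allowCloudPhotoLibrary", "allowCloudKeychainSync")

def build_restrictions_profile(restrictions, name="Data separation (example)"):
    """Wrap restriction keys in a minimal profile; return plist XML bytes."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.restrictions.dataseparation",  # example id
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        **restrictions,
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile.dataseparation",  # example id
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadContent": [payload],
    })

def audit_profile(profile_bytes, required=DATA_SEPARATION_KEYS + CLOUD_KEYS):
    """Sorted findings: required keys missing (default allowed) or not set to False."""
    profile = plistlib.loads(profile_bytes)
    # A profile with no Restrictions payload is audited as one empty payload.
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"] or [{}]
    findings = []
    for p in payloads:
        for key in required:
            if key not in p:
                findings.append(f"{key}: missing (defaults to allowed)")
            elif p[key] is not False:
                findings.append(f"{key}: permissive ({p[key]!r})")
    return sorted(findings)

# Constructed policies: a hardened one, and a weak one letting managed data reach unmanaged apps.
HARDENED = {k: False for k in DATA_SEPARATION_KEYS + CLOUD_KEYS}
WEAK = dict(HARDENED, allowOpenFromManagedToUnmanaged=True, allowCloudBackup=True)
```

Running `audit_profile(build_restrictions_profile(WEAK))` reports the two permissive keys, while a profile that omits keys is reported as open because iOS applies the permissive default.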
Different configurations can be loaded on the devices and managed via Relution:
If the MDM profile is removed, all managed apps and content are deleted. This action can be performed via Relution or on the device itself.
From Android 9: Android Enterprise Enrollment (Fully Managed Device)
Since Relution 5 at the latest, Android Enterprise enrollment as a fully managed device (device owner) has become increasingly common for managing Android devices in Relution. The MDM functions are integrated and standardized in the operating system. This enables a largely vendor-independent, uniform MDM functionality on the Android platform. The Android Enterprise functions are only available for certified devices. Samsung devices can be administered and secured even more extensively using the KNOX functions. The Relution Client App is no longer mandatory for Android Enterprise enrollment. In addition, the classic enrollment as "Device Administrator" is still available. In this case, the Relution Client App is given special rights on the device so that it can execute the MDM functions. However, with this type of enrollment, the possibilities of MDM intervention are highly dependent on the Android device used. A wide range of configurations and functions are available when managing Android devices:
Android Enterprise additionally offers the so-called "work profile", which is intended for private devices and sets up a container ("Work") on the device that can be managed by Relution. This container contains a "Managed Play Store", which only offers approved apps for installation. Installing apps from the "Managed Google Play Store" is possible without a local Google account. In addition, the apps can be configured via Relution if a "Managed App Configuration" is supported by the respective app (e.g. an email app with a predefined server address and user ID). The container can also contain its own address book to separate business and private contacts.
Relution cannot influence anything outside the container ("Personal"); for example, the device cannot be reset or locked. The container itself, however, can be removed via Relution, which deletes all data in it.
Relution supports the work profile in an organization in parallel with full device management under Android Enterprise and the classic enrollment as "Device Administrator". Mixed operation with different devices is thus possible in Relution.
Furthermore, the following functions in the container "Work" can also be switched off by restriction:
In their current versions, Android and iOS offer comprehensive options for secure use, including the separation of business and private data, and these options are extended with each new operating system version. The classic, app-based container has therefore become obsolete: it does not allow such a strict separation at system level (e.g. no file system of its own) and has clear disadvantages compared to data separation by the operating system, both in terms of cost and usability.