When mobile devices are used, data of all kinds is accessed, and data protection conformity must be guaranteed. A distinction is made between company-owned devices, so-called "corporate owned devices" (COD), and user-owned devices, so-called "bring your own devices" (BYOD). For both types of use, the manufacturers of the mobile operating systems iOS and Android now offer their own technologies for data separation. In the following, these "on-board means" and their implementation in Relution are described in detail.
Differentiation managed / unmanaged
Since iOS 12, Apple distinguishes between "managed" and "unmanaged" for the following objects:
| | Managed Devices | Unmanaged Devices |
|---|---|---|
| Apps | pushed by Relution or installed via the Relution Enterprise Appstore; server-configurable | installed by the user from the Apple App Store; not server-configurable |
| Mail Accounts | configured by Relution via a policy | configured on the device by the user |
| Contacts | loaded from a managed mail account to the device (synchronized) | created by the user |
| Documents | loaded from a managed mail account to the device (synchronized) | generated by the user in unmanaged apps or received in unmanaged mail accounts |
An unmanaged app can be converted into a managed app by pushing it again via Relution; the pushed app replaces the unmanaged app of the same name on the device. Unmanaged mail accounts, contacts and documents, however, cannot be converted to managed.
In iOS, the data is separated on the system side by means of a policy that specifies whether unmanaged apps may access managed data or not. For this purpose, the "Restrictions" configuration of a Relution policy offers the following restriction options:
For example, the following can be prevented:
In order to prevent the uncontrolled outflow of data, Relution offers the possibility to prohibit cloud accounts completely or at least to restrict them. The following functions can be switched off:
Finally, there are some iOS system functions that are relevant from a data security perspective and can likewise be switched off by restriction:
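As an added illustration of the managed/unmanaged separation described above (this is a constructed example, not a Relution policy export): an Apple Restrictions payload that blocks document and contact flow between managed and unmanaged apps and disables cloud sync for managed data. The identifiers and UUIDs are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Constructed example of a com.apple.applicationaccess (Restrictions) payload.
     Not generated by Relution; identifiers and UUIDs are placeholders. -->
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.placeholder.restrictions</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Managed data separation (example)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.placeholder.restrictions.apps</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <!-- Documents from managed apps/accounts may not be opened in unmanaged apps -->
      <key>allowOpenFromManagedToUnmanaged</key><false/>
      <!-- Unmanaged documents may not be opened in managed apps -->
      <key>allowOpenFromUnmanagedToManaged</key><false/>
      <!-- Contacts: keep managed and unmanaged address books separate (iOS 12+) -->
      <key>allowManagedToWriteUnmanagedContacts</key><false/>
      <key>allowUnmanagedToReadManagedContacts</key><false/>
      <!-- Managed apps may not sync their data to iCloud -->
      <key>allowManagedAppsCloudSync</key><false/>
      <!-- No iCloud document sync for any app -->
      <key>allowCloudDocumentSync</key><false/>
      <!-- Treat AirDrop as an unmanaged destination so managed documents cannot leave via AirDrop -->
      <key>forceAirDropUnmanaged</key><true/>
    </dict>
  </array>
</dict>
</plist>
```

Before rolling such a profile out, verify on a test device that the expected share targets disappear for a managed document and that an unmanaged mail client no longer sees managed contacts.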
As an important data protection measure, iOS offers the option of permanently coupling the data connection of apps to a VPN connection, which in turn can be configured by the Relution server. This ensures that certain apps only communicate over the company's own network and that external access is prevented (intranet-only).
Until now, it was common to use a container app on iOS BYOD devices, which could be configured on the server side and thus ensured a separation of business and private data.
Since iOS 13, however, iOS has provided a built-in container for business applications and data, which is brought to the device via user enrollment using Relution. This turns the iOS device into a "dual persona" device, i.e. the container area and the rest of the device are completely separated. Technically, this separation is even enforced at the file system level: the container resides on a separate APFS volume with its own encryption.
This volume can contain various components, which are managed via Relution independently of the rest of iOS:
If the container is removed (this can be done by Relution or on the device itself), the entire volume is deleted.
Until Android 10: System Administrator Enrollment
Up to now, the classic enrollment as "System Administrator" has mainly been used for the administration of Android devices in Relution. This means that the Relution Client App is granted special rights on the device to execute the MDM functions. With this type of enrollment, the scope of MDM intervention depends strongly on the Android device used. Samsung offers the most functions here with its KNOX interface; the devices of all other Android manufacturers can only be configured very rudimentarily via MDM. For example, only Samsung offers the following options:
With Android Enterprise, Google has published its own MDM stack which, in contrast to the enrollment as a system administrator, no longer leaves the implementation of the MDM functions to the client app but provides them in the operating system. For the first time, this enables a largely manufacturer-independent, uniform MDM functionality on the Android platform. The Full Device Mode will replace the System Administrator Enrollment in the medium term. Android 10 is the first Android version in which the Full Device Mode is Google's preferred method of enrollment.
Android Enterprise offers the so-called "Work Profile Enrollment", which is intended for employee devices and sets up a container ("Work") on the device that can be managed by Relution. This container contains a "Managed Play Store", i.e. a company-owned app store that allows apps from the Google Play Store to be installed into the container without a local Google account and to be configured via Relution (e.g. a mail client with a given server address and user identification). The container can also contain its own address book to separate business and private contacts.
Everything outside the container ("Personal") cannot be influenced by Relution; for example, the device cannot be reset or locked. However, the container can be removed via Relution, which deletes all data in it.
Relution supports Work Profile Enrollment in parallel to System Administrator Enrollment, so you can combine the two.
Furthermore, the following functions in the container "Work" can also be switched off by restriction:
In their current versions, Android and iOS offer comprehensive possibilities for secure use, including the separation of business and private data, and these possibilities are further expanded with each new operating system version. The classic, app-based container has thus become obsolete: it does not allow such a strict separation at the system level (e.g. no own file system) and has clear disadvantages compared to operating-system-side data separation, both in terms of cost and from a usability point of view.