Motivation

Mobile devices are used to access data of every kind, and that use must remain compliant with data protection requirements. A distinction is made between company-owned devices, so-called "corporate owned devices" (COD), and user-owned devices, so-called "bring your own devices" (BYOD). For both usage types, the manufacturers of the mobile operating systems iOS and Android now offer their own technologies for separating business from private data. The following describes these "on-board means" and how Relution makes use of them.


iOS – Corporate Owned Devices

Differentiation managed / unmanaged

Since iOS 12, Apple distinguishes between "managed" and "unmanaged" for the following objects (managed apps and managed documents already existed since iOS 7; managed contacts were added in iOS 12):

» Apps: managed = pushed by Relution or installed via the Relution Enterprise App Store, configurable from the server; unmanaged = installed by the user from the Apple App Store, not configurable from the server
» Mail accounts: managed = configured by Relution via a policy; unmanaged = configured on the device by the user
» Contacts: managed = synchronized to the device from a managed mail account; unmanaged = created by the user
» Documents: managed = synchronized to the device from a managed mail account; unmanaged = generated by the user in unmanaged apps or received in unmanaged mail accounts


An unmanaged app is converted into a managed app by pushing the same app from Relution: the managed copy replaces the unmanaged app with the same bundle identifier and keeps its data (silently on supervised devices; on unsupervised devices the user must first allow management of the app). Unmanaged mail accounts, contacts and documents, on the other hand, cannot be converted to managed afterwards.


Access restrictions

In iOS, the operating system itself separates the data according to a policy that defines whether unmanaged apps may access managed data. For this purpose, the "Restrictions" configuration of a Relution policy offers the following options:

» Prohibit opening managed documents in unmanaged apps
» Allow opening unmanaged documents in managed apps
» Deny unmanaged apps access to managed contacts
» Allow managed apps to write unmanaged contacts
» Generally treat AirDrop targets as unmanaged
» Prohibit moving mails to unmanaged mail accounts

This prevents, for example:

» A private app (e.g. WhatsApp) from reading business (Exchange) contacts
» A business mail from being moved to, or forwarded from, a private mail account
» An attachment of a business mail from being opened in an arbitrary app (e.g. Dropbox)


iCloud restrictions

To prevent the uncontrolled outflow of data, Relution can block cloud accounts completely or at least restrict them. The following functions can be switched off:

» iCloud backups
» iCloud Keychain synchronization
» Storage of managed app data in iCloud
» Saving photos in iCloud
» Synchronization of iCloud documents
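The following is an added example, not Relution's own code or configuration, that shows which keys of Apple's restrictions payload (PayloadType "com.apple.applicationaccess", as documented in Apple's Configuration Profile Reference) sit behind the access restrictions and the iCloud restrictions listed in the two sections above, and a small audit that reports which channels a given profile still leaves open. The payload identifiers and display names are assumptions, and the two sample profiles are constructed for the example.

```python
import plistlib
import uuid

# Keys of Apple's restrictions payload (PayloadType "com.apple.applicationaccess")
# behind the options listed above. For each key: the value that closes the
# channel, and what business data can do while the channel is open. A key that
# is absent from a profile falls back to iOS' permissive default, so the audit
# treats "missing" the same as "open".
LEAK_CHANNELS = {
    "allowOpenFromManagedToUnmanaged": (False, "managed documents and attachments open in unmanaged apps"),
    "allowUnmanagedToReadManagedContacts": (False, "unmanaged apps (a private messenger, say) read managed contacts"),
    "allowManagedToWriteUnmanagedContacts": (False, "managed apps write into unmanaged (private) contacts"),
    "forceAirDropUnmanaged": (True, "AirDrop counts as a managed target, so managed documents can be AirDropped"),
    "allowManagedAppsCloudSync": (False, "managed apps sync their data to iCloud"),
    "allowCloudBackup": (False, "device data, managed app data included, lands in iCloud backups"),
    "allowCloudKeychainSync": (False, "saved credentials sync via iCloud Keychain"),
    "allowCloudPhotoLibrary": (False, "photos (of a whiteboard, say) upload to iCloud"),
    "allowCloudDocumentSync": (False, "iCloud Drive document sync is on"),
}


def restrictions_payload(settings):
    """Wrap restriction keys in one applicationaccess payload dictionary."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Data separation restrictions",
    }
    payload.update(settings)
    return payload


def build_profile(payloads):
    """Serialise payloads as a configuration profile (.mobileconfig) in plist XML."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.separation",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Data separation",
        "PayloadContent": list(payloads),
    })


def audit_profile(profile_bytes):
    """Return the channels a profile leaves open, one human-readable finding each."""
    profile = plistlib.loads(profile_bytes)
    effective = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, (closed, _) in LEAK_CHANNELS.items():
            if key in payload:
                # Several restriction payloads combine to the most restrictive value.
                effective[key] = closed if payload[key] == closed else effective.get(key, payload[key])
    findings = []
    for key, (closed, consequence) in LEAK_CHANNELS.items():
        value = effective.get(key, not closed)  # absent key -> permissive default
        if value != closed:
            findings.append(f"{key}={value}: {consequence}")
    return findings


# Constructed sample 1: a profile that only blocks managed -> unmanaged open-in.
WEAK_PROFILE = build_profile([restrictions_payload({"allowOpenFromManagedToUnmanaged": False})])

# Constructed sample 2: every channel closed. The reverse direction (private
# documents into managed apps) is left open on purpose: it moves no business
# data out of the managed area, and closing it mostly costs usability.
HARDENED_SETTINGS = {key: closed for key, (closed, _) in LEAK_CHANNELS.items()}
HARDENED_SETTINGS["allowOpenFromUnmanagedToManaged"] = True
HARDENED_PROFILE = build_profile([restrictions_payload(HARDENED_SETTINGS)])

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_profile(profile)
        print(f"{name}: {len(findings)} open channel(s)")
        for finding in findings:
            print("  -", finding)
```

Running the script prints eight open channels for the weak profile and none for the hardened one. The audit deliberately treats a missing key as open, because iOS applies its permissive default in that case; a profile that only sets the keys an administrator happened to click in the UI is the usual way a channel stays open unnoticed.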


Functional restrictions

Finally, some iOS system functions are relevant from a data security perspective and can likewise be restricted or switched off:

» App black-/whitelisting
» Web URL black-/whitelisting
» AirDrop (can be switched off completely)
» Password sharing
» Access to the Apple App Store
» Screenshots and screen recordings
» Camera (can be switched off completely, also for in-app use)
» Creating and modifying accounts (mail, Apple IDs)
» Bluetooth
» Installation of VPN profiles
» USB connections

Note that several of these restrictions (among them AirDrop, password sharing, App Store access, account modification, Bluetooth, VPN profiles, USB and app whitelisting) are only available on supervised devices.

Per-app VPN

As an important data protection measure, iOS can permanently tie the network traffic of individual apps to a VPN connection that is configured and pushed by the Relution server. The selected apps then communicate only via the company's own network (intranet-only). Since the binding is an attribute of the managed app, unmanaged apps cannot be routed through it.
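The following is an added example, not Relution's own code, of how the binding described above is expressed in MDM terms: a VPN payload (PayloadType "com.apple.vpn.managed") marked as per-app via OnDemandMatchAppEnabled and carrying a VPNUUID, and a ManagedApplicationAttributes command that attaches that VPNUUID to each managed app (the same attribute can also be passed with InstallApplication). The key names follow Apple's Configuration Profile Reference and MDM protocol; the payload identifiers, bundle IDs, server name, certificate reference and UUIDs are constructed for the example. The small coverage check at the end shows the two ways an app silently ends up outside the tunnel: it is not bound at all, or it is bound to a VPNUUID that no current payload provides.

```python
import plistlib
import uuid

VPN_UUID = "A1B2C3D4-0000-4000-8000-000000000001"  # constructed UUID of the VPN payload


def per_app_vpn_payload(provider_bundle_id, server, vpn_uuid, cert_payload_uuid):
    """VPN payload (PayloadType com.apple.vpn.managed) for a NetworkExtension
    packet-tunnel provider. OnDemandMatchAppEnabled marks it as a per-app VPN;
    VPNUUID is the handle that app attributes refer to."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.perappvpn",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate per-app VPN",
        "UserDefinedName": "Corporate per-app VPN",
        "VPNType": "VPN",
        "VPNSubType": provider_bundle_id,
        "ProviderBundleIdentifier": provider_bundle_id,
        "ProviderType": "packet-tunnel",
        "VPNUUID": vpn_uuid,
        "OnDemandMatchAppEnabled": True,
        "VPN": {
            "RemoteAddress": server,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_payload_uuid,  # client cert delivered in a separate payload (assumed)
        },
    }


def managed_application_attributes(bindings):
    """MDM command that pins managed apps to a VPN payload via their VPNUUID attribute."""
    return {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {
            "RequestType": "ManagedApplicationAttributes",
            "Attributes": [
                {"Identifier": bundle_id, "Attributes": {"VPNUUID": vpn_uuid}}
                for bundle_id, vpn_uuid in bindings.items()
            ],
        },
    }


def vpn_coverage(profile_bytes, command, managed_apps):
    """Split managed apps into those routed through a per-app VPN that exists in
    the profile and those that still reach the network directly."""
    profile = plistlib.loads(profile_bytes)
    live_vpns = {
        p["VPNUUID"]
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.vpn.managed"
        and p.get("OnDemandMatchAppEnabled") and "VPNUUID" in p
    }
    bound = {
        entry["Identifier"]: entry["Attributes"].get("VPNUUID")
        for entry in command["Command"]["Attributes"]
    }
    routed = sorted(app for app in managed_apps if bound.get(app) in live_vpns)
    unrouted = sorted(set(managed_apps) - set(routed))
    return routed, unrouted


# Constructed sample: one per-app VPN payload and three managed apps, one bound
# correctly, one bound to a VPNUUID no payload provides, one not bound at all.
PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.vpnprofile",  # assumed identifier
    "PayloadUUID": str(uuid.uuid4()).upper(),
    "PayloadDisplayName": "Per-app VPN",
    "PayloadContent": [
        per_app_vpn_payload("com.example.tunnel", "vpn.example.com", VPN_UUID, "CERT-PAYLOAD-UUID-ASSUMED"),
    ],
})
MANAGED_APPS = ["com.example.crm", "com.example.wiki", "com.example.mail"]
COMMAND = managed_application_attributes({
    "com.example.crm": VPN_UUID,
    "com.example.wiki": "DEADBEEF-0000-4000-8000-000000000002",  # stale UUID of a removed payload
})

if __name__ == "__main__":
    routed, unrouted = vpn_coverage(PROFILE, COMMAND, MANAGED_APPS)
    print("routed through VPN:", routed)
    print("reaching the network directly:", unrouted)
```

The check is worth running whenever a VPN payload is replaced: the new payload gets a new VPNUUID unless the same value is set explicitly, and every app binding that still carries the old UUID silently falls back to direct network access.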


iOS – Bring Your Own Devices

Until now, it was common to use a container app on iOS BYOD devices, configured from the server side, to keep business and private data apart.

Since iOS 13, however, iOS provides a built-in container for business apps and data that is set up on the device through user enrollment with Relution (this requires a Managed Apple ID for the user). The iOS device thereby becomes a "dual persona" device: the container and the rest of the device are fully separated. Technically, the separation goes down to the file system: the container lives on a separate APFS volume encrypted with its own key.

This volume can contain various components, which Relution manages independently of the rest of iOS:

» Apps
» VPN configuration
» Notes (more system apps will follow in future iOS versions)
» iCloud account
» Keychain
» Mail accounts / attachments
» Calendar accounts / attachments

If the container is removed (by Relution or by the user on the device), the entire volume and all data on it are deleted. Under user enrollment Relution cannot wipe the device as a whole; only the managed data is affected.

Android – Corporate Owned Devices

Until Android 10: System Administrator Enrollment

Up to now, the classic enrollment as "system administrator" (Android's device administrator API) has mainly been used for administering Android devices in Relution. The Relution client app receives special rights on the device to execute the MDM functions. With this type of enrollment, the possibilities for MDM intervention depend heavily on the Android device used: Samsung offers the most functions via its Knox interface, while the devices of all other Android manufacturers can only be configured very rudimentarily via MDM. For example, only Samsung offers the following options:

» Configure Exchange client
» VPN configuration
» "Silent push" of apps from the Relution App Store without asking on the device
» Fully automatic registration of the devices (KNOX Mobile Enrollment)


From Android 10: Android Enterprise Full Device Mode

With Android Enterprise, Google provides its own management stack that, unlike system administrator enrollment, no longer leaves the implementation of the MDM functions to the client app but builds them into the operating system (the client app acts as device policy controller and calls these functions). For the first time, this enables largely manufacturer-independent, uniform MDM functionality on the Android platform. Full device mode (a "fully managed device" in Google's terminology) will replace system administrator enrollment in the medium term. Android 10 is the first version in which full device mode is Google's preferred enrollment method; the device administrator API has been deprecated since Android 9.


Android – Bring Your Own Devices

Work Profile Enrollment

Android Enterprise offers so-called "Work Profile Enrollment", which is intended for employee devices and sets up a container ("Work") on the device that Relution can manage. The container provides a "Managed Play Store", a company-specific app store that lets apps from the Google Play Store be installed into the container without a personal Google account on the device, and lets Relution configure them (e.g. a mail client with a given server address and user name). The container can also hold its own address book to separate business from private contacts.

Everything outside the container ("Personal") cannot be influenced by Relution, for example, the device cannot be reset or locked. However, the container can be removed via Relution, which will delete all data in it.

Relution supports Work Profile Enrollment in parallel to System Administrator Enrollment, so you can combine the two.

Functional restrictions

Furthermore, the following functions within the "Work" container can be switched off by restriction:

» App black-/whitelisting
» Creating new users and profiles
» Adding and removing accounts
» Installing apps
» Uninstalling apps
» Using the camera
» Taking screenshots
» Configuring and using Bluetooth
» Sharing contacts via Bluetooth
» Configuring the mobile network
» Configuring VPN
» Configuring default Wi-Fi networks
» Sharing app data via Android Beam (NFC)
» Mounting external physical media
» Transferring files via USB

Summary

In their current versions, Android and iOS offer comprehensive means for secure use, including the separation of business and private data, and these are extended with every new operating system version. The classic app-based container has thus become obsolete: it cannot achieve such a strict separation at system level (e.g. no file system of its own) and has clear disadvantages compared to separation by the operating system, both in cost and in usability.
