Every year there is another acronym for Mobile Device Management (MDM). Mobile operating systems require software management companies to look at built-in APIs and design unique features that fit into what is allowed on that platform. This very competitive market has caused lots of confusion and uncertainty for customers. With this post, I hope to explain what all these acronyms are and why you should look to native technologies within iOS instead of custom solutions that are designed to support iOS, Android, and other mobile operating systems.
Disclaimer: I currently work for JAMF Software and prefer Apple products over Windows and Android. I believe that the curated ecosystem of macOS and iOS enables a better and more secure environment for organizations. Some of the technologies below have value if deploying a less secure operating system like Android.
Mobile Device Management (MDM)
This is what the space was initially called several years ago. Apple added MDM into iOS in version 4.2.1 in 2010. MDM can send commands, modify settings, and install content through opt-in enrollment or the Device Enrollment Program (DEP). Most MDM companies can address all of the three-letter acronyms below by using native technologies in iOS (if they so choose).
Mobile Application Management (MAM)
MAM encompasses things like app wrapping from an MDM vendor or containerization of data within a proprietary app. Typically companies pushing MAM will recommend email and contacts stay within their app instead of using native Mail and Contacts in iOS due to “security” concerns. This fad started due to limits within iOS and control over the flow of data. With iOS 7’s release in 2013, most of the need for apps in this category has been reduced to zero. Marketing and the lack of knowledge around Managed Open-In have made it difficult for the market to move forward. Below we will take a look at how data can be segmented on the device without having to use a separate app.
Managed Open-In is a framework made up of settings on iOS, apps deployed via MDM, and content deployed via MDM. Settings on the device set it up to segment personal and organizational data; when apps and content are installed via MDM they are flagged as managed, which the device then treats as organizational. Together, these settings create a barrier that data cannot cross.
Mobile Content Management (MCM)
This area is focused on management of data, where it is hosted, and how users access it. For example, many companies use tools like Box, Google Drive, OneDrive, or Dropbox for cloud hosted files and content. Some MDM solutions also allow for PDF, iBook, or ePub file deployment. If a solution allows for content distribution, make sure they support Managed Open-In.
Enterprise Mobile Management (EMM)
This one is thanks to industry marketing and analysts. EMM is considered the over-arching system that then controls MDM, MAM, and MCM. However, we will see below that iOS has built-in tools to handle many of these three-letter acronyms natively.
Why The Outcome is More Important than the Acronym
At the end of the day, schools and organizations are just trying to ensure a level of security for their data. Customers that I work with typically want the following things:
- Passcode on the device of some complexity
- Email for end users configured
- Necessary apps for productivity
- Settings to ensure corporate email cannot be moved to a personal email account
- Documents distributed (like employee or student handbook) that cannot be backed up to any unauthorized locations
Great News! All of these things can be accomplished with a good MDM that supports all of Apple’s latest features. No app wrapping MAM system, no secure content locker that forces end users to use separate mail clients, and all using native apps or familiar apps from the App Store!
Once a device is managed via MDM, you can deploy a Configuration Profile to specify the minimum requirements for a passcode. If the device already has a passcode, these settings will supersede the current passcode if it is deemed not strong enough. Additionally, setting a passcode on an iOS device automatically triggers changes in encryption within iOS: data at rest cannot be extracted from the device unless the passcode is used to unlock it. Other items that can be configured are:
- Minimum passcode length
- Minimum number of complex characters
- Maximum passcode age
- Maximum Auto-Lock
- Passcode history
- Maximum grace period for device lock
- Maximum number of failed attempts
You can also use the Restrictions payload for added security around Passcode and unlocking devices. Some of these restrictions are:
- Allow voice dialing while device is locked
- Allow Siri while device locked
- Allow Touch ID to unlock device
- Force Apple Watch wrist detection
- Show Notification Center in Lock screen
Now that a passcode has been enforced, we can report on what devices have the profile in place and use the presence of that profile as a requirement for deploying email, apps, and content.
For this example we will look at setting up Exchange / Office 365. This can also be done with POP/IMAP accounts with some minor differences. By using the default Mail, Calendar, and Contacts clients in iOS you get a solution that you don’t have to worry about when the next version of iOS comes out. Since these tools are maintained by Apple and are part of iOS, you feel safe that those apps won’t break during an upgrade. If using a container app for these services, you might have to wait to upgrade your iOS devices.
The keys to deploying corporate email securely are to uncheck Allow messages to be moved and to uncheck Allow Mail Drop. Unchecking Allow messages to be moved forces all emails to stay within that account. Mail Drop is a technology designed by Apple for large file transfers; the data is stored on Apple’s servers for 30 days. Additionally, you can enhance the end user experience by configuring variables for email and username. In the Casper Suite, these are $EMAIL and $USERNAME. Other options when configuring email are:
- Account Name
- Exchange ActiveSync Host
- Email Address
- Past Days of Mail to Sync
- Authentication Credential
- Communication Service Rules
Deploying Apps Securely
Content that is stored within apps on your iOS device is critical for data security. Thankfully, Apple has built functionality around this to allow data to flow between apps for your organization but not be a hindrance for the end user. The setup for Managed Open-In is to first deploy a configuration profile with restrictions on the flow of data and then to deploy corporate apps as managed applications.
The four settings you are looking for within the Restrictions payload are:
- Allow documents from managed sources in unmanaged destinations
- Allow documents from unmanaged sources in managed destinations
- Allow managed apps to store data in iCloud (supervised only)
- Treat AirDrop as unmanaged destination
These settings control the flow of content into and out of an app in a managed state, and the only way an app can be considered managed is through MDM. Disabling Allow documents from managed sources in unmanaged destinations is the most important, but most administrators set the other three as well to ensure private data stays separate from corporate data.
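As an added example (not code from this post or from JAMF), the following Python check audits a .mobileconfig for the passcode, Exchange and Managed Open-In settings discussed above, so an administrator can confirm a profile matches the intended policy before scoping it. The payload key names follow Apple's Configuration Profile Reference; the sample profile and the minimum passcode length are constructed assumptions.

```python
import plistlib

# Expected values, per the post: keep managed documents out of unmanaged apps
# (and vice versa), no iCloud sync for managed apps, AirDrop treated as
# unmanaged, mail kept in its account, Mail Drop off. Key names follow Apple's
# Configuration Profile Reference; MIN_PASSCODE_LENGTH is an assumed policy.
EXPECTED = {
    "com.apple.applicationaccess": {
        "allowOpenFromManagedToUnmanaged": False,
        "allowOpenFromUnmanagedToManaged": False,
        "allowManagedAppsCloudSync": False,
        "forceAirDropUnmanaged": True},
    "com.apple.eas.account": {"PreventMove": True, "disableMailDrop": True},
}
REQUIRED = ("com.apple.mobiledevice.passwordpolicy", "com.apple.applicationaccess")
MIN_PASSCODE_LENGTH = 6


def audit_profile(mobileconfig: bytes) -> list:
    """Return findings for settings that weaken the passcode, mail and Managed
    Open-In posture; an empty list means the profile matches the policy."""
    profile = plistlib.loads(mobileconfig)
    findings, seen = [], set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        seen.add(ptype)
        for key, want in EXPECTED.get(ptype, {}).items():
            got = payload.get(key)  # an absent key leaves iOS at its permissive default
            if got != want:
                findings.append(f"{ptype}: {key} is {got!r}, expected {want!r}")
        if ptype == REQUIRED[0] and payload.get("minLength", 0) < MIN_PASSCODE_LENGTH:
            findings.append(f"{ptype}: minLength below {MIN_PASSCODE_LENGTH}")
    findings += [f"missing payload {p}" for p in REQUIRED if p not in seen]
    return findings


# Constructed sample: restrictions still allow managed -> unmanaged, and the
# Exchange payload omits disableMailDrop, so the audit flags exactly those two.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": REQUIRED[0], "minLength": 6, "maxFailedAttempts": 10},
        {"PayloadType": "com.apple.applicationaccess",
         "allowOpenFromManagedToUnmanaged": True,
         "allowOpenFromUnmanagedToManaged": False,
         "allowManagedAppsCloudSync": False, "forceAirDropUnmanaged": True},
        {"PayloadType": "com.apple.eas.account", "Host": "mail.example.com",
         "EmailAddress": "$EMAIL", "UserName": "$USERNAME", "PreventMove": True},
    ],
})
```

Run `audit_profile(SAMPLE_PROFILE)` to see the two findings; an exported profile from the MDM can be passed in as bytes the same way.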
For apps that an organization uses and wants to keep their data separate from the end users’ data, you will need to ensure that you are deploying the apps from MDM and checking the box to make each app a managed app. Other things can be done to enhance this workflow, like adding in Apple’s Volume Purchase Program (VPP). These are the options to consider when deploying a managed app:
- Make app managed when possible – trigger for not allowing data to move between unmanaged apps (what end users would have if they install apps from the App Store)
- Make app managed if currently installed as unmanaged – “Take Over Management”. This was added in iOS 9 so that organizations could migrate an app to managed without affecting end user data. There is no alert to the end user if the device is Supervised; if not supervised, the end user will have to accept via a prompt
- Remove app when MDM profile is removed – app will be removed with the MDM profile. Nice for a selective or “Enterprise” wipe.
- Prevent backup of app data – does not allow any data from the app to be in an iCloud Backup
A selective or "enterprise" wipe removes only settings, apps, and content that was distributed by the organization. This leaves user data in place which is good for a Bring Your Own iDevice program (BYOiD).
Now that we have settings and apps in place with Managed Open-In, we can take the last step of publishing documents to our secured apps within iOS.
There are a few different ways we can publish documents to iOS and control the movement of files. Each of these methods uses different techniques within Managed Open-In and is a valid workflow depending on what outcome you are looking for. First, we could use Self Service to deploy content like PDFs or iBooks into the iBooks app. Secondly, we could use Self Service to publish the data to a separate app like Acrobat. Lastly, we could have the content in a tool like Dropbox and then move it into another app like Word.
Self Service to iBooks
- Self Service app installed and set to Managed
- (Optional) Configuration profile disabling: Allow backup of enterprise books
- (Optional) Configuration profile disabling: Allow notes and highlights sync for enterprise books
- iBook, ePub or PDF document
First, we will need to upload our content to a server or use JAMF Cloud. Once uploaded, we will want to ensure that we check the box, Make ebook Managed when possible. Lastly, assign the eBook to your users and save. When that eBook is pushed or installed from Self Service, it will be added as a managed book and can be removed at any time or if the MDM Profile is removed.
Self Service to Acrobat
- Self Service app installed and set to Managed
- Acrobat app installed and set to Managed
- iBook, ePub or PDF document
First, we will need to upload our content to a server or use JAMF Cloud. Once uploaded, we will want to ensure that we DO NOT check the box, Make ebook Managed when possible. By leaving that checkbox empty, Self Service will display a list of managed apps that we can open our content with. Lastly, assign the eBook to your users and save. Users can only get content this way via Self Service.
Dropbox to Word
- Dropbox app installed and set to Managed
- Word app installed and set to Managed
- iBook, ePub or PDF document in Dropbox
- (Recommended) Configuration profile limiting the flow of data from managed to unmanaged sources
This workflow is largely left to the setup process. First, double check that your apps are being deployed as managed. Then the end user can find their content and use the Open in option to move the data out to Word.
Why is Managed Open-In Better?
Native Tools = Easier Upgrades
Because we are using apps and management frameworks built into iOS, we can be fairly safe allowing our end users to upgrade to the latest version of iOS without concern. Apple historically has done a good job of maintaining backwards compatibility while adding new features to iOS. Another thing to point out is that there is no way to restrict iOS devices from upgrading to the latest version of iOS. Yes, there may be some network-level changes you can make, but what happens when a device is taken home or to a coffee shop? If you use native tools, you also don’t have to worry about whether an MDM vendor will update their custom app to support new iOS versions or features.
While this one gets left out of many implementation plans, the easiest way to cut Help Desk calls and tickets is to design a solution that is easy for the end users to learn or that they are familiar with. If your users are already comfortable with Mail and Calendar on iOS why would you want to introduce another tool for them to learn? Also, Apple has already published many support articles and videos on how to use these tools. This helps you by reducing the features that you need to document. Lastly, you can use Apple Stores to your advantage if your organization is part of Joint Venture.
Support Built into Every App
Every app that is published in the App Store or made for in-house distribution supports the examples above. There is no need for app wrapping or requiring the apps you use to support a specific MDM vendor. This gives your organization the freedom to choose the best apps for productivity and not be tied to a custom build or solution of apps.