Mobile device management security overview
Apple operating systems support mobile device management (MDM), which allows organisations to securely configure and manage scaled Apple device deployments.
How MDM works securely
MDM capabilities are built on operating system technologies, such as configurations, over-the-air enrolment and the Apple Push Notification service (APNs). For example, APNs is used to wake the device and trigger it to communicate directly with its MDM solution over a secured connection. No confidential or proprietary information is transmitted over APNs.
Using MDM, IT departments can enrol Apple devices in an enterprise or educational environment, wirelessly configure and update settings, monitor compliance, manage software updates and even remotely wipe or lock managed devices.
In iOS 13, iPadOS 13.1 and macOS 10.15, or later, Apple devices support a new enrolment option specifically designed for “bring your own device” (BYOD) programs. User Enrolment provides more autonomy for users on their own devices, while increasing the security of enterprise data by cryptographically separating managed data. This provides a better balance of security, privacy and user experience for BYOD programs. A similar data separation mechanism has been added for account-driven Device Enrolments in iOS 17, iPadOS 17 and macOS 14, or later.
Enrolment types
User Enrolment: User Enrolment is designed for devices owned by the user and is integrated with Managed Apple IDs to establish a user identity on the device. Managed Apple IDs are required to initiate the enrolment, and the user must successfully authenticate for the enrolment to succeed. Managed Apple IDs can be used alongside a personal Apple ID that the user has already signed in with. Managed apps and accounts use the Managed Apple ID, and personal apps and accounts use the personal Apple ID.
Device Enrolment: Device Enrolment allows organisations to have users manually enrol devices and then manage many different aspects of device use, including the ability to erase the device. Device Enrolment also has a larger set of configurations and restrictions that can be applied to the device. When a user removes an enrolment profile, all configurations, settings and managed apps based on that enrolment profile are removed. Similar to User Enrolment, Device Enrolment can also be integrated with a Managed Apple ID. This account-driven Device Enrolment also provides the ability to use a Managed Apple ID alongside a personal Apple ID and cryptographically separates corporate data.
Automated Device Enrolment: Automated Device Enrolment lets organisations configure and manage devices from the moment the devices are removed from the box. These devices are known as supervised and users have the option to prevent the MDM profile from being removed by the user. Automated Device Enrolment is designed for devices owned by the organisation.
Device restrictions
Restrictions can be enabled — or in some cases, disabled — by administrators to help prevent users from accessing a specific app, service or function of an iPhone, iPad, Mac, Apple TV or Apple Watch that’s enrolled in an MDM solution. Restrictions are sent to devices in a restrictions payload, which is part of a configuration. Certain restrictions on an iPhone may be mirrored on a paired Apple Watch.
Passcode and password settings management
By default, the user’s passcode can be defined as a numeric PIN on iOS, iPadOS and watchOS. In iPhone and iPad devices with Face ID or Touch ID, the default passcode length is six digits, with a minimum of four digits. Because longer and more complex passcodes are harder to guess or attack, they are recommended.
Administrators can enforce complex passcode requirements and other policies using MDM or, on iOS and iPadOS, Microsoft Exchange. An administrator password is needed when the macOS passcode policy payload is installed manually. Passcode policies can require a certain passcode length, composition or other attributes.
Apple Watch uses numeric passcodes by default. If a passcode policy applied to a managed Apple Watch requires the use of non-numeric characters, the paired iPhone needs to be used to unlock the device.
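As an added example (not Apple's code or part of this page), the Python below parses a constructed configuration profile, flags a Passcode payload that falls below a chosen baseline for length, composition and failed-attempt limits, and returns a hardened copy. The PayloadType and policy keys are Apple's documented Passcode payload keys; the baseline values and the sample profile are assumptions for the example, and the required Payload* metadata keys are omitted for brevity.

```python
import plistlib

# Constructed sample profile carrying one Passcode payload (Apple's documented key
# names; PayloadIdentifier/PayloadUUID/PayloadVersion omitted to keep the sample short).
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadType</key><string>Configuration</string>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
  <key>forcePIN</key><true/>
  <key>allowSimple</key><true/>
  <key>minLength</key><integer>4</integer>
 </dict></array>
</dict></plist>"""

# Baseline this checker enforces (an assumption for the example, not an Apple requirement):
# passcode required, no simple sequences, at least six characters, bounded failed attempts.
REQUIRED = {"forcePIN": True, "allowSimple": False}
MIN_LENGTH = 6
MAX_FAILED = 10
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

def audit_passcode_policy(profile_bytes):
    """Return findings for the Passcode payload(s); empty when the baseline is met."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode policy payload present"]
    findings = []
    for p in payloads:
        for key, wanted in REQUIRED.items():
            if p.get(key) != wanted:
                findings.append(f"{key} should be {wanted!r}, got {p.get(key)!r}")
        if p.get("minLength", 0) < MIN_LENGTH:
            findings.append(f"minLength {p.get('minLength')} is below {MIN_LENGTH}")
        # A missing maxFailedAttempts leaves the lockout/erase threshold undefined.
        if p.get("maxFailedAttempts", MAX_FAILED + 1) > MAX_FAILED:
            findings.append(f"maxFailedAttempts missing or above {MAX_FAILED}")
    return findings

def harden(profile_bytes):
    """Return the profile (as plist bytes) with each Passcode payload raised to the baseline."""
    profile = plistlib.loads(profile_bytes)
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == PASSCODE_TYPE:
            p.update(REQUIRED)
            p["minLength"] = max(p.get("minLength", 0), MIN_LENGTH)
            p["maxFailedAttempts"] = min(p.get("maxFailedAttempts", MAX_FAILED), MAX_FAILED)
    return plistlib.dumps(profile)
```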