Mobile device management security overview
Apple operating systems support mobile device management (MDM), which allows organisations to securely configure and manage scaled Apple device deployments.
How MDM works securely
MDM capabilities are built on existing operating system technologies, such as configuration profiles, over-the-air enrolment and the Apple Push Notification service (APNs). For example, APNs is used to wake the device so it can communicate directly with its MDM solution over a secured connection. With APNs, no confidential or proprietary information is transmitted.
Using MDM, IT departments can enrol Apple devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, manage software update policies and even remotely wipe or lock managed devices.
In addition to the traditional device enrolments supported by iOS, iPadOS, macOS and tvOS, iOS 13 or later, iPadOS 13.1 or later and macOS 10.15 or later add a further enrolment type: User Enrolment. User enrolments are MDM enrolments specifically targeting “bring your own device” (BYOD) deployments, where the device is personally owned but used in a managed environment. User enrolments grant the MDM solution more limited privileges than unsupervised device enrolments do and provide cryptographic separation of user and corporate data.
Automated Device Enrolment: Automated Device Enrolment lets organisations configure and manage devices from the moment the devices are removed from the box (in a process known as Auto Advance deployment). These devices are known as supervised, and the MDM profile can be configured so that the user cannot remove it. Automated Device Enrolment is designed for devices owned by the organisation.
Device Enrolment: Device Enrolment allows organisations to have users manually enrol devices and then manage many different aspects of device use, including the ability to erase the device. Device Enrolment also has a larger set of payloads and restrictions that can be applied to the device. When a user removes an enrolment profile, all configuration profiles, their settings and managed apps based on that enrolment profile are removed with it.
User Enrolment: User Enrolment is designed for devices owned by the user and is integrated with Managed Apple IDs to establish a user identity on the device. Managed Apple IDs are part of the User Enrolment profile, and the user must successfully authenticate in order for enrolment to be completed. Managed Apple IDs can be used alongside a personal Apple ID that the user has already signed in with. Managed apps and accounts use a Managed Apple ID, and personal apps and accounts use a personal Apple ID.
Restrictions can be enabled — or in some cases, disabled — by administrators to help prevent users from accessing a specific app, service or function of an iPhone, iPad, Mac or Apple TV that’s enrolled in an MDM solution. Restrictions are sent to devices in a restrictions payload which is part of a configuration profile. Certain restrictions on an iPhone may be mirrored on a paired Apple Watch.
Passcode and password settings management
By default, the user’s passcode can be defined as a numeric PIN. On iOS and iPadOS devices with Face ID or Touch ID, the minimum passcode length is four digits. Longer and more complex passcodes are harder to guess or attack, so they are recommended.
Administrators can enforce complex passcode requirements and other policies using MDM or Microsoft Exchange ActiveSync, or by requiring users to manually install configuration profiles. On macOS, installing the passcode policy payload requires an administrator password. Passcode policies can require a certain passcode length, composition or other attributes.
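The restrictions payload and the passcode policy payload described above are both dictionaries inside a configuration profile plist. The following is an added example, not Apple's code or part of this document: it builds a profile carrying one restrictions payload (PayloadType com.apple.applicationaccess) and one passcode policy payload (PayloadType com.apple.mobiledevice.passwordpolicy), serialises it as an unsigned .mobileconfig, and audits the passcode payload against a baseline before it is pushed. The payload types and keys are the documented ones; the organisation identifier (com.example.mdm), the chosen restriction values, the passcode settings and the baseline thresholds are constructed for the example.

```python
"""Added example: build a configuration profile with a restrictions payload and a
passcode-policy payload, serialise it as a .mobileconfig plist, and audit the
passcode policy against a baseline. Not Apple's code; identifiers, values and
thresholds below are constructed for illustration."""
import plistlib
import uuid

# Payload types as documented for Apple configuration profiles.
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Strong passcode settings (constructed values; keys are the documented payload keys).
STRONG_PASSCODE = {
    "forcePIN": True,             # a passcode must be set
    "allowSimple": False,         # reject repeating, ascending or descending sequences
    "requireAlphanumeric": True,  # at least one letter and one number
    "minLength": 8,
    "maxFailedAttempts": 6,       # device is erased after this many wrong entries
    "maxInactivity": 2,           # minutes of inactivity before auto-lock
    "maxGracePeriod": 0,          # passcode required immediately after locking
}

# Deliberately weak settings, used to show what the audit flags.
WEAK_PASSCODE = {"forcePIN": True, "allowSimple": True, "minLength": 4}

# Minimums the audit enforces (constructed baseline; tune to your organisation).
BASELINE = {"minLength": 6, "maxFailedAttempts": 10, "maxInactivity": 5}


def _payload(payload_type, identifier, display_name, settings):
    """Wrap payload-specific settings in the envelope keys every payload needs."""
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    payload.update(settings)
    return payload


def build_profile(passcode_settings, org="com.example.mdm"):
    """Return a profile dict with one restrictions payload and one passcode payload."""
    restrictions = {
        "allowUntrustedTLSPrompt": False,  # no click-through on invalid certificates
        "forceEncryptedBackup": True,      # local backups must be encrypted
        "allowScreenShot": False,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.security-baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Security baseline",
        "PayloadScope": "System",
        "PayloadContent": [
            _payload(RESTRICTIONS_PAYLOAD_TYPE, f"{org}.restrictions",
                     "Restrictions", restrictions),
            _payload(PASSCODE_PAYLOAD_TYPE, f"{org}.passcode",
                     "Passcode", passcode_settings),
        ],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist an MDM solution would push (left unsigned here)."""
    return plistlib.dumps(profile)


def audit_passcode_policy(mobileconfig):
    """Parse a .mobileconfig and list every way its passcode payload misses BASELINE."""
    profile = plistlib.loads(mobileconfig)
    passcode = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not passcode:
        return ["no passcode policy payload present"]
    p = passcode[0]
    findings = []
    # Defaults mirror the payload's documented defaults: forcePIN false, allowSimple true.
    if not p.get("forcePIN", False):
        findings.append("forcePIN not set: users may have no passcode at all")
    if p.get("allowSimple", True):
        findings.append("allowSimple permits repeating or sequential passcodes")
    if p.get("minLength", 0) < BASELINE["minLength"]:
        findings.append(f"minLength {p.get('minLength', 'unset')} below baseline "
                        f"{BASELINE['minLength']}")
    if "maxFailedAttempts" not in p or p["maxFailedAttempts"] > BASELINE["maxFailedAttempts"]:
        findings.append("maxFailedAttempts missing or too high: guessing is not bounded")
    if "maxInactivity" not in p or p["maxInactivity"] > BASELINE["maxInactivity"]:
        findings.append("maxInactivity missing or too long: idle device stays unlocked")
    return findings


if __name__ == "__main__":
    for name, settings in (("strong", STRONG_PASSCODE), ("weak", WEAK_PASSCODE)):
        result = audit_passcode_policy(to_mobileconfig(build_profile(settings)))
        print(name, "->", result or "meets baseline")
```

Running the module audits both profiles: the strong one produces no findings, while the weak one is flagged for allowSimple, a four-digit minimum and the missing failed-attempt and inactivity limits. A real deployment would sign the plist before distribution and let the MDM solution deliver it; the audit step is the defender's check that a profile actually enforces the policy it is meant to.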