Mobile device management security overview
Apple operating systems support mobile device management (MDM), which allows organizations to securely configure and manage scaled Apple device deployments.
How MDM works securely
MDM capabilities are built on existing operating system technologies, such as configuration profiles, over-the-air enrollment, and the Apple Push Notification service (APNs). For example, APNs is used to wake the device so it can communicate directly with its MDM solution over a secured connection. With APNs, no confidential or proprietary information is transmitted.
Using MDM, IT departments can enroll Apple devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, manage software update policies, and even remotely wipe or lock managed devices.
In addition to the traditional device enrollments supported by iOS, iPadOS, macOS, and tvOS, an enrollment type has been added in iOS 13 or later, iPadOS 13.1 or later, and macOS 10.15 or later—User Enrollment. User enrollments are MDM enrollments specifically targeting “bring your own device” (BYOD) deployments where the device is personally owned but used in a managed environment. User enrollments grant the MDM solution more limited privileges than unsupervised device enrollments do, and provide cryptographic separation of user and corporate data.
Enrollment types
Automated Device Enrollment: Automated Device Enrollment lets organizations configure and manage devices from the moment the devices are removed from the box (in a process known as Auto Advance deployment). These devices are known as supervised, and users have the option to prevent the MDM profile from being removed by the user. Automated Device Enrollment is designed for devices owned by the organization.
Device Enrollment: Device Enrollment allows organizations to have users manually enroll devices and then manage many different aspects of device use, including the ability to erase the device. Device Enrollment also has a larger set of payloads and restrictions that can be applied to the device. When a user removes an enrollment profile, all configuration profiles, their settings, and managed apps based on that enrollment profile are removed with it.
User Enrollment: User Enrollment is designed for devices owned by the user and is integrated with Managed Apple IDs to establish a user identity on the device. Managed Apple IDs are part of the User Enrollment profile, and the user must successfully authenticate in order for enrollment to be completed. Managed Apple IDs can be used alongside a personal Apple ID that the user has already signed in with. Managed apps and accounts use a Managed Apple ID, and personal apps and accounts use a personal Apple ID.
Device restrictions
Restrictions can be enabled—or in some cases, disabled—by administrators to help prevent users from accessing a specific app, service, or function of an iPhone, iPad, Mac, or Apple TV that’s enrolled in an MDM solution. Restrictions are sent to devices in a restrictions payload, which is part of a configuration profile. Certain restrictions on an iPhone may be mirrored on a paired Apple Watch.
Passcode and password settings management
By default, the user’s passcode can be defined as a numeric PIN. In iOS and iPadOS devices with Face ID or Touch ID, the minimum passcode length is four digits. Because longer and more complex passcodes are harder to guess or attack, they are recommended.
Administrators can enforce complex passcode requirements and other policies using MDM or Microsoft Exchange ActiveSync, or by requiring users to manually install configuration profiles. An administrator password is needed for the macOS passcode policy payload installation. Some passcode policies can require a certain passcode length, composition, or other attributes.