Mobile device management security overview
Apple operating systems support mobile device management (MDM), which allows organizations to securely configure and manage scaled Apple device deployments.
How MDM works securely
MDM capabilities are built on operating system technologies, such as configurations, over-the-air enrollment, and the Apple Push Notification service (APNs). For example, APNs is used to wake the device and trigger it to communicate directly with its MDM solution over a secured connection. No confidential or proprietary information is transmitted over APNs.
Using MDM, IT departments can enroll Apple devices in an enterprise or educational environment, wirelessly configure and update settings, monitor compliance, manage software updates, and even remotely wipe or lock managed devices.
In iOS 13, iPadOS 13.1, and macOS 10.15, or later, Apple devices support a new enrollment option specifically designed for “bring your own device” BYOD programs. User Enrollment provides more autonomy for users on their own devices, while increasing the security of enterprise data by cryptographically separating managed data. This provides a better balance of security, privacy, and user experience for BYOD programs. A similar data separation mechanism has been added for account-driven Device Enrollments in iOS 17, iPadOS 17, and macOS 14, or later.
Enrollment types
User Enrollment: User Enrollment is designed for devices owned by the user and is integrated with Managed Apple IDs to establish a user identity on the device. Managed Apple IDs are required to initiate the enrollment, and the user must successfully authenticate for the enrollment to succeed. Managed Apple IDs can be used alongside a personal Apple ID that the user has already signed in with. Managed apps and accounts use the Managed Apple ID, and personal apps and accounts use the personal Apple ID.
Device Enrollment: Device Enrollment allows organizations to have users manually enroll devices and then manage many different aspects of device use, including the ability to erase the device. Device Enrollment also has a larger set of configurations and restrictions that can be applied to the device. When a user removes an enrollment profile, all configurations, settings, and managed apps based on that enrollment profile are removed. Similar to User Enrollment, Device Enrollment can also be integrated with a Managed Apple ID. This account-driven Device Enrollment also provides the ability to use a Managed Apple ID alongside a personal Apple ID and cryptographically separates corporate data.
Automated Device Enrollment: Automated Device Enrollment lets organizations configure and manage devices from the moment the devices are removed from the box. These devices are known as supervised, and users have the option to prevent the MDM profile from being removed by the user. Automated Device Enrollment is designed for devices owned by the organization.
Device restrictions
Restrictions can be enabled—or in some cases, disabled—by administrators to help prevent users from accessing a specific app, service, or function of an iPhone, iPad, Mac, Apple TV, or Apple Watch that’s enrolled in an MDM solution. Restrictions are sent to devices in a restrictions payload, which is part of a configuration. Certain restrictions on an iPhone may be mirrored on a paired Apple Watch.
Passcode and password settings management
By default, the user’s passcode can be defined as a numeric PIN on iOS, iPadOS, and watchOS. In iPhone and iPad devices with Face ID or Touch ID, the default passcode length is six digits, with a minimum of four digits. Because longer and more complex passcodes are harder to guess or attack, they are recommended.
Administrators can enforce complex passcode requirements and other policies using MDM or on iOS and iPadOS, Microsoft Exchange. An administrator password is needed when the macOS passcode policy payload is installed manually. Passcode policies can require a certain passcode length, composition, or other attributes.
Apple Watch uses numeric passcodes by default. If a passcode policy applied to a managed Apple Watch requires the use of non-numeric characters, the paired iPhone needs to be used to unlock the device.