Data separation

Motivation

Mobile devices access data of all kinds, and data protection compliance must be guaranteed. A distinction is made between company-owned devices, so-called “Corporate Owned Devices” (COD), and user-owned devices, so-called “Bring Your Own Devices” (BYOD). For both types of use, the manufacturers of the mobile operating systems iOS and Android now offer their own technologies for data separation. In the following, these “on-board means” and their implementation in Relution are described in detail.

iOS – Corporate Owned Devices

Differentiation managed / unmanaged

Since iOS 12, Apple distinguishes between “managed” and “unmanaged” for the following objects:

Managed Devices

  1. Apps - pushed by Relution or installed via the Relution Enterprise Appstore; server-configurable.
  2. Mail Accounts - configured by Relution via a policy.
  3. Contacts - loaded from managed mail account to the device (synchronized).
  4. Documents - loaded from managed mail account to the device (synchronized).

Unmanaged Devices

  1. Apps - installed by the user from the Apple AppStore; not server-configurable.
  2. Mail Accounts - configured on the device by the user.
  3. Contacts - created by the user.
  4. Documents - generated by the user in unmanaged apps or received in unmanaged mail accounts.

An unmanaged app can be converted into a managed app by pushing it from Relution again; the pushed app replaces the unmanaged app of the same name on the device. Unmanaged mail accounts, contacts and documents, however, cannot be converted to managed.

Access restrictions

In iOS, data is separated at the system level by a policy that specifies whether unmanaged apps may access managed data. For this purpose, the “Restrictions” configuration of a Relution policy offers the following restriction options:

  • Prohibit opening managed documents in unmanaged apps.
  • Allow opening of unmanaged documents in managed apps.
  • Deny unmanaged apps access to managed contacts.
  • Allow managed apps to write unmanaged contacts.
  • Generally consider AirDrop targets as unmanaged.
  • Prohibit moving mails to unmanaged mail accounts.

For example, the following can be prevented:

  • A private app (e.g. WhatsApp) seeing business (Exchange) contacts.
  • A business mail being forwarded at will.
  • An attachment of a business mail being opened in an arbitrary app (e.g. Dropbox).

iCloud restrictions

To prevent the uncontrolled outflow of data, Relution offers the possibility to prohibit cloud accounts completely or at least restrict them. The following functions can be switched off:

  • iCloud backups
  • iCloud keychain synchronization
  • Managed apps storing data in iCloud
  • Saving photos in iCloud
  • Synchronization of iCloud documents.
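The access and iCloud restrictions above are delivered to the device as an Apple “Restrictions” payload. The following added example (not Relution’s own code; Relution maps its policy checkboxes onto these Apple keys behind its UI) builds such a payload for the posture described on this page and audits a profile for settings that still let managed data out. Payload identifiers are placeholders.

```python
# Added example (not Relution's own code): build the Apple "Restrictions"
# payload that implements the managed/unmanaged and iCloud settings listed
# above, then audit a profile for settings that still let managed data out.
import plistlib
import uuid

# Posture from the page: managed data stays in managed apps, managed apps may
# still open user (unmanaged) documents, AirDrop counts as unmanaged, iCloud off.
DATA_SEPARATION = {
    "allowOpenFromManagedToUnmanaged": False,   # managed docs -> unmanaged apps
    "allowOpenFromUnmanagedToManaged": True,    # unmanaged docs -> managed apps
    "allowUnmanagedToReadManagedContacts": False,
    "allowManagedToWriteUnmanagedContacts": True,
    "forceAirDropUnmanaged": True,              # AirDrop targets treated as unmanaged
    "allowCloudBackup": False, "allowCloudKeychainSync": False,
    "allowManagedAppsCloudSync": False, "allowCloudPhotoLibrary": False,
    "allowCloudDocumentSync": False,
}

# Value at which each key lets managed data leave the managed set. Apple's
# default is the permissive value, so a missing key is treated as leaky too.
LEAKY_VALUES = {
    "allowOpenFromManagedToUnmanaged": True, "allowUnmanagedToReadManagedContacts": True,
    "forceAirDropUnmanaged": False, "allowCloudBackup": True,
    "allowCloudKeychainSync": True, "allowManagedAppsCloudSync": True,
    "allowCloudDocumentSync": True,
}

def build_profile(restrictions: dict) -> bytes:
    # Wrap a restrictions dict into a .mobileconfig (XML plist) byte string.
    payload = {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.restrictions",  # placeholder id
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": "Data separation", **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",  # placeholder
                           "PayloadUUID": str(uuid.uuid4()).upper(),
                           "PayloadDisplayName": "Data separation",
                           "PayloadContent": [payload]})

def audit_profile(mobileconfig: bytes) -> list:
    """Return the restriction keys (sorted) that still allow managed data out."""
    profile = plistlib.loads(mobileconfig)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, leaky in LEAKY_VALUES.items():
            if payload.get(key, leaky) == leaky:
                findings.append(key)
    return sorted(findings)
```

Running `audit_profile` over a profile exported from the MDM is a quick way to confirm that a policy really closes every path listed above, including keys the policy editor simply left unset.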

Functional restrictions

Finally, there are some iOS system functions that are relevant from a data security perspective and can likewise be switched off by restriction:

  • App Block-/Allowlisting
  • Web-URL Block-/Allowlisting
  • AirDrop (can be switched off completely)
  • Password sharing
  • Access to Apple AppStore
  • Screenshots and recordings
  • Camera (can be switched off completely, also for in-app functions)
  • Creating and modifying accounts (Mail, Apple IDs)
  • Bluetooth
  • Installation of VPN profiles
  • USB connections.

Per-app VPN

As an important data protection measure, iOS offers the option of permanently binding the data connection of individual apps to a VPN connection, which itself is configured by the Relution server. This ensures that selected apps communicate only over the company’s own network and access outside it is prevented (intranet-only).
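Technically, the binding works through a shared VPNUUID: the VPN payload declares it, and each app is installed with that UUID in its attributes. The following added example (not Relution’s code; it uses Apple’s MDM VPN payload and InstallApplication command keys, which Relution’s server drives behind its UI) builds both sides and checks that every app is bound to a VPN that is actually deployed. The server hostname and bundle IDs are placeholders.

```python
# Added example (not Relution's code): per-app VPN binding via Apple's MDM keys.
import uuid

VPN_UUID = str(uuid.uuid4()).upper()  # shared handle between VPN payload and apps

def per_app_vpn_payload(server: str, vpn_uuid: str = VPN_UUID) -> dict:
    """VPN payload (com.apple.vpn.managed) that only apps referencing it may use."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.intranet",  # placeholder id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": "Intranet VPN",
        "VPNType": "IKEv2",
        "VPNUUID": vpn_uuid,                 # apps bind to this value
        "OnDemandMatchAppEnabled": True,     # tunnel comes up when a bound app sends traffic
        "IKEv2": {"RemoteAddress": server, "RemoteIdentifier": server,
                  "LocalIdentifier": "device", "AuthenticationMethod": "Certificate"},
    }

def install_app_command(bundle_id: str, vpn_uuid: str = VPN_UUID) -> dict:
    """InstallApplication command that routes the app through the per-app VPN."""
    return {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {
            "RequestType": "InstallApplication",
            "Identifier": bundle_id,
            "ManagementFlags": 1,               # 1 = remove app when MDM profile is removed
            "Attributes": {"VPNUUID": vpn_uuid},
        },
    }

def unbound_apps(vpn_payloads: list, commands: list) -> list:
    """Apps whose VPNUUID matches no deployed VPN payload (they would use the
    normal network instead of being intranet-only)."""
    deployed = {p["VPNUUID"] for p in vpn_payloads}
    return [c["Command"]["Identifier"] for c in commands
            if c["Command"].get("Attributes", {}).get("VPNUUID") not in deployed]
```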

iOS – Bring Your Own Devices

Until iOS 12, it was common to use a container app on iOS BYOD devices that could be configured on the server side and thus ensured separation of business and private data.

Since then, however, iOS offers a built-in “container solution” to separate business from private applications and data. For this purpose, an iOS device is added to the Relution inventory via a (BYOD) enrollment. This installs an MDM profile on the device, allowing it to be managed via Relution. Technically, a distinction is then made between “managed” and “unmanaged” apps and content. This turns the iOS device into a “dual persona” device and completely separates the data. Restrictions can also be used to control whether data may be shared between “managed” and “unmanaged” apps.

Different configurations can be loaded on the devices and managed via Relution:

  • Apps
  • VPN configuration
  • Notes (more system apps will follow in future iOS versions)
  • iCloud account
  • Keychain
  • Mail accounts / attachments
  • Calendar accounts / attachments.

If the MDM profile is removed, all managed apps and content are deleted. This action can be performed via Relution or on the device itself.