
Apple is making corporate ‘BYOD’ programs less invasive to user privacy - walterbell
https://techcrunch.com/2019/06/10/apple-is-making-corporate-byod-programs-less-invasive-to-user-privacy/
======
mysterypie
An obvious solution is to carry two devices: one for work, on which the
company can install whatever corporate spyware they want, and one for personal
use. There's no way I'm letting my employer administer or install unknown
programs on my personal laptop and cell even with this enrollment option.

This has nothing to do with trusting or distrusting Apple. It's due to
avoiding complexity: having to think about a zillion cases of what the
employer can and can't do. I don't want to study a 30-page security whitepaper
and 300 pages of documentation that probably come with this new enrollment
thingie. But if I have two devices--with physical separation--I don't have to
think about all sorts of security and privacy gotchas.

Buying a cheap extra work phone and carrying two phones is not _that_ big a
burden. Plus you can turn off the work phone during personal time, and turn
off the personal phone during work.

~~~
sdoering
I agree in general. And I do not get the BYOD thing. As another commenter
said, an employer should provide the tools necessary. Or live with the
constraints.

I am in another camp. Until recently my employer had a policy of treating our
devices somewhat like private devices. We are provided with the device, are
allowed to use them at home at will, are full admins. We are only requested to
encrypt the harddrive. My employee never had access to my data if I did not
provide it to them.

So now two situations changed. Clients of ours force us to use endpoint
management to ensure different "security" standards (some not as secure as I
had before). Also we got bought by a bigger company and they have rules and
regulations for their ~470k employees. These mean we will get some hefty
spyware on our devices while still being officially allowed to take the
devices home with us, use them privately and so on.

Well. I am not so sure, I will do this in the future. I am not willing to
introduce spyware that also scans all devices within the network to my home
network. I do not want some admin on the other side of the world to be able to
download any file from my device. Or to upload any file onto my device.

So I will probably buy another computer (not having owned a private laptop for
quite some time) to use at home. Same with my mobile phone.

On the other hand - I hate to carry two devices with me. For me separating out
private/freelance stuff onto one machine and corporate stuff onto another
makes things more complicated. And I know convenience kills security.

Sorry for my rant, without providing much to the discussion. I mean - it is my
work device and my employer is within their full right to install whatever
they wish - once the works council agrees.

~~~
forgone
what company has 470k employees?

~~~
aidanlister
My guess is that he is talking about Accenture

~~~
wincy
I’m also curious about this, I’m guessing DHL because he’s in Germany but
Accenture matches up too.

------
jakobegger
This is nice and all, but I really wish that Apple would allow some real
multi-account functionality. Especially for iPads, but also for iPhones.

When I hand my phone to my kids to play a game, I don't want them to have
access to my email / text messages / contacts etc.

It's ridiculous that a 1000€ device is restricted to single user mode.

It's even worse for iPads -- they are perfect devices for sharing in the
family, but only a single person can use them for Email / iMessage / Whatsapp
/ Facetime / ...

But I don't have any hopes that Apple will fix this. They want everyone in the
family to own their own set of iDevices.

~~~
MartyMartyn
The function is there, just not enabled for end users. Enterprise and
Education can use multi user switching on iPads, plus a whole lot more.

~~~
ihuman
Doesn't that work by deleting your profile and downloading the new one? It
doesn't save the profiles on-device like desktop computers.

------
jchw
This is a welcome step. I moved (back) to iPhone recently and one thing I miss
from Android is Work Profiles that can be turned on and off and act as pretty
much a separated user. It sounds like this is slightly more limited than that,
but it’s a good start. At least being able to easily turn work stuff off on
the weekend is a huge deal for work life balance (and I feel a bit
uncomfortable when my work stuff is effectively not isolated from my personal
stuff.)

~~~
vageli
> This is a welcome step. I moved (back) to iPhone recently and one thing I
> miss from Android is Work Profiles that can be turned on and off and act as
> pretty much a separated user. It sounds like this is slightly more limited
> than that, but it’s a good start. At least being able to easily turn work
> stuff off on the weekend is a huge deal for work life balance (and I feel a
> bit uncomfortable when my work stuff is effectively not isolated from my
> personal stuff.)

Did Android do away with work profiles recently? I used to have one and then
following an update from the Enterprise, the apps were commingled and there
was no way to explicitly "turn off work".

~~~
yati
I'm using Android (Pixel 3), and the work profile works for me. IMO it is much
better than having to carry two phones.

~~~
john-radio
Is it something different than just a separate local account?

~~~
plushpuffin
They allow your workplace to remotely administer your work account without
giving them full control over your whole device.

------
Kalium
> Apple also noted that one of the big reasons users fear corporate BYOD
> programs is because they think the IT admin will erase their entire device
> when the enrollment ends — including their personal apps and data.

Yes. This is a true thing that users fear. It tends to happen because they're
using phones that don't allow any more constrained option.

It's nice to see iOS catching up with Android in this.

~~~
GordonS
I've had InTune and also some VMWare device management installed on my device
in the past, and during installation you do get a warning that your admins
will be able to delete everything on your device.

It kind of makes sense for them to do that if your device is stolen, but I
still just don't like handing over control of my device like that.

They typically also enforce other annoying policies, such as not allowing
rooted devices, not allowing swipe patterns and requiring a PIN/password. The
VMWare one even required that _all_ browsing went through their shitty browser
app (and presumably they got all my history).

Again, some of this makes sense from an enterprise point of view, but as a
user it's annoying and feels invasive.

~~~
Kalium
Oh, it definitely feels annoying and invasive. Without sandboxing, the options
are invasive MDM (because that's the only kind possible) and no MDM at all.

I once watched an employer go from unwilling to adopt MDM to requiring it for
accessing substantive systems on personal devices. The CEO lost his phone, and
suddenly appreciated what MDM was good for.

Users were given a choice: MDM, sandboxed if they had a device with modern
technology, or no significant access on personal devices. A lot of users had
phones that didn't offer sandboxing, so myself and several others found
ourselves explaining quite often that there literally was no option available
where remote wipe wasn't possible. If they didn't like that, well, they didn't
actually _need_ access from their phones, so...

Anyway. I'm quite glad Apple is starting to actually catch up a bit.

------
Quequau
I am not a wealthy man but there is no way I'd sign up for using any of my
employer's comms infrastructure for personal use or use any of my personal
equipment for business use.

I don't live to work and there's no reason to hand over any more info about my
personal life than necessary.

------
dewiz
It feels like an over engineered solution for a simple problem. If Apple were
instead to add multi-users support to iOS then it would be as simple as having
a work identity with dedicated apps and segregated data, and a personal
identity as such, invisible to IT.

~~~
aNoob7000
The problem is that most MDM solutions want to take over your device. At my
employer, the MDM solution literally takes over your entire device. I've
installed the solution on an iPhone, and a Samsung Galaxy S8 (with and without
Knox) with the same result. Unfortunately, the result is I carry two phones
instead of one.

I think Apple's solution to the problem might work. As long as the companies
data is separate from mine, what I do on my phone is private, and basic
functionality like screenshots are available on my phone, the solution looks
good to me.

~~~
wool_gather
> I think Apple's solution to the problem might work.

It might. As long as IT/Security can be convinced that it fulfills their
goals. That doesn't seem like a sure thing.

------
threeseed
> Using the per-app VPN feature, traffic from the Mail, Contacts and Calendars
> built-in apps will only go through the VPN if the domains match that of the
> business.

Shame that Apple doesn't take this one step further and do it system-wide.

~~~
synaesthesisx
Given their commitment to privacy as a selling point, it would be nice if
Apple provided an integrated VPN service (say included with the upper iCloud
tiers). For now I’m on the waitlist for Cloudflare’s offering - their DNS
works fantastic.

~~~
adamlett
VPN's are not a privacy panacea. Hiding your internet traffic from e.g. your
ISP comes at the cost of divulging it to the VPN provider. Apple has been very
clear that they don't want to be in a position where they would have to turn
over sensitive information about their users to authorities, a position they
can avoid by not providing such a service.

------
dclusin
Will Apple employees will be allowed to use this program? They're notoriously
paranoid about maintaining secrets. Wonder if their IT department would give
up the control.

~~~
larkost
I worked for Apple about 5 years ago, and there almost everyone I interacted
with carried an Apple-owned iPhone that was specially setup for running
internal in-development software. This was Apple's way of getting those builds
tested by a large number of people before they went out.

There were a few (software) restrictions placed on the devices, namely that
you had to have password lock turned on, and a password complexity policy. But
after that they really did not interfere at all. When I left I reset that
phone myself, and then bought a new iPhone and used the backup (not including
OS) of that phone off of iCloud (of course minus the Apple email account they
just turned off, and a couple of Apple-only apps I was using).

Other than some basic access controls on systems (especially around iOS
sources), and a lot of prototype-asset-tracking (I ran a lab with a lot of
that), Apple really does trust their developers to do the right thing. If they
trust you to have the information, then they trust you not to share it without
a lot of big-brother monitoring.

And there really is very little in the way of an IT department at Apple as you
would normally think of it. They provided the network and the printers, but
setting up your own computer was usually up to you and whatever help you got
from your team (who really were the ones who knew what you needed for
resources).

------
jdofaz
I've experienced law enforcement raiding offices and confiscating technology
for evidence collection. They will return the devices but not for years. I
don't want anything work related on my personal device.

------
gumby
BYOD is also a driver for dual sim phones, which Apple has finally introduced
(they have been common in China for some time). When Apple announced them the
us press discussion was all about international travel.

------
jiveturkey
finally.

it's a thrice-removed description, but at a surface level it sounds better
than android profiles, at least for work/home device sharing.

for sharing with family members (parents/kids, eg) it doesn't sound so
awesome. hey, if it means kids have to have their own tablet, well more power
to apple then!

------
jimmcslim
I wonder if this lays the groundwork for multiuser support in iPadOS at least?

~~~
MartyMartyn
Groundwork has been there for years, called 'Shared iPad' \- but its for
Education use only... Via an enterprise or education MDM solution you can
restrict and configure the iPad in many, many different ways; again, its not
for the consumer.

------
6nf
Apple is the only major player moving in the right direction when it comes to
privacy. I'm so glad we have them!

~~~
novas0x2a
I could be mistaken, but I think this is a somewhat weaker version of Android
for Work, which shipped about two years ago, I believe (couldn't find the
exact date). Perhaps Apple is doing something that AfW isn't already doing,
but it's hard to tell from this article, which doesn't mention AfW at all.

~~~
bestnameever
I'm not sure of the differences between AfW and this either but I don't think
it matters in the big picture. Instead, I see this as just one step in many
that Apple has taken in designing their products around user privacy, when
possible.

------
jaimex2
Ah, so this is why they killed all the other MDM based school management apps.
Well played Apple.

------
DEADBEEFC0FFEE
As someone who has managed 10k endpoints, BYOD is a very niche solution. The
security threats that any company with data worth stealing has is non-trivial.
Those folk in this thread moaning about corporate spyware, are living on
another planet. Nobody has the resources, or the motivation to spy on anyone.
When Oracle, Adobe and Microsoft come a knocking, knowing what is installed
and being able to uninstall it save a $1 million, easy.

~~~
masto
There is some motivation. Imagine you're Tim Apple and you wake up one day to
find The Verge has a front page story detailing all of your secret Apple Car
technical details and plans through 2022 courtesy of a "source with firsthand
knowledge of the project". I don't doubt for a minute that Apple has a
corporate security team with the empowerment and resources to dig through
employees' personal iMessages to find the leaker.

