Hacker News new | past | comments | ask | show | jobs | submit login
Apple is making corporate ‘BYOD’ programs less invasive to user privacy (techcrunch.com)
208 points by walterbell 4 days ago | hide | past | web | favorite | 144 comments

An obvious solution is to carry two devices: one for work, on which the company can install whatever corporate spyware they want, and one for personal use. There's no way I'm letting my employer administer or install unknown programs on my personal laptop and cell even with this enrollment option.

This has nothing to do with trusting or distrusting Apple. It's due to avoiding complexity: having to think about a zillion cases of what the employer can and can't do. I don't want to study a 30-page security whitepaper and 300 pages of documentation that probably come with this new enrollment thingie. But if I have two devices--with physical separation--I don't have to think about all sorts of security and privacy gotchas.

Buying a cheap extra work phone and carrying two phones is not that big a burden. Plus you can turn off the work phone during personal time, and turn off the personal phone during work.

I agree in general. And I do not get the BYOD thing. As another commenter said, an employer should provide the tools necessary. Or live with the constraints.

I am in another camp. Until recently my employer had a policy of treating our devices somewhat like private devices. We are provided with the device, are allowed to use them at home at will, are full admins. We are only requested to encrypt the harddrive. My employee never had access to my data if I did not provide it to them.

So now two situations changed. Clients of ours force us to use endpoint management to ensure different "security" standards (some not as secure as I had before). Also we got bought by a bigger company and they have rules and regulations for their ~470k employees. These mean we will get some hefty spyware on our devices while still being officially allowed to take the devices home with us, use them privately and so on.

Well. I am not so sure, I will do this in the future. I am not willing to introduce spyware that also scans all devices within the network to my home network. I do not want some admin on the other side of the world to be able to download any file from my device. Or to upload any file onto my device.

So I will probably buy another computer (not having owned a private laptop for quite some time) to use at home. Same with my mobile phone.

On the other hand - I hate to carry two devices with me. For me separating out private/freelance stuff onto one machine and corporate stuff onto another makes things more complicated. And I know convenience kills security.

Sorry for my rant, without providing much to the discussion. I mean - it is my work device and my employer is within their full right to install whatever they wish - once the works council agrees.

> while still being officially allowed to take the devices home with us, use them privately and so on.

Who owns the rights to IP developed on these company-owned laptops? One of the biggest problems with this kind of ‘unspoken flexibility’ is that any side projects you work on are in-part owned by the company, under most standard agreements.

Me being in Germany and clearly not a lawyer. That said: I own all my intellectual property, of everything I develop in my free time on this device. And in Germany, at least as far as I am aware, these broad regulations some US employers try to force on their employees have been thrown out by court decisions. But not sure on that.

I would not work for a company that would try to ensure it owns all of what I do outside of company time.

> Me being in Germany and clearly not a lawyer. That said: I own all my intellectual property, of everything I develop in my free time on this device.

> I would not work for a company that would try to ensure it owns all of what I do outside of company time.

You might want to read the laws governing this, notably the "Gesetz über Arbeitnehmererfindungen" (https://www.gesetze-im-internet.de/arbnerfg/) It's fairly short and clear. Work contracts often don't mention that because a lot of what you can invent is already owned by your employer by law.

Notably everything that can be patented and primarily results from your work or your or your experience at work:

    (1) Erfindungen von Arbeitnehmern im Sinne dieses Gesetzes können gebundene oder freie Erfindungen sein.
    (2) Gebundene Erfindungen (Diensterfindungen) sind während der Dauer des Arbeitsverhältnisses gemachte Erfindungen, die entweder
    1. aus der dem Arbeitnehmer im Betrieb oder in der öffentlichen Verwaltung obliegenden Tätigkeit entstanden sind oder
    2. maßgeblich auf Erfahrungen oder Arbeiten des Betriebes oder der öffentlichen Verwaltung beruhen.
You need to be fairly compensated etc., but the employer gets first rights. (and fairly does not necessarily mean market value)

The rules apply independent of which device you're using though. Compensation might differ slightly, but the rules around that are longer than the law itself :)

> a lot of what you can invent is already owned by your employer by law

I recommend § 18 and § 19 of said "Gesetz über Arbeitnehmererfindungen". They state that inventions that are clearly not done on the employers payroll (to paraphrase this) are so called free (you have to enable your employer to make that call and you could dispute him, if he tries to claim said invention) (§§18).

But you need to enable your employer to use said (free) invention with reasonable terms - but you dictate the terms (§§19). Your employer can dispute the conditions and a court of law then has to decide.

So clearly this law does not enable your employer to claim nearly every invention you could make in your free time.

At least as far as my understanding goes. But I might be totally wrong here. I am somewhat out of my experience here.

You should reread the part I quoted above. It defines the terms used in §18/19: It’s §4(2) https://www.gesetze-im-internet.de/arbnerfg/__4.html it doesn’t talk about payroll or not payroll, it’s all about how related to your work assignment the invention is. The rules and regulations around calculating a fair compensation even grade on that exact metric among other things. So it’s essentially what the work contracts stipulate: inventions related to your work belong to your employer, even if done in your off time.

The problem in IT is that depending on what you do, everything might be related to a varying degree.

> And in Germany, at least as far as I am aware, these broad regulations some US employers try to force on their employees have been thrown out by court decisions. But not sure on that.

Would be interested to hear about specific court decisions!

In general, this topic is not quite so clear, even in Germany. For a contrary argumentation, have a look at: https://www.lieb-online.com/files/luxe/publikationen/Urheber... (covers both Urheberrecht and Patentrecht, 15 pages, argues seemingly mostly in favour of the employer, but that does not mean they are wrong)

Keywords to search for, if you don't have the time now to read it as a whole:

- Freizeitwerk / freiwilliges Werk (it's a difference! but just because you do something in your freetime it is not necessarily a Freizeitwerk, in case your job is to produce such works and it could be of use to your employer, this is arguably not the case)

- Beweislast (just because you say or mean it to be unrelated to work, does not automatically mean it is -- side note: the bigger your employer, the less you can know about what is in their interest or not)

- Anbietungspflicht (describes the case using work ressources / work time)

- Pflicht zur Anbietung (for the free time stuff which is not "totally unrelated to the interests of your employer" -- so "automatic transition of usage rights via contract" is indeed suspicious and likely to be undermined in court, but they have a say if they want it)

Sounds somewhat like slavery indeed. ;)

Isn't that the case regardless of what laptop you're using? As far as I can tell you should assume any side projects are Copyright (c) your employer unless you talk to legal first and make an arrangement (for each project).

See for example: https://www.joelonsoftware.com/2016/12/09/developers-side-pr...

No, what you do on your own time (not company time) with your own resources can't be owned by the company, because otherwise everything you do would be owned by the company, which is absurd; suppose I went to a friend or relative and helped him/her out by writing a simple script, does that belong to the company now? How about posts you make on HN outside of work (if you do it at work, that's... questionable)?

The possibility of companies disagreeing is why I keep my work and private life completely separate, and the online portion of the latter does not even use my name nor anything that could be associated with my "offline" identity.

> [S]uppose I went to a friend or relative and helped him/her out by writing a simple script, does that belong to the company now?

That's a good question, and only answerable by checking what you've signed and what the laws in your jurisdiction are.

Some of the agreements, even in the US, are pretty aggressive about grabbing as much IP from an employee as possible.

Please see the link I added. You should check your employment contract to see the exact terms of the copyright assignment clause you signed, but it's definitely very common to have to assign any inventions you make that are "related to your employers area of work", regardless of what hardware you use or if you do it in the office or at home.

Well who signs contracts like these? I mean really? And why? I really cannot understand anybody giving away that much of their live for an employer/the next paycheck.

Yeah - if I am really, really in a tight spot financially - for as long as it takes to crawl out of such a mess - ok. But regularly? Long term?

Help me to understand.

And I also do not understand how a company could find this morally acceptable to have this idea.

I mean is this really the norm in the US?

> Well who signs contracts like these? I mean really? And why? I really cannot understand anybody giving away that much of their live for an employer/the next paycheck.

The outrage is a bit funny, because that's actually the law in Germany. It doesn't even need to be in the contract. (1) And if you think about it, it makes sense: Otherwise every employee who finds something patentable during working hours just clocks out, goes home and invents it "on his own time." And that would be a problem for an employer, too. So the deal is "employer pays you, and gets first dibs on whatever you invent in the general area that the employer pays you to work in."

(1) https://www.gesetze-im-internet.de/arbnerfg/index.html

As already answered on another comment. This law does not enable an employer to claim every employees (patentable) invention. Please read the text - especially on the so called free inventions.

This is essentially in line what the article linked and the post to which you responded claims: inventions related to your assigned field of work are claimable.

99% of people sign them. Almost everyone will barely read it. The rest assume that it won't affect them.

A bird in the hand is worth two in the bush.

I'd rather get paid more today than take a lower salary with the potential to possibly, if I'm really lucky, strike gold with my own invention.

Unfortunately it is the norm. (With tech companies)

AFAIK, despite your work contract, CA protects personal projects even done on a company laptop. It just can’t be done on work hours or with a novel tool provided by work.

I’m paraphrasing an attorney’s explanations so I can’t cite the code.

I want to be clear that my question relates to artifacts you produce on company-owned resources - not just in your own time on your own machine.

Legal precedence around IP ownership - when you've used company-owned machines - is far less clear.

If the machine is company owned then the designation is usually whether the artifact or area of work is related to the main course of work. If you freelance in the same industry as your employer, you may have a tough time proving the distinction. Most of these agreements are only enforceable, though, when there's an overlap of work area regardless of who owns the machine. If the company is giving the employee the ability to use the hardware for personal use then the point of the hardware being company-owned is irrelevant to whether the work is being done on behalf of the company and, therefore, owned by the company.

Fortunately, not in California.

Depends. California’s law only applies if you aren’t working in the same business as your employer, which means if you work for any large company you almost certainly can get in trouble with pretty much anything.

I’m going to guess the new employer is Deutsche Post DHL Group?

I’m basing this on you mentioning being in Germany and company size. Off topic, but I just went down a small rabbit hole of employers with >400k employees and there’s not many, most of them are either state owned/militaries (I’m assuming Russia’s Gasprom doesn’t have many German employees) or Walmart/McDonald’s (which has far more employees than 470k).

For anyone interested I guessed based on this article. https://www.lovemoney.com/galleries/amp/67573/the-worlds-30-...

> I am not willing to introduce spyware that also scans all devices within the network to my home network.

In the EU I would seriously doubt that your employer is allowed to do this.

> In the EU I would seriously doubt that your employer is allowed to do this.

Sadly they are. At least as far as any lawyer on this topic currently stated.

Why not? It’s a company device, if you don’t want your employer to access your network through it, don’t connect it to your network. You can hardly blame them for administering their own device.

If an employer expected me to use such a device I would assume that they would also pay for me to have a separate internet connection (this could easily be tethering to my work provided mobile data).

If you have a decent router you can just create an isolated network for devices you don’t trust.

>And I do not get the BYOD thing.

I get it. My employer provided phone is a Blackberry Leap.

Can it receive calls and read e-mails?

If so, that should be all my employer expects of me when I'm provided with a company phone. I can't imagine what they would want me to do that would require a smartphone. Anything more complicated would be better accomplished on a laptop.

>Can it receive calls and read e-mails?


But there's more to it than that. I can't use the browser to look work-related things up because the blackberry browser hasn't been updated in years. I end up using my own device which defeats the purpose.

I don't get it. My employer provided phone was a Blackberry Bold. I need a work phone to make and receive work related calls, and to keep work related matters off my personal phone, enabling me to not have to think about work once I leave the office unless someone phones me.

I am the employer in this situation. The problem was that

1 - some employees do not read policies (despite some really explicit training during onboarding) and disable the password so they don't have to type it during login;

2 - apple software is hot shit and somehow filevault disabled itself on an employee laptop. I'm 100% sure that it was previously enabled. It required multiple support calls, an OS reinstall, and a full machine wipe performed at an apple store to get it re-enabled, so I believe the employee who says he didn't disable it.

Either way, I had to install an mdm to make sure that there always is a password on the machine, a lockout time, and filevault enabled. That mdm, unfortunately, gives me far more control than I want, but there's nothing I can do about that; it's a package deal. I'd prefer not to install them, but one idiot disabling passwords, even after very specific training, because it's inconvenient to type them ruined it for everyone.

Why not let go of said idiot and keep the culture as it was? Why ruin it for everybody because of one bad apple? Why punish everybody and send a sign of mistrust to everybody for one idiot?

one idiot, and one serious macos bug (re: disabling filevault)

And the answer roughly comes down to (1) it trained me out of trusting, even in a small shop; and (2) now that I know these things happen, I have to protect against them. If I abuse what the mdm gives me, I expect my employees to fire me. ie quit.

Yeah that never happened with Microsoft’s Bitlocker

what company has 470k employees?

Amazon had 647,500 as of 2018...

Well the NHS has nearly 1.5 million employees, so I guess there's a few!

My guess is that he is talking about Accenture

I’m also curious about this, I’m guessing DHL because he’s in Germany but Accenture matches up too.


I never got the BYOD thing.

My employer should provide the required tools, if not, then the work is done within the constraints of what is available.

The problem with employer-provided tools is that they sometimes barely meet the minimum requirements. Sure it gets the job done, but it’s no fun.

I’d rather buy and manage my own device, which is then powerful enough for my needs.

If your employer doesn't provide the tools you need it's time to talk to them about how much time you lose due to crappy hardware and how many hours of your salary would pay for a better machine.

From experience it's usually that the employee thinks they need the most powerful 15" Macbook pro when their job entails something like writing blog posts or running code in AWS

And from experience, those squeaky wheels get the grease and the engineers flog along with what they have because they are too busy to put the necessary amount of complaining in.

Can confirm. The ergonomic setups of some non-tech staff I've worked with has definitely out-paced myself.

But some of the differences lie in understanding how to work around constraints.

I've been putting off requesting some specific administered software removal from my own machine for months because I keep getting caught up in much more pressing work. In most cases I'm able to just work around it. In other cases, it just eats up time. But I can see the path through to a solution more clearly than any corporate wrangling.

Different budgets, different departments, different people.

In smaller or more nimble companies you or rather your line manager can influence hardware budget as an offset of your salary v productivity. Also in some larger organisations where departments/teams are more autonomous and have more slack your manager may be able to influence that.

But in many large organisations, those who decides what standardised underpowered hardware you shall have may never have even met your line manager and they can not influence that policy.

I have once worked with a client that handed out a completely hamstrung laptops with barely any memory and slow disks to all contractors. Project builds would take 30 minutes or more, and I'd watch paint dry by reading slashdot(a long time ago), jousting on chairs in the corridor etc... Plus more time lost as you don't realise instantly when the build has finished and the time to reload all the context back into your own brain's memory...

The difference in cost between a top spec machine and the one they handed out was less than the invoice cost of the lost productivity in a day or two. I was there for two years... Granted after a while I did get better and better machines but never good.

Though I no longer really work for clients that do that, and my last few contracts have been BYOD which is fine by me. As long as they provide a quality external monitor and the sit-stand desk then I'll bring my own macbook.

Which is nice in theory, but irrelevant to the employer when they can just tell you to 'work smarter' or face a PIP. Expenditure: $0. Of course the long-term cost is higher, but that's not a line-item expense.

Honestly, I've been there; coding on a single 15" screen. Eventually most employees brought in a second monitor from home.

It's a good signal, these people are cheap and are going to nickel and dime you time to move on.

People who are willing to bring their own device are helped by a few people who refuse to and just work less efficiently as a result. This puts a limit on how much surplus the employer can squeeze out of the more efficient employees as the less efficient ones set a lower floor for productivity.

Then it is time to change employer.

That’s a stupid hill to die on. Pick your employer based on important things like comp, work life balance, advancement opportunities, etc. If you have to fork over $300 to buy your own work phone then so be it, buy one and move on with your life.

Yep, move on with my life to another employer.

If the other employer pays more or works you less you should move anyway, BYOD or not. If the other employer e.g pays less then you’re an idiot to take a 5 figure paycut or work 10 extra hours a week just to avoid buying a $300 phone. BYOD policies are irrelevant in the grand scheme of career planning.

In the grand scheme of things, one should not weight only BYOD policies, but they are certainly a red herring, a sign of employers that don't give a damn.

That’s not what a red herring is, but you are correct that it is a red herring.

wouldn't the ideal be that the employee gets to pick his own tools in coordination with the employer. And the "minimum requirements" is often so short sighted, compared to what an employee costs, spending 500 or 1000 Dollar/Euro more on a proper device should be net positive given increased productivity (both from device being more productive and employee being more happy)

You're doing it on their time, not yours. If they don't want you to be productive, you don't have to be.

I very much agree. I'd still look for a different job sooner or later. My time is much too valuable to spend it on underpowered computers.

It's kind of weird that the employer wants the employee to bring their device, but don't want to trust the employee's device anyway.

Sometimes it is not about trust. It is about regulations within the industry one works/contracts in.

But if this is the case I believe strongly, that the employer must provide the necessary tooling.

Which regulation requires spyware on endpoints, and where in the text does it say that?

In Germany for example most companies in the automotive space require all contractors to conform to the [TiSAX](https://enx.com/tisax/tisax-en.html) regulations.

These state, that there needs to be proof of several data security aspects on all devices of all people working in a facility for one of these companies/clients as a contractor:

- Anti Virus software up to date - Firewall active - Harddisk encrypted - Ability to remotely lock device - Ability to remotely wipe device

To ensure that this is in place at all times on all devices one needs a programatic solution - Endpoint Management. And as this needs to be root (for remote wipe) - this could be seen as spyware (as I like to call it internally).

So yeah - there are a lot of companies/industries enforcing this. As someone above said - banking is another industry, insurance, medical and other high profile stuff with sensitive data might come to mind.

The text does not say this - but this I added just from experience. And I actually hope that someday companies like mine could go the Apple way and ensure Endpoint Management on a per user account basis. That way I could still take home my company laptop and use it privately with a different user.

What kind of anti-virus is required on a Mac? (Not debating, just curious.) I work for a FAANG on fairly sensitive projects and I’ve never heard of anyone in my org having anti-virus. FileVault, remote wipe, etc., but not anti-virus. Are their credible anti-virus systems form Mac and Linux?

Don't ask me. It is in the enrollment standard.

I strongly believe all this software only enlarges the potential attack surface.

Not sure if this "zoo" of software is more of a security theater and a legal protection to be able to tell everybody "we did all we could possibly do" in case of an attack/hack/what not.

But even if I strongly suspect my device was more secure before, I know, that lot's of less tech-savvy people will have at least some standard (encrypted SDD, and such) enforced. So I am not yet decided if in the end the net benefit is positive.

Symantec or Macfee come to mind, regardless what we might think about them.

It all about fulfilling IT and law checklists.

iOS allows remote wipe functionallity in the standard mail client. Hopefully this doesn't enable any spying... Personally, I'm happy for my employer to have this functionality (trusting them not to abuse it)... My personal data is backed to the cloud anyways, so if I lose my phone I want it to be wiped.

Lots of them. It's under reasonable and appropriate security measures.

You say spyware; I say software that guarantees there is a password, that there is a reasonable lock-out time, that encryption is enabled, etc. Leaking data because you let your most gullible employee install whatever he or she liked on their laptop and phone (eg facebooks spyware certs so they can read all your traffic) is going to get you in trouble in a hurry.

For example, CCPA. Which applies to a lot of us in 6 months.

> duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information


> You say spyware; I say software that guarantees there is a > password, that there is a reasonable lock-out time, that > encryption is enabled, etc.

I am undecided if in the end the additional software is a net positive. I am totally on your side that some basic security measures need to be enforced. And I know that this might be possible in terms of culture and processes like onboarding with a small number of employees.

And I know, that in a global corp this isn't feasible.

Non the less am I not sure that just throwing software at a basic problem of awareness really helps in the end. Esp. if the to be enforced standards like ISO 27001 are in some cases weakening the security.

I am enforced to use shorter passwords now. And I need to rotate them after a specific amount of time. I automatically have software installed (because next to security stuff we get some additional software) that does not exactly have a reputation of being secure.

So while there is light there is also quite some shadow.

If in the end this proves to be net positive. We will have to wait and see.

Any yes: I call it spyware. It has its own SSL certs, could potentially open my connections, monitors all and every connection my device makes, can (without me knowing) download any file on my device. And also can plant any file on my device without my knowledge.

As root it can add any additional functionality without my knowledge. And it does, as far as I have been told, scan any network I connect to for unmanaged devices and transmits (to quote) "a rich set of information for the located assets, including the hostname, MAC and IP addresses, device manufacturer, operating systems, open ports, applications, and historical information such as the first and last time the asset was seen on the network."

And it is not only being marketed as being compliant to GDPR, but actively helping and supporting companies to become compliant with this exact feature.

fwiw, I've done SOC-x stuff, and I talked our auditors out of requiring routine password changes. That said, we seriously invested in 2fa, with high-pri stuff protected via yubicos.

I also talked them out of requiring virus detection on our macs, but this took a lot of work to avoid trusting (most) laptops.

I can see this approach as something quite interesting. Suspect it would not work in our current environment. But we will have to see.

But also thanks a lot for the idea to do this and try that. Not sure if it works with being ISO 27001 certified - but at least one can try.

Anything in financial services and probably health requires you to secure company data.

A regulation is a specific text, not a general idea about the importance of security or the sensitivity of an industry.

This is common anywhere you work with ITAR-controlled data.

My employer offered to buy me a laptop. It was a perfectly good laptop in most respects, but I turned it down because I didn’t like the keyboard.

> Buying a cheap extra work phone and carrying two phones is not that big a burden. Plus you can turn off the work phone during personal time, and turn off the personal phone during work.

They (the company) better be the ones buying it. You shouldn’t have to pay to give your employer the ability to contact you outside of normal work hours.

> They (the company) better be the ones buying it.

In which case it's not really BYOD anymore. :)

Why buy a phone for your employer surly its up to them to provide the right equipment.

People seem to forget companies want to use BYOD because it saves them money. They don't have to pay for a phone for you to use, you've paid for it yourself.

It isn't just saving money: in the case of phones it is keeping you in easy contact. Having Teams/Slack/other on your phone so it will beep you when the company has a problem you could look at. A good company will be flexible in reverse so you can take that bit of time back when you need to, but many are not this decent so you are giving them your attention/time/effort for free.

The company could provide a device for that of course, but people often don't want that or it isn't reliable: they don't want an extra device to carry around, they don't remember to keep it charged, they forget to take it with them far more often than their own phone, ... So as well as the cost aspect BYOD can make thing more convenient in other ways.

I have done this as well, it definitely helps you sleep better. It also prevents work from intruding on personal time, as long as you're not on call--just leave the work device at home.

It's also worthwhile to set up a separate home LAN for work stuff. This not only protects you, but it also ensures that work data is kept away from roommates, guests, etc. Prosumer-level routers and access points like Ubiquiti can broadcast multiple SSIDs and tag traffic on each with a different VLAN. Not at all hard to set up and definitely worth the peace of mind.

Most people I know don’t want to carry two devices, nor do I want to switch from iOS to Android or vice versa. All I really want is to be able to do my emails and calendars on my iPhone using the tools I already use without my employer having access to my phone. If this lets me do that, then I’m all for it.

If you need it for work and are not an independent contractor then should pay for it.


BYOD are a cost cutting measure by the office, but if you buy a second device then the cost isn't cut, it's transfered. To you. So congratulations on your pay decrease.

>An obvious solution is to carry two devices: one for work, on which the company can install whatever corporate spyware they want, and one for personal use.

I've lived under both regimes, and definitely preferred the multiple device one. It had its moments of inconvenience, but I loved putting the work phone in a drawer on Friday night and leaving it there until Monday morning.

It is a burden however, and one that isn't necessary if your company has a sane BYOD policy that protects them while not being too invasive.

The reality is, convenience wins again here. I, for one, don't give a shit what control my company has over my phone. Not only has nothing ever happened as a result of me using a BYOD policy, the overall rate in the industry seems acceptably low too.

I only have 24 hours in my day, I can't be worrying about things that aren't likely to effect me in any material way. I simply don't have time.

That policy relates to your whole working career. If you somehow managed to violate the policy you will deal with the people who have the power and/or duty to enforce this policy.

What do you consider an acceptably low rate, and what is the actual rate? I hear stories all the time about companies that are tracking their employees' GPS locations. Many of the stories involve people getting fired.

Literally no you don't.

What happens more often: car accidents due to speeding or people being fired because their company tracks where they are and doesn't approve? Do you still speed?

The burden of having two devices seems lower than the burden of having to separate work from private life on a single device.

It's not, by far.

But then how can we install the right certificates for the enterprise ssl man in the middle proxy? Which we obviously need to check your traffic for viruses and we definitely don’t log anything that will ever leak! Besides, if you aren’t doing anything wrong, why do you have so much to hide anyway? /s

I just read through the list of profiles that my employer installed on the device, decided they were not invasive and then started using it as my normal phone.

This is nice and all, but I really wish that Apple would allow some real multi-account functionality. Especially for iPads, but also for iPhones.

When I hand my phone to my kids to play a game, I don't want them to have access to my email / text messages / contacts etc.

It's ridiculous that a 1000€ device is restricted to single user mode.

It's even worse for iPads -- they are perfect devices for sharing in the family, but only a single person can use them for Email / iMessage / Whatsapp / Facetime / ...

But I don't have any hopes that Apple will fix this. They want everyone in the family to own their own set of iDevices.

The function is there, just not enabled for end users. Enterprise and Education can use multi user switching on iPads, plus a whole lot more.

Doesn't that work by deleting your profile and downloading the new one? It doesn't save the profiles on-device like desktop computers.

You don't need multiaccount functionality for the use case you describe, just app pinning.

Of course, Android has both.

"App Pinning" sounds like it's similar to "Guided Access" which has been available on the iPhone forever. That is not what I want. My kids are old enough to navigate the phone on their own, and they use multiple apps.

I just want Face ID to recognize that it's my kid, and not show them notifications for my work related stuff, and just let them play Minecraft and Monument Valley or whatever they want.

But Apple wants you to buy your kids their own devices.

True, but it's also a pretty obnoxious form of nickle and diming for a company selling $1,000+ iPhones, and well worth complaining about.

It’s also yet another way that locked-down devices allow manufacturers to advance their interests at the expense of consumers. There’s a Jailbreak tweak that enables multiple profiles...

They also sell $200 iPod touches.

This is a welcome step. I moved (back) to iPhone recently and one thing I miss from Android is Work Profiles that can be turned on and off and act as pretty much a separated user. It sounds like this is slightly more limited than that, but it’s a good start. At least being able to easily turn work stuff off on the weekend is a huge deal for work life balance (and I feel a bit uncomfortable when my work stuff is effectively not isolated from my personal stuff.)

> This is a welcome step. I moved (back) to iPhone recently and one thing I miss from Android is Work Profiles that can be turned on and off and act as pretty much a separated user. It sounds like this is slightly more limited than that, but it’s a good start. At least being able to easily turn work stuff off on the weekend is a huge deal for work life balance (and I feel a bit uncomfortable when my work stuff is effectively not isolated from my personal stuff.)

Did Android do away with work profiles recently? I used to have one and then following an update from the Enterprise, the apps were commingled and there was no way to explicitly "turn off work".

I'm using Android (Pixel 3), and the work profile works for me. IMO it is much better than having to carry two phones.

Is it something different than just a separate local account?

They allow your workplace to remotely administer your work account without giving them full control over your whole device.

> Apple also noted that one of the big reasons users fear corporate BYOD programs is because they think the IT admin will erase their entire device when the enrollment ends — including their personal apps and data.

Yes. This is a true thing that users fear. It tends to happen because they're using phones that don't allow any more constrained option.

It's nice to see iOS catching up with Android in this.

I've had InTune and also some VMWare device management installed on my device in the past, and during installation you do get a warning that your admins will be able to delete everything on your device.

It kind of makes sense for them to do that if your device is stolen, but I still just don't like handing over control of my device like that.

They typically also enforce other annoying policies, such as not allowing rooted devices, not allowing swipe patterns and requiring a PIN/password. The VMWare one even required that all browsing went through their shitty browser app (and presumably they got all my history).

Again, some of this makes sense from an enterprise point of view, but as a user it's annoying and feels invasive.

Oh, it definitely feels annoying and invasive. Without sandboxing, the options are invasive MDM (because that's the only kind possible) and no MDM at all.

I once watched an employer go from unwilling to adopt MDM to requiring it for accessing substantive systems on personal devices. The CEO lost his phone, and suddenly appreciated what MDM was good for.

Users were given a choice: MDM, sandboxed if they had a device with modern technology, or no significant access on personal devices. A lot of users had phones that didn't offer sandboxing, so myself and several others found ourselves explaining quite often that there literally was no option available where remote wipe wasn't possible. If they didn't like that, well, they didn't actually need access from their phones, so...

Anyway. I'm quite glad Apple is starting to actually catch up a bit.

I didn't read TFA fully but I suppose from your quote, what they didn't say was what corporate IT fears.

I don't know how many corps care about this, but when I did that kind of job, I refuse to have my corp have access to a user's personal data, and be able to brick their personal device, etc. It's not acceptable from a privacy POV and not acceptable from an employee backlash POV. Anyway it was an easy choice because we never had sensitive data that could make it to a phone/tablet. In an environment more like that, I would probably have instituted some kind of privacy waiver that an employee would have to sign in order to BYOD (apple brand). That probably wouldn't fly today, in europe. GDPR and all that.

In addition, customers are starting to require their vendors who have access to their data institute MDM. So it's increasingly MDM or two separate devices.

The requirements I've read (obvi not comprehensive superset) all require this only for, as you say, access to their data. If you're not accessing the customer data via mobile device, you don't need MDM.

I say my view of it isn't comprehensive, but a requirement that all devices be under MDM even if those devices don't have access to customer data, is quite an overreach.

That may be, but at many companies, many if not the majority of their employees are going to have access to some information that their customers consider confidential. As a result, it's easier to have a blanket policy.

Given the general situation with data breaches and so forth, I wouldn't be shocked if, down the road, more and more companies decide that there's just too much risk with BYOD and require employees to use locked-down company-provided devices.

Agree, it's easier for the company to have a blanket policy. And most companies will do that because, ain't nobody got time for [being overly competent]. But what I said was that the actual requirement given to vendors is, in my limited experience, written to apply only for access to customer data. That is, it is the implementation that is overly broad, not the requirement being passed down.

I am not a wealthy man but there is no way I'd sign up for using any of my employer's comms infrastructure for personal use or use any of my personal equipment for business use.

I don't live to work and there's no reason to hand over any more info about my personal life than necessary.

It feels like an over engineered solution for a simple problem. If Apple were instead to add multi-users support to iOS then it would be as simple as having a work identity with dedicated apps and segregated data, and a personal identity as such, invisible to IT.

The problem is that most MDM solutions want to take over your device. At my employer, the MDM solution literally takes over your entire device. I've installed the solution on an iPhone, and a Samsung Galaxy S8 (with and without Knox) with the same result. Unfortunately, the result is I carry two phones instead of one.

I think Apple's solution to the problem might work. As long as the companies data is separate from mine, what I do on my phone is private, and basic functionality like screenshots are available on my phone, the solution looks good to me.

> I think Apple's solution to the problem might work.

It might. As long as IT/Security can be convinced that it fulfills their goals. That doesn't seem like a sure thing.

Such a "solution" would be a PITA. I for one am using my phone many times during a work day for personal stuff (e.g. messaging with my wife), and I am also often using it for work stuff in my free time (e.g. replying to email from my boss). I would go insane if I had to switch profiles every other time I had to do accomplish simple task in my phone.

> Using the per-app VPN feature, traffic from the Mail, Contacts and Calendars built-in apps will only go through the VPN if the domains match that of the business.

Shame that Apple doesn't take this one step further and do it system-wide.

They will eventually, like they always do. They start with in house apps effectively to prove out the process, then publish the updated APIs required to use the functionality.

Other examples: App Store itself, Siri, cross-app sharing... it always starts with just-Apple-apps before expanding.

If you mean you want a VPN to auto-connect when certain domains are used, I'm pretty sure this feature already exists since at least iOS 8.

See https://developer.apple.com/business/documentation/Configura... and go to page 95, where it describes the OnDemandRules key for VPN configuration, which supports matching criteria based on domain names, SSID, interface type, and server reachability.

EDIT: I misunderstood. The point is not to get the VPN to auto-connect, but to use the VPN for only certain domains.

This should also be possible AFAIK, though I haven't put it into practice: https://developer.apple.com/documentation/networkextension/n...

Given their commitment to privacy as a selling point, it would be nice if Apple provided an integrated VPN service (say included with the upper iCloud tiers). For now I’m on the waitlist for Cloudflare’s offering - their DNS works fantastic.

VPN's are not a privacy panacea. Hiding your internet traffic from e.g. your ISP comes at the cost of divulging it to the VPN provider. Apple has been very clear that they don't want to be in a position where they would have to turn over sensitive information about their users to authorities, a position they can avoid by not providing such a service.

I doubt if Apple would start a VPN service. Even if it did, it’d have restrictions, like not allowing the user to break out of their geography since that could allow users to violate policies of content sellers on Apple’s store and also any geographical content segregation that Apple may do for its own shows and movies in the future.

I’d use it but it prevents me using a Pihole (via VPN). The Pihole points at Cloudflare though, so they get me either way.

Wish they would enable per-app VPNs without MDM, e.g. with a profile generated by Apple Configurator or open-source tool.

Per-site VPNs are possible in Safari, which is a poor approximation that keeps the VPN active (consuming battery) as long as Safari is active.

Will Apple employees will be allowed to use this program? They're notoriously paranoid about maintaining secrets. Wonder if their IT department would give up the control.

I worked for Apple about 5 years ago, and there almost everyone I interacted with carried an Apple-owned iPhone that was specially setup for running internal in-development software. This was Apple's way of getting those builds tested by a large number of people before they went out.

There were a few (software) restrictions placed on the devices, namely that you had to have password lock turned on, and a password complexity policy. But after that they really did not interfere at all. When I left I reset that phone myself, and then bought a new iPhone and used the backup (not including OS) of that phone off of iCloud (of course minus the Apple email account they just turned off, and a couple of Apple-only apps I was using).

Other than some basic access controls on systems (especially around iOS sources), and a lot of prototype-asset-tracking (I ran a lab with a lot of that), Apple really does trust their developers to do the right thing. If they trust you to have the information, then they trust you not to share it without a lot of big-brother monitoring.

And there really is very little in the way of an IT department at Apple as you would normally think of it. They provided the network and the printers, but setting up your own computer was usually up to you and whatever help you got from your team (who really were the ones who knew what you needed for resources).

I've experienced law enforcement raiding offices and confiscating technology for evidence collection. They will return the devices but not for years. I don't want anything work related on my personal device.

BYOD is also a driver for dual sim phones, which Apple has finally introduced (they have been common in China for some time). When Apple announced them the us press discussion was all about international travel.


it's a thrice-removed description, but at a surface level it sounds better than android profiles, at least for work/home device sharing.

for sharing with family members (parents/kids, eg) it doesn't sound so awesome. hey, if it means kids have to have their own tablet, well more power to apple then!

I wonder if this lays the groundwork for multiuser support in iPadOS at least?

Groundwork has been there for years, called 'Shared iPad' - but its for Education use only... Via an enterprise or education MDM solution you can restrict and configure the iPad in many, many different ways; again, its not for the consumer.

Apple is the only major player moving in the right direction when it comes to privacy. I'm so glad we have them!

I could be mistaken, but I think this is a somewhat weaker version of Android for Work, which shipped about two years ago, I believe (couldn't find the exact date). Perhaps Apple is doing something that AfW isn't already doing, but it's hard to tell from this article, which doesn't mention AfW at all.

I'm not sure of the differences between AfW and this either but I don't think it matters in the big picture. Instead, I see this as just one step in many that Apple has taken in designing their products around user privacy, when possible.

Ah, so this is why they killed all the other MDM based school management apps. Well played Apple.

As someone who has managed 10k endpoints, BYOD is a very niche solution. The security threats that any company with data worth stealing has is non-trivial. Those folk in this thread moaning about corporate spyware, are living on another planet. Nobody has the resources, or the motivation to spy on anyone. When Oracle, Adobe and Microsoft come a knocking, knowing what is installed and being able to uninstall it save a $1 million, easy.

There is some motivation. Imagine you're Tim Apple and you wake up one day to find The Verge has a front page story detailing all of your secret Apple Car technical details and plans through 2022 courtesy of a "source with firsthand knowledge of the project". I don't doubt for a minute that Apple has a corporate security team with the empowerment and resources to dig through employees' personal iMessages to find the leaker.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact