
Apple’s stance on end-user privacy is well known at this point. What might be less well known is that this commitment extends to end users who use Apple products at work. Your personal data on an Apple device that is also used for work gets the same protection. This week, I want to look at how Apple’s Enterprise Privacy ensures employees know which data their company IT teams can and cannot access.

About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Drawing on his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, hundreds of Macs, and hundreds of iPads, Bradley will highlight the ways Apple IT managers deploy Apple devices, build networks to support them, and train users, share stories from the trenches of IT management, and suggest ways Apple could improve its products for IT departments.

Here’s what Apple says on their website about privacy.

Apple products and features include innovative privacy technologies that minimize how much data they – or your IT department – can access. The latest versions of iOS and macOS include powerful security features to help keep your personal information safe. 

Privacy is a fundamental human right. It’s also one of our core values. Which is why we design our products and services to protect it. That’s the kind of innovation we believe in.

iMessage Encryption

iMessage and FaceTime are designed so that no one can read your conversations – not even Apple. You can choose to automatically delete messages from devices after 30 days or a year, or keep them on indefinitely if you want. The only way your IT department could have access to your iMessage on your Mac is if they install remote access programs and physically screen share while you’re using iMessage. There is no device management functionality to monitor iMessage for particular words, upload content from a device, or view media sent and received. 

In addition, Apple doesn’t store your messages on its servers in a way that the company can view. When you send or receive a message, it’s encrypted and sent directly from one device to another. The company can’t read what passes between two devices that use iMessage.

iMessage encryption is end-to-end, which means that only the sender and receiver can access the content of messages. This also means Apple cannot decrypt messages for law enforcement or other third parties.

iCloud Photos

You can sync the Photos library on your work Mac to iCloud Photos. Photo data, like location information or albums organized by place, may be shared between your devices with iCloud Photos enabled, but it’s encrypted in transit. As with iMessage, the only way your IT department could access it is by remotely controlling your Mac.

User Enrollment for BYOD

Apple’s User Enrollment feature allows employees to protect their privacy while IT keeps corporate data safe. It’s ideal for situations where employees want to securely access work data on a personal device. Behind the scenes, a separate volume keeps everyone’s managed data cryptographically separated – including the iCloud Drive account tied to each employee’s Managed Apple ID.

Although IT can manage a subset of configurations and policies, the device blocks certain management tasks, such as completely wiping a personal device. Employees can use their own devices for work, with a personal Apple ID for their own data and a Managed Apple ID for company data. The two accounts remain separate, protecting everyone’s privacy.

What can IT look at with User Enrollment?

I think asking what IT can look at is the wrong question. The bigger question is what IT is not permitted to do. With User Enrollment, IT cannot access personal information, see which personal apps you have installed, remove personal data, collect logs, access location information, remotely wipe the device, install managed versions of personal apps, or screen share the device.

IT can enforce certain restrictions, install managed apps, manage accounts, require a passcode, configure per-app VPN, and remove work information and apps remotely. 

Wrap up on Apple Enterprise Privacy

By understanding how Apple thinks about privacy, you can see why they’ve designed the systems they have. When you use a personal device for work, your IT team cannot completely take over this device. Obviously, a work-owned Mac or work-owned iOS device gives IT more control, but Apple’s MDM APIs don’t allow an IT team to access your personal iCloud data at any time.

Apple’s commitment to end-user privacy in the enterprise should be commended. Personal data should always remain private – even on work devices.