The most frequent questions during my training sessions revolve around device privacy, often pertaining to supervised devices. A supervised device is one that a company or institution provides to employees and over which they exert a certain degree of control, from remotely installing updates to enforcing the use of a specific corporate email service, or even preventing, for instance, students from using their iPad to download games.
When a company or school has hundreds or thousands of devices “borrowed” It is natural that you want to be able to manage them, locate them, update them, and generally ensure that they function properly in the environment for which they are intended to be used. In the same way, it is natural that users of these devices have questions about the privacy of their data.
What is an MDM device?
An MDM device is a device enrolled in what we call Mobile Device Management or Mobile Device Management. It’s a platform that Apple provides to a company or institution’s technical team to manage the various enrolled devices. This enables actions to be taken on all of them at once without the need to physically intervene on each one individually.
Supervised or unsupervised
The first step, before starting, is to determine whether the device enrolled in the MDM is supervised or not. Identifying a supervised device is quite simple. When we enter the Settings app, at the top, the following message appears: ‘This iPhone is supervised and managed by [X].’ It’s important to note that by default, devices are not enrolled as supervised. Additionally, if it’s not supervised, it needs to be completely erased and reconfigured from scratch to become supervised.
And why is supervision used? Because it gives the company or institution greater control over its devices. With supervision, administrators can, for example, prevent the use of AirDrop, avoid purchases through the App Store, update applications, or filter the use of Safari.
If the device in question is supervised, we will open Settings > General > Device Management to see exactly what changes (compared to the factory settings) the company has made. Although a supervised device is much more accessible to the company’s technical team, in both cases, this access is not to the data but to the ability to restrict what we can do with the device.
Can my company track my location?
The top question for users of a corporate iPhone. Your response has three parts:
- If we connect to the company’s Wi-Fi, the IT department can know that we’ve done so and from which access point.
- If the company has device tracking capabilities through mobile networks, similar to telecommunications companies, they can locate the device when it’s not in Airplane Mode.
- Access to the exact location is only possible when the device is in Lost Mode (and becomes unusable), and this can only be done on supervised devices, similar to what we would do with the Find My app.
Can my company read my iMessages?
No, SMS and iMessage content are never visible to anyone at any time. What can be seen is the number of messages sent or received, but never to whom they’re sent or the content itself. It’s worth noting that SMS messages (not iMessage) can be obtained through the service provider, but this is beyond Apple or the Messages app.
Message usage, on the other hand, can be completely disabled. Also, it’s important to note that if the company requests the device and unlocks it, they will see sent messages, but never remotely.
Can my company see my photos from the Photos app?
Similar to iMessage, there isn’t any MDM protocol to view, modify, or delete any photos from the Photos app (including photos in iCloud). The technical department can only see how many photos the device contains or deactivate functions like iCloud Photos (useful when using a free Apple ID with a 5GB storage limit).
Let’s bear in mind that third-party apps requesting access to Photos have free access to all the content, including their locations, and can use them as they wish.
Can my company read the emails from my personal account?
Whether we use Safari or the Mail app to access our email, the technical department can know that we’ve accessed it, but they cannot read what we’ve sent or received. In the case of the Mail app, we might find the option to add personal accounts restricted.
Can my company remotely control my device?
In iOS or iPadOS, no. On Mac, there are some control options, but always with prior notice that the device is being controlled remotely. For Macs, the tech department can use some more aggressive tools to control the machine. Apple doesn’t provide any official API for this. As a general rule, if the Mac belongs to us, we should never allow anything to be installed other than an MDM profile.
Can my company see my browsing history?
Using MDM, no. It can only prevent access to certain web pages. On the other hand, it can enforce the use of a corporate VPN that can monitor traffic from the company’s network.
More privacy than it might seem
MDM tools are used to configure and manage the device, not to control it, much less access the data it contains. Apple has always cared for and continues to care for user privacy, and the design of its MDM tools is proof of this.
In the case of iOS, MDM policies are strict because the ecosystem is more closed. On Mac, the ability to install any application or make modifications to the system allows for the use of unofficial tools that do not follow Apple’s privacy policies.
Let’s remember to remove all personal accounts we might have logged into before handing the device to the technical department for repair or return. Once done, considering everything we’ve discussed, we can be at ease because we have much more privacy than it might seem.