
I'm curious, are these

1. Devices owned by Amazon, for work

2. Personal devices with the amazon email added directly

3. Personal devices with amazon email added on Work profile

Could not find this info in the articles or tweet.



AMZN employee here - In my case, it's (3)


Assuming you get somehow reimbursed, like at some companies that don't have corp-issued phones?


Yes we have cell reimbursement


They're devices that are under Amazon's MDM. So if the device was enrolled with their MDM then it applies.



Right, but on Android at least, you can either have the whole device be under MDM (#2) or just a work profile (#3). In the latter, if your sysadmin decides to wipe your device, it only wipes your Work profile and not your entire phone, from my understanding. Is that not correct?

My assumption was that any apps installed on the personal partition were off limits for the MDM.


They might still require you to comply voluntarily (and be on your own if you lie).


iOS has this too, it's just that your company has to use it. And many don't…


I'm surprised devices enrolled in their MDM would have EVER allowed TikTok in the first place.


Believe me - a lot of companies roll MDM just to be able to remotely wipe the device in case it gets lost.

A lot of them do not block apps (or remove them).


We use MDM for a lot more than that, though we don't block any apps. And it isn't all about security either.

Some of the things

- Auto app installs: We have a lot of apps people need for work, like the VPN, Outlook, Teams etc. And apps they need for their specific location or job role. The MDM takes care of installing those so the user doesn't have to figure all this out.

- Autoconfiguration: There's a facility called AppConfig where you can push config settings to apps that support it, making things easier on the end user.

- Network (and other settings) configuration: Pushing all the certs people need to connect to our wifi. And we push Per-app-vpn settings for the apps that need it.

- Security validation: Do people have outdated company apps or an outdated OS? Do they have the security app (Lookout)?

- Security settings management: Make sure people have their phone encrypted and a pincode set so important data is not lost in a taxi.

In fact wiping is one of the things that happens very rarely. Especially as we enforce encryption and a decent PIN, it's not as much of an issue anymore to wipe a phone as soon as we can. A lot of users get hung up over our ability to do this, but on Android we can only wipe the work profile anyway (and even on Apple we don't normally wipe the whole device, just the company apps). Unless they call us and ask us to wipe it because they lost it :P But a lot of them seem to think we're just sitting there all day wiping phones for fun.


Tangential: Does Lookout actually do anything nowadays? Last I checked a few years back, it just scanned package names against a list of known malware


Can one do this as an individual as well?


If you have an Apple device enrolled in Find My you can remote wipe it.


Cisco had their Meraki MDM free for small numbers of devices, but that was a while ago and I'm not sure if they still offer it. It was only compatible with, I believe, Samsung phones, as they had the best hardware security built in (KNOX?). Apple phones required (still do?) a Mac in order to deploy specific certificates to devices to enrol them in MDM as well.


These days Android MDM has changed a lot.

In the 'old' days, there was an app called device admin which would control the phone. This app would be supplied by the MDM vendor. This could leverage APIs from various vendors. Samsung had Knox but almost every phone vendor had their own plugin.

This was a huge PITA because each MDM feature only worked on manufacturers A and B and very often was limited to OS versions Y and Z. It meant we had to validate each phone and OS version and have a long list of what phones people could and couldn't use. It was a nightmare as an admin. Users hated it because they often only found out after they'd bought the phone. Samsung was indeed one of the best here, I have to agree.

Since then Google has thrown this overboard and started afresh with Android Enterprise. Controlled only by Google, and offering new ways of management like the work profile which is basically a kind of "phone inside a phone". Have your work profile managed by work and the rest of your phone to yourself.

For company-owned phones they also still have more comprehensive management options like COBO and COPE. But as long as the phone supports Android Enterprise, it supports everything.

Sadly some vendors in particular Samsung are fighting this approach because they feel they have invested too much in the old method. For example Samsung won't support Google Zero Touch auto-enrolment, having instead their own alternative Knox Mobile Enrolment. This is again making things more difficult for admins. But because Samsung is such a big party, and KME is free, we have gone for it anyway (Also Google Zero Touch is not available very widely yet, each reseller has to support it)

As an Admin I'm glad to see the end of the old management model. It's deprecated as of Android 11 (and already severely limited in 10) but we've already dropped it altogether.

And no, for managing Apple phones you don't need a Mac. You only need one for manual installation of management profiles; if you use an MDM you don't need it.

However if you want to manually supervise phones (instead of using Apple DEP / or Automated Device Enrolment as they call it now), you do need one. But this is really rare now.


For iOS you can use Apple Configurator for profile-based MDM. For remote management you need a server-based solution, and I believe there's an open-source implementation of that out there.


Yep it's called MicroMDM.

https://micromdm.io/

Only supports Apple though! Not Android.


There’s a handful of others, including some that support both platforms


Oh which? I haven't heard of others, MicroMDM is fairly common, even used by some smaller companies.

I'm always interested as it's my work so I'll probably give them a spin.


Here’s a couple, but there’s more...

Android only:

https://github.com/h-mdm

Apple only:

https://github.com/cmdmnt/commandment

Both:

https://github.com/flyve-mdm


Thanks, I definitely will look into those!

I've been using Intune at home because I use it at work too and I already had a personal O365 setup. It was nice to have a fully owned instance when I was learning it, but I'm trying to scale back my costs now so something like this might just suffice.


Is this any different from the Find My Apple Stuff feature on modern iDevices? One of the options is remote wiping. I assume Android has a similar feature.


A lot of companies with MDM have it just because they need to check a box saying they have it, and so that they can remote wipe and make sure users put a PIN on their device at least. Extra capabilities like authorized software lists, URL filtering, etc add admin overhead and are just not worth it for the company to get into.


I don't think any mid-large company allows 2 anymore. Access to company resources always comes with an MDM policy.


I don't get why people are OK with a company being able to wipe a personal device on a whim. If you want full control of my mobile, then provide a mobile.


In Work Profile mode they absolutely can't do that. They can only remove the work profile side and all apps and data contained therein. Not the personal side.

Of course most companies provide phones, but many users prefer to use their own, both for the benefit of having to carry only one, and because they have more choice.

Another big benefit of work profile is that you can switch all work stuff and notifications off with one click! I really like it overall, it gives great separation.


Many companies make MDM mandatory and refuse to pay for a phone. Most people will just comply rather than have _no mobile access_ to their work email at all (which will cause conflict with managers, and may even lose you a job)


Many companies do provide a mobile, but then your choice is to carry 2 devices, or let your company control the only device you carry and use all day for personal communication. I chose the former but even that’s not ideal


My understanding is that they can only wipe the work profile. Is that not true? (Android).


In work profile mode this is absolutely correct.

In other modes (COBO, COPE) it's not but those are much more difficult to enrol, as you have to do it from the setup wizard on a new phone or after a factory reset. So you don't happen to get into this mode by accident. They're only used for company owned phones (this is what the CO part stands for).
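A way to check which of these modes a device is actually in, rather than taking the admin's word for it, as an added example that is not from any commenter in this thread: a POSIX sh function that classifies the output of `adb shell dumpsys device_policy`. The sample dumps below are constructed and abridged, and the "Device Owner:" / "Profile Owner (User N):" line format is an assumption about what DevicePolicyManagerService prints on recent Android releases; the dump format is not a stable API, so confirm it on your OS version first.

```shell
#!/bin/sh
# Added example, not from any comment in this thread: classify an Android
# device's management mode from the output of `adb shell dumpsys device_policy`.
# Assumption: the dump prints "Device Owner:" when a device owner is set and
# "Profile Owner (User N):" for each profile owner, as DevicePolicyManagerService
# does on recent releases. The dump format is not a stable API; check it on your
# OS version before relying on this.
#
# Modes reported:
#   fully-managed  a device owner is set (COBO, or pre-Android 11 COPE);
#                  the admin's wipeData() can factory reset the whole device
#   work-profile   only a profile owner on a secondary user; wipeData() from
#                  there removes that profile, not the personal side
#   unmanaged      neither is present
# Caveat: Android 11+ COPE has no device owner but an "organization-owned"
# profile owner with extra powers (including a device wipe); this script
# reports that case as work-profile, so treat the result as a first check.

classify_mgmt() {
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q '^[[:space:]]*Device Owner:'; then
        echo fully-managed
    elif printf '%s\n' "$dump" | grep -q '^[[:space:]]*Profile Owner (User [1-9][0-9]*):'; then
        echo work-profile
    else
        echo unmanaged
    fi
}

# Constructed sample dumps (abridged), not captured from a real device.
SAMPLE_WORK_PROFILE='Current Device Policy Manager state:
  Profile Owner (User 10):
    admin=ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}
    package=com.example.mdm'

SAMPLE_FULLY_MANAGED='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}
    package=com.example.mdm
  Profile Owner (User 10):
    admin=ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}'

SAMPLE_UNMANAGED='Current Device Policy Manager state:
  Immutable state:
    mHasFeature=true'

# Run against the samples; against a real device use:
#   adb shell dumpsys device_policy | classify_mgmt
for s in "$SAMPLE_WORK_PROFILE" "$SAMPLE_FULLY_MANAGED" "$SAMPLE_UNMANAGED"; do
    printf '%s\n' "$s" | classify_mgmt
done
```

The ordering matters: a fully managed device can also carry a work profile (the pre-Android 11 COPE layout), so the device owner check has to come first, otherwise such a device would be misreported as work-profile-only. The user id pattern deliberately excludes user 0, since a profile owner on the primary user is not a work profile.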


If you're using the Android MDM thing on a personal device it only wipes the work profile.


Everything on my phone is automatically backed up. Whether I would accept the tradeoff of them being able to remotely wipe my phone or wanting to carry two devices is up in the air.


You are wrong to think that. I wish I could name the companies.


I know some. And I know others with MDM - but without policies regarding installation of apps.


I think #2 can require MDM still, but one lets them control the entire device, whereas #3 limits them to a section of your phone dedicated to work.



