Hey Siri: How does Apple MDM keep you from accessing corporate data?

We looked at Alexa for Business management a few weeks back, and to follow up, we thought we’d review the other major digital assistants and how to manage them in the enterprise.

With Apple’s Worldwide Developers Conference now over, let’s take a look at Siri and the current Apple MDM options available. How easy is it for those in the enterprise to restrict or prevent access Siri to ensure it’s not a weak point in your security plan? How do you make sure the digital assistant can only access non-sensitive data on your employee’s device?

Turns out, it’s very easy to keep Siri managed, thanks to Apple’s iOS MDM protocol, which is supported by basically every third-party EMM solution on the market. So, what restrictions are currently available for Siri?

With MDM, admins can:

• Allow or Disable Siri
• Allow or Disable Siri access from the lock screen
• Allow or Disable Siri Suggestions

If the device is placed in supervised mode, admins can also:

• Allow or Disable Siri access to user-generated content (e.g., Wikipedia)
• Enable Siri profanity filter (disabled by default)

The above restrictions will change next year, though. At WWDC 2018, Apple announced that starting sometime in 2019, all Siri management capabilities will require devices be in supervised mode. For those who don’t know, enabling supervised mode gives organizations greater control over devices, managing what users can see, access, and do; this feature is for institutional devices, not BYOD.

Some companies might want to disable Siri access from the lock screen; but it’s good to know that Siri already has limited access in general from the lock screen. With my own testing, I could get the voice assistant to provide simple information queries (i.e., “what’s the weather?”) and read out texts (and allowing me a chance to send a reply), but trying to access Settings or the Mail app required that I unlock the device before it could complete my request.

Apple MDM has additional restrictions that allow companies to further control what data is accessible when the device is locked, such as preventing Control Center, Notifications, or Passbook access and the Today view, making it even more difficult for just anyone to get access to sensitive info.

For companies with BYOD policies and worried about Siri access to email, one way to get around that is to require users to access company email from third-party mail apps. Siri can read email (when unlocked anyway) from Apple Mail, but as of iOS 11, not from third-party apps like Outlook, Citrix Secure Mail, VMware Boxer, and other email clients. iOS 12 Siri Shortcuts will bring new options, but app developers could choose to add enterprise controls around these, as well.

When we were discussing this topic, Jack suggested that another thing that Apple could potentially do would be to create a Siri restriction that only applies to MDM-managed apps and accounts, similar to “managed open in.” However, as he wrote on Monday, Apple doesn’t seem to be headed in that direction yet.

Anyway, that’s pretty much it—it’s fairly straightforward to keep Siri on lock down with the Apple MDM protocol. While Amazon is trying to get Alexa onto every device they can and that opens its own can of EMM worms, Siri’s device-centric nature makes it easier to control with existing tools.