Marry MDM and Managed Open In for better iOS data security

Mobile device management just isn't enough anymore for some enterprises. Apple's open-in management feature can provide an extra layer of app security on iOS devices.

Apple's Managed Open In helps IT safely enable more than just email and intranet access on users' personal mobile devices, but it's best used in conjunction with mobile device management.

Employees want remote access to company data, but how can IT ensure security while still providing the information workers need to be productive? Managed Open In, a mobile application management feature introduced in iOS 7, can restrict the flow of corporate data on iOS devices to only apps that are under IT control. Admins can prevent users from opening data from an IT-managed app in an unmanaged app, and vice versa.

Still, IT should only consider Managed Open In as one piece of an iOS data security strategy. There's a joke among IT folks that nine out of 10 employees will admit to sending corporate content to an unmanaged app in order to get their job done; the tenth is wise enough not to admit it. That's why IT needs mobile device management (MDM) to get the most out of Managed Open In for iOS mobile application management (MAM). By setting rules for managed and unmanaged apps on MDM-enrolled devices, IT can provide more complete security coverage of both apps and devices.

Why you need MDM, too

Companies today want their employees to get their job done in a timely fashion no matter where they are located. With the best of intentions, workers circumvent policy and send content to a place that they know they can complete the work. Without MDM, employees can easily email company data from their work desktop or laptop to their personal email address and then open, edit and share the content with other applications on their mobile device. This is a huge policy violation and introduces significant risk of losing sensitive corporate material.

Managed Open In is not equivalent to MAM methods such as containerization.

There are two ways to mitigate such a risk. The first is to lock down the content in every way possible and to not allow personal devices to access the corporate network. That strategy doesn't work. Employees will always find a way around policies when they need to complete an assignment.

The second method is to embrace what MDM can do for you. Use an MDM tool to enforce data security policies such as requiring data encryption, restricting the use of specific APIs, and denying network access to older versions of iOS. A quality MDM product can allow or deny access to the corporate network and content by user and/or mobile device. It should also encrypt content and data in transit to the mobile device, and then validate and enforce that the content is encrypted while at rest on the device.

From there, provide employees with IT-approved mobile apps that allow them to view, edit and create work-related content on mobile devices. Using MDM will help you accomplish this in a manner that guarantees both data protection and control.

Where open-in management fits in

IT can use MDM to set rules for which apps employees can use to access corporate content. In coordination with Managed Open In, admins can whitelist managed apps that they will control and secure and blacklist apps they view as risky on MDM-enrolled devices. When an employee wants to access content from a corporate email or network, for instance, the Open-In management feature will show that only enterprise-approved applications are available. IT can also add iOS security mandates and features such as encryption on those approved, managed apps.

Managed Open In does have some holes, though. For example, IT will need to find another way to prevent users from transferring corporate content through sharing features such as Apple's AirDrop. Managed Open In only restricts sharing between managed and unmanaged apps, so it is not equivalent to MAM methods such as containerization that put a security barrier between work and personal profiles.

By using a combination of MDM and Managed Open In for iOS management, organizations can allow employees to be productive on their iOS devices within the guidelines of the IT's policies. The end result is a productive workforce and a much lower risk of intellectual property loss.

Next Steps

How Managed Open In secures iOS data

New iOS MAM additions focus on data

Three iOS enterprise features IT still needs

Dig Deeper on EMM tools | Enterprise mobility management technology