Open-in management, a security feature Apple debuted in iOS 7, gives IT more control over data accessed by iOS apps.
As employers strive to balance security, productivity and agility, protecting business data from loss or theft remains a top concern. The most common mobile security controls -- passcodes, encryption and remote wipe -- do not fully address the tremendous potential for business data leakage. IT can secure iOS data using the open-in management feature, which is officially known as Managed Open In.
iOS data security and management options
IT has many options to secure and control iPhones and iPads, from user-configured settings to USB-tethered applications to over-the-air mobile device management (MDM). Enterprise IT administrators use the latter to deploy application and configuration profiles to devices from a central location. IT can flag any app installed to an iOS device via MDM as a managed app and further configure it using profiles.
For example, a feature known as enterprise wipe can automatically remove all managed apps installed via MDM from an iOS device. Restrictions, like per-app VPN tunnels and preventing app data or enterprise book sync with iCloud, can be added to managed apps. Starting in iOS 7, Apple introduced open-in management, a type of mobile application management (MAM) that can help prevent managed apps from leaking business data.
Managing data flow between iOS apps
Open-in management gives IT the ability to compartmentalize data by controlling data flow between managed and unmanaged apps. For example, admins can block users from taking data created in a managed app and opening it in an unmanaged app, or vice versa. IT can also control opening a managed Web domain from an unmanaged app, such as the native Safari browser.
Open-in management restrictions are set with configuration profiles, and their effect on a given app depends on whether that app was installed as a managed app. For example, if IT installs a corporate email client and sets allowOpenFromManagedToUnmanaged to false in the configuration profile, only other managed apps (say, IT-installed QuickOffice or a secure container app) can open its email attachments. With that key set to false, native or user-installed apps such as Pages or Google Drive can't open those attachments. In short, open-in management creates two logically isolated document-handling environments.
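As an added example, not code from the article, the Python script below builds a configuration profile whose Restrictions payload sets both open-in keys to false, and audits any profile for a key left open or missing. It assumes the Restrictions payload type com.apple.applicationaccess and the companion key allowOpenFromUnmanagedToManaged; the payload identifiers are constructed.

```python
import plistlib
import uuid

# The two Managed Open In keys of Apple's Restrictions payload
# (PayloadType com.apple.applicationaccess). Both default to true (open);
# setting them to false is what builds the two isolated document environments.
OPEN_IN_KEYS = ("allowOpenFromManagedToUnmanaged", "allowOpenFromUnmanagedToManaged")


def build_profile(block_managed_to_unmanaged=True, block_unmanaged_to_managed=True):
    """Return a configuration profile (plist bytes) carrying one Restrictions payload."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.openin.restrictions",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed Open In restrictions",
        "allowOpenFromManagedToUnmanaged": not block_managed_to_unmanaged,
        "allowOpenFromUnmanagedToManaged": not block_unmanaged_to_managed,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.openin",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Open-in management",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def open_in_gaps(profile_bytes):
    """Audit a profile: return the open-in keys that still allow cross-boundary opens.

    An absent key counts as a gap, because a missing restriction keeps the
    default (true, i.e. the document may be opened across the boundary).
    """
    profile = plistlib.loads(profile_bytes)
    gaps = set(OPEN_IN_KEYS)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in OPEN_IN_KEYS:
            if payload.get(key, True) is False:
                gaps.discard(key)  # at least one payload closes this direction
    return sorted(gaps)


if __name__ == "__main__":
    print(open_in_gaps(build_profile()))                                  # []
    print(open_in_gaps(build_profile(block_unmanaged_to_managed=False)))  # one gap
```

Run the audit against a profile exported from your MDM to confirm both directions are actually closed before relying on the split.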
The limitations of open-in management
Configuration profile restrictions only affect documents opened by apps. This goes a long way towards preventing document leakage, but it does not prevent all data leakage. For example, managed apps may still print documents, relay them over AirDrop or share them via email, all without open-in management affecting them. To control these potential leak vectors, you'll need something else, such as a configurable secure container to block copy/paste, sharing, printing and more.
Open-in management restrictions are also limited to dividing an iOS device into two logical environments. That split suits devices that support both business and personal activities, but it does not necessarily address multi-user tablet scenarios.
Moreover, this split can present challenges when IT installs a managed app and the user has already installed that app. IT must remove the user-installed unmanaged app and then reinstall the managed app. Reinstallation could lose previously stored or synchronized documents; for example, IT-installed QuickOffice might no longer open personal documents. In this case, the user can just install another unmanaged office app to handle that type of document, but in other cases, an obvious alternative may not exist.
Open-in management and DLP
Open-in management is best viewed as just one very useful piece of a more holistic approach to data leak prevention (DLP). For example, you could use enterprise cloud services to reduce the amount of data stored on iOS devices in the first place. MAM and containers can further secure iOS data in managed apps.
Recognize that where there's a will, there's a way. Aim to reduce data leaks, but don't expect to prevent them entirely. Combine VPN tunneling with network DLP to detect, log and block any business data that slips through your data defenses.