Data separation on iOS devices: GDPR-compliant and secure
Especially with very high-quality devices, such as iPhones or iPads, employees often want to use them privately. Companies can easily fulfill this wish for their employees in compliance with the GDPR by separating data on iPads and iPhones.
How do I use Apple devices in my company?
In companies, Apple devices are registered as so-called DEP devices via the Apple Business Manager. This means that the devices belong to the company and all apps are managed via the Apple Business Manager. We explain exactly how this works on our YouTube channel. Apple Business Manager can be used to centrally manage the company’s iPhones, iPads and MacBooks and assign them to users. However, it does not serve as a fully-fledged MDM, as it cannot be used to implement any restrictions or authorizations for the use of the devices.
For this reason, an MDM (Mobile Device Management System) is linked in the Apple Business Manager. All of the company’s Apple devices can be assigned security policies here. Apple devices that can be fully managed by the company are referred to as “managed devices”. In addition, there are BYOD devices that belong to employees but are used for work.
How the separation of private and business data works
Apple provides two models for using Apple devices for both private and business purposes: the Apple DEP device, which belongs to the company, and the BYOD device, which belongs to the employee.
Setting up a private area on the DEP device
In the case of Apple DEP devices, the iPhone, iPad or MacBook is registered via the Apple Business Manager and the MDM profile is installed on the device. The user cannot simply remove this profile, and the company retains full control over the device settings. Employees can store their private Apple ID on the device and thus have the option of installing apps for their private use. This system divides the apps on an Apple device into “managed” and “unmanaged” apps: managed apps are installed and controlled via the MDM, and the user works in them, while unmanaged apps are the ones installed privately.
However, users do not enjoy complete freedom: with Apple DEP devices, the company retains the option of placing apps on a blocklist. These cannot then be installed and used by the user. An “unmanaged app” can also be converted into a “managed app” by sending it to the device again through the MDM. However, unmanaged data cannot be converted into managed data. Nevertheless, this type of use is recommended for companies that appreciate the simplicity of the iOS user interface and want to continue using it.

Setting up a business area on the BYOD device
With BYOD devices, the process is basically reversed. The Apple device is set up with a private Apple ID. The MobiVisor MDM client app is then installed and the user can register in MDM. The Apple device then appears in the MDM device list, allowing the admin to maintain an overview at all times.
When implementing a BYOD policy, companies should always ensure that users actually register in order to rule out the risk of shadow IT. During the installation of the MDM app, the MDM profile is installed on the Apple device. This profile can be removed by the user at any time. The separation into “unmanaged” and “managed” apps applies here too. The IT admin can install apps on the device and set whether they should remain installed if the MDM profile is deleted.
GDPR-compliant data separation on iOS devices with MDM
In addition to the proper setup of iPhones and iPads for the company, there are also some security guidelines that can be applied to ensure the complete separation of private and business data. For example, IT admins should use policies that block data transfer from “managed” to “unmanaged” apps so that business and private data cannot be mixed. This is particularly important in industries where increased security must be guaranteed, such as the healthcare sector.
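The policies described above, and the "remove with the MDM profile" setting mentioned in the BYOD section, map to concrete settings in Apple's MDM protocol. The following Python script is an added illustration, not MobiVisor's or Apple's code: it builds a Restrictions payload (`com.apple.applicationaccess`) that blocks managed-to-unmanaged data flow, audits an existing `.mobileconfig` for missing or permissive data-flow keys, and builds an `InstallApplication` command whose `ManagementFlags` remove the app when the profile is removed and keep its data out of the user's private backup. The restriction keys and flag values are Apple's documented ones; the organization name, profile identifier, App Store id and UUIDs are constructed placeholders.

```python
"""Build and audit iOS MDM settings for managed/unmanaged data separation.

Added illustration, not vendor code. Restriction keys and ManagementFlags values
are Apple's documented ones; organization, identifiers and app id are placeholders.
"""
import plistlib
import uuid

# Restriction keys that control data flow between managed (MDM-deployed) and
# unmanaged (privately installed) apps. Apple defaults each to True (allowed).
DATA_FLOW_KEYS = {
    "allowOpenFromManagedToUnmanaged": False,   # no "Open in..." from work to private apps
    "allowOpenFromUnmanagedToManaged": False,   # no private documents into work apps
    "allowManagedAppsCloudSync": False,         # managed app data stays out of personal iCloud
    "allowManagedToWriteUnmanagedContacts": False,
    "allowUnmanagedToReadManagedContacts": False,
}


def build_restrictions_profile(org: str, identifier: str) -> bytes:
    """Return a .mobileconfig (XML plist) carrying the data-separation restrictions."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed/unmanaged data separation",
        **DATA_FLOW_KEYS,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} data separation",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(mobileconfig: bytes) -> list[str]:
    """Return one finding per data-flow key that is absent or explicitly permissive.

    An absent allow* key is as permissive as an explicit True, so both are reported.
    """
    profile = plistlib.loads(mobileconfig)
    restrictions = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not restrictions:
        return ["no com.apple.applicationaccess payload: data flow is at Apple defaults (allowed)"]
    findings = []
    for payload in restrictions:
        for key in DATA_FLOW_KEYS:
            value = payload.get(key)
            if value is None:
                findings.append(f"{key} not set (defaults to allowed)")
            elif value is True:
                findings.append(f"{key} explicitly allowed")
    return findings


# InstallApplication ManagementFlags (Apple MDM protocol): 1 removes the app and
# its data when the MDM profile is removed, 4 prevents backup of the app's data.
REMOVE_WITH_PROFILE = 1
PREVENT_BACKUP = 4


def build_install_command(itunes_store_id: int, remove_on_unenroll: bool = True) -> dict:
    """Return an InstallApplication command for the given (placeholder) App Store id."""
    flags = PREVENT_BACKUP | (REMOVE_WITH_PROFILE if remove_on_unenroll else 0)
    return {
        "Command": {
            "RequestType": "InstallApplication",
            "iTunesStoreID": itunes_store_id,
            "ManagementFlags": flags,
            "Options": {"PurchaseMethod": 1},   # 1 = Apps and Books (VPP) assignment
        },
        "CommandUUID": str(uuid.uuid4()).upper(),
    }


if __name__ == "__main__":
    good = build_restrictions_profile("Example GmbH", "com.example.mdm")
    print(audit_profile(good) or "OK: managed/unmanaged data flow fully restricted")
    # Constructed weak profile: a restrictions payload that never mentions the data-flow keys.
    weak = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess", "allowCamera": True}]})
    for finding in audit_profile(weak):
        print("finding:", finding)
    print(build_install_command(123456789)["Command"]["ManagementFlags"])
```

Running `audit_profile` over the profiles an MDM actually pushes is a cheap way to document, for a GDPR audit, that the managed/unmanaged boundary is enforced by configuration rather than by policy text alone; the `ManagementFlags` combination 5 (remove with profile plus no backup) is the setting that keeps business app data from surviving in a private iCloud or iTunes backup after the employee leaves the MDM.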
The GDPR also requires clear purpose limitation and data minimization. This means that companies may only access professional data – not private photos, chats or apps. With MDM and Managed Apps, this is exactly what is technically ensured: clear separation, clear responsibility. Companies must also be able to prove that data can be processed securely. Control over managed apps and data processing guidelines shows that technical and organizational measures are being taken.
The psychological aspect should not be underestimated either, as allowing employees to use their iPads and iPhones privately increases employee satisfaction. The complete separation of all data also ensures a feeling of security and trust in the company.
With the help of an MDM, companies can ensure clean data separation on iOS devices. The separation of managed/unmanaged apps is a key technical building block for complying with GDPR requirements on iOS devices, avoiding data leaks and ensuring clear control over business data on mobile devices.