Apple for business customers: How to separate private and business usage on iPhones

Many companies offer the option of using personal iPhones or iPads for work. This model is called BYOD (Bring Your Own Device) and offers numerous advantages: lower hardware costs, no need to adjust to a new device, and quick and easy access to business data at any time. But how well does BYOD actually work on Apple devices? Can personal and business data be kept strictly separate? What rights does the IT department have, and where does its control end? This article shows how BYOD works in practice on the iPhone, what risks exist, and for which types of companies BYOD is suitable.

Business use of the personal iPhone: BYOD with Apple devices

With BYOD, an employee uses their personal iPhone for work purposes. The device remains the employee’s property. Companies manage only the business aspects via a Mobile Device Management (MDM) solution, such as MobiVisor MDM.
The smartphone is not centrally controlled, as Apple severely restricts administrator permissions for managing personal Apple devices. However, devices set up as BYOD appear in the MDM’s device overview and can therefore be listed in the inventory.

How do I set up a BYOD iPhone for business customers?

A personal iPhone is not typically registered with Apple Business Manager. Instead, the user downloads the MDM app or management profile themselves and installs it manually in Settings. However, the system still requires the linking of APNS (for sending commands) and VPP (for installing enterprise apps). The personal Apple ID is always used.
That means:

  • Users must actively consent.
  • The profile can usually be removed again.
  • Many administrative actions require confirmation on the device.

Using BYOD devices in a business setting is convenient for companies, but significantly less controllable than managed company iPhones.

Which MDM features can be used on BYOD devices?

The range of functions for administrators is very limited on BYOD devices. Since the device is primarily set up for private use, the end user has complete control over all restrictions and actions. Users must actively approve every app installation via MDM, can uninstall business apps at any time, and can also remove the MDM profile with all its restrictions. In this case, a notification appears in the MDM portal indicating that the user has deleted the profile. However, the administrator cannot prevent this.

Nevertheless, some basic functions/limitations are available with BYOD:

  • Data separation (personal/business)
  • iCloud settings (backup, keychain, photos)
  • Wi-Fi configurations
  • Password policies
  • Exchange accounts
  • Distributing certificates
  • Delete passcode
  • Siri, personalized advertising, etc.

Important missing features:

  • Account modification (adding accounts/Apple ID)
  • Configure system apps
  • App blacklists & whitelists → Kiosk mode/Single app mode
  • Manage software updates (push or delay)
  • Web content filter
  • Home screen layout & wallpapers
  • Prevent or force factory reset
  • Shared iPad
  • Lost Mode

Can business customers install apps on a BYOD iPhone?

The company administrator can only initiate app installations. Unlike with fully managed devices, however, the installation does not happen silently in the background. Users receive a request and must confirm it.

There are two options for installing apps on BYOD devices:
1. Sending installation requests for personal apps:
This does not happen via VPP, but via the personal Apple ID. Therefore, the app is not located in the business container.

2. Sending installation requests for business apps (VPP):
These apps are fully managed by the company. Their data resides in a separate container/area and is isolated from personal apps.

Note:
Container separation on Apple devices happens only in the background. All apps are displayed equally on the screen, and there are no visual indicators of a separation between business and personal data. For more information on data separation in iOS, see this video: Data Separation on Apple.

Is it still possible to manage apps with VPP in a BYOD situation?

MDM offers a setting for VPP apps: “Take over management if the app is already installed.” This setting is configured when the application is added to the company’s app catalog. If “Take over management” is enabled, the installation command can move an already installed personal application from the personal to the business environment.

The end user then effectively receives two requests:
1. Is the MDM allowed to install the app?
2. If the app is already installed, is the MDM allowed to take over management of the app?

It’s important to note that this action also moves the app data and accounts. For example, if a personal Outlook app with a personal email account is moved to the business environment using the above-mentioned action, the personal data will subsequently reside in the business environment. A clean separation is only possible in this case if the application, including all data, is first completely uninstalled and then installed as a VPP app in the business environment. Alternatively, the company must switch to a different application, since on Apple devices an app can belong to either the private or the business environment, never both.
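To make the consequences of the take-over option concrete, here is a small Python model of the behaviour described in this section: a take-over moves the existing personal copy together with all its accounts into the business area, whereas the clean route uninstalls the app first and installs a fresh VPP copy. This is an added example written for this article, not Apple MDM protocol code and not part of MobiVisor; the App, Account and Device types, the domain names, the return codes and the sample bundle identifier and e-mail address are constructed assumptions. The "left_personal" outcome (take-over disabled while a personal copy exists) is likewise an assumption of the model, as the article does not say what happens in that case.

```python
"""Model of the VPP 'take over management' option described in the article.

Added example: a simplified simulation, not Apple MDM protocol code and not
MobiVisor code. Domain names, types, bundle identifiers and addresses are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PERSONAL = "personal"   # app or account lives in the user's own area
BUSINESS = "business"   # app or account lives in the MDM-managed container


@dataclass
class Account:
    name: str     # constructed address, e.g. "alice.private@example.test"
    source: str   # PERSONAL (added by the user) or BUSINESS (pushed via MDM)


@dataclass
class App:
    bundle_id: str
    domain: str                                   # PERSONAL or BUSINESS
    accounts: List[Account] = field(default_factory=list)


@dataclass
class Device:
    apps: Dict[str, App] = field(default_factory=dict)   # bundle_id -> App

    def find(self, bundle_id: str) -> Optional[App]:
        return self.apps.get(bundle_id)


def install_vpp_app(device: Device, bundle_id: str, take_over: bool) -> str:
    """Simulate the VPP install request after the user has confirmed it.

    Returns one of:
      "installed"        fresh managed copy, empty business container
      "taken_over"       the existing personal copy, including all of its
                         data and accounts, was moved to the business area
      "already_managed"  nothing to do
      "left_personal"    app exists privately and take-over is disabled;
                         the model assumes the app is simply left as is
    """
    existing = device.find(bundle_id)
    if existing is None:
        device.apps[bundle_id] = App(bundle_id, BUSINESS)
        return "installed"
    if existing.domain == BUSINESS:
        return "already_managed"
    if not take_over:
        return "left_personal"
    existing.domain = BUSINESS   # the accounts list is carried over unchanged
    return "taken_over"


def personal_accounts_in_business_area(device: Device) -> List[str]:
    """Names of user-added accounts that now sit inside the business container.

    A non-empty result is the data-protection problem the article warns about.
    """
    return sorted(
        acct.name
        for app in device.apps.values() if app.domain == BUSINESS
        for acct in app.accounts if acct.source == PERSONAL
    )


def plan_clean_rollout(device: Device, bundle_id: str) -> List[str]:
    """Steps that give a business copy without dragging personal data along."""
    existing = device.find(bundle_id)
    fresh = f"install {bundle_id} as a VPP app (fresh business copy)"
    if existing is None:
        return [fresh]
    if existing.domain == BUSINESS:
        return []
    steps = []
    if existing.accounts:
        names = ", ".join(a.name for a in existing.accounts)
        steps.append(f"let the user back up or note personal accounts: {names}")
    steps.append(f"uninstall the personal {bundle_id} including all its data")
    steps.append(fresh)
    return steps


def demo() -> Dict[str, object]:
    """Compare take-over with the clean route on a constructed device."""
    dev = Device()
    dev.apps["com.example.mailclient"] = App(
        "com.example.mailclient", PERSONAL,
        [Account("alice.private@example.test", PERSONAL)],
    )
    plan = plan_clean_rollout(dev, "com.example.mailclient")
    result = install_vpp_app(dev, "com.example.mailclient", take_over=True)
    return {
        "result": result,
        "leaked": personal_accounts_in_business_area(dev),
        "clean_plan": plan,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module shows the two outcomes side by side: the take-over reports the personal address as now living in the business container, while the clean plan lists the uninstall-then-reinstall steps an administrator would hand to the user before enabling the VPP assignment.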

Separate private and business data on Apple BYOD devices

When using BYOD devices in a company, it is particularly crucial to understand how data is separated. Since Apple devices don’t allow apps to be installed for both personal and business use, the question arises as to which area system apps are assigned and how data separation actually works. Some system apps offer in-application data separation.

These include:

  • Email
  • Contacts
  • Calendar
  • Reminders
  • Notes

All other applications lack a separation and are therefore considered private.
This often becomes problematic when photos or videos need to be sent for work purposes, as business apps cannot access private data by default.
Companies can work around this by installing separate gallery and camera apps. MDM (Mobile Device Management) can also be used to authorize access between business and private data. However, we do not recommend this for data privacy reasons.

How do I separate business and private contacts, calendars, and emails in a BYOD environment?

Apple’s system apps are separated by account. If contacts are pushed to the device via MDM from a business Exchange account, the device recognizes that these contacts are assigned to the business account. If contacts are created locally (manually) or via a personal account (e.g., Google) that is not distributed through MDM, then the contacts are in the personal sphere. The same applies to Mail, Calendar, Reminders, and Notes. Within the Contacts app, the end user sees no difference, as all contacts are displayed together. The separation happens in the background, so, for example, a privately installed WhatsApp cannot access Exchange contacts added via MDM.
A benefit of this setup is that multiple calendars, contact lists, and email accounts can run simultaneously on the device. Multiple business accounts can also be distributed via MDM.

Apple BYOD devices: Here’s what else you should know!

The technical separation of data on BYOD devices is one thing, but employees also need clear instructions and guidelines regarding the use of personal devices for work. Ideally, this should be regulated in a company agreement.
Among other things, the following points should be clearly addressed:

  • Ownership & Damage Case
  • Scope of IT Access (What can the admin see/do?) → Data Protection
  • Reporting and Deletion Obligations in Case of Loss
  • Security Policies & Restrictions
  • Data Separation (Where/How is new data transferred to the device to ensure it’s in the correct container?)
  • App Usage (Which apps are necessary for work, and what happens if the app is already being used privately?)
  • Handling Data from System Apps That Cannot Be Natively Separated, Especially Photos

When using Apple BYOD devices, it’s important to remember that these are still employees’ personal devices. Therefore, employees must agree to the points mentioned above in the company agreement. Employees must not feel that using their personal devices for work will put them at a disadvantage.

What happens if the employee leaves the company?

As long as the end user is employed by the company, the use of the mobile device is subject to company agreements. Furthermore, the BYOD model with Apple devices can only be implemented if employees handle company data responsibly. However, as soon as an employee leaves the company, it must be ensured that company data can also be securely deleted to guarantee data protection.
For iPhones and iPads operated as BYOD devices, restrictions are applied via the Apple profile on the device. The IT administrator can delete this profile from the respective smartphone or tablet via MDM. This removes all settings configured by the MDM.

Conclusion: Is BYOD with Apple devices suitable for your company?

Of particular importance for data protection in companies is the clear separation of private and business contacts, calendar entries, emails, etc., on iPhones or iPads. While Apple offers solutions for this, they always come with a slight drawback, either for end users or the company. By using BYOD (Bring Your Own Device), the company grants employees a certain degree of freedom, but accepts that particularly strict data protection guidelines cannot be implemented. Therefore, the BYOD model is not recommended for companies in critical infrastructure sectors – such as healthcare or IT. Even if companies have to retain a lot of important and valuable client or customer data, we advise against this model, as it cannot be guaranteed that work-related data will never be accessed outside of working hours. Furthermore, if an employee leaves the company, the company must rely on all data being deleted in accordance with regulations.
While MDM can delete all settings applied to the device via the Apple profile, there remains a residual risk that important contacts may have been transferred or screenshots taken beforehand. Generally, the BYOD model is more suitable for companies with only a few devices, no strict data protection requirements, and no need to use their phones to document customer data.
