But what does the BSI's classification that Apple's data protection is sufficient for authorities mean?
Information marked 'VS-NfD' (Verschlusssache - Nur für den Dienstgebrauch, the BSI's "restricted" level) may only be processed by authorized persons, and the applications used to process it must meet the requirements for 'VS-NfD'.
An MDM can make information accessible to different persons selectively.
If the information is kept in a separate folder structure, the MDM controls access to that structure; by assigning usage rights through the MDM, unauthorized persons are kept out.
Access can also be restricted only partially, e.g. so that some information is accessible to a user while other information is not.
Role management and the division of users into groups make it possible to set up different access rights via the MDM.
This means that all users who need access to certain applications and information can be assigned to the same group. The required applications can be sent directly to the mobile devices via an installation command.
Apple's data protection is basically suitable for public authorities. To further safeguard the use of mobile devices for work, it is advisable to define not only which applications may be used by whom, but also what may not be used for data protection reasons.
This challenge is more complex than one might first assume:
On the one hand, it is necessary to ensure that the restrictions that inevitably have to be imposed do not limit employees to such an extent that work cannot be done (or workarounds are used to try to escape the security precautions); on the other hand, only defaults can ensure that security and data protection regulations are complied with.
Such presets can be, for example, a list of approved Wi-Fi networks the device may join, with all unsecured or unknown networks excluded. Furthermore, certain websites can be blocked entirely and only work-related online applications allowed.
Apps can also be completely excluded from download and use.
Desired apps do not have to be downloaded from the app store, but can also be sent directly to the device as a file, where they install automatically.
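The group-based access rights and default-deny device presets described above, modelled as an added example for this page (it is not MobiVisor's software or API; every group name, bundle identifier, SSID, folder and hostname below is a constructed placeholder). The point it makes explicit is the evaluation order: a user sees a folder or app only through a group grant, a global blocklist overrides any grant, and Wi-Fi and web access are allow-listed rather than block-listed.

```python
"""Constructed model of MDM access rules (example code, not MobiVisor's)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Group:
    name: str
    apps: frozenset      # bundle IDs pushed to, and permitted for, this group
    folders: frozenset   # folder prefixes the group may read


@dataclass(frozen=True)
class DevicePolicy:
    allowed_ssids: frozenset       # only these Wi-Fi networks may be joined
    allowed_hosts: tuple           # fnmatch patterns on the hostname; all else is blocked
    blocked_apps: frozenset        # bundle IDs that may never be installed or used


class Mdm:
    def __init__(self, policy: DevicePolicy):
        self.policy = policy
        self.groups = {}        # group name -> Group
        self.membership = {}    # user -> set of group names

    def add_group(self, group: Group) -> None:
        self.groups[group.name] = group

    def assign(self, user: str, group_name: str) -> None:
        self.membership.setdefault(user, set()).add(self.groups[group_name].name)

    def _groups_of(self, user: str):
        return [self.groups[g] for g in self.membership.get(user, ())]

    def can_open_folder(self, user: str, path: str) -> bool:
        # Default deny: a folder is visible only through some group's grant.
        # The trailing '/' keeps "/Finance" from also granting "/FinanceArchive".
        for g in self._groups_of(user):
            if any(path == f or path.startswith(f.rstrip("/") + "/") for f in g.folders):
                return True
        return False

    def can_use_app(self, user: str, bundle_id: str) -> bool:
        if bundle_id in self.policy.blocked_apps:
            return False   # the global blocklist wins over any group grant
        return any(bundle_id in g.apps for g in self._groups_of(user))

    def install_commands(self, user: str) -> list:
        # Apps pushed to the device: union of the user's group apps, minus blocked ones.
        apps = set().union(*(g.apps for g in self._groups_of(user))) - self.policy.blocked_apps
        return sorted(f"install {b}" for b in apps)

    def may_join_wifi(self, ssid: str) -> bool:
        return ssid in self.policy.allowed_ssids

    def may_open_url(self, url: str) -> bool:
        host = (urlsplit(url).hostname or "").lower()
        return any(fnmatchcase(host, p.lower()) for p in self.policy.allowed_hosts)


def build_demo() -> Mdm:
    """Constructed sample tenant: two groups, one shared folder, one blocked app."""
    policy = DevicePolicy(
        allowed_ssids=frozenset({"AUTHORITY-WPA2-ENT"}),          # placeholder SSID
        allowed_hosts=("example.gov", "*.example.gov"),             # placeholder hosts
        blocked_apps=frozenset({"com.example.consumer-chat"}),     # placeholder bundle ID
    )
    mdm = Mdm(policy)
    mdm.add_group(Group("finance",
                        frozenset({"com.example.securemail", "com.example.spreadsheet"}),
                        frozenset({"/Finance", "/Shared"})))
    mdm.add_group(Group("field",
                        frozenset({"com.example.securemail", "com.example.consumer-chat"}),
                        frozenset({"/Shared"})))
    mdm.assign("alice", "finance")
    mdm.assign("bob", "field")
    return mdm


if __name__ == "__main__":
    mdm = build_demo()
    print("alice -> /Finance/2024/budget.xlsx:", mdm.can_open_folder("alice", "/Finance/2024/budget.xlsx"))
    print("bob   -> /Finance/2024/budget.xlsx:", mdm.can_open_folder("bob", "/Finance/2024/budget.xlsx"))
    print("bob install commands:", mdm.install_commands("bob"))
    print("join CoffeeShop:", mdm.may_join_wifi("CoffeeShop"))
    print("open https://intranet.example.gov/portal:", mdm.may_open_url("https://intranet.example.gov/portal"))
```

Note that even though the "field" group is granted the consumer chat app, `install_commands("bob")` never pushes it and `can_use_app` never permits it: a device-wide blocklist is evaluated before group membership, which is the behaviour an administrator expects when an app is excluded "from download and use".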
An interface that attackers frequently target is the transfer of data within the authority and/or with outsiders, such as clients or other public institutions. Data transfer must therefore be specially secured.
Data transfer and information exchange are activities that make up a large part of the work in a public authority. Since this involves working with important and sometimes sensitive data, it is essential that this data is sent in a secure manner. To this end, certain data protection configurations can be made with the help of an MDM.
However, the direct use of a secure e-mail application, e.g. MobiVisor Secure Mail, which is embedded in the MDM and functions as a standalone e-mail application, is particularly recommended.
To communicate internally even more quickly and easily, a messenger can also be used. If this is part of the MDM, such as MobiVisor Messenger, secure communication is guaranteed.
Using a secure calendar app is also particularly important for data protection. It is often overlooked that calendar apps store private and sensitive data, for example because they are linked to contact data. Malicious calendar apps can siphon off this data and pass it on to third parties.
Accordingly, the BSI's assessment that Apple's calendar app is sufficient for data protection for public authorities and that the devices are considered secure is particularly significant, because mobile work is almost impossible without a secure calendar app.
Apple's data protection is sufficient for public authorities. But in order to be able to use mobile devices such as iPhones or iPads there and in other institutions with particularly strict data protection regulations, they must be supplemented with security-relevant functions.
For device administration and security, it is important that the devices can be accessed quickly in the event of an emergency or for troubleshooting.
An MDM provides a central management platform for this purpose, via which administrators receive notifications in the event of a breach of usage guidelines. This makes it possible to determine at any time from which device the violation originated and to react quickly. The smartphone or tablet in question can either be blocked directly to prevent further breaches and access to the corporate network, or all data can be deleted remotely. The latter is also helpful should the mobile device be lost or stolen.
Since Apple's data protection is sufficient for government agencies, this means that there is automatically a higher level of data security due to the way the devices are set up. Still, it might make sense to set up the device specifically for work use only.
Mobile devices require a great deal of administrative effort in order to always remain technically up-to-date and to function without errors. Nevertheless, failures or errors can occur and must be rectified as quickly as possible.
The use of mobile devices, which are connected via various interfaces to the corporate network and all the resources available in it, requires a certain amount of practice, even for technically skilled employees. But it is not always the user who is at fault: sometimes the devices themselves do not work as they should. In this case, reporting the error too late and/or letting too much time pass before correcting it is harmful, as it can widen any security gaps that have arisen. In order to provide quick assistance, administrators can, with the user's consent, connect remotely to the device via MobiVisor MDM and see exactly what the user sees to identify the source of the error.
For an MDM to be used in an authority, it must meet certain requirements. Personal data must not be collected, nor must it be processed in any way.
When an MDM is used in a public institution or a public authority, it must be ensured that the hosting is secure and that no company data can be leaked to unauthorized persons. A first important step is hosting in Germany, as stricter protection applies here than in many other countries. MobiVisor MDM is also hosted in Germany. Furthermore, the MDM does not store any device or personal data, but only the data necessary to use and manage the device. This ensures that no data is disclosed in the event of access.