Data Separation on iOS devices: a necessary chore?


Data separation on iOS is necessary because of security regulations. When a company-issued device is used for both private and business purposes, the GDPR stipulates a clear separation of data, since this prevents data from being compromised. The reason is that mobile business devices such as smartphones and tablets have different usage scenarios: they can be used as a classic work device holding only business data, or they can be approved for both private and business use. Technical data separation is what makes the latter possible.

Not all data separation is the same


How data is separated, however, depends on the type of device in use, so data separation works differently on each platform. Android devices set up two separate profiles on the device, whereas iOS devices separate data by classifying it as either managed or unmanaged.

The advantage of this approach is clear and uncluttered operation of the device: the user interface is not cluttered with two sets of apps, and there is no need to log in to or out of one of two accounts. The familiar way of using an iPhone or iPad is therefore retained.


Data separation for iOS only works via MDM


To ensure that data is actually separated, the mobile devices must first be enrolled in an MDM (Mobile Device Management) system and in Apple Business Manager. Apple Business Manager is an online portal through which a company's IT administrators can centrally manage all devices. It is not, however, a full-fledged MDM, as no restrictions or authorizations for device use can be enforced through it. Rather, it supports Apple's VPP (Volume Purchase Programme), which is used to obtain apps and books for the devices. The link between the two is needed so that managed apps purchased via the VPP can also be pushed to the devices via the MDM.

As mentioned earlier, Apple distinguishes between managed data and unmanaged data. 'Managed data' refers to all apps, contacts, accounts or documents that have been delivered to the device via the MDM. 'Unmanaged data', accordingly, is everything the user has installed themselves, since this option remains available under iOS data separation.

An 'unmanaged app' can be converted into a 'managed app' by sending it to the device again through the MDM. 'Unmanaged data', however, cannot be converted into 'managed data'. This mode of use is nevertheless recommended for companies that appreciate the simplicity of the iOS user interface and want to keep it.

Managed apps: Data separation with iOS in practice


To ensure complete data separation and device security, more advanced policies can be set up for iOS devices. These can be used, for example, to prevent managed documents from being opened in unmanaged apps (and vice versa). MDM can also be used to block certain Apple-specific functions, such as AirDrop. The web browser should likewise be restricted if users are not meant to have unrestricted access to all content on the Internet.
A detailed description (in English) of which restrictions are recommended can be found here.

Ultimately, however, each company has to test for itself which policies and restrictions make sense in its own case. If a device is restricted too far, user-friendliness may well be lost, and employees then tend to be reluctant to actually use the devices.
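The restrictions described above live in the MDM Restrictions payload (PayloadType com.apple.applicationaccess). As an added example that is not part of the original article, the script below audits such a payload for settings that still leave a path between managed and unmanaged data, and builds a hardened .mobileconfig with those paths closed. The key names are Apple's documented Restrictions keys; the payload identifiers and the sample "weak" payload are constructed for illustration.

```python
"""Audit an iOS Restrictions payload for open managed/unmanaged data paths
and emit a hardened .mobileconfig. Added example, not from the article; the
restriction keys are Apple's, the identifiers and sample values are constructed."""
import plistlib
import uuid

# Restriction keys whose default (True when absent) keeps a data path open.
LEAK_PATHS = {
    "allowOpenFromManagedToUnmanaged": "managed documents can be opened in unmanaged apps",
    "allowOpenFromUnmanagedToManaged": "unmanaged documents can be opened in managed apps",
    "allowManagedToWriteUnmanagedContacts": "managed apps can write unmanaged contacts",
    "allowUnmanagedToReadManagedContacts": "unmanaged apps can read managed contacts",
    "allowManagedAppsCloudSync": "managed app data may sync to a personal iCloud account",
    "allowAirDrop": "AirDrop can share managed documents (supervised devices only)",
}

def audit(restrictions: dict) -> list:
    """Return one finding per restriction that is absent or still permissive."""
    findings = [f"{k}: {why}" for k, why in LEAK_PATHS.items() if restrictions.get(k, True)]
    # iOS 15+: default False means copy/paste across the boundary is not enforced.
    if not restrictions.get("requireManagedPasteboard", False):
        findings.append("requireManagedPasteboard: clipboard is shared between managed and unmanaged apps")
    return findings

def hardened_restrictions() -> dict:
    """Restrictions dict with every leak path listed above closed."""
    r = {k: False for k in LEAK_PATHS}
    r["requireManagedPasteboard"] = True
    return r

def build_profile(restrictions: dict, org="Example Corp") -> bytes:
    """Wrap a Restrictions dict in a minimal, unsigned .mobileconfig (XML plist)."""
    payload = dict(restrictions, PayloadType="com.apple.applicationaccess",
                   PayloadIdentifier=f"com.example.restrictions.{uuid.uuid4()}",  # constructed
                   PayloadUUID=str(uuid.uuid4()).upper(), PayloadVersion=1,
                   PayloadDisplayName="Managed/unmanaged data separation")
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.profile.dataseparation",  # constructed
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadOrganization": org,
               "PayloadDisplayName": "iOS data separation", "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def audit_profile(profile_bytes: bytes) -> list:
    """Parse a .mobileconfig and audit every Restrictions payload it contains."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            findings.extend(audit(payload))
    return findings

if __name__ == "__main__":
    weak = {"allowOpenFromManagedToUnmanaged": False}  # constructed: only one path closed
    print("\n".join(audit(weak)))
    print(audit_profile(build_profile(hardened_restrictions())))  # []
```

The profile produced here is unsigned and carries no Safari or supervision-only settings; it is a starting point for the independent testing the paragraph above recommends, not a finished policy.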


Advantages of data separation with iOS


As mentioned above, probably the biggest advantage of this type of data separation is that there is only ever one profile on a device that needs to be managed. Another advantage lies in app distribution: by separating apps into managed and unmanaged, the company always remains the owner of the apps it installs. Even if the device becomes the property of the user, e.g. through leasing, the company apps, including all their data, can simply be uninstalled. Furthermore, it ensures that private data stays private and business data stays business. This also means that the company cannot gain access to the unmanaged apps (and cannot see which ones have been installed), while the employee, in turn, cannot simply uninstall the company apps if they do not like them. Ultimately, colleagues and management should aim for a fair approach to the use of mobile devices, and that includes accepting this separation.




For companies whose employees are to be equipped with Apple devices (Psst! Also check back here to see if iPhones really fit your company), the form of data separation that iOS uses is ideal. It combines all the necessary personal and business apps on one device without limiting usability. Since only the company has access to the managed apps, there is no risk of private apps ever being deleted. At the same time, corporate apps cannot be deleted either, and the use of the device can be restricted to a certain extent. This keeps the device usable for work.
