Eugene Raynor

A quick guide to BYOD management on Android and iOS

Mar 30, 2023


Smartphones have become increasingly popular at work. It is a well-known fact that hardly anyone finds surprising. Their convenience, portability, instant connectivity, efficient tools, and cost-effective design have significantly contributed to their rapid rise in popularity.

Among the billions of smartphones manufactured, Android and iOS dominate the market with a combined market share of 99.1% globally, out of which iOS takes up 26.9%, while Android takes 72.2%.

With the Bring Your Own Device (BYOD) trend rapidly rising in popularity, these Android and iOS devices have navigated their way into the workplace, and it has become the job of the IT admins to ensure these devices conform to the security and management practices enforced by the organization.

Is BYOD beneficial in the workplace?

The opportunity to adopt and use personal devices for work purposes is an attractive offer that both employers and employees find appealing.

Employers are relieved of the obligation to provide work devices for their staff. This subsequently enables the organization to minimize expenses. In fact, businesses generate approximately $350 in savings per year, per employee, when implementing a basic BYOD policy in the workplace.

Employees, on the other hand, are already familiar with their own devices, which lets them perform work-related tasks with significant efficiency. It’s been found that the average BYOD user experiences a 34% increase in productivity when using Bring Your Own Device (BYOD) smartphones to get work done.

However, there is a catch to adopting a successful BYOD policy in the workplace.

The catch

When personal devices, and potentially personal data, are brought into the corporate environment, IT must address the issues of data leakage and user privacy.

To ensure device and data protection, IT teams usually rely on a Unified Endpoint Management solution that can securely onboard, manage, monitor, and protect corporate devices and data.

However, up until recent times, the UEM functionalities supported by Android and iOS were insufficient to successfully isolate and containerize corporate data from personal data.

Hence, UEMs ended up offering the IT department more power over personal devices and data than users were comfortable with, which effectively became detrimental to implementing BYOD policies at work. But not anymore.

Here’s where two key technologies, ‘iOS User Enrollment’ and ‘Android Enterprise Profile Owner enrollment’, offered by Apple and Android respectively, come into play. Let’s have a closer look.


What is Android Enterprise Profile Owner enrollment?

Android Enterprise was first introduced in 2014 with Android 5.0 (Lollipop) and became mandatory for all GMS-certified devices running Android 6.0 (Marshmallow) and above.

Along with new features and functionalities including kiosk lockdown, zero-touch enrollment, silent app installation, OEM config, and more, Android Enterprise offers two distinct device enrollment strategies:

  • Android Enterprise Device Owner enrollment – which focuses on configurations and policies for securing corporate-owned and fully managed devices.
  • Android Enterprise Profile Owner enrollment – which focuses on configurations and policies for securing personally-owned/BYO devices.

(In this blog, we shall focus only on Profile Owner enrollment. Check out the following blogs for more information on Android Enterprise, and Device Owner enrollment.)

Android Enterprise Profile Owner enrollment offers new configurations and APIs to effectively secure, manage, and monitor the corporate apps and data on BYO devices.

It creates a containerized work profile with separate encryption keys and gives IT teams complete control over the work profile, while ensuring they have zero visibility into, and zero control over, the user’s personal apps and data on the device.

Furthermore, IT admins are equipped with additional capabilities, including the ability to:

  • Configure DLP policies to prevent the transfer of corporate data outside of the work profile or vice versa.
  • Configure a separate work profile password to authenticate access to the corporate apps within the profile.
  • Temporarily disable the work container on managed Android devices on instances of device non-compliance/inactivity.
  • Remotely wipe the data within the work profile on compromised devices, while leaving the user’s personal data untouched.

What is Managed Google Play?

In addition to BYO device management, Android Enterprise introduces Managed Google Play services to assist IT admins with onboarding apps and data to Android BYO endpoints.

Managed Google Play offers a personalized app store for your business, where admins can select and approve apps for use within the organization, thereby enabling streamlined app distribution among the end-users.

Moreover, admins can customize the configurations and permissions for these apps and enable users to download the approved apps from the custom app store.

The apps installed/deployed from the Managed Google Play app store are effectively sandboxed: if the same app is also installed in the device’s personal space, that copy is not granted visibility into the configurations and work accounts used by the app in the work profile, and vice versa.

How to manage BYOD on Android?

As outlined in the previous sections, BYOD management on Android begins with the device onboarding process.

Enroll Android BYO endpoints

To carry out Android Enterprise Profile Owner enrollment, it is mandatory to have access to a Unified Endpoint Management solution that supports the use of Android Enterprise enrollment.

If you’d like to test out this enrollment method, you can request a 14-day free trial for Hexnode UEM.

This documentation provides detailed information regarding enrolling Android endpoints to Hexnode UEM via AE Profile Owner enrollment.

Configure Android policies and restrictions

IT admins can enforce a range of policies and configurations to customize the Android BYOD environment according to their enterprise requirements.

This includes the enforcement of a work-profile password, restrictions on screen capture, app runtime permission, accessibility, and more.

Furthermore, admins can deploy Wi-Fi and VPN configurations, prevent users from sharing location data with apps in the work profile, and restrict file sharing via Bluetooth and external media.
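As an added example (not from the original post and not Hexnode's own code), the sketch below audits a work-profile policy document for the controls listed in this section. It assumes the policy is expressed with the field names of the Android Management API `Policy` resource; the sample policies and the minimum password length are constructed.

```python
# Added example. Field names follow the Android Management API Policy resource
# (an assumption); the sample policies and the length threshold are constructed.
MIN_PROFILE_PASSWORD_LENGTH = 6

def audit_work_profile_policy(policy):
    """Return findings for the work-profile controls listed in this section."""
    findings = []
    # A separate work-profile password needs an entry scoped to the profile.
    scoped = [p for p in policy.get("passwordPolicies", [])
              if p.get("passwordScope") == "SCOPE_PROFILE"]
    if not scoped:
        findings.append("no work-profile password policy")
    elif any(p.get("passwordMinimumLength", 0) < MIN_PROFILE_PASSWORD_LENGTH
             for p in scoped):
        findings.append("work-profile password shorter than minimum")
    if not policy.get("screenCaptureDisabled", False):
        findings.append("screen capture not restricted")
    if policy.get("defaultPermissionPolicy") == "GRANT":
        findings.append("runtime permissions auto-granted")
    if not policy.get("shareLocationDisabled", False):
        findings.append("location sharing not restricted")
    # Require the DLP settings to be explicit rather than inherited from defaults.
    cross = policy.get("crossProfilePolicies", {})
    if cross.get("crossProfileCopyPaste") != "COPY_FROM_WORK_TO_PERSONAL_DISALLOWED":
        findings.append("copy/paste from work to personal not blocked")
    if cross.get("crossProfileDataSharing") not in (
            "CROSS_PROFILE_DATA_SHARING_DISALLOWED",
            "DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED"):
        findings.append("data sharing from work to personal not blocked")
    return findings

# Constructed sample: password scoped to the device only, permissive defaults.
WEAK_POLICY = {
    "passwordPolicies": [{"passwordScope": "SCOPE_DEVICE", "passwordMinimumLength": 4}],
    "defaultPermissionPolicy": "GRANT",
    "crossProfilePolicies": {"crossProfileCopyPaste": "CROSS_PROFILE_COPY_PASTE_ALLOWED"},
}
# Constructed sample: every control from this section set explicitly.
HARDENED_POLICY = {
    "passwordPolicies": [{"passwordScope": "SCOPE_PROFILE", "passwordMinimumLength": 8}],
    "screenCaptureDisabled": True,
    "defaultPermissionPolicy": "PROMPT",
    "shareLocationDisabled": True,
    "crossProfilePolicies": {
        "crossProfileCopyPaste": "COPY_FROM_WORK_TO_PERSONAL_DISALLOWED",
        "crossProfileDataSharing": "DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED",
    },
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_work_profile_policy(pol))
```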

Manage Android apps and data

Admins can select, add, and manage apps for their organization with Managed Google Play.

This documentation provides detailed information on how to set up Managed Google Play for your organization.

You can build a custom app store with approved apps and silently distribute these apps to the devices enrolled in the Android Enterprise program.

Monitor Android Work Profile

Once the policies and apps are configured and deployed, admins must monitor the device status and set up processes to automate remedial actions on issues of non-compliance. Remote actions can be used to clear app data, ring, remotely launch apps, remotely set and clear the work profile password, and more.

Furthermore, admins can temporarily disable the work container on instances of device non-compliance/inactivity, and in worst cases, completely wipe the data in the work container.
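The escalation described above (disable the work container on non-compliance or inactivity, wipe only the work container in the worst case) can be expressed as a small decision routine. This is an added example, not Hexnode's logic: the record fields (`compromised`, `policy_compliant`, `last_checkin`), the action names, and both thresholds are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical thresholds chosen for illustration; tune them to your own policy.
DISABLE_AFTER = timedelta(days=14)   # inactivity before the work profile is disabled
WIPE_AFTER = timedelta(days=60)      # inactivity before the work profile is wiped

def remediation(device, now):
    """Pick an action for one BYO device; actions never touch personal data."""
    if device.get("compromised"):
        return "wipe_work_profile"          # worst case: remove corporate data only
    last = device.get("last_checkin")
    if last is None:
        return "disable_work_profile"       # never checked in: treat as inactive
    idle = now - last
    if idle >= WIPE_AFTER:
        return "wipe_work_profile"
    if idle >= DISABLE_AFTER or not device.get("policy_compliant", False):
        return "disable_work_profile"       # temporary, reversible once compliant
    return "none"

def plan(fleet, now):
    """Map device id -> action for every record in the inventory."""
    return {d["id"]: remediation(d, now) for d in fleet}

# Constructed inventory records (hypothetical field names).
NOW = datetime(2023, 3, 30, tzinfo=timezone.utc)
FLEET = [
    {"id": "a", "policy_compliant": True,  "last_checkin": NOW - timedelta(days=1)},
    {"id": "b", "policy_compliant": False, "last_checkin": NOW - timedelta(days=2)},
    {"id": "c", "policy_compliant": True,  "last_checkin": NOW, "compromised": True},
    {"id": "d", "policy_compliant": True,  "last_checkin": NOW - timedelta(days=20)},
    {"id": "e", "policy_compliant": True,  "last_checkin": None},
    {"id": "f", "policy_compliant": True,  "last_checkin": NOW - timedelta(days=90)},
]

if __name__ == "__main__":
    for dev_id, action in plan(FLEET, NOW).items():
        print(dev_id, action)
```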

What is iOS User Enrollment?

User Enrollment was first introduced in 2019 for iPhones running iOS 13.0+ and iPads running iPadOS 13.1+. It was designed to support the adoption of Bring Your Own Device (BYOD) deployments within an Apple ecosystem. The User Enrollment process is based on achieving two key functionalities:

  • The containerization of personal and corporate data with the help of Managed and Personal Apple IDs.
  • The limitation of management capabilities for IT admins on BYO devices.

User Enrollment requires Managed Apple IDs. During User Enrollment, a separate APFS (Apple File System) volume is established, and all User Enrollment-related data is stored in this Business Container.

When an iOS device is enrolled via User Enrollment, no identification IDs are shared with the MDM/UEM server. Instead, when enrollment is initiated, an Enrollment ID is created and used as the primary identifier by the MDM/UEM server for communication.

Moreover, admins are offered limited management capabilities, restricted to the following:

  • Configure managed accounts
  • Access inventory of Managed Apps
  • Remotely wipe managed data
  • Install and configure managed apps
  • Enforce a password policy
  • Enforce specific restrictions
  • Configure Per App VPN on managed apps

What is Apple Apps and Books?

Similar to Android’s Managed Google Play, Apple Apps and Books is a tool that helps admins distribute apps and content to managed Apple users and devices without requiring an Apple ID. It comes bundled with Apple School Manager, Apple Business Essentials, and Apple Business Manager.

Admins can purchase licenses for the required apps and content and remotely distribute them to the end-users and devices. The distribution process may vary depending on the tool used: admins can make use of the User Assignment/Device Assignment features that come under managed distribution, or the redemption codes feature offered by ABM.

  • User assignment: The purchased apps and content are deployed to the specified user account.
  • Device assignment: The purchased apps and content are deployed to the specified Apple devices.
  • Redemption codes: Admins generate a list of redeemable codes for their purchased apps and content, and distribute it to the necessary users/devices.

Redemption codes are only available in Apple Business Manager. Moreover, deploying apps and content via redemption code is not recommended as the organization loses ownership of the app after the codes are used.

On BYO iOS devices (devices enrolled via User Enrollment), the apps distributed via Apple Apps and Books are set as managed. Additionally, you can make use of Apple’s Business Container feature to configure DLP policies for these managed apps.

How to manage BYOD on iOS?

On iOS, BYOD management begins with the device onboarding process.

Enroll iOS BYO endpoints

Before enrolling iPhones via iOS User Enrollment, admins must ensure the following pre-requisites are met:

  • Access to an MDM/UEM solution that supports iOS User Enrollment
  • An Apple School Manager or Apple Business Manager account
  • Managed Apple IDs to help establish a user identity on the device.
  • Ensure APNs is configured on the device management portal.
  • Ensure that the device is unsupervised and running iOS 13.0+ or iPadOS 13.1+.

If you’d like to test out the iOS User Enrollment feature, you can request a 14-day free trial for Hexnode UEM.

The following documentation provides detailed information regarding enrolling iOS endpoints to Hexnode UEM via iOS User Enrollment.

Configure iOS policies and restrictions

To set up the iOS BYOD environment to meet the organization’s requirements, IT administrators must impose a variety of restrictions and configurations.

This includes deploying network configurations including Wi-Fi and per-app VPN, preventing users from saving corporate data on iCloud, configuring corporate accounts including email, calendar, contacts, and more.

Manage iOS apps and data

Admins can make use of Apple’s Apps and Books tool along with a Unified Endpoint Management solution to deploy, manage and update apps and data on iOS devices. Admins can also upload and deploy custom/enterprise iOS apps with the help of this tool.

Furthermore, admins can set up policies to track data usage for managed apps on the device.

This documentation provides detailed information on how to set up and configure Apple Apps and Books (formerly VPP) for your organization.

Monitor iOS Business Container

Admins can set up iOS Managed Domain and iOS Business Container policies to help form a discrete partition between corporate and personal apps and data. Suitable restrictions can then be enforced to control the flow of data between managed and unmanaged apps and accounts on the device.

Furthermore, admins can remotely wipe the managed data stored on an iOS device on instances of non-compliance, while ensuring personal data remains intact.

The final note

Android and iOS devices are both practical options in the workplace. Adopting BYOD policies with these devices ensures your users can perform tasks with more efficiency, while also reducing potential costs for your organization.

Admins can enforce BYOD security policies by adopting Android Enterprise Profile Owner enrollment and iOS User Enrollment techniques (respectively for Android and iOS) into their IT organizational practices.
