WWDC 2025: Big MDM Updates

Apple just shared a lot of important news for those of us managing Apple devices in organizations. Here are my top 5 takeaways from the MDM-related announcements:

1️⃣ Declarative Device Management everywhere
MDM declarative management is now fully rolled out across all platforms - iOS, iPadOS, macOS, visionOS & Apple TV. The old MDM update mechanism is deprecated.

2️⃣ Device migration between MDMs - now native
Admins can easily migrate devices between MDM servers via Apple Business Manager & Apple School Manager - with user notifications & an automated flow. No need to wipe or reload devices - apps and data are preserved. After migration, the new MDM takes over Activation Lock and can also rotate and escrow the FileVault key using the bootstrap token.

3️⃣ Platform SSO streamlined - during setup!
Platform SSO registration can now happen in Setup Assistant during Automated Device Enrollment - bringing tighter identity integration & an improved user experience.

4️⃣ Tap to Login on Mac - perfect for frontline workers
New Tap to Login allows users to authenticate on shared Macs with just an iPhone or Apple Watch tap - seamless & secure.

5️⃣ App version control - more power to IT
IT can now pin specific app versions, block auto-updates, or require manual validation before rollout - critical for managing mission-critical apps.
Secure Mobile Device Management
Summary
Secure mobile device management refers to the tools and strategies organizations use to protect sensitive data, manage user access, and ensure compliance on smartphones and tablets, whether owned by the company or by employees. With more work happening on mobile devices, keeping business information safe without slowing down users is a key challenge.
- Prioritize data privacy: Choose solutions that safeguard corporate data on mobile devices while respecting employee privacy, especially in bring-your-own-device (BYOD) environments.
- Simplify device setup: Use centralized platforms that allow pre-configured devices and automated enrollment, reducing manual work and IT frustrations.
- Enforce smart app controls: Manage which apps are installed or updated and set clear security policies to keep all devices compliant and protected.
Hypori vs. MAM: Is Your BYOD Strategy Truly Secure? Is it compliant?

When securing sensitive data on personal devices, not all BYOD strategies are created equal. The critical difference comes down to one question: "Is your data stored ON the device, or simply accessed THROUGH it?" This distinction fundamentally separates traditional Mobile Application Management (MAM) from a virtualized approach like Hypori.

1. Traditional MAM: "Data on Device"
MAM solutions focus on creating secure containers to protect corporate data and apps on a personal device. While it's a layer of security, it means sensitive Controlled Unclassified Information (CUI) still resides on an unmanaged endpoint, creating risks of data spillage and complex sanitization challenges, failing multiple DoD, NIST and Federal requirements, and putting that burden on the user.

2. Hypori's Virtual Approach: "Data Off Device"
Hypori operates on a zero data-at-rest principle. CUI and applications are never stored or processed on the end-user's device. Instead, they run in a secure government enclave, and only a rolling encrypted pixel stream is delivered to the endpoint.

Here's why this architectural difference matters:

Data Sanitization: With data physically on a device, true media sanitization (NIST SP 800-88) is a major challenge. With Hypori's model, destroying the server-side session guarantees no data is left behind, simplifying compliance.

Incident Response: If a MAM-protected device is lost or stolen, you must assume sensitive data is on that hardware. With Hypori, access is instantly revoked, and any investigation is focused on the secure, controlled government enclave, not a complex, privacy-sensitive personal device.

Legal Compliance: FAR 52.204-27 and OMB Memorandum M-23-13, "No TikTok on Government Devices Implementation Guidance". This creates a significant compliance issue, as many BYOD management solutions, such as MAM-WE, lack the technical capability to block or inventory unmanaged applications on an employee's personal device, making it difficult to enforce the prohibition. Remember, it's a prohibition, not a reporting requirement.

Spillage response: Are you telling your employees that if there is a classified information spillage they have to turn in their personal devices for destruction? With Hypori, there is no spillage on your device, so you will never have to turn it in!

IL5 compliance requires physical separation, but what about your phone? For high-security DoD environments, IL5 mandates physical separation of data from public/untrusted tenants. Storing CUI on a personal device, even in a container, violates this principle. A zero data-at-rest architecture is designed to enforce this separation.

The choice is between securing a container on an untrusted device versus ensuring the untrusted device never touches your sensitive data at all.

#BYOD #Cybersecurity #ZeroTrust #CUI #DoD #GovCon #DataSecurity #MobileSecurity #NIST #MAM #Hypori #Army #USAF
Mobile device security is a blind spot I see in a lot of organizations: they either have some level of management to meet compliance requirements, but no DLP or advanced security capabilities on top of it, or they are totally exposed in this area.

Specific to BYOD, I always recommend taking a low-friction approach to device management, using application management to containerize and manage just the Microsoft apps and corporate data on the device, rather than managing the whole thing at the device level with full MDM enrollment. It tends to be a great way to get users on board and protected without any pushback related to the company "managing" their personal phone.

Microsoft has released a new update for Defender for Endpoint on iOS that aligns with this low-friction approach to management. Let's explore how it works.

Implementing the Solution: A Step-by-Step Guide

Intune Setup for User Enrollment:
- Choose between account-driven or Company Portal-driven Apple User Enrollment in Microsoft Intune. This decision is pivotal, as it defines how users will interact with their iOS devices in a BYOD context.

Configuring Single Sign-On (SSO):
- The Microsoft Authenticator app with the SSO extension is essential for user enrollment on iOS devices.
- Create a device configuration profile in Intune for the above and include two critical keys:
  i. App bundle ID: add the Defender app bundle ID "com.microsoft.scmx".
  ii. Additional configuration: Key "device_registration"; Type: String; Value: {{DEVICEREGISTRATION}}.

Setting Up the MDM Key for User Enrollment:
- In Intune, go to Apps > App configuration policies > Add > Managed devices.
- Select iOS/iPadOS as the platform and choose Microsoft Defender for Endpoint as the targeted app.
- In the settings, use the configuration designer to add "UserEnrolmentEnabled" as the key, with the value type String and the value True.

Deploying Defender as a Required App:
- Push Microsoft Defender for Endpoint as a required app through the Volume Purchase Program (VPP) in Intune. This ensures that all user-enrolled devices have the necessary protection.

Why This Matters for Your Organization

Implementing Microsoft Defender for Endpoint on iOS devices is more than just a security measure; it ensures that your organization's data is protected on every device, while also respecting the privacy of your employees. This balance is key to maintaining trust and efficiency in a BYOD culture.

I'm excited to see how this development enhances our approach to endpoint security. How do you plan to implement this in your organization? Check out the link in the comments to learn more.

#MicrosoftDefender #EndpointSecurity #iOS #BYOD #Microsoft365 #CyberSecurity #DigitalWorkspace
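The SSO step above is done in the Intune console, but it is worth seeing what the resulting Apple profile actually contains, both to understand what Intune is producing and to reproduce it in another MDM or in a pre-deployment check. The following is an added example, not code from the post or from Microsoft: it builds a `com.apple.extensiblesso` payload carrying the two keys the post calls out (the Defender bundle ID `com.microsoft.scmx` and `device_registration` = `{{DEVICEREGISTRATION}}`) and then validates an arbitrary `.mobileconfig` against those prerequisites. The extension identifier `com.microsoft.azureauthextension`, team identifier `SGGM6D27TK`, the login URLs and the `AppAllowList` key name are what I recall from Microsoft's published Enterprise SSO plug-in guidance; treat them as assumptions and confirm against the current docs before deploying. `{{DEVICEREGISTRATION}}` is an Intune-specific substitution token and is passed through verbatim here; a different MDM will need its own equivalent.

```python
"""Build and validate an Apple SSO-extension profile for the Defender/Intune user-enrollment setup.

Added example; the Microsoft identifiers below are assumed from Microsoft's published guidance.
"""
import plistlib
import uuid

# Microsoft Enterprise SSO plug-in identity (assumed; verify against Microsoft's docs)
MS_SSO_EXTENSION_ID = "com.microsoft.azureauthextension"
MS_TEAM_ID = "SGGM6D27TK"
# Identity-provider URLs the redirect extension should intercept (assumed set)
MS_SSO_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]
# Values from the post itself
DEFENDER_BUNDLE_ID = "com.microsoft.scmx"
DEVICE_REGISTRATION_KEY = "device_registration"
INTUNE_DEVICE_REGISTRATION_TOKEN = "{{DEVICEREGISTRATION}}"  # Intune substitution token, passed through verbatim


def build_sso_profile(app_bundle_ids, extra_extension_data=None, org="Example Org"):
    """Return a .mobileconfig (XML plist) with one com.apple.extensiblesso payload.

    app_bundle_ids maps to Intune's "App bundle IDs" field; extra_extension_data maps to
    Intune's "Additional configuration" key/value pairs. Both land in ExtensionData.
    """
    extension_data = {
        # Microsoft's allow-list key: comma-separated bundle IDs (assumed key name)
        "AppAllowList": ",".join(app_bundle_ids),
        "browser_sso_interaction_enabled": 1,
    }
    extension_data.update(extra_extension_data or {})
    sso_payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.microsoft",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Microsoft Enterprise SSO",
        "ExtensionIdentifier": MS_SSO_EXTENSION_ID,
        "TeamIdentifier": MS_TEAM_ID,
        "Type": "Redirect",
        "URLs": list(MS_SSO_URLS),
        "ExtensionData": extension_data,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.sso",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} - Microsoft SSO extension",
        "PayloadContent": [sso_payload],
    }
    return plistlib.dumps(profile)


def check_defender_prereqs(profile_bytes):
    """Return a list of problems (empty when the profile satisfies the post's two requirements)."""
    problems = []
    profile = plistlib.loads(profile_bytes)
    sso_payloads = [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.extensiblesso"
    ]
    if not sso_payloads:
        return ["no com.apple.extensiblesso payload in profile"]
    for payload in sso_payloads:
        if (payload.get("ExtensionIdentifier") != MS_SSO_EXTENSION_ID
                or payload.get("TeamIdentifier") != MS_TEAM_ID):
            problems.append("SSO payload is not the Microsoft Enterprise SSO extension")
        data = payload.get("ExtensionData", {})
        allowed = [b.strip() for b in str(data.get("AppAllowList", "")).split(",") if b.strip()]
        if DEFENDER_BUNDLE_ID not in allowed:
            problems.append(f"{DEFENDER_BUNDLE_ID} missing from AppAllowList")
        if data.get(DEVICE_REGISTRATION_KEY) != INTUNE_DEVICE_REGISTRATION_TOKEN:
            problems.append(
                f"{DEVICE_REGISTRATION_KEY} missing or not set to {INTUNE_DEVICE_REGISTRATION_TOKEN}"
            )
    return problems


if __name__ == "__main__":
    good = build_sso_profile([DEFENDER_BUNDLE_ID],
                             {DEVICE_REGISTRATION_KEY: INTUNE_DEVICE_REGISTRATION_TOKEN})
    print(good.decode())
    print("problems:", check_defender_prereqs(good))
```

Running the script prints the generated profile and an empty problem list; feeding `check_defender_prereqs` an exported profile that omits either key reports exactly which prerequisite is missing, which is the check to run before assuming Defender will register through user enrollment.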
>> Enhancing Government Security: Apple Indigo & BlackBerry UEM Partnership

In today's fast-paced digital world, the stakes for securing sensitive information are higher than ever, especially within government agencies. Enter Apple Indigo, a robust security solution certified by Germany's Federal Office for Information Security (BSI), designed specifically for Apple iOS devices like iPhones and iPads used in high-security government environments. This solution, coupled with BlackBerry's Unified Endpoint Management (UEM), presents an unprecedented level of security without sacrificing user experience.

🔍 What makes Apple Indigo & BlackBerry UEM so revolutionary?

1️⃣ High Security, Zero Specialized Hardware: Apple Indigo allows organizations to leverage standard Apple devices while meeting strict security demands up to VS-NfD (for official use only).

2️⃣ Streamlined Administration: With BlackBerry UEM's approach, sensitive data is safeguarded on both corporate and personal devices. Its architecture, requiring only outbound firewall ports, simplifies secure installation.

3️⃣ Seamless Integration: The Apple ecosystem, including the Mail, Calendar, and Contacts apps, can be securely used for official communication, eliminating the need for extra hardware or complex setups.

4️⃣ Comprehensive Solutions in One Place: BlackBerry's expertise in secure mobile solutions, combined with Apple's devices, offers a one-stop shop for high-security mobile work requirements.

5️⃣ Expanding Use Cases beyond Apple Indigo: Using BlackBerry's MDM solution for other brighsite deployments, e.g. SecuSUITE for Samsung Knox.

💡 Why This Matters: In an era where data breaches can impact national security, solutions like Apple Indigo & BlackBerry UEM provide organizations with high security, usability, and ease of management.

📢 Ready to learn more? Explore how this innovative solution can empower secure communication in high-stakes environments.

🔗 Indigo webpage: https://lmy.de/uFFiw
🔗 Join this German-language webcast to learn more details: https://lmy.de/uqvQB

❓ Thought-provoking question: How are you preparing your organization for the growing demands of digital security in today's unpredictable landscape?

#GovernmentSecurity #CyberSecuritySolutions #MobileSecurity #AppleIndigo #BlackBerryUEM
Organizations managing 500+ devices save up to 60% in IT workload.

An FMCG company's procurement manager walked into our office at QuickTech with a concern. "We want to upgrade to Apple devices, but managing hundreds of them seems like a nightmare."

They needed different setups for their sales and tech teams, pre-installed apps, security settings, and minimal IT intervention. Configuring each device manually wasn't an option.

That's when we introduced them to Apple Business Manager (ABM) and Mobile Device Management (MDM). With Zero-Touch Deployment, their employees could receive a sealed Apple device, turn it on, and everything would be pre-configured, right from apps to security policies.

"So, no manual setup? No IT headaches?" he asked.

Here are three key features of Apple Business Manager (ABM), which we explained to him:

📍 Zero-Touch Deployment – Devices arrive pre-configured and ready to use, with all apps and settings automatically installed.
📍 Centralized Device Management – Manage and assign different profiles for sales, tech, or any team from a single platform.
📍 Enhanced Security & Compliance – Enforce security policies, remotely wipe data, and ensure all devices stay updated.

Today, their teams work seamlessly, and IT no longer spends hours setting up devices.

If your business is confused about whether this setup would be helpful to you or not, let's have a chat :))

#procurement #apple #procurementmanagers #quicktech #it #fmcg
You have MAM for BYOD devices. Do you need Mobile App Vetting (MAV)?

Good question. Think about this. MAM (Mobile Application Management) helps secure corporate apps on BYOD devices, but malware can bypass these controls, putting corporate data at risk.

Here are a few things to think about:

Third-Party Work Apps: These apps are processing your enterprise data. How safe are they? Are they doing something they shouldn't be doing with your enterprise data?

Malware Outside Your MAM Container: Malware uses screen overlays, keylogging, and clipboard monitoring to steal sensitive information before it enters the secure container.

Bots Impersonating User Actions: Malware bots simulate taps and swipes to approve fraudulent transactions and modify app settings, bypassing MAM's copy/paste restrictions.

How MAV can help here:

🔹 App Vetting Before Deployment: Identify vulnerabilities and unexpected behaviors before rolling out apps to employees. Understand risks to corporate data and access.
🔹 Malware Detection & Access Control: Monitor personal apps for excessive permissions or unwanted behaviors and dynamically adjust corporate access to be proactive.
🔹 User Awareness Training: Inform employees about the risks and malicious apps they can encounter on BYOD devices to keep them safe, and the enterprise as well.

Conclusion: MAM alone isn't enough. Mobile App Vetting (MAV) adds a critical layer of security to identify and mitigate risks before they impact corporate data.

#BYOD #MobileSecurity #MAM #MAV #CyberSecurity #ZeroTrust #CISO #MTD #AppVetting #zimperium