How to manage containerized corporate data in managed devices?

Description:

The foremost priority of any organization is to keep the corporate data on the mobile devices secure. Most organizations configure corporate devices with required settings to securely access corporate data. But organizations cannot take complete control over user-owned devices in a BYOD environment since these devices can have personal data and apps along with corporate data and apps. This increases the risk of data breach from BYOD devices.

A data breach can occur in any of the following cases

  • If the personal apps present in the devices access the corporate data present on corporate apps.
  • If the confidential data downloaded from the corporate websites are accessed using personal apps.
  • If the corporate data is transferred from the managed devices to unmanaged devices
  • If the e-mail attachments available in the corporate e-mail account is accessed using personal apps
  • If the data available in the corporate accounts are backed up into the user's personal accounts

To prevent a data breach, the personal and corporate space on the device must be segregated. This logical containerization can prevent the apps in the personal space of the device from accessing the data present in the corporate space.

Resolution:

Follow the steps given below to achieve containerization of devices:

Android Devices

In case of Android devices provisioned as Profile Owner, a Work Profile is automatically created. This Work Profile logically containerizes the device without any manual steps.

This container ensures that the admin has complete control of the Work Profile which contains all the corporate data and apps. These apps in the Work Profile do not interfere or communicate with the apps in the personal space. Additionally, it also ensures that the corporate data cannot be transferred from the corporate space to the personal space or to other devices using USB,  thus ensuring complete data security. 

Containerization also ensures that the user cannot modify the corporate e-mail account configured by the organization. Thereby preventing users from adding their personal account to the corporate e-mail app. For the personal accocunt, an additional app can be downloaded in the personal device space.

iOS Devices

In case of iOS devices, the containerization does not happen automatically. Certain restrictions need to be applied to the devices to ensure data on the corporate apps and accounts remains completely secure on personal devices. Here is a list of suggested restrictions that can be applied to the devices to create a virtual container-

  • Share data from managed apps to unmanaged apps
  • Share data from unmanaged apps to managed apps
  • Screen capture and screen recording
  • Allow USB connections and pairing with iTunes
  • Sync data and documents of managed apps to iCloud

These are the major settings that need to be restricted on personal devices to ensure containerization, you can also restrict the other settings by navigating to Device Management -> Profiles -> Restrictions, based on your organizations requirements.

NOTE: When the restriction Share data from managed apps to unmanaged apps is enabled, the unmanaged apps would be unable to access managed contacts on iOS 11 devices. On devices running iOS 12 and above, the admin can allow access to managed contacts by enabling the option Allow unmanaged apps to access managed contacts.

Managed Web Domain

Managed Web Domain can be configured to ensure that any document downloaded from specific websites can be viewed or stored only in the ME MDM app in the devices. This is essential when users download confidential documents from corporate websites onto their personal devices. Configuring Managed Web Domain prevents unauthorised or personal apps from accessing the corporate data.

Document Viewer

Document Viewer is available in the ManageEngine MDM app present in the devices. It allows useres to view the content shared from the MDM servers, e-mail attachments or documents downloaded from pages configured in the Managed Web Domain profile. Since the document is downloaded in the ManageEngine MDM app, none of the personal or unauthorized apps can access these documents.The document viewer prevents the content from being uploaded to third-party cloud services.

Virtual Private Network (VPN)

Configuring a VPN grants secure access to the corporate data on the internet. Most organizations mandate the use of a VPN to access corporate data using personal devices. While VPN protects the data on the internet, the data available on the corporate apps can be protected by configuring per-app VPN, which creates a VPN when data on the specified apps is accessed.