How to achieve containerization in iOS using restrictions?

Description

Unlike Android which provides containerization by default when provisioned as Profile Owner, Apple doesn't offer containerization on iOS devices by default. However, with more organizations adopting a mobile-only workforce containerization on mobile devices is increasingly becoming a necessity. Containerization isolates personal and corporate data through a logical container ensuring there's no unauthorized access of corporate data. Containerization further helps in case of personal devices, whereby it ensures enterprises can control only the corporate data and enterprise apps while having zero control over te personal space. Though Apple doesn't provide containerization by default, MDM lets you achieve a logical container-like setup using multiple restrictions as explained below:

Steps

  • On your MDM console, click on Device Mgmt and select Profiles from the left menu.
  • Click on Create Profile and select Apple from the dropdown.
  • Click on Restrictions from the policy list. You can know more about Restrictions here.
  • Configure below given restrictions to achieve a container-like setup on managed devices. This is thhe recommended setup though it can be modified based on the needs of your organization. 

Restrictions marked with * are applicable only if the devices are Supervised.

AVAILABILE UNDER PARAMETER TO BE RESTRICTED PRE-REQUISITES COMMENTS
SECURITY

Share data from managed apps to unmanaged apps

Applicable for devices running 7.0 or later versions These restrictions prevent unauthorized access of corporate data by unapproved apps and also prevent users from removing the existing configurations by factory resetting the device.

Share data from unmanaged apps to managed apps

Applicable for devices running 7.0 or later versions

Allow user to wipe device by erasing all content and settings*

Applicable for devices running 8.0 or later versions

ADVANCED SECURITY

Install configuration profiles and certificates interactively*

Applicable for devices running 6.0 or later versions

These restrictions prevent users from adding unauthorized certificates/profiles on the devices as well as prevent users from adding non-corporate accounts to the device or allow devices to be paired using iTunes or via USB, thereby preventing data from being shared through USB.

Add/Modify iCloud, Mail and other accounts*

Applicable for devices running 7.0 or later versions

Allow iTunes pairing and other USB connections*

Applicable for devices running 7.0 or later versions

APPLICATION

Users can install unapproved apps*

N/A

Prevents unapproved apps from being installed on the device, thereby preventing these apps from accessing corporate apps or the data they work with.

NETWORK AND ROAMING

Connect to Wi-Fi, only if distributed via MDM*

Applicable for devices running 10.3 or later versions

This prevents users from connecting to untrusted Wi-Fi connections as well as configure unauthorized VPN connections on the device, thus ensuring secure transmission of corporate data.

Allow users to configure VPN*

Applicable for devices running 11.0 or later versions

ICLOUD

iCloud Device Backup

N/A

This prevents corporate data from being saved on iCloud, which is a third-party cloud service.

iCloud Sync Data and Documents of Managed Apps

Applicable for devices running 8.0 or later versions
  • Now, Save and Publish this profile. Distribute it to devices and/or groups.
  • On successful profile association, you would have a container-like setup on devices.