You can set up your iOS/iPadOS company devices (so-called supervised devices) so that they can be used either exclusively for business (Company Owned Business Only - COBO) or for both business and private use (Company Owned Personally Enabled - COPE).
In the case of a device designated for business use only, the company retains full control over the device. If supervised devices are also permitted to be used privately, users simply gain access by using their private Apple ID. The personal area on a company-owned device, including personal apps, data and usage, is neither visible nor accessible to the company.
Aim
In this How-To we will show you how to set up supervised devices as either COBO or COPE devices.
Implementation
Setting up COBO devices
- To start, proceed as described in the help article Embedding company-owned iOS/iPadOS devices (COBO/COPE).
- In the ADE profile, remove the checkmark for Apple-ID and iCloud login (arrow in illus.). This prevents the user from entering an Apple ID during setup.
- Under Administration → Policies, click on the plus button (left arrow in illus.) to create a policy for iOS/iPadOS devices (right arrow in illus.).
- Keep the selection Supervised devices (arrow in illus.).
- Now remove the checkmark from the Allow changing account settings checkbox (arrow in illus.).
- Then select the policy you created (left arrow in illus.) and assign it to the desired users, groups or devices (right arrow in illus.).
- Now users can no longer log in with an Apple account (arrow in illus.).
The company has full control over the device and can control it remotely. Apps can be installed and uninstalled and global guidelines implemented. The device can be located and, if necessary, reset.
Setting up COPE devices
Allow login with private Apple ID
- To start, proceed as described in the help article Embedding company-owned iOS/iPadOS devices (COBO/COPE).
- In the ADE profile place a checkmark in the box for Apple-ID and iCloud login (arrow in illus.). This will allow the user to enter their Apple ID during the device setup.
- Access to the account settings on the device is not restricted. Changes can be made at any time via the device settings (arrow in illus.).
As before, the company has control over the device, but not over the personal space. This, including its apps, data and usage, is neither visible nor accessible to the company.
Separate business and private apps and data
Users of COPE devices can now download private apps to their devices via the App Store. Business apps, on the other hand, are assigned to users via the administration portal. To do this, proceed as described in our help article Import and distribute apps from Apple Business Manager.
To prevent the exchange of data between private and business apps and contacts, you must now activate or deactivate some policies.
- Create a new policy. To do this, click on the plus icon in the administration portal under Administration → Policies. Then select iOS/iPadOS.
- In the policies, first select the setup method Supervised devices (arrow in illus.).
For the separation of business and private apps and data, you will find a series of policies under Data and container protection. Configure at least the selected policies as follows (see illus.):
- Uncheck Allow documents from managed sources in unmanaged destinations (second arrow in illus.). Then, when sharing files, users on iOS devices will only be offered those apps that you have made available via the Administration Portal.
- If you also want to prevent data from private apps from entering business apps, uncheck Allow documents from unmanaged sources in managed destinations (third arrow in illus.).
- If you also want to prevent data (e.g. texts) from being copied and pasted back and forth between managed and unmanaged apps, enable the Managed Pasteboard (lower arrow in illus.).
- Also make sure that the checkbox Allow unmanaged apps to read from managed contacts is deactivated (default setting) (upper arrow in illus.). This ensures that private apps (such as WhatsApp) cannot access business contact data. Please also note the information in our How-To How to prevent WhatsApp, Clubhouse and their like from accessing business contacts on iOS.
- Deactivate the Allow managed apps to write to unmanaged contacts policy. This prevents managed apps, such as Outlook, from accessing private contacts.
Note! The Allow unmanaged apps to read from managed contacts policy and the Allow managed apps to write to unmanaged contacts policy only take effect if the Allow documents from managed sources in unmanaged destinations policy has been deactivated. The Managed Pasteboard policy only applies if the Allow documents from unmanaged sources in managed destinations policy has been deactivated.
Now, if the user wants to share a document with another app or export the document there, only business apps will be offered (example in illus.). Thus, private and business data are kept apart from each other.
There are also a number of other policies available here that you can use to prevent data from flowing out via AirDrop, iCloud or the Files app. Activate/deactivate these policies accordingly.
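To check the separation settings independently of the portal, the following added example (not part of the original article or the product) audits the Restrictions payload of an exported configuration profile, including the dependencies from the note above. It assumes that the portal's policies map to the Apple Restrictions payload keys named in the code; the function names and the sample profile are constructed for illustration.

```python
import plistlib

# Assumption: the portal's policies map to these keys of Apple's Restrictions
# payload (com.apple.applicationaccess). key: (value for separation, Apple default)
EXPECTED = {
    "allowOpenFromManagedToUnmanaged": (False, True),
    "allowOpenFromUnmanagedToManaged": (False, True),
    "requireManagedPasteboard": (True, False),
    "allowUnmanagedToReadManagedContacts": (False, False),
    "allowManagedToWriteUnmanagedContacts": (False, False),
}

def audit_cope_separation(profile_bytes):
    """Return findings for the Restrictions payload of a .mobileconfig profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no Restrictions payload found"]
    # A key missing from the payload falls back to Apple's default.
    eff = {k: payloads[0].get(k, default) for k, (_, default) in EXPECTED.items()}
    findings = [f"{k} is {eff[k]}, expected {want}"
                for k, (want, _) in EXPECTED.items() if eff[k] != want]
    # Dependencies stated in the note above.
    if eff["allowOpenFromManagedToUnmanaged"]:
        findings.append("contact policies inactive: managed-to-unmanaged sharing is allowed")
    if eff["requireManagedPasteboard"] and eff["allowOpenFromUnmanagedToManaged"]:
        findings.append("managed pasteboard inactive: unmanaged-to-managed sharing is allowed")
    return findings

def build_profile(restrictions):
    """Build a constructed sample profile (not exported from a real portal)."""
    payload = {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
               "PayloadIdentifier": "example.invalid.restrictions", **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadContent": [payload]})

if __name__ == "__main__":
    weak = build_profile({"requireManagedPasteboard": True})
    for finding in audit_cope_separation(weak):
        print(finding)
```

An empty result means the payload matches the settings recommended in this How-To; a profile that only enables the managed pasteboard produces four findings, two of them for the unmet dependencies.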