Apple has a very clear vision of the role of iOS devices in the enterprise. There is BYOD, and there are enterprise-owned devices, with nearly completely different models for each. The owner of the device defines the security and management model.
On employee owned devices:
- The enterprise sends a configuration profile that the user can choose to accept or decline.
- If the user accepts it, certain minimal security can be required, such as passcode settings.
- The user gains access to their corporate email, but cannot move messages to other email accounts without permission.
- The enterprise can install managed apps, which can be set to only allow data to flow between them and managed accounts (email). These may be enterprise apps or enterprise licenses for other commercial apps. If the enterprise pays for it, they own it.
- The user otherwise controls all their personal accounts, apps, and information on the device.
- All this is done without exposing any user data (like the user’s iTunes Store account) to the enterprise.
- If the user opts out of enterprise control (which they can do whenever they want) they lose access to all enterprise features, accounts, and apps. The enterprise can also erase their ‘footprint’ remotely whenever they want.
- The device is still tied to the user’s iCloud account, including Activation Lock to prevent anyone, even the enterprise, from taking the device and using it without permission.
On enterprise owned devices:
- The enterprise controls the entire provisioning process, from before the box is even opened.
- When the user first opens the box and starts their assigned device, the entire experience is managed by the enterprise, down to which setup screens display.
- The enterprise controls all apps, settings, and features of the device, down to disabling the camera and restricting network settings.
- The device can never be associated with a user’s iCloud account for Activation Lock; the enterprise owns it.