Apple, in its OS Deployment guide, describes an MDM as “a solution [that] lets you securely enroll Apple devices in your organisation, wirelessly configure and update device settings, monitor policy compliance, deploy apps and books, and remotely wipe or lock managed devices.”
iOS doesn’t allow consumer apps to control or monitor the system; apps only get to play in their own sandbox with just the data the app creates and the data the operating system shares with it. But to make an effective screen time app these companies were using MDM, running at the system level, to monitor app usage. This allowed, in some cases, parents to become admins of their children’s devices. But it also gave these random third-party apps and the companies controlling them incredible access to any Apple device they were installed on.
It makes sense for Apple to close this privacy loophole. We’ve seen how badly a company like Facebook can abuse user data with Onavo, a VPN app also running at the system level, that monitored the network traffic of anyone who installed it. There’s nothing necessarily sinister about VPN technology, just like with MDM, as long as you completely trust the provider of the service.
The other thing that’s bugged me about this story is Apple’s reaction to it.
Apple’s public relations messages are normally crafted with surgical precision. In a recent spat with Spotify, you could feel the years of tension dripping from every word on Apple’s newsroom post, but despite that, the release was calm, economically worded, and immediately put an end to a public relations Cold War between the companies.
For the most part, Apple’s official response to the NYT story on its newsroom was concise and well written, but in an effort to really put the discussion to bed, I feel the company overreached in painting MDM as some kind of digital boogeyman.
Apple’s statement reads: “MDM does have legitimate uses. Businesses will sometimes install MDM on enterprise devices to keep better control over proprietary data and hardware. But it is incredibly risky — and a clear violation of App Store policies — for a private, consumer-focused app business to install MDM control over a customer’s device. Beyond the control that the app itself can exert over the user’s device, research has shown that MDM profiles could be used by hackers to gain access for malicious purposes.”
I can appreciate the shorthand here, but as an Apple System Administrator myself, that paragraph is incredibly frustrating. I prefer Apple’s own simple definition of MDM above, and wish it had used that to make it clear why implementing it as the screen time apps did is a bad idea.
I’ve spent years fighting the perception that IT wants to lock down, control, and monitor your device. I’ve always tried to stay out of my users’ way, just adding a company App Store and a few tweaks to make connecting to our enterprise’s services a little easier. All carrot, no stick, is my personal goal as an Apple SysAdmin. This is not the controlling, invasive picture Apple’s newsroom paints of my profession.
Perhaps I’m being too sensitive, but in the rush to defend itself against the Times article, I feel Apple’s PR team has thrown its enterprise and education teams, as well as every MDM vendor and system administrator, under the bus.
One thing is certain: writing about technology for a mainstream audience is harder than it looks.