The rise of the iPhone and iPad as an unmatched, personal productivity champion has resulted in an always-connected, modern, mobile workforce – and a big challenge for IT management.

Mobile device ownership is ubiquitous, and most employees bring their devices on the job, whether it's for work, personal, or both. However, in the past few years, trying to tap into this device's potential has not been easy. Many Bring Your Own Device (BYOD) programs have been great in concept but flawed in practice. Employees provide the hardware, and organizations provide access, but devices are often over-managed, or the employees are under-served.

On one side, the mobile device management framework can lead to over-management because it can see every application on the device – both work and personal. IT also has the ability to lock, unlock or wipe the entire device. Obviously, the owner is not fond of giving up complete control of their personal device, not to mention having their privacy compromised – or even the feeling of that privacy being compromised.

Another method of managing BYOD devices is mobile application management, which allows IT to apply corporate policies to specific apps provisioned to the device. The problem is, IT is unable to provide other services like securely configuring Wi-Fi and VPN or requiring device passcodes and other security measures to confidently give employees corporate access to the resources they need to do their job. The absence of basic corporate policies leaves these employees feeling under-served, and IT feeling open to security vulnerabilities.

The reality is, the success – or failure – of a BYOD program hinges on both the comfort of the organization and the user, which requires the right balance of IT control and securing devices with personal privacy. This paper outlines a strategy for striking that balance and BYOD work.

Privacy matters to users

Our personal devices carry the most private kinds of data: Personal correspondence, photos, contacts, and documents. Even the choice of apps installed on the device can reveal very private information about our hobbies, habits, and lifestyle. It's no surprise that most employees are reluctant to give access to that information by enrolling their personal devices in a mobile device management (MDM) system controlled by their organization’s IT group.

When BYOD programs fail, one common reason is users are reluctant to volunteer access – or even the perception of access – to this personal data by an IT admin. Personal privacy matters-, and users are increasingly sensitive to any attempt at breaching the privacy barrier in the name of IT control.


Security matters to IT

For the IT e, the idea of unfettered access to internal resources from personal devices with unknown configurations and security controls is the stuff of nightmares. Mobile devices are a common target for malware or phishing attacks and present a potential vector for intrusion when connected to an organization’s network.

Without any visibility or control of the endpoints, effective IT security is an impossible task. The need for security is what pushes organizations to use MDM for their BYOD program, and therefore require employees to enroll their personal devices to gain access to the internal network, mail, calendars, VPN, and more.

Striking the Balance

Both users and IT have perfectly valid concerns. The employee only wants to use one device but doesn’t want to give up access and control of their private data. IT wants to cut down costs by purchasing fewer corporate devices but still needs organizational security. For many organizations, these crossroads meant failure for their BYOD program.

One Solution to satisfying both concerns is to rethink the role of MDM as it applies to BYOD. Instead of a one-size-fits-all approach, IT managers can choose an MDM tool that’s designed for BYOD, with privacy protection to satisfy the employee and strong security controls to satisfy the needs of IT.

BYOD for the modern workforce

Leading organizations choose a feature set specifically for BYOD, to meet the needs of both sides but without unnecessary complexities and added costs. It's important for both IT and the end user to clearly understand the benefits of a BYOD program designed for them. It's also critical to the success of the program to provide communication and transparency to employees about the advantage of a BYOD program, as this will help ease any tension over using a personally owned device at work. Below are some examples of what the organization and employees can gain from a well-designed BYOD program.


Example BYOD Management Controls

IT admins can:

  • Lock the device.
  • Apply corporate configurations, like Wi-Fi, VPN, mail, and passcode requirements.
  • Install and remove corporate apps and books and the associated data.
  • Collect security info from the device.
  • Add/remove restrictions that protect corporate data.


IT admins cannot:

  • Erase private data like photos, personal mail, or contacts.
  • Remove any personal apps.
  • View any private data including the names of personal apps.
  • Restrict the usage of the device or limit the personal apps that can be installed.
  • Track the location of the device.
  • Remove anything installed by the user.
  • Collect the user’s information from the device.


Success is when everyone wins!

Employee Benefits

A familiar experience, both personal & professional, all in one device.

  • Transparency of IT management capabilities for a personally owned device, before enrolling, which ensures the protection of the user’s personal data.
  • Secure access to `corporate resources such as emails, calendars, Wi-Fi, and apps, making it easy to be productive.

Organizational Benefits

A balance between security and end-user privacy, all in one device.

  • Ensure the security of the device and access to corporate data and resources, keeping employees protected and productive.
  • Reduction in cost by purchasing fewer devices.


BYOD with Jamf and Apple

As this paper stresses, the goal is to hit a sweet spot for personal devices that don’t overmanage but still allow IT to adequately serve their users and organization through easy, secure access to the software and apps users need for their jobs. It’s with this in mind that Jamf has leveraged Apple to extend the benefits and enhance what is possible for Bring Your Own Device Programs.

With a heavy focus on security and privacy, Apple’s Account-Driven User Enrolment is a BYOD method for iOS and iPad OS devices that streamlines the user enrolment onboarding process and focuses on providing corporate access to BYOD users while maintaining user privacy on their personal devices. Organizations can take advantage of this new workflow to enroll personally owned mobile devices with iOS and iPad OS 15 with Jamf Pro 10.33 or later.

Account-Driven User Enrolment keeps personal and institutional data separate by associating a personal Apple ID with personal data and a Managed Apple ID with corporate data. Jamf Pro has embraced Apple’s Service Discovery feature, allowing for use of a set of configurations that associate management with the employee and how they use the device for work, not the entire device itself. The user has the ability to access their corporate data in a secure manner without IT ever having to touch the device or send them an enrollment link. The employee even receives Jamf Self-Service which can be used to install corporate applications. And all the user needs to do is something simple and similar to what they’ve done many times before on their personal device which is to go into general settings. It’s a familiar and trusted experience that makes it easy for the user and a bit like zero-touch deployment for IT with the perks of secure access to their organization’s resources.



A successful BYOD program is a benefit to employees and IT admins alike. With the right MDM solution, IT can concentrate on addressing critical enterprise needs without friction from the technology itself or users. And users receive comfort and familiarity with their own devices without intrusive IT involvement.