Apple Reverses Course and Allows Parental Control Apps to Use MDM Technology With Stricter Privacy Requirements

[MacRumors]

As one of many updates to its App Store Review Guidelines this week, Apple has indicated that parental control app developers are again permitted to use Mobile Device Management (MDM) technology in their apps, so long as they do not sell, use, or disclose any data to third parties for any purpose.

An excerpt from the newly added Guideline 5.5:

You must make a clear declaration of what user data will be collected and how it will be used on an app screen prior to any user action to purchase or otherwise use the service. MDM apps must not violate local laws. Apps offering MDM services may not sell, use, or disclose to third parties any data for any purpose, and must commit to this in their privacy policy. Apps that do not comply with this guideline will be removed from the App Store and you may be removed from the Apple Developer Program.

This comes a little over a month after The New York Times reported that Apple had removed or restricted many of the most popular screen time and parental control apps on the App Store since launching its own Screen Time feature in iOS 12 last year, raising concerns over potentially anticompetitive behavior.

In response to the report, Apple said it had discovered that some parental control apps were using MDM, putting the privacy and security of children at risk.

"These apps were using an enterprise technology that provided them access to kids' highly sensitive personal data," an Apple spokesperson said in a statement issued to The New York Times on Monday. "We do not think it is O.K. for any apps to help data companies track or optimize advertising of kids."

MDM technology is intended for enterprise users to manage their company-owned devices, and Apple said the use of MDM by consumer-focused apps carried privacy and security concerns that resulted in the company addressing the situation in its App Store Review Guidelines in 2017.

Backlash quickly mounted from parental control app developers, who eventually joined together to petition Apple to "put kids first" by releasing a public API for its Screen Time for use by developers. That never happened, with Apple going down this route instead and allowing MDM usage with stricter privacy requirements.

Apple's updated guidelines also indicate that parental control apps from "approved providers" may use one of its Personal VPN APIs.

Apple has faced increasing scrutiny over its App Store and potentially anticompetitive business practices, ranging from Spotify's complaint to multiple class action lawsuits. In response, Apple said it "welcomes competition" on the App Store, which only serves to make it a "better" platform.

Article Link: Apple Reverses Course and Allows Parental Control Apps to Use MDM Technology With Stricter Privacy Requirements

 

[Kabeyun]

I think this is the wrong solution. Unfortunate that they chose MDM over providing screen time APIs to developers.

 

[HopefulHumanist]

I think this is the wrong solution. Unfortunate that they chose MDM over providing screen time APIs to developers.

Well it’s gonna take time for them to release the APIs; this problem was only recently discovered. This is a decent stop-gap until the APIs are released.

 

[MatthewUT44]

Helicopter parents were gonna revolt so hard lol Apple

 

[BootsWalking]

There's no question the recent DOJ antitrust news factored into Apple's decision. If history has proven anything it's that Apple responds to legal threats, be they from private class action suits or from federal agencies.

 

[az431]

I think this is the wrong solution. Unfortunate that they chose MDM over providing screen time APIs to developers.

There is no Screen Time API. Does not exist.

 

[69Mustang]

Well it’s gonna take time for them to release the APIs; this problem was only recently discovered. This is a decent stop-gap until the APIs are released.

I agree with @Kabeyun and @BootsWalking This is the wrong solution and it sends a contradictory message.
What happened to putting the privacy and security of children at risk? Aren't those same supposed risks still there? Apple did nothing to mitigate the supposed risks, they just reversed the decision regarding MDM. The devs can still collect the same info they were collecting before.

I think you're right that it will take time to develop API's - which is the correct decision imo. Not so right in thinking this is a decent stop-gap. This reads more like a reversal to mitigate the anti competitive claims.

 

[thisisnotmyname]

This seems like a bad idea, it's going to be cited as precedent somewhere.

 

[rjp1]

There is no Screen Time API. Does not exist.

That is his point. They should provide APIs to it instead of allowing them to misuse MDM.

 

[jimbobb24]

Apple original decision was correct. Misusing APIs is always a reason you can get booted.

 

[TriBruin]

I agree with @Kabeyun and @BootsWalking This is the wrong solution and it sends a contradictory message.
What happened to putting the privacy and security of children at risk? Aren't those same supposed risks still there? Apple did nothing to mitigate the supposed risks, they just reversed the decision regarding MDM. The devs can still collect the same info they were collecting before.

I think you're right that it will take time to develop API's - which is the correct decision imo. Not so right in thinking this is a decent stop-gap. This reads more like a reversal to mitigate the anti competitive claims.

As I stated when Apple make the original decision, the statements that Apple made in public about the privacy implications of MDM were, at best, misleading, and at worse, completely false. Through the MDM protocol, there is absolutely no way to pull most of the data that Apple said was at risk. No MDM has direct access things like contacts, browsing history, or calendars. When Apple made that statement, there was a collective "Whaaaat?" from the Enterprise market.

It sounds like Apple has come up with a good interim solution and are working with their developers. Good for Apple.

 

[Appleman3546]

They probably didn’t want the European Commission and Spotify to use the MDM competition removals against them during the anti-competition investigation...smart move to allow this “for now” until the investigation ends and then Apple can remove them again since there is no other alternative distribution methods for those competing apps (meaning Apple can decide what is best for consumers and developers at a whim instead of a competitive market deciding)

On a side note, I do like that this article ends by noting that Apple said it “welcomes competition” within the App Store and it makes the platform “better”...I guess that is technically true because those competitors pay Apple 30% to compete IF they aren’t removed like the MDM apps

 

[Kabeyun]

There is no Screen Time API. Does not exist.

Yet. That’s the point. That’s the right answer.

 

[az431]

As I stated when Apple make the original decision, the statements that Apple made in public about the privacy implications of MDM were, at best, misleading, and at worse, completely false. Through the MDM protocol, there is absolutely no way to pull most of the data that Apple said was at risk. No MDM has direct access things like contacts, browsing history, or calendars. When Apple made that statement, there was a collective "Whaaaat?" from the Enterprise market.

It sounds like Apple has come up with a good interim solution and are working with their developers. Good for Apple.

Absolutely false. You can, in fact, access contacts, calendars, and other sensitive data via MDM if the user agrees, which is precisely what these apps were requiring.

 

[69Mustang]

Absolutely false. You can, in fact, access contacts, calendars, and other sensitive data via MDM if the user agrees, which is precisely what these apps were requiring.

What? Where did you get that info? Afaik, Apple supposedly shut down apps using MDM because they could access that info, not because they were accessing that info. In fact, Apple has never said any of the app developers did anything wrong regarding data. It was always about using scare tactics as justification. Nothing has changed. The apps still can access that info, yet MDM use is okay. We all know why.

 

[TriBruin]

Absolutely false. You can, in fact, access contacts, calendars, and other sensitive data via MDM if the user agrees, which is precisely what these apps were requiring.

Nope, still wrong. An MDM can not access that data. Here is a direct quote from Apple:

The examples show what a third-party MDM server can and cannot see on a personal iOS device:
MDM can see:

• Device name
• Phone number
• Serial number
• Model name and number
• Capacity and space available
• iOS version numbed
• Installed apps

MDM cannot see personal data such as:

• Personal or work mail, calendars, contacts SMS or iMessages
• Safari browser history
• FaceTime or phone call logs
• Personal reminders and notes Frequency of app use
• Device location

This is direct from this Apple link: https://www.apple.com/business/resources/docs/Managing_Devices_and_Corporate_Data_on_iOS.pdf

Now, is it possible these vendors COULD have access to this data, yes, but not through MDM. Any APP can request access, but the user has to agree to it. But, that is not MDM.

 

[petvas]

That is his point. They should provide APIs to it instead of allowing them to misuse MDM.

Maybe the APIs are just not ready yet and are coming next year, but Apple needed a quick solution, so they chose to change their policy