Apple Reverses Course and Allows Parental Control Apps to Use MDM Technology With Stricter Privacy Requirements

MacRumors

macrumors bot
Original poster
Apr 12, 2001
46,798
8,966



As one of many updates to its App Store Review Guidelines this week, Apple has indicated that parental control app developers are again permitted to use Mobile Device Management (MDM) technology in their apps, so long as they do not sell, use, or disclose any data to third parties for any purpose.


An excerpt from the newly added Guideline 5.5:
You must make a clear declaration of what user data will be collected and how it will be used on an app screen prior to any user action to purchase or otherwise use the service. MDM apps must not violate local laws. Apps offering MDM services may not sell, use, or disclose to third parties any data for any purpose, and must commit to this in their privacy policy. Apps that do not comply with this guideline will be removed from the App Store and you may be removed from the Apple Developer Program.
This comes a little over a month after The New York Times reported that Apple had removed or restricted many of the most popular screen time and parental control apps on the App Store since launching its own Screen Time feature in iOS 12 last year, raising concerns over potentially anticompetitive behavior.

In response to the report, Apple said it had discovered that some parental control apps were using MDM, putting the privacy and security of children at risk.

"These apps were using an enterprise technology that provided them access to kids' highly sensitive personal data," an Apple spokesperson said in a statement issued to The New York Times on Monday. "We do not think it is O.K. for any apps to help data companies track or optimize advertising of kids."

MDM technology is intended for enterprise users to manage their company-owned devices, and Apple said the use of MDM by consumer-focused apps carried privacy and security concerns that resulted in the company addressing the situation in its App Store Review Guidelines in 2017.

Backlash quickly mounted from parental control app developers, who eventually joined together to petition Apple to "put kids first" by releasing a public API for its Screen Time for use by developers. That never happened, with Apple going down this route instead and allowing MDM usage with stricter privacy requirements.

Apple's updated guidelines also indicate that parental control apps from "approved providers" may use one of its Personal VPN APIs.

Apple has faced increasing scrutiny over its App Store and potentially anticompetitive business practices, ranging from Spotify's complaint to multiple class action lawsuits. In response, Apple said it "welcomes competition" on the App Store, which only serves to make it a "better" platform.

 

BootsWalking

macrumors 65816
Feb 1, 2014
1,259
7,297
There's no question the recent DOJ antitrust news factored into Apple's decision. If history has proven anything it's that Apple responds to legal threats, be they from private class action suits or from federal agencies.
 

69Mustang

macrumors 604
Jan 7, 2014
7,057
12,818
In between a rock and a hard place
> Well it’s gonna take time for them to release the APIs; this problem was only recently discovered. This is a decent stop-gap until the APIs are released.

I agree with @Kabeyun and @BootsWalking. This is the wrong solution and it sends a contradictory message.
What happened to putting the privacy and security of children at risk? Aren't those same supposed risks still there? Apple did nothing to mitigate the supposed risks, they just reversed the decision regarding MDM. The devs can still collect the same info they were collecting before.

I think you're right that it will take time to develop APIs - which is the correct decision imo. Not so right in thinking this is a decent stop-gap. This reads more like a reversal to mitigate the anticompetitive claims.
 

jimbobb24

macrumors 65816
Jun 6, 2005
1,101
1,397
Apple's original decision was correct. Misusing APIs is always a reason you can get booted.
 

TriBruin

macrumors regular
Jul 28, 2008
131
289
> I agree with @Kabeyun and @BootsWalking. This is the wrong solution and it sends a contradictory message.
> What happened to putting the privacy and security of children at risk? Aren't those same supposed risks still there? Apple did nothing to mitigate the supposed risks, they just reversed the decision regarding MDM. The devs can still collect the same info they were collecting before.
>
> I think you're right that it will take time to develop APIs - which is the correct decision imo. Not so right in thinking this is a decent stop-gap. This reads more like a reversal to mitigate the anticompetitive claims.

As I stated when Apple made the original decision, the statements that Apple made in public about the privacy implications of MDM were, at best, misleading, and at worst, completely false. Through the MDM protocol, there is absolutely no way to pull most of the data that Apple said was at risk. No MDM has direct access to things like contacts, browsing history, or calendars. When Apple made that statement, there was a collective "Whaaaat?" from the Enterprise market.

It sounds like Apple has come up with a good interim solution and are working with their developers. Good for Apple.
 

Appleman3546

macrumors member
May 13, 2019
90
113
They probably didn’t want the European Commission and Spotify to use the MDM competition removals against them during the anti-competition investigation... smart move to allow this “for now” until the investigation ends and then Apple can remove them again since there are no other alternative distribution methods for those competing apps (meaning Apple can decide what is best for consumers and developers at a whim instead of a competitive market deciding)

On a side note, I do like that this article ends by noting that Apple said it “welcomes competition” within the App Store and it makes the platform “better”...I guess that is technically true because those competitors pay Apple 30% to compete IF they aren’t removed like the MDM apps
 

az431

macrumors 65816
Sep 13, 2008
1,377
3,904
Portland, OR
> As I stated when Apple made the original decision, the statements that Apple made in public about the privacy implications of MDM were, at best, misleading, and at worst, completely false. Through the MDM protocol, there is absolutely no way to pull most of the data that Apple said was at risk. No MDM has direct access to things like contacts, browsing history, or calendars. When Apple made that statement, there was a collective "Whaaaat?" from the Enterprise market.
>
> It sounds like Apple has come up with a good interim solution and are working with their developers. Good for Apple.

Absolutely false. You can, in fact, access contacts, calendars, and other sensitive data via MDM if the user agrees, which is precisely what these apps were requiring.
 

69Mustang

macrumors 604
Jan 7, 2014
7,057
12,818
In between a rock and a hard place
> Absolutely false. You can, in fact, access contacts, calendars, and other sensitive data via MDM if the user agrees, which is precisely what these apps were requiring.

What? Where did you get that info? Afaik, Apple supposedly shut down apps using MDM because they could access that info, not because they were accessing that info. In fact, Apple has never said any of the app developers did anything wrong regarding data. It was always about using scare tactics as justification. Nothing has changed. The apps still can access that info, yet MDM use is okay. We all know why.
 

TriBruin

macrumors regular
Jul 28, 2008
131
289
> Absolutely false. You can, in fact, access contacts, calendars, and other sensitive data via MDM if the user agrees, which is precisely what these apps were requiring.

Nope, still wrong. An MDM cannot access that data. Here is a direct quote from Apple:

The examples show what a third-party MDM server can and cannot see on a personal iOS device:
MDM can see:
  • Device name
  • Phone number
  • Serial number
  • Model name and number
  • Capacity and space available
  • iOS version number
  • Installed apps
MDM cannot see personal data such as:
  • Personal or work mail, calendars, contacts
  • SMS or iMessages
  • Safari browser history
  • FaceTime or phone call logs
  • Personal reminders and notes
  • Frequency of app use
  • Device location
This is direct from this Apple link: https://www.apple.com/business/resources/docs/Managing_Devices_and_Corporate_Data_on_iOS.pdf

Now, is it possible these vendors COULD have access to this data? Yes, but not through MDM. Any APP can request access, but the user has to agree to it. But that is not MDM.