Full access to my phone via Profiles and Device Management

applelover4u

macrumors 6502
Original poster
Nov 6, 2012
300
139
So whoever I add to profiles and device management and grant trusted status will without a doubt have full access to my phone? is that how it works?

Or can they only control or see certain aspects of the phone?
 

Shirasaki

macrumors G3
May 16, 2015
9,980
3,867
Yup. Profile can only control certain aspects of your phone. It is not a way to jailbreak, which no doubt gives you full access (or nearly) to your device.
 

Shirasaki

macrumors G3
May 16, 2015
9,980
3,867
Which aspects can they see or control?
For example:
Through a profile, a corporation can set up mail accounts and all associated settings so that once the profile is installed, the user can use a certain email address.
Or, a profile allows the user to download content only available in certain organizations or even networks.
Or, users could be prevented from changing certain device settings (possibly those invisible to users) or erasing the device without credentials.
 

Justaguy48

macrumors member
May 2, 2017
64
52
MDM and profiles, mainly from academic and corporate institutions, are more about what the device is allowed to do, versus what the profile/MDM can do.

Profiles are limited, for example configuring a Wi-Fi login for a corporate network, or a profile to set up a VPN.

MDM can control almost every aspect of the phone. It doesn't have access to the root system, no public iOS software allows that, but when MDM is installed almost any feature or option, even ones you don't know exist, can be changed.

If you're curious about what MDM can do you can download Apple Configurator 2, that'll give you an idea of what can be changed.
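
Added example, not part of the thread: a small Python audit of a configuration profile (`.mobileconfig`), listing which payloads it carries so you can tell a Wi-Fi/VPN/mail profile from one that enrolls the device in MDM. It assumes an unsigned profile (a plain property list); the sample profile, its values and the description strings are constructed for illustration.

```python
import plistlib

# Payload types from Apple's configuration profile format; the short
# descriptions are this example's own wording.
PAYLOAD_MEANING = {
    "com.apple.wifi.managed": "configures a Wi-Fi network",
    "com.apple.vpn.managed": "configures a VPN",
    "com.apple.mail.managed": "sets up a mail account",
    "com.apple.applicationaccess": "restricts device features and settings",
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.mdm": "enrolls the device in MDM (remote management)",
}

def audit_profile(data: bytes) -> dict:
    """Summarise what an unsigned .mobileconfig would configure."""
    try:
        profile = plistlib.loads(data)
    except plistlib.InvalidFileException:
        # Signed profiles are wrapped in a CMS envelope and must be unwrapped first.
        raise ValueError("not a plain plist (signed or corrupt profile?)")
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        meaning = PAYLOAD_MEANING.get(ptype, "unrecognised payload, review manually")
        findings.append((ptype, meaning))
    return {
        "name": profile.get("PayloadDisplayName", "<unnamed>"),
        "organization": profile.get("PayloadOrganization", "<none>"),
        "enrolls_mdm": any(t == "com.apple.mdm" for t, _ in findings),
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "findings": findings,
    }

# Constructed sample profile (all values are placeholders).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Corp Onboarding",
    "PayloadOrganization": "Example Corp",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleCorp"},
        {"PayloadType": "com.apple.mdm", "ServerURL": "https://mdm.example.invalid/"},
        {"PayloadType": "com.example.custom"},
    ],
})

if __name__ == "__main__":
    report = audit_profile(SAMPLE)
    print(report["name"], "| MDM enrollment:", report["enrolls_mdm"])
    for ptype, meaning in report["findings"]:
        print(f"  {ptype}: {meaning}")
```
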
 

applelover4u

macrumors 6502
Original poster
Nov 6, 2012
300
139
What is MDM?
 

cswifx

Suspended
Dec 15, 2016
563
180
What about enterprise profiles that people install to install third party apps? Are those given the same capabilities?
 

Justaguy48

macrumors member
May 2, 2017
64
52
This is what I want to know
1. For an app to run on any iOS device it has to be signed.
2. There are two types of apps. "Private" apps and "public" apps.

Public apps are ones on the App Store that follow all of Apple's guidelines and are signed by Apple. This means that the iOS device recognizes that Apple allows the app to run on the device.

Private apps, or internal apps, are ones that are commonly developed and used by an organization. For example the US military has their own "AppStore" where you can install internal apps that they use. There are many companies that develop and send out internal apps that employees use. And these apps are signed by an enterprise developer license, so the app is allowed to run as long as the user, you, approves the app to run.

Because enterprise signature allows an app to run without going through the App Store process this means that the developer doesn't necessarily have to follow the guidelines Apple sets for apps.

So a lot of times these companies will develop apps that don't follow the guidelines, sign them with an enterprise license, and put them online for anyone to download, which installs a profile on the device that you have to trust before you can use the app.

That kind of app profile is not the same as MDM or other profiles. The app profile is there because it isn't an "approved by Apple" app. The profile can't change settings, view any data about the device, and has no control over the device. However because the app is not approved by Apple the app may have spying code in it, and could act in a way that is unexpected.

I know it's long but I wanted to try to be as clear as possible.
 

cswifx

Suspended
Dec 15, 2016
563
180
Wow, didn't expect that informative response. Thank you so much!
 