Do companies have IT "spyware" on corporate iPhones?

Companies can choose to provide in-house apps to employees through the iOS Developer Enterprise Program without listing them on the Apple iOS App Store.

What you're asking about mainly falls into the realm of MDM (Mobile Device Management). One of the popular MDM solutions on iOS is Afaria, from SAP. Installation of the MDM app is made a mandatory requirement by some companies in order to allow employees to connect to corporate email (and other services). An MDM solution can be used to set up apps and accounts, impose corporate policies/restrictions on specific features, and also enable remote wiping of the device through the provisioning of profiles.

Due to the application sandbox restrictions imposed by iOS, the MDM application does not have complete control over the device to snoop across every other application on the system and the OS. It cannot log keystrokes, network communication or data from the apps you use.

Read through the iPhone in Business page for details. Here are some relevant snippets:

While IT can interact with iPhone and iPad devices through an MDM server, not all settings and account information are exposed. IT can only manage corporate accounts, settings, and information provisioned via MDM. The user's personal accounts can’t be accessed.
...

Examples of what an MDM server can and can't see on an iOS device.

MDM can see:

  • Device name
  • Phone number
  • Serial number
  • Model name and number
  • Capacity and space available
  • iOS version number
  • Installed apps

MDM cannot see:

  • Personal mail, calendar, contacts
  • SMS or iMessages
  • Safari browser history
  • FaceTime or phone call logs
  • Personal reminders and notes
  • Frequency of app use
  • Device location

A few more points to note on this topic:

  • Apple may expand on the device monitoring and policy enforcement features in future releases of iOS.
  • One important prerequisite imposed by companies for allowing access to corporate email (and other resources) in exchange for installing MDM on the device is that the device must not be jailbroken. Companies that take security seriously would not allow (at least in their policies) jailbroken devices that could be vulnerable to all kinds of attacks (including, but not limited to, disabling or crippling the MDM app and/or the MDM policies pushed to the device).
  • Of course, if a device is jailbroken, then any malicious app could access and gather a lot more information than standard MDM solutions available now (however, no commercial enterprise solution would ask for the device to be jailbroken as a prerequisite).
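An added example, not code from the answer or from any MDM vendor, of the inventory request behind the "MDM can see" list: it builds an Apple MDM `DeviceInformation` command whose query keys correspond to the items above, parses a constructed acknowledgement from the device, and applies a hypothetical minimum-iOS-version compliance rule. The sample response values and the version threshold are assumptions.

```python
import plistlib
import uuid

# Query keys from Apple's MDM protocol DeviceInformation command that
# correspond to the inventory fields an MDM server is allowed to read.
INVENTORY_QUERIES = [
    "DeviceName", "PhoneNumber", "SerialNumber", "ModelName", "Model",
    "DeviceCapacity", "AvailableDeviceCapacity", "OSVersion",
]

def build_device_information_command(queries=INVENTORY_QUERIES):
    """Return the plist bytes an MDM server would push to request inventory."""
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "DeviceInformation", "Queries": list(queries)},
    }
    return plistlib.dumps(command)

def parse_query_responses(response_bytes):
    """Extract the QueryResponses dict from the device's acknowledgement."""
    response = plistlib.loads(response_bytes)
    if response.get("Status") != "Acknowledged":
        raise ValueError(f"command not acknowledged: {response.get('Status')}")
    return response["QueryResponses"]

def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def check_compliance(query_responses, min_os_version):
    """Hypothetical policy: flag devices running an iOS version below the minimum."""
    findings = []
    os_version = query_responses.get("OSVersion", "0")
    if _version_tuple(os_version) < _version_tuple(min_os_version):
        findings.append(f"OSVersion {os_version} below minimum {min_os_version}")
    return findings

# Constructed sample acknowledgement, shaped like a DeviceInformation response;
# every value below is made up for illustration.
SAMPLE_RESPONSE = plistlib.dumps({
    "CommandUUID": "constructed-command-uuid",
    "Status": "Acknowledged",
    "UDID": "CONSTRUCTED-UDID",
    "QueryResponses": {
        "DeviceName": "Example iPhone", "SerialNumber": "CONSTRUCTED1",
        "ModelName": "iPhone", "Model": "ME123LL", "OSVersion": "6.1.3",
        "DeviceCapacity": 64.0, "AvailableDeviceCapacity": 12.5,
    },
})

if __name__ == "__main__":
    print(check_compliance(parse_query_responses(SAMPLE_RESPONSE), "7.0"))
```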