What does installing a "device enrollment challenge" do on an iPad?
I work for a large faceless corporation, and they're rolling out some new software for email. As part of the install, it's asking me to install a "Profile" which contains a "Device Enrollment Challenge".
My question is, should I be nervous about this? What privacy issues should I be concerned about, if any?
Any requests to install a profile containing Device Enrollment will have come from your corporate MDM (mobile device management) server and so can be trusted if it's a corporate device. If it's a personal device you should ask the head tech about any restrictions which may be put in place on your device by the profile. Chances are there won't be any problems if the profiles have been well implemented but it's worth double checking anyway.
I would never recommend supervision on a personal device and recommend caution with normal enrollment.
go to Settings > General > About and look for this line of text under the name of the device: “This [iPhone, iPad, or iPod touch] is Supervised. [Organization name] can monitor your internet traffic and locate this device.”
The only exception is if you spend a few hours really understanding exactly how your IT department will collect information from your personal phone, I would consider allowing this if you gain a huge benefit from the convenience of not having work pay for your mobile device (and the hassle of carrying two devices).
The job of all IT is to control everything from DNS to traffic analysis to prohibiting games and being able to locate and remotely wipe devices. Good IT does this in a transparent and positive manner. Same as HR - it always exists to protect the company first, only “good HR” also protects employees and is transparent.
This alert is your first and only step to stop that from happening on your personal device.
Apple wants you to know you’re giving up privacy here, since MDM can be configured to give the corporation deep control over your personal device. Apple does also give you very granular details on what any specific Device Enrollment Challenge will do on your device, but only after you grant that access. (You get an overview of the capabilities before you opt in to trusting the enrollment - but you get the details once the profile is actually installed by inspecting in in the Settings app under Profiles).
You can make a back up of your phone and then install the profile. Once it's installed, you can inspect all the changes it can and has made and then decide to remove the profile / leave the profile / wipe the device and start from your backup.
If you are interested in testing out your own MDM, you can avail yourself of a free solution for 3 devices called JAMF Now.
- https://www.jamf.com/products/jamf-now/
n.b. I don't get any compensation from Bushel/JAMF - just a satisfied tester and now user of the cloud based service.
Once you set up an MDM, you can see the sorts of things that MDM does and make your own signed profiles to test things out before you decide to trust your IT department. For most people, I would default to “send me whichever devices that I need to do my job.” Unless you want to learn the tech, it’s easier to be professional on your work devices and be a private person on your personal devices.