Need input on separating business from personal data

by Volker Weber

Most large enterprises have deployed Enterprise Mobility Management platforms that manage mobile devices, their apps and their content. Most tiny and small companies don't give a sh!t. They are too busy running their daily operations to even figure out they may have a problem.

I need your thoughts on this. What can tiny and small companies do to protect their business data from Facebook & Co? Or from their kids ...

Here is one example: some Samsung phones have a personal KNOX container. But what can you do for iPhone?

Let me hear it. Everybody is welcome to push their ideas.


BlackBerry has had this area covered for ages, no matter what phone you use. Bring your personal phone and install a managed container onto it for all your business needs.

Yeah, probably having a full blown server may be a bit much for small businesses. Which is probably why you should be looking more towards Cloud services.

Dragon Cotterill, 2016-09-08

Divide for iOS was great, but I have just noticed that Google bought them out and called it Android for Work.

Andy Mell, 2016-09-08

This question is probably the weak and painful spot for all EMM vendors and partners. A full-blown solution seems too much hassle and overhead for SMBs, but a breach on the other hand could be able to eliminate the whole business.

Telling them, how to do it right, scares them off. Not doing anything is the solution chosen in 99% of all cases. The only feasible answer seems to be a hosted solution, cloud services, indeed. They are limited, though. But all relevant vendors offer them, I think. Still requires thought and effort.

Natanael Mignon, 2016-09-08

Bei uns wird z.Z. ESET mit Entpoint Security und Office365+MDM evaluiert. Im moment ist (noch) IBM Traveler/Verse im Einsatz. I.d.R. handelt es sich Firmengeräte die privat genutzt werden dürfen.

Christoph Krieger, 2016-09-08

We have two small business customers (5 to 15 employees) with a Blackberry 12 Server runnning, and one of them hosts (only) three devices (Galaxy S7 with Knox Container) and the other one hosts four devices with AfW on the BES-Server.
Installation, testing and configuration was done in only a few hours at both installations + the cost for the BES-Licences for the devices.
In both cases the customer bill was under 1.000 EUR. Not much money spent for save devices - just my 2 cents...

sorry for my bad english, i´m still practicing... ;-)

Ralph Hammann, 2016-09-08

Du darfst das gerne in deutsch schreiben, wenn Du nicht üben willst. Ich kann das lesen. :-)

Volker Weber, 2016-09-08

Next project will be a small BES Installation with some Iphones connected, then i can test how good the "good integration" was done by Blackberry. I will report soon...

Ralph Hammann, 2016-09-08

Ich weiß, Volker. Aber ich möchte ja auch dass die anderen Kommentatoren mitlesen können, und ich möchte wirklich etwas üben. :-)

Ralph Hammann, 2016-09-08

@ralph - Und ich kann Google Translate. :)

Ian Bradbury, 2016-09-08

Facebook, WhatsApp & Co. auf dem dienstlichen Smartphone per Dienstanweisung untersagen. Bei technischen Lösungen fangen Mitarbeiter gerne mal an kreativ zu werden (Stichwort Jailbreak).

Wer noch einen Schritt weiter gehen will händigt den Mitarbeitern ein Smartphone aus, auf dem sich ein ROM ohne kommerziellen App Store befindet, und untersagt in der Dienstanweisung die Installation eines solchen. Das wird mit iOS und Windows Phone wohl schwierig, ist mit Android aber machbar.

Ich nutze seit einer Weile CopperheadOS auf meinem Nexus 6P, ein AOSP basiertes ROM, das von Haus aus ohne Google Dienste kommt. Die Software kommt aus dem vorinstallierten F-Droid Store. Und ja, dort gibt es alles, was _ich_ zum Arbeiten mit dem dienstlichen Smartphone brauche.

Das ist sicher nicht die Lösung für jeden, aber wer will kann sich ja privat noch ein eigenes Smartphone zulegen, auf dem er dann tun und lassen kann was er will.

Norbert Tretkowski, 2016-09-08

Das ist sehr radikal. Und nicht das, was ich suche. Mir liegt an praktikablen Lösungen, die das Smartphone nicht kastrieren. Und die mit einem Gerät statt zweien auskommen.

Volker Weber, 2016-09-08

also BYOD sowie EMM für kleine Firmen und das auch noch günstig?
Ich möchte denjenigen sehen, der diesen gordischen Knoten durchschlägt...

Detlev Neuenhoff, 2016-09-08

Hier wo es leuchtet. Das muss man doch hin kriegen.

Volker Weber, 2016-09-08

Kurz: Trennung von geschäftlichen und privaten Daten durch Verwendung von 2 Mobilgeräten.

Lang: Solange wir als Software-Tochter eines internationalen Grossunternehmens noch relativ unabhängig mit unserer IT waren, hatten wir ein BYOD Programm für iOS-Geräte. Dort musste dann MobileIron installiert werden. Die Einzelheiten der Policies weiß ich aber nicht mehr. Da hatte man viele Freiheiten. Von der Firma gab es Blackberries bei denen im privaten Teil der Appstore von Google freigeschaltet war.

Seit einiger Zeit werden wir immer stärker integriert. Blackberry wird aussortiert. das BYOD-Programm läuft aus. Jetzt gibt es Firmen-iPhones ebenfalls mit MobileIron aber sehr strengen Policies. Es gibt einen eigenen Appstore mit wenigen zugelassenen Apps und wenn man per Safari ins Internet will muss man zusätzlich den MobileIron-Tunnel installieren. Für die Verwendung zum Intranet wird web@work (ebenfalls MobileIron) verwendet.

Oliver Stör, 2016-09-08

May be I'm missing something here, but when I read tiny companies I picture something like business owner + partner (partner as in husband/wife/boyfriend/girlfriend) and may be 2-3 employees max. And you talk of servers, BYOD, Dienstanweisung, policies, CopperheadOS, Intranet and stuff like that? Seriously?

These companies have may be one, max two company PC (quite possibly a desktop) and/or may be one or two laptops which are used for both business and private use by the owner and his/her partner. Smartphones are for both personal and business use. They have one or two Facebook accounts, one personal account for the owner and one (usually set up later) for the company. Usage is flexible and often interlinked. Same applies to their Twitter account(s). Quite possibly the password for the company Facebook and Twitter account is shared (and 2FA not enabled). Budget is limited to non-existent.

They could be in real trouble if they lose their data because their kid pours their freshly pressed orange juice over their laptop or surfs to a dodgy site with an encryption trojan. Or if a friend in the pub posts a stupid post to their company Facebook page (may be even unintentionally as they think they're posting to the personal account. Yes, this example is inspired by the Knox examples). They could get into trouble if their business contacts are sucked up by Facebook/WhatsApp because they only have one address book. Etc pp.

That's the challenge I see, that's where they need easy to use and cheap protection and help. Not complicated server setups, obscure OSs only insiders know how to install or Dienstanweisungen.

And no, I don't have a single answer how to address this. But I'd be interested to see how they can be helped to be safer.

Armin Grewe, 2016-09-09

We don’t restrict our employees’ usage of their company-issued smartphones (or laptops) in any way. We have rules that forbid the usage of free services for company purposes/confidential data (e.g. no use of Google Calendar to manage business meetings). Exceptions are those where we as a company are an actual (typically paying) customer.

Why exactly do we need anything else? If WhatsApp and Facebook and whatever are running in parallel on the company phone, why should I care?

Stefan Tilkov, 2016-09-09

Ein Kunde mit ca. 1000 Endgeräten macht das nun mit BES, nachdem Intune gescheitert ist. Details hab ich nicht, kann ich ggf. aber bekommen.

Helmut Weiss, 2016-09-09

It all depends on the Device OS, so let's give it a try:

Android native (Nougat)
AfW (Android for Work) is the primary answer. Admins can create business workspaces where the User needs a PIN/Password to access it. With just one Click (On device or via MDM) you can disable - not delete - the Business Part for weekends for example.

Android (Samsung)
You can use Samsung Knox, but seems you know already ;-)

iOS native
Using the Lockdown Policies you can make sure, that enterprise-marked data will not get into private stuff and vice versa. This can be configured for email and for documents as well.

Windows 10
Windows Information Protection - WIP (former EDP) is your friend, I don't need to repeat what TechNet is already saying, but this is OS security layer integrated technology which needs also EMM to be used.

Android + iOS (EMM Container)
We - MobileIron - do provide a technology called AppConnect which makes all of that above stuff working without using native Policies, added some stuff which OS can not give you and still not interrupting the native user experience of Apps and OS.

Questions? Ask! :)

Martin Cygan, 2016-09-09

Recent comments

Mariano Kamp on Weitergehen. Keine Haufen bilden. at 22:59
Jonas Rathert on Stream Spotify on Apple Watch at 22:46
Thomas Cloer on Siri has completely replaced Alexa at 16:49
Andreas Pfau on Siri has completely replaced Alexa at 13:02
Benno Christen on Weitergehen. Keine Haufen bilden. at 12:48
Oliver Stör on Weitergehen. Keine Haufen bilden. at 11:16
Volker Weber on Weitergehen. Keine Haufen bilden. at 10:35
Stephan Perthes on Weitergehen. Keine Haufen bilden. at 10:22
Volker Weber on Siri has completely replaced Alexa at 09:40
John Keys on Siri has completely replaced Alexa at 07:51
Martin Hiegl on Siri has completely replaced Alexa at 06:37
Stephan H. Wissel on Siri has completely replaced Alexa at 01:25
Martin Engel on Like. Share. Kill. at 22:58
Bill Greenberg on Siri has completely replaced Alexa at 21:52
Ole Saalmann on File Management with iPad Pro at 19:58
Claude Lehmann on Weitergehen. Keine Haufen bilden. at 19:22
Frank Quednau on Siri has completely replaced Alexa at 18:55
Thorsten Köbe on Weitergehen. Keine Haufen bilden. at 18:36
Claude Lehmann on Weitergehen. Keine Haufen bilden. at 18:31
Leo Wiggins III on Siri has completely replaced Alexa at 18:05
Volker Weber on Weitergehen. Keine Haufen bilden. at 17:36
Christopher Schmidt on Weitergehen. Keine Haufen bilden. at 17:27
Jan Krohn on Microsoft Office 365 verlängern at 15:26
Volker Weber on Microsoft Office 365 verlängern at 15:16
Karsten Ernst on Microsoft Office 365 verlängern at 15:06

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.


Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 06:57


buy me coffee