How is a managed iPhone managed (on corporate level)? IMEI, SIM, Apple ID, other?

[kiddingguy]

A friend of mine is leaving his job. He has an iPhone 8 which is managed by his company, according to IT.

 

There is "no managed by" message displayed in the settings, or everywhere as as he can see.

He uses his personal Apple ID to sign in, e.g. all contacts are on his Apple ID. 

 

Some corporate apps were already remotely wiped, but all other apps remained installed. And can still be used.

He has some specific apps which requires a lot of hassle to be reinstalled if needed (codes went all over from third party to him, with response codes etc etc when installing it last time; he would like not to do this again preferably).

 

So, now he is asking himself: can I use my phone now unmanaged ánd is it unmanaged now, or is this phone still enrolled with his (former) employer. Has is been managed at all? Or should I refresh/reinstall iOS and restore from a backup.

 

Which brings me to the question: how is a managed iPhone be managed by a corporate IT-dept?

Is it on IMEI-level, on Apple ID, on SIM-level, Apple Business Manager, or some other variable (I also saw something like Miradore)?

 

Do you guys know?

Or can he better contact the IT-dept for more info? Maybe Apple Support if they can see something?

And/or should he reinstall his iPhone anyhow, even though the message 'This iPhone is managed by your organization' is/has not been visible at all?

Edited December 17, 2021 by kiddingguy

[Nick H. Supervisor]

Most places that I have worked, including my current place, using VMWare's Airwatch (now called Intelligent Hub) to manage the device. There's nothing partiularly special about it - it installs a certificate on the phone that allows the Mail app to synchronize with our mail server, and it gives us (IT) the ability to push apps to the phone, impose certain security settings (minimum passcode length), as well as certain commands like a device wipe for if the phone gets stolen.

 

A user could delete the Intelligent Hub app from their phone, or they could wipe the device if they wanted. We wouldn't be able to stop them. But we would get notified, and that would make us ask the user what they are up to. If they say that they don't want the device to be monitored by us anymore we would say, "hey that's fine! But we gave you the device, so you now need to hand it back."

 

But if the phone was your friend's phone to begin with, why doesn't he just go to IT and ask them to unenroll the device? It won't wipe his device entirely, but it will remove the certificate for the mail app, and automatically remove any business apps that were pushed to the phone in the first place. He should probably do this anyway as part of a BYOD policy, although at the same time when IT receive his termination notice one of their steps should also be to do this ASAP.

[kiddingguy]

Thanks @Nick H.

It turned out this his own device was wrongly registered and never enrolled/managed anyhow.

They pulled back the company software/apps - so the 'automatically remove any business apps' as you stated.

I guess the mail certificate is removed as well. Is there a way to check this?

[Nick H. Supervisor]

On 17/12/2021 at 14:49, kiddingguy said:

I guess the mail certificate is removed as well. Is there a way to check this?

Does he have his work emails appearing in his Mail app still? If so he will need to bring it to the attention of his IT department - part of the reason for unenrolling the device is to remove corporate data.

[Brandon H Supervisor]

managed just means the company apps were being controlled by a portal. whether that be Intelligent Hub like Nick mentioned or more often Microsoft Intuit it's all basically the same. once you remove the management portal all the managed apps go with it.

 

if he's using his personal apple id on it then there shouldn't be anything else that needs done to continue using the device normally.

 

only caveat will be if it was a work provided phone, they may want the device physically back if that's the case. If it was a BYOD then he's fine to keep it.

[Good Bot, Bad Bot]

On 17/12/2021 at 07:52, Nick H. said:

Most places that I have worked, including my current place, using VMWare's Airwatch (now called Intelligent Hub) to manage the device. There's nothing partiularly special about it - it installs a certificate on the phone that allows the Mail app to synchronize with our mail server, and it gives us (IT) the ability to push apps to the phone, impose certain security settings (minimum passcode length), as well as certain commands like a device wipe for if the phone gets stolen.

 

A user could delete the Intelligent Hub app from their phone, or they could wipe the device if they wanted. We wouldn't be able to stop them. But we would get notified, and that would make us ask the user what they are up to. If they say that they don't want the device to be monitored by us anymore we would say, "hey that's fine! But we gave you the device, so you now need to hand it back."

 

But if the phone was your friend's phone to begin with, why doesn't he just go to IT and ask them to unenroll the device? It won't wipe his device entirely, but it will remove the certificate for the mail app, and automatically remove any business apps that were pushed to the phone in the first place. He should probably do this anyway as part of a BYOD policy, although at the same time when IT receive his termination notice one of their steps should also be to do this ASAP.

Why in the world would someone allow their company to manage their own phone? That is just crazy to me. They want me to use my phone for work they better be supplying me one even than I would have a separate work Apple ID/Google account for it.

[Fleet Command]

On 17/12/2021 at 17:19, kiddingguy said:

I guess the mail certificate is removed as well. Is there a way to check this?

Yes.

 

Open the Settings app, go to General, and see if there is a Device Management entry there. Standard iPhone devices have no such section.