Location Services & MDM

9272 Views, 11 Replies. Latest reply: May 4, 2012 1:50 PM by InitD
cjackson27
Aug 2, 2011 10:49 AM

My company recently rolled out the ability for us to access corporate resources such as email, calendar, WIFI, and VPN on our personal iPhones using a product called MobileIron.  MobileIron administers profiles that include policies such as mandatory passcodes and backup encryption, etc.  This all worked great and I was impressed with the ease of use.  However, I noticed that the MobileIron application continuously was using the phone's location services.  This raised a privacy flag, so I banned the application from using location services.  Doing this caused my device to go "out of sync" and my IT department told me that location services were a requirement to be able to access these corporate resources.

 

My question is why would this application need access to location services in order to provide me with unrelated services such as email and calendar?  I understand that MobileIron is an implementation of Apple's Mobile Device Management platform, so does this platform require location services to be enabled in order to remotely administer my device?  Are there any legitimate security / management reasons for this requirement?

iPhone 4, iOS 4.3.3
  • sarbacane Level 1 (0 points)
    Aug 16, 2011 7:22 AM (in response to cjackson27)

    They're pulling that data for your benevolent overlords (IT, HR, DHS) to be able to locate your device any time they so please. Apple's MDM proper does not provide access to locational data, so they (MobileIron) are using their client to pull that data. The MobileIron client and the MDM agent are per se separate things, however, so I assume they intentionally disable their solution if their client doesn't ping back or something like that.  I can vouch for the fact that you can do MDM without touching location services.

  • sarbacane Level 1 (0 points)
    Aug 16, 2011 8:24 AM (in response to cjackson27)

    cjackson27 wrote:

     

    They claim that the only reason that they require location services enabled is so that they can check for jailbroken iPhones on a regular basis.

    Do they? Sounds very dubious to me. I'm not aware liberating an iPhone affects locational data, and neither do I think knowing the device's position at any time can tell you whether it's being liberated or not (or maybe they have big red dots on their map: "jailbreak shoppe here" ). But then again, I don't know for sure.

     

    cjackson27 wrote:

     

    Do you know if there is a way to do this using MDM or some other mechanism without location service being enabled?

    Do what? Jailbreak detection? There is no reliable way to detect jailbroken devices via MDM, and IMHO there never will be (because with root access you could modify the detection mechanism). And as I said, I don't see how locational data can tell you anything about liberatedness or not. But I'd be interested to know if it did.

  • sarbacane Level 1 (0 points)
    Aug 16, 2011 8:53 AM (in response to cjackson27)

    Interesting.

     

    Is what they're describing on this page: <http://developer.apple.com/library/iOS/#documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/BackgroundExecution/BackgroundExecution.html> ("Implementing Long-Running Background Tasks") what you're talking about?

  • sarbacane Level 1 (0 points)
    Aug 16, 2011 9:14 AM (in response to cjackson27)

    I see. They couldn't have used sound or VoIP, so they had to settle for locational services. Pity Apple didn't provide a fourth type of background task.

     

    I'll take back what I said before, then. I couldn't see the link between jailbreak detection and locational services, but there it is.

    It should be stressed that MDM proper, that is, querying info from the device, pushing policies and a few other neat things, doesn't work through a client application (but rather a built-in daemon). But if you say they're doing sync'ing and backups and such, that's probably in the client.

     

    So there you have it: they need access to those services to have their app run in the first place. Pretty unsightly, IMHO, but I understand the decision.

     

    --------------------------

     

    Maybe if you started the app yourself and let it run in background (i.e., not killing it), you could disable location services for it?

  • sarbacane Level 1 (0 points)
    Aug 16, 2011 9:36 AM (in response to cjackson27)

    cjackson27 wrote:

     

    I guess the real question becomes whether or not this is a reasonable requirement for them to maintain an acceptable level of security while administering email and calendar to the iPhone?

     

    I think so, too. Trying to force their app to be running (at least in background) all the time would be a valid aim IMO. But the location services should be a means to that, rather than an end in itself.

     

    But that's a vast debate and it isn't likely to help you much at this point.

  • KiltedTim Level 8 (36,190 points)
    Aug 16, 2011 1:19 PM (in response to cjackson27)

    cjackson27 wrote:

     

    I guess the real question becomes whether or not this is a reasonable requirement for them to maintain an acceptable level of security while administering email and calendar to the iPhone?

    I think it's simpler than that. If it was a company owned and issued phone, I'd say they can do whatever they want. If you don't want them tracking you in that case, then you shut the phone off after hours.

     

    If it were my personal phone, I'd say that it's not worth it to get company email on my phone. If they wanted me to have it that bad, they'd pay for the phone themselves, but I will NOT volunteer the kind of information they can collect of my own accord.

  • InitD Level 1 (0 points)
    May 4, 2012 1:50 PM (in response to cjackson27)

    Actually, using location services is the only way to validate if a system is jailbroken. Apple used to have these restrictions in their MDM environment but no longer cares about jailbreak validation.  Yes, MobileIron solely uses location services for detecting jailbroken phones.  It can also be used to locate lost or stolen phones but that is not the reason it is required.  The sole reason is for the jailbreak detection.

     

    I completely think this is more than appropriate for a company to monitor any mobile devices that have their proprietary and intellectual property or undisclosed information on said devices.  If you want to use your company's Exchange/Lotus servers they should also have the ability to locate, wipe, sever ties to their mail servers in case of theft, termination of employment etc.

     

    Why shouldn't they have a right to control their data at all times?  Even if it is an employee-owned device, if it has an Exchange profile for that company then they have the rights to monitor and access that data whenever they choose.  Seems pretty logical.

     

    The real beef should be with Apple for the horrid battery life location services cause.  They should also provide the APIs necessary for detecting jailbroken devices and the other various consistency checks needed in MDM.  That would be a good median to both sides of this discussion.
