Apple @ Work is brought to you by Spike, the world’s first conversational email app that helps professionals and teams spend less time on email, and more on getting things done.

One of the common things I hear about Mobile Device Management solutions from my technology-focused friends is they hate when their company IT departments “suck” their devices into the management system the organization chooses. For those that love to tinker, set up, and manage their own devices, having them “managed” may seem like big brother is watching. Thankfully, Apple has clear APIs for how their devices interact with MDMs, so end users can rest assured their IT department doesn’t have access to everything on their devices. If you’re wondering if your IT department can read your iMessages, you’ve come to the right place.

About Apple @ Work: Bradley Chambers has been managing an enterprise IT network since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, and train users, along with stories from the trenches of IT management and ways Apple could improve its products for IT departments.

One of the first things to understand if your company uses an MDM is whether or not an iOS device is supervised (supervision is iOS only). Apple has a support page to guide you through discovering if your device is supervised.

If your device is supervised, you’ll see a notice at the very top of the Settings screen that says “This iPhone is supervised and managed by Company, Inc.” If you don’t see this message, your device is not supervised. If the device is supervised, you can go to Settings > General > Profiles & Device Management to see exactly what the company has changed from the iOS defaults. When a company supervises a device, it gets more control over it than it normally would. Most of this extra control isn’t access to more data, but the ability to put more restrictions on what you can do.

Can my IT department track my location?

This question comes up a lot for corporate iPhone users. There are three parts to this question. If you are connected to a corporate Wi-Fi network, your IT department can determine if you are there. If your company has tracking through a cellular carrier, they can determine where you are. Through an MDM, IT departments can only track your device if they put your device into managed lost mode. Managed lost mode is only available to supervised devices. Only registered users of the MDM portal will be able to locate the device. Managed lost mode is not permanent, and it must be disabled before the device can be used again.

Can my IT department read iMessages?

No, SMS messages and iMessages are not viewable by your IT department. An MDM can report information such as the number of messages or contacts, but it cannot see who you’ve messaged or what you’ve sent using the Messages app. SMS messages can possibly be viewed by a cellular carrier, but this doesn’t involve Apple or iMessage. An IT department can disable the use of the Messages app, though. This setting is generally applied to devices that have a specific purpose.

One thing to keep in mind: if you are signed into iMessage on a device that is owned by your company and they take it back from you, they could unlock it and view your messages locally. Apple’s focus here is on letting IT departments manage the usage of iMessage, not on letting your messages be viewed remotely.

Can my IT department view my photos in the Photos app?

Similar to iMessage, there is no MDM protocol to view, modify, or delete photos in the Photos app (including iCloud Photos). They can disable features like iCloud Photos, though. Disabling this might be to keep users from overloading a managed Apple ID with non-education/business media. It’s also wise for end-users to be aware that apps that ask for access to your photo library can view all of your photos and location data stored with them.

Can my IT department read my personal email accounts?

If you are using webmail, the IT department can likely tell that you’ve used a personal email account, but they can’t read what you’ve sent. If you are using the local Mail app, they cannot view your emails either. IT departments can, however, control whether you can add or remove mail accounts beyond the ones they specify.

Can my IT department remotely control my device?

On the iOS side, they cannot. The Mac does have remote control options, but the Mac shows a pop-up window when it is being remotely controlled. The whole point of an MDM is management rather than control or monitoring. On the Mac side, there are more invasive tools that IT departments can use, but Apple doesn’t have official APIs for that. In a BYOD situation, I would not allow IT departments to install anything other than an MDM profile.

Can my IT department view my browser history?

Using Apple’s MDM APIs, no, they cannot. Like I said earlier, MDM is about management. Your IT department can install more invasive tools on the macOS side, but they cannot monitor your Safari or Chrome history through a tool like Jamf. They can limit the sites you can access, block a web browser altogether, or force you to use a VPN back to the corporate network (where they can monitor traffic), but they cannot view a list of your visited websites through the MDM portal.

Wrap-up

I hope this answers some basic questions about having your device managed. I know that using a personal iPhone to access corporate email can be a bit unnerving if MDM is required for access, but Apple is always concerned about end-user privacy even in corporate situations. The last thing Apple wants is for an IT department to be reading your iMessages.

On the iOS side, MDM is about as strict as it gets. On the Mac side, IT departments can install more invasive tools. If it’s a corporately owned device, assume someone is watching your screen. If it’s a personal device that has had an MDM profile added, the IT team is limited to what Apple’s MDM framework allows. One final thing to keep in mind is that a company-owned device that is managed can be unlocked by the IT department, so if you are signed into personal services like iMessage and iCloud Photos, be sure to sign out before returning the device.
