At WWDC 2021, Apple announced a slew of exciting changes that are coming to device management, from declarative MDM to erase all content and settings for Mac. One of those announcements—about an enhancement to the managed Open In restriction—received less attention than it deserves. Here’s a quick recap of what managed Open In is and a look at how this new enhancement could give Apple admins better control over what users can do with company data.
Managed Open In
Keeping that data secure is, of course, a top priority for IT admins. One way to do that is to make sure that employees can open business-related files only in trusted apps. Apple addressed this problem with the managed Open In restriction.
Introduced back in iOS 7, managed Open In lets admins prevent users from opening attachments or documents that are associated with apps managed by MDM in unmanaged ones, and vice versa. This is accomplished by configuring the following two keys in a restrictions payload:
allowOpenFromManagedToUnmanaged: If false, documents in managed apps and accounts open only in other managed apps and accounts.
allowOpenFromUnmanagedToManaged: If false, documents in unmanaged apps and accounts open only in other unmanaged apps and accounts.
For instance, let's say you use your MDM solution to set both of those keys to false: If an employee then receives a confidential work file in their managed work email account, managed Open In could prevent them from opening it in one of their personal apps. In fact, unmanaged apps won't even appear as options when the user tries to open a managed document.
Managed Open In extends beyond apps to cover accounts, books, extensions, and domains. For instance, if a user downloads a PDF from a managed domain, they can open it in a managed PDF reader app. But managed Open In would prevent them from opening a PDF from an unfamiliar website in that same app.
At WWDC 2021, Apple announced an improvement to managed Open In that's coming in iOS and iPadOS 15: The capability will now extend to copying and pasting. This means IT admins can prevent users from copying and pasting data between managed and unmanaged environments.
This new capability is made possible by a requireManagedPasteboard key, which can also be included in a restrictions payload delivered via MDM. Four system apps supporting this new restriction have already been named: Calendar, Notes, Mail, and Files; other apps will surely follow.
From the user's perspective, the Paste button will always be visible. However, if the paste function is restricted, and the user tries to copy data from a managed app to an unmanaged one (or vice versa), that user will be notified that pasting is not allowed. Admins can customize the organization name that appears in the notification. In most cases, app developers won’t have to take any extra steps to take advantage of this new feature (the exception is if a developer chose to develop their own copy and paste control methods).
It’s one more tool—and a potentially valuable one—in the IT admin’s quest to keep corporate data safe.
The Kandji team is staying up to date on the latest changes to Apple device management, and we're constantly building new functionality into our MDM solution. With powerful features like zero-touch deployment, one-click compliance, and offline remediation, Kandji has everything you need to enroll, configure, and secure your devices.
Editor's note: This article was updated 8/13/21.