Skip to main content

Hello Jamf Nation...

 

Question regarding BYOD options in JAMF Pro:

 

We are a financial services company with a strong focus internally on security for our customers.  We are working on beefing up our cell phone policy.  Here's what we're looking at:

-Allowing BYOD devices - we need to be able to limit screenshots from apps containing sensitive corporate information.  Android devices are able to do this by creating a separate work profile.  

-Denying BYOD and distributing corporate-owned cell phones -  This will be the easier option for the company, but not so much for end-users.  We could just lock down screenshots on this period. 

 

I am trying to find a way to implement screenshots on just the corporate apps.  JAMF support told me it's possible, but I'm not sure they were correct.  They said something about using the screenshot blocking with app restrictions, but it looks to me like those two settings are mutually exclusive, not connected.

Another thought I had was requiring users to be on the VPN in order to access corporate data, and finding a way to block screenshots while connected to the VPN.

Have any of you accomplished something similar?  What is your practice?

You can only block screenshots to the whole phone, you can't single out a app.

Also I think apple prevents app developers from blocking screenshots to app unless its some sort of DRM video app like Netflix.

You can only block screenshots to the whole phone, you can't single out a app.

Also I think apple prevents app developers from blocking screenshots to app unless its some sort of DRM video app like Netflix.


What about blocking screenshots while just on VPN?

Nothing comes to mind, you would need to apply the restriction at connection and un-apply at disconnect.

Even if you could somehow make a smart group based on this, the timing would be slow due to when the device decides to check in.

Maybe in the future with ios17 and on device declarative management this might be a thing.

You can only restrict screenshots on devices enrolled with Automated Device Enrollment, or devices that have been prepared for supervision. In other words screenshots cannot be blocked on BYOD. If your need is to block BYOD, your need is to issue organizationally owned devices.


Generally speaking organizationally owned devices are easier for users, not harder beyond keeping two devices. You can fully setup the device with Automated Device Enrollment. With an organizationally owned device there is no need for a user to follow a set of instructions to enroll a device with MDM, and troubleshooting the device can be as simple as sending a wipe command depending on how extreme you need to be.

In brief, to my knowledge, you can only accomplish this with Android for work currently.

Reply


Terms & ConditionsCookie settings