Chris Mode51
3 min read · Jan 31, 2023

Enterprise eSIM Profiles for Anti-Theft Controls

The latest iteration of the consumer eSIM spec, SGP.22 v3.0 from October 2022, features Enterprise profiles. These can be delivered by an SM-DP+ Remote SIM Provisioning server.

An Enterprise is classed as “A business, organization or government entity that subscribes to mobile services to be utilised by its workforce in support of the business or activities of the Enterprise. The Enterprise as the Subscriber owns the relationship with the Service Provider(s).”

An Enterprise profile is classed as “An Operational Profile for which the Subscriber is an Enterprise. This Profile may include restrictions on the End User of the Device.”

An Enterprise capable device is “A Device that supports the installation and enforcement of Enterprise Rules.”

An Enterprise rule is “A rule stored in an Enterprise Profile that can be used by the Profile Owner to restrict End User controllability for enabling and installing Profiles on Enterprise Capable Devices.”

The data type EnterpriseConfiguration defines the configuration of an Enterprise Profile:

The following items within the EnterpriseConfiguration provide an indication of how the eUICC can be used as a key enforcement component of enterprise device management:

“priorityEnterpriseProfile indicates that the End User can enable only this Enterprise Profile or has to enable this Enterprise Profile before being able to enable any other Profile.”

“onlyEnterpriseProfilesCanBeInstalled indicates that the End User can install only Enterprise Profiles.”

“numberOfNonEnterpriseProfiles defines the maximum number of non-Enterprise Profiles that can be Enabled on an eUICC”

If an eUICC is preloaded with a single deactivated Enterprise Profile configured as a priorityEnterpriseProfile, with onlyEnterpriseProfilesCanBeInstalled set to true and numberOfNonEnterpriseProfiles perhaps also set to zero, can an Enterprise eSIM be used as an anti-theft mechanism?

If the device also has a physical SIM card slot, then perhaps not. Enterprise Capable Devices could therefore omit the physical SIM slot altogether.

SGP.21 v3 indicates that “It SHALL NOT be possible to associate more than one Enterprise to a Device at any point in time.” Therefore, an Enterprise can be protected from a valid alternative Enterprise provider that may be rogue.

Can the Enterprise eSIM profile be deleted?

In SGP.21’s Delete Profile Procedure there is a step in which “The ISD-R checks if applied Profile Policy Rules permits the Profile to be deleted.” The implication is that there is a Non-Delete policy option. SGP.22 also states, in the context of End User information, “e.g., for Enterprise Profile with Non-Delete Profile Policy Rule: The profile that you are about to install can be deleted only under the terms you have agreed with your service provider”.

So what happens when an Enterprise Capable Device is stolen if:

  • it doesn’t have a physical SIM card slot
  • a priorityEnterpriseProfile is installed
  • numberOfNonEnterpriseProfiles is set to zero

The end user of the stolen device will be unable to change the eSIM profile and unable to slot in a new physical SIM card.

Perhaps the Enterprise eSIM can be disabled and the device used only as a WiFi device, though this lessens the value of the stolen device.
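As an added illustration (not from the post or from SGP.22), here is a small Python model of how the three quoted EnterpriseConfiguration items and a Non-Delete Profile Policy Rule constrain End User actions on the stolen device described above. The profile identifiers are constructed, and the decision logic is a plain reading of the quoted text rather than the spec’s normative procedures.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    iccid: str                    # constructed sample identifier
    enterprise: bool              # True for an Enterprise Profile
    enabled: bool = False
    non_delete_ppr: bool = False  # Non-Delete Profile Policy Rule applied

@dataclass
class EnterpriseRules:            # the three EnterpriseConfiguration items quoted above
    priority_enterprise_profile: bool
    only_enterprise_profiles_can_be_installed: bool
    number_of_non_enterprise_profiles: int

@dataclass
class Euicc:
    rules: EnterpriseRules
    profiles: dict                # iccid -> Profile

    def end_user_enable(self, iccid):
        # End User asks the LPA to enable a profile; the Enterprise Rules are applied.
        if self.profiles[iccid].enterprise:
            return "allowed"
        ent = next((p for p in self.profiles.values() if p.enterprise), None)
        if self.rules.priority_enterprise_profile and ent and not ent.enabled:
            return "denied: priorityEnterpriseProfile must be enabled first"
        enabled_non_ent = sum(p.enabled and not p.enterprise for p in self.profiles.values())
        if enabled_non_ent >= self.rules.number_of_non_enterprise_profiles:
            return "denied: numberOfNonEnterpriseProfiles limit reached"
        return "allowed"

    def end_user_install(self, new_profile):
        if self.rules.only_enterprise_profiles_can_be_installed and not new_profile.enterprise:
            return "denied: onlyEnterpriseProfilesCanBeInstalled"
        return "allowed"

    def end_user_delete(self, iccid):
        if self.profiles[iccid].non_delete_ppr:
            return "denied: Non-Delete Profile Policy Rule"
        return "allowed"

def stolen_device_scenario():
    # The post's setup: a single preloaded, disabled Enterprise Profile and no physical SIM slot.
    euicc = Euicc(EnterpriseRules(True, True, 0),
                  {"ENT-0001": Profile("ENT-0001", enterprise=True, non_delete_ppr=True)})
    return {"enable_enterprise": euicc.end_user_enable("ENT-0001"),
            "install_consumer": euicc.end_user_install(Profile("CONS-0001", enterprise=False)),
            "delete_enterprise": euicc.end_user_delete("ENT-0001")}
```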

It is possible that this Enterprise eSIM capability may expand into Mobile Device Management (MDM), where enforcement of richer device policy rules controls device features such as WiFi, camera access, password requirements and so on. These rules could reside within a SIM profile, and so be unaffected by flashing the device, as an alternative to the dedicated TEE currently used for this purpose. The key difference is that deployment via Remote SIM Provisioning provides a standardised mechanism.

Follow our series on Medium as we develop an SM-DP+.