๐Ÿ“– eUICC.tech โ† All Stories ๐Ÿ  Home
Page 1 of 14
ACME ๐Ÿ  Personal + โ†“ SAME VAULT Article 63 ยท SGP.22 v3.x

๐Ÿข Your Work Keycard

How Work and Personal Keys Live Together

A story of enterprise profiles, immutable company IDs, and BYOD made simple

Page 2 of 14
Page 3 of 14
๐Ÿ  Personal Key You own it Delete anytime ๐Ÿข Work Keycard Company owns it Cannot delete! Company decides when to deactivate ๐Ÿ  ๐Ÿข Work โœˆ๏ธ Different rules, same keychain

๐Ÿ”‘ Not All Keys Are the Same

Your personal key is yours: you can delete it, disable it, switch it out whenever you want. But your work keycard belongs to your company. They decide when to deactivate it, you can't delete it, and it might even have priority over your personal keys. Both live on the same keychain!

Page 4 of 14
Page 5 of 14
๐Ÿท๏ธ Enterprise Config OID: 1.2.3.4.5 (immutable!) Name: "Acme Corp" Enterprise Rules โ†’ OID never changeable: locked forever ๐ŸŽš๏ธ Three Switches 1. referenceEnterpriseRule 2. priorityEnterpriseProfile 3. onlyEnterpriseProfiles + non-enterprise quota limit Capable Full enforcement Non-Capable Rules = labels only Owned Strongest enforcement

๐Ÿท๏ธ What Makes a Key "Enterprise"?

Any key becomes an enterprise key through its Enterprise Configuration: a globally unique Company OID (immutable forever!), a human-readable name, and three rule switches. The OID is written in hardware: even a rogue IT admin can't change it. Plus a quota on how many personal keys can be active!

Page 6 of 14
Page 7 of 14
๐ŸŽ›๏ธ Master Switch referenceEnterpriseRule This profile governs the ENTIRE vault โญ Priority Work key must be enabled before (or instead of) personal ๐Ÿ”’ Enterprise-Only No personal keys allowed: company phone only! Personal key quota: 2 1 work + 2 personal = 3 slots

๐Ÿ“‹ The Company Sets the Rules

Three rule switches give the company control: the Master Switch (this profile governs the whole vault: only ONE key can have this), Priority (work key comes first), and Enterprise-Only (no personal keys at all!). Plus a quota limits how many personal keys can be active alongside the work key.

Page 8 of 14
Page 9 of 14
PPR2 Cannot Delete This key + Enterprise Rules Vault-wide control = ๐Ÿ›ก๏ธ DOUBLE PROTECTED ๐Ÿ›ก๏ธ๐Ÿ›ก๏ธ๐Ÿ›ก๏ธ The Seven Guards at the Gate 7 validation checks during download: OID mismatch, PPR conflicts, device capability, user consent, reference rule errors, enterprise-only conflicts, LPR support

๐Ÿ”’ You Can't Turn It Off, You Can't Delete It

Enterprise profiles combine PPRs (sticky notes like "can't delete") with Enterprise Rules (vault-wide control like "work-only device"). Both are enforced independently in vault hardware. Seven validation checks run during download: each with its own error code, so everyone knows exactly why something was rejected!

Page 10 of 14
Page 11 of 14
๐Ÿ“ฑ BYOD You own the phone Company provides the SIM Work key = always active Personal keys = limited quota ๐Ÿ’ผ COPE Company buys the phone You use it for work+personal Work key = undeletable Maybe 1 personal key allowed ๐Ÿข ๐Ÿ 

๐Ÿค Both Keys Live Together

BYOD (Bring Your Own Device): you own the phone, the company provides the SIM: work key always active, personal keys limited by quota. COPE (Corporate Owned, Personally Enabled): company buys the phone, both work and personal keys coexist: work key undeletable, perhaps exactly one personal key allowed. Simple, secure coexistence!

Page 12 of 14
Page 13 of 14
๐Ÿ”’ Enterprise OID 1.2.3.4.5 โš ๏ธ NEVER CHANGEABLE Not by you, not by the company Hardware-enforced Even IT admin can't change ๐Ÿง  OID locked forever in hardware!

Once an Enterprise OID is written into the vault, it can NEVER be changed: not by you, not by the company, not even by the Key Maker. The eUICC chip enforces this in hardware. Even a rogue IT admin can't remotely change the company ID on your work profile. The vault says: "Sorry, that field is locked forever!"

๐Ÿ“š Explore More Stories!

๐Ÿ“– Back to All Stories โ†’

โ† Prev: The Vault's Rulebook

Page 14 of 14
โฌ† โฌ‡ โ† Prev All Books