Enterprise mobile security smackdown: iOS vs. Android vs. Windows
A comprehensive collection of articles, videos and more, hand-picked by our editors
Some of the new iOS 7 MDM features come with a pretty big caveat.
Certain capabilities are only available on Apple Inc.'s iPhones and iPads in supervised mode, a feature that gives IT nearly complete control over users' devices -- and therefore isn't a good fit in bring your own device (BYOD) settings.
Supervision has a lot more importance in iOS 7 than it has before.
chief technology officer, Tekserve
Further, the only way to place a device in supervised mode is with Apple Configurator software, which requires a physical connection to a Mac computer.
The supervised mode requirement for some iOS 7 mobile device management (MDM) features has caught some IT professionals by surprise.
"It sounds really great when they stand up and scream about it, but when you put it into practice, it just isn't the same," said an IT professional at a large enterprise evaluating iOS 7.
Blocking AirDrop with iOS 7 MDM
Some iOS MDM capabilities have always required supervised mode, but of particular concern in iOS 7 is AirDrop, a new feature that lets users transfer data from one device to another in close proximity over a direct Wi-Fi connection. Administrators can't disable it unless users' devices are in supervised mode.
"We were told by our security folks, when looking at the features, that AirDrop is one of those we have to turn off," said the IT pro evaluating iOS 7.
Apple's developer library website mentions that disabling AirDrop requires supervised mode, but some organizations only found out about it through discussions with their MDM vendors.
"I find it discouraging," this IT pro said.
Ideally, administrators would be able to control which applications and pieces of data AirDrop can and can't access, said Brian Katz, head of mobility engineering at a large pharmaceutical company in New Jersey.
More on iOS 7 mobile device management
Apple iOS device management cheat sheet
How iOS 7 MDM will affect enterprise mobility management vendors
The current all-or-nothing approach is common for new iOS features, however. When iCloud first came out, there was only a master on/off switch; IT now has more granular control over access to that service.
"You want AirDrop or any of this stuff based on the data," Katz said. "It's a little blunt now, but one just hopes that they refine it as we go along."
The new Managed Open In feature in iOS 7 could help in that area, said Aaron Freimark, chief technology officer at Tekserve, an Apple solution provider in New York. He'd like to see Managed Open In, which restricts data sharing between apps, give IT more control over AirDrop.
"The question is whether AirDrop should be thought of as an app feature or a device feature," he said. "It seems Apple thought of it as a device feature."
More iOS MDM features require supervised mode
Supervised mode is most commonly used in schools or in businesses where devices only need to run one app, like for point-of-sale in a retail store or kiosks in an airport.
It's in direct competition with BYOD and COPE, where a company owns the device but allows employees to use them as personal devices as well, Katz said.
Other iOS 7 MDM capabilities that IT can perform only on supervised devices include the following:
- Installing apps directly with no user involvement;
- Filtering Web content;
- Preventing users from creating or modifying Apple ID accounts;
- Disabling changes to Find My Friends, which shares users' location; and
- Disabling iMessages.
"Supervision has a lot more importance in iOS 7 than it has before," Freimark said.
Apple is working on a way to put devices into supervised mode without physically connecting them to a Mac running Apple Configurator. Its upcoming streamlined device enrollment service will offer the ability to turn on supervised mode wirelessly. The service, however, is only available on devices that companies purchase directly from Apple.