Apple continues to improve iPhone and iPad enterprise capabilities, and many of these features are based on two important technologies: configuration profiles and Apple's over-the-air mobile device management protocol.
As organizations embrace mobility, it's worth taking some time to understand what these technologies are and how they work. Apple iOS configuration profiles are XML property list (plist) files, usually with a .mobileconfig extension, that IT admins can install on iOS devices to change various settings, including:
- passcode requirements and complexity rules;
- access to enterprise Wi-Fi, email and VPNs;
- restrictions on the camera, built-in apps, data sharing and iCloud backup;
- certificates and user account credentials;
- remote mobile device management (MDM) server connections.
Configuration profiles can be installed over USB with Apple Configurator, sent as an email attachment or downloaded from a website; in each of those cases the user has to accept the profile on the device, and because a profile can carry credentials and CA certificates, users should only accept profiles from a source they trust (signing the profile lets the device show it as verified). More importantly, IT can also install them over the air by enrolling devices via Apple's iOS MDM protocol and connecting those devices to a remote MDM server; once a device is enrolled, profiles the server pushes install silently.
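As an added example (not code from the original article or from Apple): building a small profile of the kind listed above with Python's standard plistlib, then parsing it back to list its payloads and flag what a reviewer would want to see before approving it for delivery. The payload types and keys are Apple's documented ones; the organization prefix, SSID, password and the audit's list of secret-bearing keys are assumptions.

```python
import plistlib
import uuid

ORG = "com.example.mdm"  # assumed reverse-DNS prefix for payload identifiers


def payload(ptype, ident, name, **settings):
    """One payload: the common keys every payload carries plus its own settings."""
    return {
        "PayloadType": ptype,
        "PayloadIdentifier": f"{ORG}.{ident}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        **settings,
    }


def build_profile(removal_disallowed=False):
    """Assemble a .mobileconfig: a top-level container whose PayloadContent array
    holds a passcode policy, a restrictions payload and a Wi-Fi payload (constructed)."""
    content = [
        payload("com.apple.mobiledevice.passwordpolicy", "passcode", "Passcode policy",
                allowSimple=False, minLength=6, requireAlphanumeric=True,
                maxFailedAttempts=10, maxInactivity=5),
        payload("com.apple.applicationaccess", "restrictions", "Restrictions",
                allowCamera=False, allowCloudBackup=False,
                allowOpenFromManagedToUnmanaged=False),
        payload("com.apple.wifi.managed", "wifi", "Corporate Wi-Fi",
                SSID_STR="CorpWiFi", EncryptionType="WPA", Password="hunter2"),
    ]
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{ORG}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Corporate baseline",
        "PayloadOrganization": "Example Corp",
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": content,
    }
    return plistlib.dumps(profile)  # XML plist bytes, ready to save as .mobileconfig


# Keys whose values are secrets when present in a payload (assumed list for the audit).
SECRET_KEYS = {"Password", "Passphrase", "PrivateKey"}


def audit_profile(data):
    """Parse a profile and report its payload types plus review findings."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    findings = []
    for pl in payloads:
        for key in sorted(pl.keys() & SECRET_KEYS):
            findings.append(f"{pl['PayloadType']}: {key} is stored in clear; "
                            "anyone who obtains the file (mail, web download) can read it")
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("PayloadRemovalDisallowed is set: the user cannot remove this profile")
    return {
        "types": [pl["PayloadType"] for pl in payloads],
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_profile(build_profile())
    print("\n".join(report["types"] + report["findings"]))
```

The Wi-Fi finding is the point of the audit: a profile emailed or downloaded from a web server carries its passwords in clear inside the file, whereas pushing it through MDM keeps it off mail and web servers, and the server can additionally encrypt the payload content to the device's identity certificate.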
Enrolling iOS devices
To enroll a device, IT has to verify the user's identity; the device then obtains an identity certificate, typically through the Simple Certificate Enrollment Protocol (SCEP), and uses it to authenticate to the MDM server, receive configuration profiles encrypted for that specific device and take management commands over that authenticated channel. Then, admins can configure the device as needed.
After admins enroll a device, the MDM server can perform various ongoing management tasks, including:
- locking or erasing the device;
- resetting the passcode;
- installing public or enterprise apps;
- querying the device for information about hardware and software, including what apps are installed;
- installing, updating and removing iOS configuration profiles to change device settings.
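The enrollment and command flow the two lists above describe, as an added example that is not code from the original article or from Apple: a constructed simulation of both sides of the MDM protocol in Python, using the documented message and status names (Authenticate, TokenUpdate, Idle, Acknowledged, NotNow, RequestType) but made-up server and device classes, UDIDs, tokens and push topic. Transport is omitted; in the real protocol each request is an HTTPS PUT of a plist, and the server must authenticate the device with the certificate it obtained through SCEP (TLS client certificate or the Mdm-Signature header) before trusting the UDID in the body.

```python
import plistlib
import uuid
from collections import deque

TOPIC = "com.apple.mgmt.External.example"  # assumed; the real topic comes from the APNs certificate


class MDMServer:
    """Server side: CheckInURL and ServerURL handlers plus a per-device command queue."""

    def __init__(self):
        self.devices = {}   # UDID -> push token, PushMagic, UnlockToken
        self.queues = {}    # UDID -> pending commands (plist dicts)
        self.inflight = {}  # CommandUUID -> command sent but not yet answered
        self.results = []   # (UDID, CommandUUID, Status, full response)

    def checkin(self, body):
        """HTTP PUT to CheckInURL. Returns the HTTP status a real server would send."""
        msg = plistlib.loads(body)
        udid, kind = msg["UDID"], msg["MessageType"]
        if kind == "Authenticate":
            # Enrollment start. A real server verifies the TLS client cert (SCEP identity)
            # or the Mdm-Signature header here; this model only records the UDID.
            self.devices[udid], self.queues[udid] = {}, deque()
            return 200
        if kind == "TokenUpdate":
            if udid not in self.devices:
                return 401  # token from a device that never authenticated
            self.devices[udid] = {"token": msg["Token"], "push_magic": msg["PushMagic"],
                                  "unlock_token": msg.get("UnlockToken")}
            return 200
        return 400

    def enqueue(self, udid, request_type, **params):
        cuuid = str(uuid.uuid4()).upper()
        self.queues[udid].append({"CommandUUID": cuuid,
                                  "Command": {"RequestType": request_type, **params}})
        # A real server now sends the APNs push {"mdm": push_magic} to wake the device.
        return cuuid

    def server_url(self, body):
        """HTTP PUT to ServerURL. An empty reply means 'nothing pending'."""
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        if "token" not in self.devices.get(udid, {}):
            return b""  # not enrolled (a real server answers 401)
        status = msg["Status"]
        if status != "Idle":
            cmd = self.inflight.pop(msg["CommandUUID"])
            self.results.append((udid, cmd["CommandUUID"], status, msg))
            if status == "NotNow":
                self.queues[udid].appendleft(cmd)  # retry after the next push
                return b""
        if self.queues[udid]:
            cmd = self.queues[udid].popleft()
            self.inflight[cmd["CommandUUID"]] = cmd
            return plistlib.dumps(cmd)
        return b""


class Device:
    """Device side: check in, then poll ServerURL until it returns an empty body."""

    def __init__(self, udid):
        self.udid, self.locked, self.profiles = udid, False, []

    def enroll(self, server):
        # By now the MDM and SCEP payloads have run and the device holds its identity cert.
        auth = server.checkin(plistlib.dumps({"MessageType": "Authenticate", "Topic": TOPIC,
                                              "UDID": self.udid}))
        token = server.checkin(plistlib.dumps({"MessageType": "TokenUpdate", "Topic": TOPIC,
                                               "UDID": self.udid, "Token": b"apns-token",
                                               "PushMagic": "MAGIC", "UnlockToken": b"unlock"}))
        return auth == 200 and token == 200

    def run(self, cmd):
        rt = cmd["Command"]["RequestType"]
        if rt == "InstallProfile" and self.locked:
            return "NotNow", {}  # profile installs wait until the device is unlocked
        if rt == "InstallProfile":
            self.profiles.append(cmd["Command"]["Payload"])
            return "Acknowledged", {}
        if rt == "DeviceLock":
            self.locked = True
            return "Acknowledged", {}
        if rt == "DeviceInformation":
            return "Acknowledged", {"QueryResponses": {"UDID": self.udid, "ProductName": "iPhone"}}
        return "Error", {}

    def wake(self, server):
        """What the APNs push triggers. Returns the number of commands received."""
        msg, handled = {"UDID": self.udid, "Status": "Idle"}, 0
        while body := server.server_url(plistlib.dumps(msg)):
            cmd = plistlib.loads(body)
            status, extra = self.run(cmd)
            handled += 1
            msg = {"UDID": self.udid, "Status": status, "CommandUUID": cmd["CommandUUID"], **extra}
        return handled
```

The NotNow branch is the edge case worth keeping in mind: a locked device accepts the command but refuses to run it, and the server has to hold it for the next wake-up rather than treat it as done; the unknown-UDID checks are where a real server's certificate verification belongs.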
Apple configuration profiles and the iOS MDM protocol rely on the OS, so even if the MDM servers are from different third-party vendors, they will all provide the same on-device capabilities. Still, MDM vendors provide different agent apps IT can install on users' devices.
Configuration profiles don't require an agent app to work, but agents can be useful for other reasons. An agent app can assist in enrollment or serve as an enterprise app store. Better yet, it can access information on the device that the MDM server and iOS configuration profiles can't, such as location data. The agent can even run checks for signs that a device has been jailbroken, although those checks run inside a sandboxed app and a jailbreak can hide from them, so a clean result is a signal rather than proof. IT can then use these metrics to build richer management policies.
Benefits of iOS configuration profiles
Apple configuration profiles and the MDM protocol are inherently flexible. A profile is a container for one or more payloads, each configuring a single thing such as a Wi-Fi network, a passcode policy or the MDM server connection, so IT can deliver settings individually. The iOS MDM protocol can vary in scope, too: the AccessRights value in the MDM payload specifies the particular rights a server may or may not have over a device. (Most MDM servers just take all the rights on the device by default and restrict the management options in the administrative interface instead.)
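An added example for the AccessRights point (not Apple's or a vendor's code): the bit values are those in Apple's MDM payload documentation; the MDM payload and the BYOD policy below are constructed, with made-up URLs, topic and UUIDs. It decodes the rights a profile requests, checks Apple's dependency rules between bits, and lists what a server asks for beyond what a policy allows.

```python
# AccessRights bit values from Apple's MDM payload documentation.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information (phone number, MAC addresses)",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS)  # 8191: every bit, the value most servers request
# Dependencies Apple enforces: bit 2 requires bit 1, bit 128 requires bit 64.
REQUIRES = {2: 1, 128: 64}

# Constructed MDM payload as it would sit in a profile's PayloadContent.
MDM_PAYLOAD = {
    "PayloadType": "com.apple.mdm",
    "PayloadIdentifier": "com.example.mdm.enroll",
    "PayloadUUID": "3F0B9C2A-0000-4000-8000-000000000001",
    "PayloadVersion": 1,
    "ServerURL": "https://mdm.example.com/mdm",
    "CheckInURL": "https://mdm.example.com/checkin",
    "Topic": "com.apple.mgmt.External.example",
    "IdentityCertificateUUID": "3F0B9C2A-0000-4000-8000-000000000002",
    "AccessRights": ALL_RIGHTS,
}


def describe(rights):
    """Human-readable list of the rights set in an AccessRights value."""
    return [name for bit, name in ACCESS_RIGHTS.items() if rights & bit]


def validate(rights):
    """Problems Apple's rules would reject: undefined bits or a missing prerequisite bit."""
    problems = []
    if rights & ~ALL_RIGHTS:
        problems.append(f"unknown bits set: {rights & ~ALL_RIGHTS}")
    for bit, needed in REQUIRES.items():
        if rights & bit and not rights & needed:
            problems.append(f"bit {bit} requires bit {needed} ({ACCESS_RIGHTS[needed]})")
    return problems


def compose(*names):
    """Build an AccessRights value from right names: list what you need, nothing more."""
    by_name = {name: bit for bit, name in ACCESS_RIGHTS.items()}
    return sum(by_name[name] for name in names)


def rights_in_profile(profile):
    """Pull AccessRights out of the com.apple.mdm payload of a parsed profile."""
    for pl in profile.get("PayloadContent", []):
        if pl.get("PayloadType") == "com.apple.mdm":
            return int(pl["AccessRights"])
    raise ValueError("profile has no com.apple.mdm payload")


def excess_rights(requested, allowed):
    """Rights the server asks for beyond what the policy permits."""
    return describe(requested & ~allowed)


# A BYOD policy (assumed): manage profiles, apps and inventory, but no lock, erase or network details.
BYOD_ALLOWED = compose(
    "inspect installed configuration profiles",
    "install and remove configuration profiles",
    "query device information",
    "inspect installed applications",
    "app management",
)

if __name__ == "__main__":
    requested = rights_in_profile({"PayloadContent": [MDM_PAYLOAD]})
    print("problems:", validate(requested))
    print("beyond BYOD policy:", excess_rights(requested, BYOD_ALLOWED))
```

Running this against a vendor's enrollment profile before rolling it out shows exactly what the server will be able to do, which is the check a BYOD program wants; a server that requests 8191 but only ever exposes inventory in its console still holds the erase right on every enrolled phone.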
Apple iOS configuration profiles can also provide some app-level capabilities that keep work and personal data separate. IT can push enterprise apps, content and accounts to devices and then control whether or not users can share corporate data with their personal apps. Admins can also ensure that enterprise domains and apps use a VPN, to keep personal traffic off the corporate network.
The iOS MDM protocol is designed to respect user privacy, so it does not expose personal photos, text messages or email accounts to the server. Users can view a list of what rights the MDM server has on their devices. If the MDM enrollment profile is removed, whether by the user or by the server, the profiles, accounts and managed apps it installed are removed with it, without IT having to erase the entire device.
Apple MDM also has many features for corporate-owned devices that admins want to lock down, such as kiosks, shared devices or devices used in education. A special management mode called Supervision allows IT to turn off iMessage, silently install apps, disable the Home button and restrict other device features.
The evolving role of MDM
There are alternatives to iOS configuration profiles and the MDM protocol. Mobile application management (MAM) vendors implement features directly in apps themselves, providing more granular app control than the MDM controls Apple provides. Organizations often turn to MAM in situations where MDM doesn't cover all needs.
As Apple configuration profiles and MDM evolve, they will work for even more use cases, but IT will likely rely on app-level features, too.
This article originally appeared in the November/December issue of the Modern Mobility e-zine.