

New iOS security features are all about the apps

Expanded per-app VPNs, the new Trust user interface and changes to the Device Enrollment Program give IT more flexibility when it comes to iOS security.

With iOS 9, Apple continues its slow but steady outreach to enterprise IT with key capabilities and controls intended to facilitate secure mobility.

Apple has built partnerships with enterprise vendors such as IBM and Cisco and is striving to turn iOS devices such as the new iPad Pro into more efficiently and effectively managed PC alternatives. The new iOS security features show that Apple will continue to find and fix holes to meet enterprise IT security and provisioning needs.

In iOS 9, the default minimum passcode length and complexity increase from four digits to six alphanumeric characters -- significantly reducing the risks posed by lost or stolen devices. To soften the blow of constantly having to enter a longer passcode, iOS users with newer iPhones and iPads can use Touch ID for frequent fingerprint-based authentication throughout the day. The combination of Touch ID and longer, stronger passcodes makes brute-force cracking attacks much harder.

One of the more important new iOS security features is two-factor authentication for access to data synchronized to iCloud. Specifically, whenever a new device is configured to access iCloud using an Apple ID, Apple sends a verification notice to all other devices associated with that same Apple ID. This approach reduces the risks of storing data in iCloud by alerting users to unauthorized access.

App-level iOS security features

Per-app VPNs are expanded in iOS 9: they are integrated into native layer-three VPN clients and add support for UDP traffic, which allows organizations to securely tunnel VoIP application traffic.

In addition, the new requirements that App Store apps must support IPv6 and App Transport Security (ATS) raise the bar for iOS 9 security. When ATS is enabled, apps that communicate through HTTP automatically attempt to connect with HTTPS instead. Together, these changes reduce the risk of enterprise data leakage through unencrypted over-the-air traffic.

IT also has more granular control over Apple's AirDrop peer-to-peer data sharing in iOS 9. Previously, IT only had the ability to turn AirDrop on or off entirely. Now, IT can let personal -- unmanaged -- apps use AirDrop but block access from enterprise -- managed -- apps.

Other new features at IT's disposal include the ability to disable Apple Watch pairing and screen recording synchronization with iCloud. These new restrictions are only available on company-owned devices that are activated through the Apple Device Enrollment Program (DEP), however.

More on iOS 9 security

As the ability to exert efficient and effective IT control over apps grows more important, Apple has made quite a few improvements in iOS security features to overcome pain points and gaps in earlier versions.

For example, many organizations want to provision App Store apps for business, but Apple's restrictions that required heavy user involvement have hampered those efforts. But in iOS 9, IT can manage user-installed App Store apps.

Another new iOS 9 security feature is the Trust user interface (UI) that facilitates easier app provisioning by IT. With the Trust UI, users give installation permission to any enterprise-developed apps signed with a certain certificate. After users complete this one-time agreement, any future attempts by IT to install apps signed with that certificate will raise no warnings. And on devices in Supervised mode, the installation will happen automatically, without any user participation at all.

The Trust UI doesn't actually prevent users from installing bad apps, but it can help them make better choices by differentiating between apps from trusted and untrusted sources. Enterprises will need to educate users about how and why to accept trusted certificates, however, and what to do about those warning prompts.

Finally, in iOS 9, Apple continues to refine the DEP and Volume Purchase Program to dovetail more cleanly with enterprise provisioning workflows. For example, DEP now prevents company-owned devices from being used until IT entirely completes mobile device management provisioning. And two new application licensing options -- user-based and device-based -- enable IT to provision apps to devices without associating them to an Apple ID.
