With iOS 7, Apple has given IT more tools than ever for managing iOS devices, but you should understand which iOS 7 security and privacy features you can control and how.
Apple iOS 7 lets you control apps, protect sensitive data and ensure user privacy more effectively. The OS also provides tighter integration with mobile device management (MDM) tools for more streamlined deployment and administration. But many of the iOS 7 security and privacy features come with caveats: some open the door to new vulnerabilities, and others require that devices be in supervised mode.
Managing apps in iOS 7
As is the case on most devices that workers use to conduct business, apps are either managed or unmanaged. Managed apps are IT-implemented and controlled, whereas unmanaged apps are personal ones that users install and manage themselves.
You can deploy and manage apps through a combination of systems and services such as the Volume Purchase Program, the iOS Developer Enterprise Program, Exchange ActiveSync, Apple Configurator and third-party MDM tools. At the same time, some iOS 7 settings prevent you from viewing or controlling unmanaged apps or taking other steps that would compromise users' privacy. This makes it easier for the enterprise to support bring your own device (BYOD) or corporate-owned, personally enabled (COPE) programs, and it helps you focus on managing only the parts of the device that matter to the business.
Managed apps are not the same as supervised devices, however. Supervised devices are those set up through Apple Configurator, which imposes more restrictive control over the device as a whole, rather than at the app level. Typically, a supervised device is company owned, supports multiple users and serves a specific purpose, such as testing students or offering retail customers catalog access.
Administering iOS 7
Also new in iOS 7 is single sign-on (SSO), which lets users log in once and be authenticated across a spectrum of enterprise applications. But SSO relies on secure access to an organization's Kerberos key distribution center, the same type that Active Directory uses. That means iOS devices must connect to the secure network either behind the corporate firewall or through a device-wide virtual private network (VPN) to take advantage of SSO. Because of this, compromised user credentials could make many more resources vulnerable than just the data accessible in a single app.
Another iOS 7 security feature is per-app VPN, which provides a secure way for an individual managed app to transmit and receive sensitive data. When you enable this feature, the app automatically establishes a VPN connection when it needs one. You can also apply it to specific URLs, so a VPN connection is created if a user tries to reach a designated site through Safari. Per-app VPN also preserves user privacy because only app-specific, business-related traffic is sent over the VPN, and everything else is left alone. Be aware, however, that your organization's VPN service must support this feature and might require a firmware or software update to do so.
Apple has also added the "open in" control, which lets you govern how data is shared between managed and unmanaged apps. You can prevent data from being sent from managed to unmanaged apps, from unmanaged to managed apps, or in both directions. Although "open in" doesn't provide per-app granularity for controlling the flow of data, it does let you establish a baseline for how data is permitted to move between apps, helping to protect sensitive information while preserving user privacy.
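As an added illustration (not code from the article or from Apple), the script below builds a minimal Restrictions payload that sets the two iOS 7 "open in" keys, and audits an existing profile for the directions it leaves open. The payload key names come from Apple's Configuration Profile Reference; the organization identifier `com.example.mdm` is a placeholder, and the script assumes that, when several Restrictions payloads are installed, an explicit `false` in any of them closes that direction.

```python
import plistlib
import uuid

# The two iOS 7 restriction keys that govern "open in" between managed and
# unmanaged apps. Both default to true when absent, i.e. data flows freely.
OPEN_IN_KEYS = ("allowOpenFromManagedToUnmanaged",
                "allowOpenFromUnmanagedToManaged")


def restrictions_profile(managed_to_unmanaged: bool,
                         unmanaged_to_managed: bool,
                         org_id: str = "com.example.mdm") -> bytes:
    """Build a minimal .mobileconfig (XML plist) carrying one Restrictions
    payload. org_id is a placeholder identifier, not a real organisation."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed open-in restrictions",
        "allowOpenFromManagedToUnmanaged": managed_to_unmanaged,
        "allowOpenFromUnmanagedToManaged": unmanaged_to_managed,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Data flow baseline",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def open_in_leaks(profile_bytes: bytes) -> list:
    """Return the open-in directions a profile still allows.
    A missing Restrictions payload or a missing key counts as open, because
    iOS treats absence as 'allowed'; only an explicit False closes it."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    return [key for key in OPEN_IN_KEYS
            if not any(p.get(key) is False for p in payloads)]


if __name__ == "__main__":
    # Weak baseline (both directions open) beside the locked-down one.
    print("permissive:", open_in_leaks(restrictions_profile(True, True)))
    print("locked down:", open_in_leaks(restrictions_profile(False, False)))
```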
The OS also lets you push configuration information, such as server names or Web addresses, to a managed app, and the app automatically uses the new configuration from that point forward. App developers can also include feedback features that report information such as error messages or usage statistics back to the organization. To take advantage of the configuration feature, however, the app must have been specifically developed to read the iOS 7 managed configuration. Both the app configuration and feedback capabilities can help streamline operations and improve the user experience.
Built into iOS 7 is an MDM framework that lets devices wirelessly interact with third-party MDM tools. The OS includes new application programming interfaces (APIs) that offer a wide range of configuration options for setting up and managing devices so your MDM tool can enroll and configure them.
The MDM framework and supporting APIs let you perform a number of tasks. For example, you can push Web filters to devices to whitelist or blacklist specific URLs or domains. Those rules are applied across all browsers on the device, eliminating the need for proxy servers to filter traffic.
The MDM capabilities in iOS also let you distribute fonts, manage Apple TV devices and enable silent app updates. In addition, the APIs let you disable features such as Touch ID, personal hotspots, AirDrop and the ability to modify mail account settings.
But some of those features apply only to devices in supervised mode. For example, you can configure AirPlay and AirPrint destinations on any managed device, but the ability to whitelist destinations applies only to supervised devices. The same goes for the ability to perform silent updates or disable AirDrop or mail account changes.
Much more in iOS 7
Apple has also extended the single app mode capabilities in iOS 7 so you can better control a device's behavior. For example, you can specify which apps can automatically enter single app mode. You can also disable hardware controls such as the ringer, volume and sleep/wake buttons or disable software features such as rotation sensing, touch screen and auto lock. Apple has also enhanced the Wi-Fi configuration capabilities in iOS 7. You can configure multiple networks and define which ones a device should use.
With an update to license management, organizations can now purchase apps through the Volume Purchase Program and retain complete control over the licenses. That way, if an employee leaves the company, the license can be reassigned to another user.
You can also set up a local caching server to speed up app downloads and updates. In addition, iOS 7 now includes the Activation Lock feature, which prevents a lost or stolen device from being reactivated without the owner's iCloud account credentials, improving iOS 7 security. Plus, all third-party apps' data is now automatically encrypted on iOS 7 devices when a passcode is used for device access.