Apple iPhones, iPods and now iPads are flooding the workplace, bringing opportunities to enhance mobile productivity, accessibility, and collaboration. But for IT, these new iOS4-based mobile devices pose management challenges. In this article, we take a look at iOS4 mobile device management (MDM) features and how they enable enterprise-administered provisioning, monitoring and security.
Apple integrates mobile device management
When Apple introduced the iPhone, it was an instant hit with consumers but a concern for enterprises. Early versions had many security vulnerabilities and no software development kit for third-party security or management tools to fill gaps. Over time, Apple focused updates on consumer enhancements, but gradually addressed basic enterprise management and security needs as well. When the iPhone 3GS was released, OS 3.0 supported device-level hardware encryption, uploadable XML policies, and Exchange ActiveSync control over password and encryption use, idle lock, and device wipe after login failure or remote command from Exchange Server 2003/2007.
These features were essential for enterprises to embrace iPhones, causing many IT departments to start supporting the iPhone 3GS as a secure mobile device. But limitations still impeded broader business use, such as device initialization through iTunes, application installation through Apple's App Store, and inability to integrate more fully with third-party enterprise management and security solutions. In short, IT departments still had to jump through many iPhone-specific hoops. When the iPad was released this spring, it shared the same OS -- renamed iOS (not to be confused with Cisco's IOS) -- and thus the same management features and limitations.
However, this all changes with iOS4, released this summer with the iPhone 4. Today, iOS 4.1 runs on iPhone 3G, 3GS, and 4, as well as third- and fourth-generation iPod touch devices. Some features (notably hardware encryption and multi-tasking) work only on new hardware. The iPad is expected to join this party when iOS 4.2 is released in November. iOS4 brings many important features to Apple mobile devices, but from an enterprise security perspective, the biggest is native iOS4 mobile device management.
iOS4 makes mobile device management easier
Even though enterprises were able to control some essential security settings via ActiveSync, most iPhone/iPad/iPod touch settings must be configured using XML profiles. Before iOS4, profiles had to be generated using Apple's iPhone Configuration Utility, delivered by that desktop or out-of-band (for example, by Web download), and then installed by the end user. Third-party management systems could not push updated settings to devices or transparently monitor them without first installing their own agent -- which had to be approved by Apple and downloaded from the App Store.
In iOS4, all of those settings can be provisioned and updated with profiles that can now be delivered to transparently enrolled devices, using the Apple Push Notification Service (APNS) to enable communication between devices and third-party mobile device management systems. This native MDM means that IT groups are no longer limited to what can be accomplished through ActiveSync or Apple's desktop utility. Instead, they can plug iPhones, iPod touches, and (soon) iPads directly into the MDM of their own choosing, controlling, monitoring, and securing those devices more like other IT-managed devices. Ultimately, this will be limited by the capabilities and settings supported in each device, but Apple's new native MDM flow requires almost no end-user involvement.
Here's how native MDM works. To get started, each iOS4 device user visits their employer's enterprise MDM Web provisioning portal, where he or she will log in and be prompted to install an Apple-supplied Global MDM Configuration Profile. As that profile is installed, the iPhone completes an enrollment process, during which the enterprise MDM validates the device and generates a device certificate. Thereafter, the MDM can manage and monitor the iOS4 device without user participation.
But how does the MDM communicate with the iPhone without a third-party agent or Exchange ActiveSync? This is where APNS comes in. To initiate any management request, the MDM uses APNS. The iOS4 device responds directly to the MDM server over HTTPS, at which point the MDM can install or remove profiles, query settings, or receive periodic reports from the device. Although it is still possible to use Exchange ActiveSync with iOS4 devices, greater security control and visibility can now be accomplished through native MDM.
Using iOS4 MDM to meet enterprise needs
To tap these capabilities, your enterprise must use an MDM product or service that supports iOS4 native management interfaces. Vendors that have already announced intent to support iOS4 MDM include Sybase (Afaria), AirWatch (MDM), Good Technology (Good for Enterprise), MobileIron (Virtual Smartphone Platform), and Zenprise (Mobile Manager). Many are now undergoing beta testing.
You will need to create a secure Web portal to support over-the-air device enrollment, during which your enterprise certificate authority must accept Simple Certificate Enrollment Protocol (SCEP) requests and generate and return authorized device certificates. After enrollment, your MDM will be able to update and maintain managed devices by installing (optionally signed, encrypted, locked) XML configuration and application provisioning profiles.
Settings controlled through Configuration Profiles include accounts (Exchange ActiveSync, IMAP/POP, VPN, Wi-Fi, LDAP, Cal/CardDAV, calendars), policies (passcode requirement, complexity, length, max age; auto-lock timeout and grace period; failed attempts before wipe; user override), restrictions (application install and purchase rights; camera, screen capture, locked dial, and interface use; encrypted backups; content ratings; Safari, YouTube, iTunes, and AppStore use), certificates and identities, and web clips. Application Provisioning Profiles can be used to remotely install and delete applications without user participation, although apps must still be signed, approved, and obtained from the App Store.
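The XML profiles described above are plist documents, so an MDM administrator can generate them and audit them with ordinary tooling. The following Python example, added here and not taken from the article or from Apple, builds a profile carrying a passcode policy payload and a restrictions payload, then audits any profile against a baseline. The payload types and keys (com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess, forcePIN, allowSimple, minLength, maxPINAgeInDays, maxInactivity, maxGracePeriod, maxFailedAttempts, forceEncryptedBackup, allowScreenShot, PayloadRemovalDisallowed) are Apple's; the BASELINE thresholds, the com.example identifiers and the two constructed profiles are this example's own assumptions.

```python
"""Build and audit an iOS configuration profile (.mobileconfig plist).

Added example, not code from the article or from Apple. Payload types and keys
follow Apple's Configuration Profile Reference; the thresholds in BASELINE and
the com.example identifiers are this example's own assumptions.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"  # Apple payload type
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"         # Apple payload type

# Hypothetical enterprise baseline: booleans must match exactly, minLength is a
# floor, every other number is a ceiling.
BASELINE = {
    "forcePIN": True,             # passcode required
    "allowSimple": False,         # no repeating/sequential passcodes
    "minLength": 6,
    "maxPINAgeInDays": 90,
    "maxInactivity": 5,           # minutes of idle time before auto-lock
    "maxGracePeriod": 0,          # minutes a locked device may be reopened without passcode
    "maxFailedAttempts": 10,      # wipe after this many failed attempts
    "forceEncryptedBackup": True,
    "allowScreenShot": False,
}


def _payload(payload_type, settings):
    """Wrap settings in the common keys that every profile payload carries."""
    body = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm." + payload_type,  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": payload_type,
    }
    body.update(settings)
    return body


def build_profile(passcode, restrictions, locked=True):
    """Return XML plist bytes for a profile holding a passcode and a restrictions payload.

    locked=True sets PayloadRemovalDisallowed so the user cannot remove the profile.
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.baseline",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example enterprise baseline",
        "PayloadRemovalDisallowed": locked,
        "PayloadContent": [_payload(PASSCODE_PAYLOAD, passcode),
                           _payload(RESTRICTIONS_PAYLOAD, restrictions)],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Parse any profile and list its deviations from BASELINE.

    A key that is absent counts as a violation: the device then keeps its
    permissive default (no passcode age limit, screenshots allowed, and so on).
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile is removable by the user")
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") in (PASSCODE_PAYLOAD, RESTRICTIONS_PAYLOAD):
            merged.update(payload)
    for key, wanted in BASELINE.items():
        actual = merged.get(key)
        if isinstance(wanted, bool):
            ok = actual == wanted
        elif key == "minLength":
            ok = actual is not None and actual >= wanted
        else:
            ok = actual is not None and actual <= wanted
        if not ok:
            findings.append(f"{key}: baseline {wanted!r}, profile has {actual!r}")
    return findings


# Constructed profiles: one as a careless admin might ship it, one meeting BASELINE.
WEAK_PROFILE = build_profile(
    {"forcePIN": True, "allowSimple": True, "minLength": 4},
    {"allowCamera": True, "forceEncryptedBackup": False},
    locked=False)
HARDENED_PROFILE = build_profile(
    {"forcePIN": True, "allowSimple": False, "minLength": 8, "maxPINAgeInDays": 60,
     "maxInactivity": 2, "maxGracePeriod": 0, "maxFailedAttempts": 8},
    {"allowCamera": False, "forceEncryptedBackup": True, "allowScreenShot": False})

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(blob) or "compliant")
```

Running the script reports nine findings for the weak profile (it is user-removable, permits simple four-digit passcodes, and leaves age, auto-lock, grace period, wipe threshold, backup encryption and screenshot policy at their device defaults) and none for the hardened one. The audit treats a missing key as a failure on purpose: a profile that is silent on a setting does not enforce it, which is easy to miss when reading the XML by eye.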
Native MDM can also query or periodically report on a healthy number of device parameters, including device name/UDID/IMEI, model, version, serial number; network interface type, address, and status; installed profiles, certificates, restrictions, and encryption/passcode status; and installed apps. Configuration Profiles control APNS parameters that determine how often an MDM receives any monitored data.
Finally, iOS4 mobile device management supports essential remote management commands like device lock, device wipe, and passcode clear. Putting all of this "under one roof" makes it possible for MDM vendors to supply a single console that controls and monitors everything supported by iOS4 devices, without having to rely on ActiveSync for a few commands. However, MDM vendors can still be expected to deliver value-added features that go beyond these native capabilities -- for example, to monitor parameters not included in this native set, or to perform device-resident housekeeping in between MDM contacts.
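To make the push-then-check-in flow described earlier concrete, the following Python example simulates the exchange between an enrolled device and an MDM server: the server queues a command, hands a wake-up to APNS, the device connects over HTTPS with Status Idle, executes each command it is handed (a DeviceInformation query covering several of the parameters listed above, a DeviceLock command, and one the device does not support), and reports back until the queue is drained. This is an added example, not code from the article, from Apple or from any MDM vendor. The message shapes (plist dictionaries, Status values Idle, Acknowledged and Error, RequestType values DeviceInformation and DeviceLock, Queries keys such as UDID, Model and IMEI) follow Apple's MDM protocol; APNS, the HTTPS transport, the client certificate issued at enrollment, the MDMServer and Device classes, the ExampleUnsupported request type and every UDID, token and serial value are constructed stand-ins.

```python
"""Simulated iOS4 native MDM command exchange: push, check-in, command, response.

Added example; not Apple's or the article's code. The message shapes (plist
dictionaries, Status values Idle/Acknowledged/Error, RequestType values such as
DeviceInformation and DeviceLock) follow Apple's MDM protocol; APNS, the HTTPS
transport and the client-certificate check are replaced by in-memory stand-ins.
"""
import plistlib
import uuid
from collections import deque


class MDMServer:
    """Enterprise MDM: enrollment records, per-device command queues, collected results."""

    def __init__(self):
        self.enrolled = {}     # UDID -> {"token": APNS device token, "push_magic": PushMagic}
        self.queues = {}       # UDID -> deque of pending command plists
        self.results = {}      # CommandUUID -> the device's response plist
        self.pushes_sent = []  # (token, push_magic) pairs handed to the APNS stand-in

    def enroll(self, udid, token, push_magic):
        """Record what the device reports once the MDM profile is installed."""
        self.enrolled[udid] = {"token": token, "push_magic": push_magic}
        self.queues[udid] = deque()

    def queue_command(self, udid, request_type, **params):
        """Queue a command and 'push' a wake-up; the push carries only PushMagic, never command data."""
        rec = self.enrolled[udid]  # KeyError for an unenrolled UDID: nothing is queued
        cmd = {"CommandUUID": str(uuid.uuid4()).upper(),
               "Command": {"RequestType": request_type, **params}}
        self.queues[udid].append(cmd)
        self.pushes_sent.append((rec["token"], rec["push_magic"]))
        return cmd["CommandUUID"]

    def handle_connection(self, body):
        """One HTTPS PUT from a device: returns the next command plist, b"" when the
        queue is drained, or None when the UDID is not enrolled (rejected)."""
        msg = plistlib.loads(body)
        udid = msg.get("UDID")
        if udid not in self.enrolled:
            return None
        if msg.get("Status") in ("Acknowledged", "Error"):
            self.results[msg["CommandUUID"]] = msg
        queue = self.queues[udid]
        return plistlib.dumps(queue.popleft()) if queue else b""


class Device:
    """Device side: answers DeviceInformation queries and executes DeviceLock."""

    def __init__(self, udid, name, model, os_version, serial):
        self.udid, self.locked = udid, False
        self.info = {"UDID": udid, "DeviceName": name, "Model": model,
                     "OSVersion": os_version, "SerialNumber": serial}
        self.token = b"constructed-token-" + udid.encode()   # constructed APNS token
        self.push_magic = str(uuid.uuid4()).upper()           # constructed PushMagic

    def check_in(self, server):
        """After a push: connect with Status Idle, run each command the server hands back,
        reply with its result, and stop when no command is returned. Returns RequestTypes run."""
        reply, executed = {"UDID": self.udid, "Status": "Idle"}, []
        while True:
            raw = server.handle_connection(plistlib.dumps(reply))
            if not raw:          # b"" (queue drained) or None (rejected)
                break
            cmd = plistlib.loads(raw)
            reply = self._execute(cmd)
            executed.append(cmd["Command"]["RequestType"])
        return executed

    def _execute(self, cmd):
        request = cmd["Command"]
        reply = {"UDID": self.udid, "CommandUUID": cmd["CommandUUID"], "Status": "Acknowledged"}
        if request["RequestType"] == "DeviceInformation":
            # Keys the device does not know (IMEI on this constructed device) are simply omitted.
            reply["QueryResponses"] = {q: self.info[q] for q in request.get("Queries", []) if q in self.info}
        elif request["RequestType"] == "DeviceLock":
            self.locked = True
        else:
            reply["Status"] = "Error"
            reply["ErrorChain"] = [{"LocalizedDescription": "unsupported RequestType"}]
        return reply


def run_demo():
    """Enroll one constructed device, queue three commands, let it check in; also try an
    unenrolled UDID. Returns (server, device, executed, stranger_rejected)."""
    server = MDMServer()
    phone = Device("UDID-CONSTRUCTED-0001", "Example iPhone", "iPhone 4", "4.1", "SN-CONSTRUCTED")
    server.enroll(phone.udid, phone.token, phone.push_magic)
    server.queue_command(phone.udid, "DeviceInformation",
                         Queries=["UDID", "DeviceName", "Model", "OSVersion", "SerialNumber", "IMEI"])
    server.queue_command(phone.udid, "DeviceLock")
    server.queue_command(phone.udid, "ExampleUnsupported")  # hypothetical RequestType
    executed = phone.check_in(server)
    stranger = plistlib.dumps({"UDID": "UDID-NOT-ENROLLED", "Status": "Idle"})
    return server, phone, executed, server.handle_connection(stranger) is None


if __name__ == "__main__":
    server, phone, executed, rejected = run_demo()
    print("executed:", executed, "locked:", phone.locked, "stranger rejected:", rejected)
    for resp in server.results.values():
        print(resp["Status"], resp.get("QueryResponses", resp.get("ErrorChain", "")))
```

Two points the simulation makes visible: the push itself carries nothing but a wake-up, so an attacker who could observe APNS traffic would learn no command content, and every command and result travels over the device-initiated HTTPS connection where the server checks that the UDID is enrolled (a real server would also verify the client certificate issued at enrollment, which this stand-in omits). A check-in from an unenrolled UDID is rejected outright, and a command the device does not understand comes back with Status Error rather than being silently dropped, which is what an MDM console needs in order to alert on it.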
Further information about iOS4 MDM can be found on Apple's website, although specifics related to user and device authorization, provisioning, profile creation, administration, alerting, and reporting depend on the third-party mobile device management product that you use. In the near-term, enterprises may experience growing pains, while older iPhones cannot be managed this way and the kinks are worked out of iOS4 MDMs. But in the long run, enterprises may find that native MDM enables more powerful and transparent management of iOS4 devices, applied more consistently with other managed devices.
About the author:
Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 25 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices. Lisa teaches about wireless LANs and mobile device security and management, and has written extensively for numerous publications.