So now iPhone and iPads are running all over your company, and IT is concerned about security. How can your enterprise data be kept secure on the iOS devices of your users? Apple introduced a number of significant new features for device management in iOS 4.x that gives enterprises exactly what they had been asking for.
Using Exchange ActiveSync
One of the most interesting developments in the mobile industry over the last few years has been the industry-wide standardization on Exchange ActiveSync (EAS) for both server-side and mobile device communication and collaboration data synchronization.
In addition to providing push synchronization of mail, calendar, and contacts to iOS devices, EAS also provides the ability to enforce security policies as well as remotely wipe devices if they are lost or stolen. Although EAS does not offer as many features or capabilities as Apple's MDM APIs, EAS may provide enough features for some organizations to be comfortable with the security of iOS.
When a policy is applied to Exchange ActiveSync, users will be forced to comply with the policy, or they will be unable to connect their devices to sync with the Exchange server. In some cases, like requiring a passcode or establishing a specific passcode complexity requirement, users will be prompted to configure their devices accordingly. Other policies, like requiring device encryption, are completely dependent on the device hardware (and in that specific case, it will allow only iOS devices with hardware-based encryption to connect, which includes all iPads and iPhone 3GS, and newer but not older iOS devices).
In addition to enforcing security policies, EAS provides a mechanism for remotely wiping a device if it is lost or stolen. Keep in mind that this will wipe the entire device, including all apps, data, pictures, videos, music, and anything else, whether personal or business-related. Due to the potential legal liability associated with deleting personal content and data on personally owned devices, many organizations require that users sign a legal agreement acknowledging that the company has the right to remotely wipe the device, including any personal information.
Using Mobile Device Management
For many organizations, the device management capabilities provided by EAS are not satisfactory to meet security compliance requirements. Apple listened to the enterprise community, and with iOS 4.x, they introduced a number of MDM APIs that provide enterprise IT organizations significantly more control than was previously available. In the process, dozens of third-party MDM vendors have appeared in the marketplace. Since the vendors are limited by the capabilities of the iOS MDM APIs provided by Apple, many organizations have found the MDM landscape confusing in determining exactly what's different among the various MDM solutions and vendors. In order to clear up some of the confusion, let's examine how Apple's MDM capabilities work on iOS.
Apple's iOS MDM APIs are based upon a relatively simple architecture. Unlike many prior device management architectures used on other mobile platforms, Apple decided to piggyback on the same unified Apple Push Notification Service (APNS). This is the same channel that application developers can use to deliver push notifications to individual users' devices, and it also powers communication initiation for Apple's FaceTime service. Once a device has been enrolled with an MDM server, the server can apply a configuration policy, make a management change, or query a device attribute by sending a device-specific notification through APNS. When the device receives the push notification, it gets a message that the MDM server requests contact. Rather than displaying a message like other push notifications, this MDM process runs quietly in the background.
When the device gets a request from the MDM server, it then opens a connection to the MDM server and requests whatever the MDM server has waiting for it. This can include a batch of management requests, configuration or provisioning profiles to be applied, or queries to be responded to.
The MDM enrollment process generally follows the Simple Certificate Enrollment Protocol (SCEP). Rather than deploying specific service configurations like EAS or VPN though, a configuration profile containing an MDM payload would be delivered. Then, after the device has been enrolled in MDM, the MDM server can push and manage any additional configuration profiles to the device.
Once an iOS device has been enrolled in MDM, the management server has the ability to configure the devices by adding or removing configuration profiles. The configuration profiles are just like what can be created by using the iPhone Configuration Utility, except that when deployed via MDM, the user is not prompted, and the configuration profiles can be silently applied and updated in the background transparently to the user.
In addition to managing configuration and provisioning profiles, the iOS MDM APIs also allow the MDM server to query many different attributes of the device hardware, communications information, compliance and security, and application-related data.
Finally, the iOS MDM APIs allow for several important management actions that can be performed on a device: remote wipe, remote lock, clear passcode, and the ability to apply configuration and provisioning profiles.
While most iOS deployments will also use EAS, it's important to note that this remote wipe capability is distinct and independent from the remote wipe capability of EAS. This is significant, because there is often the need for task-based iPad deployments or shared devices where EAS is not appropriate, but the ability to remotely wipe the device is critical.
If a remote device is misplaced, lost, or stolen, and if it does not already contain a passcode, one can be applied remotely to prevent prying eyes from accessing information contained on the device.
Users will occasionally forget their passcodes, and if the device is configured to wipe itself after a certain number of failed login attempts, it can be valuable to allow IT to centrally reset passcodes for individual users.
Apply Configuration and Provisioning Profiles
Configuration profiles can be applied to and removed from managed devices silently in the background without prompting the user. Configuration profiles can hold payloads including account settings, security policies, device restrictions, certificates, and Web Clips. Additionally, MDM enrolled devices can have enterprise provisioning profiles added to and removed from devices—profiles which must be present on a device in order for an in-house enterprise app to execute.
Finding a Vendor
The Mobile Device Management marketplace has recently seen explosive growth. As a result, there is currently a very rapid pace of development and innovation that will likely continue for the foreseeable future. Until the market matures somewhat and we see some consolidation of the MDM vendors, it can be a full-time job just staying on top of all the developments in the industry. As a result, this is not an exhaustive list of iOS MDM vendors, and it's also very likely that many of the vendors listed here will consolidate as clear leaders emerge and other large software firms decide to get into this space through acquisitions. Here are some of the MDM offerings on the market:
- Absolute Manage
- Afaria by Sybase
- Good for Enterprise
- McAfee Enterprise Mobility Management
- Tarmac by Equinux
- ubitexx by Research in Motion
- Zenprise Evaluating the Vendors
Due to the fundamental constraints within the iOS MDM environment, and the fact that there are so many vendors jumping into this industry, it's important to understand some of the primary criteria that can differentiate the different solutions provided by the vendors. I have worked with many customers in the evaluation of iOS MDM vendors, and the industry is emerging very rapidly and is very immature overall. The rapid growth presents a unique challenge to enterprises looking to make the best decision based upon both short-term capabilities as well as long-term viability, and potential for continued research and development and innovation.
In upcoming issues of iPhone Life, we will compare and contrast many of these solutions and provide guidance on how to select the right vendor for your needs.