Four Steps to Achieving iPhone Security at Scale in the Enterprise

The iPhone has been a catalyst for changing the way end-users and organizations think about their phones. Users want iPhones for the exceptional experience they provide and because they support a broad range of business applications. The iPhone and its new sibling, the iPad, are now a business reality. Enterprise IT departments need to develop strategies to support large-scale deployments of these devices.

With a cohesive strategy backed by automated management tools, an enterprise can deploy iPhones and iPads at scale without straining precious IT resources. However, IT administrators are sometimes unsure how to balance the richness of the iPhone experience with the mandate to keep corporate data as secure as possible. This article describes the four steps to securing iPhones at scale.

Step 1: Bring iPhones under IT management

There are two schools of thought about connecting smartphones to enterprise management systems. One holds that IT should act as the gatekeeper and be responsible for enrolling devices for users. The other feels that end-users should be provided with a simple process to enroll their devices themselves.

IT-centered enrollment

In the first model, the enterprise IT department is responsible for associating the phone with an authorized user account and entering the necessary information in the corporate inventory system. IT then completes the enrollment process on the phone or instructs the user to do so by sending instructions to the phone. This model works best in these situations:

  • Phones that are shared by employees (for instance, devices being used for a shift-based business, such as nursing or hospitality),

  • Smaller companies where there are fewer users and devices to set up,

  • Employees who require extensive, quick-response support, such as executives.

User-centered enrollment

In the second model, end-users access a Web portal to request enrollment and automatically receive instructions needed to enroll their phone. This model works best for organizations that:

  • Support a large number of users,
  • Have limited IT resources,
  • Have a dynamic environment where new employees are constantly enrolling and smartphones are regularly being replaced.

Our experience has been that, for most companies, a hybrid approach works best, and the real key is to have tools with the flexibility to support both options.

Step 2: Connect enrolled iPhones securely to enterprise resources

Once a device has been enrolled, it needs to be connected to enterprise resources such as e-mail, Wi-Fi, and VPN. These configurations should be:

  • Generated dynamically, meaning that a user's credentials should be pre-populated and the right resource (server name, VPN concentrator) targeted to the right employee,

  • Handled over-the-air so that an IT technician is not required to physically configure each device,

  • Transmitted securely so that sensitive data, such as server names or account names, cannot be intercepted by hackers.

Step 3: Enforce device-wide security policies to protect corporate data

Once a user is provisioned with enterprise e-mail, connectivity, and applications, large amounts of proprietary data will now potentially be stored on the iPhone. This data can exist in multiple locations (corporate e-mail box, browser cache, application caches) so enterprises must mandate and automatically enforce device-wide security policies such as:

  • Compliance checks for up-to-date iOS software;

  • Terminating access for modified or jailbroken devices;

  • Complex, multi-character passwords to ensure that unauthorized individuals cannot easily gain access to devices;

  • Device lockdown policies that map to corporate regulations, such as locking down cameras or preventing screenshots on the device;

  • Full-device encryption to protect all forms of corporate data.

Step 4: Maintain a detailed central inventory and ActiveSync visibility

IT needs to know which iPhones and iPads are being used in the enterprise, the persons using them, and whether the devices are owned by the enterprise or by the person using them. It's also good to have each device's phone number and serial number.

For a successful iPhone deployment, it's crucial to be able to see what phones are connected to the ActiveSync environment and block the ones that shouldn't be. Gartner, Inc. recently noted that, "[Exchange ActiveSync] EAS is becoming a de facto standard for push e-mail and PIM," and went on to recommend, "IT organizations should make EAS support in mobile devices a priority feature to extend the interoperability of corporate devices with multiple e-mail, calendar and contact options." With an increasing number of e-mail platforms and devices supporting ActiveSync, an IT organization needs to have a plan for obtaining both visibility and access control.
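The following is an added example, not code from the original article or from any vendor's product: it evaluates constructed device inventory records against the Step 3 policies (current iOS, no jailbreak, complex passcode, encryption, camera lockdown) and turns the result into the per-device ActiveSync allow/block decision that Step 4 calls for. The policy thresholds (minimum iOS 4.0, eight-character passcode) are assumed values, not ones the article states.

```python
from dataclasses import dataclass
import re

@dataclass
class Policy:
    min_ios: tuple = (4, 0, 0)         # assumed minimum supported iOS version
    min_passcode_len: int = 8          # assumed corporate passcode length
    require_alphanumeric: bool = True  # "complex, multi-character passwords"
    lock_camera: bool = True           # maps to the "lock down cameras" regulation

@dataclass
class Device:
    serial: str
    user: str
    ios_version: str
    jailbroken: bool
    passcode_len: int                  # 0 means no passcode is set
    passcode_alphanumeric: bool
    encrypted: bool
    camera_disabled: bool

def parse_version(text):
    """'4.1' -> (4, 1, 0); shorter strings are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def violations(dev, pol):
    """Return the Step 3 policies this device fails (empty list == compliant)."""
    found = []
    if parse_version(dev.ios_version) < pol.min_ios:
        found.append("ios-outdated")
    if dev.jailbroken:
        found.append("jailbroken")
    if dev.passcode_len < pol.min_passcode_len or (
            pol.require_alphanumeric and not dev.passcode_alphanumeric):
        found.append("weak-passcode")
    if not dev.encrypted:
        found.append("no-encryption")
    if pol.lock_camera and not dev.camera_disabled:
        found.append("camera-enabled")
    return found

def activesync_decisions(devices, pol):
    """Map serial -> ('allow' | 'block', reasons) for the ActiveSync gateway."""
    result = {}
    for dev in devices:
        why = violations(dev, pol)
        result[dev.serial] = ("block" if why else "allow", why)
    return result

# Constructed inventory records for illustration, not real devices.
INVENTORY = [
    Device("SN-0001", "alice", "4.1", False, 8, True, True, True),
    Device("SN-0002", "bob", "3.1.3", False, 4, False, True, True),
    Device("SN-0003", "carol", "4.1", True, 8, True, True, True),
]
POLICY = Policy()
```

Running `activesync_decisions(INVENTORY, POLICY)` yields an allow for the compliant device and blocks for the outdated/weak-passcode device and the jailbroken one, with the failed policies listed as the reason.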

A catalyst for broadening mobile device support

Companies in virtually every industry are supporting iPhones, and iPad support will surely follow. IT support usually begins with pilot programs, but these quickly balloon from 25 or 50 units to hundreds or even thousands of inclusion requests from other users in the company.

The iPhone has been the catalyst for broadening mobile device support in the enterprise, and this trend will continue. Very soon, every end-user with a laptop will also have a smartphone. Whatever strategy your company adopts for securing iPhones, you should make sure it's extensible across existing and future smartphone platforms at scale. This is now a business-critical initiative!

Supporting large-scale deployments of the iPhone
Sept/Oct 2010