iOS 6 device management: What companies should know
Apple's new OS takes evolutionary steps toward better mobile management
While virtually every detail about the iPhone 5 was known before last week's launch event, Apple managed to keep details about iOS 6 (other than those highlighted at its annual developers conference in June) quiet. Until yesterday's release of iOS 6, virtually nothing was known about the kinds of things enterprise users are interested in, especially the mobile management capabilities of the OS update.
Now, with iOS 6 out in the wild, it seems pretty clear that it's an evolutionary step forward for mobile management. Apple is clearly making it easy for businesses and IT departments to secure new iOS 6 features and is ramping up security in key way. But this update, for better or worse, is far from a complete overhaul.
That said, here's a look at what enterprises should focus on.
Three mobile management approaches
Apple is often regarded as a key player in the bring-your-own-device (BYOD) movement that is sweeping across IT. Most people think of the arrival of the iPhone and iPad - and the ensuing desire by executives and employees to use those devices for work - as a fundamental beginning of the BYOD movement. Apple was able to capitalize on that by building mobile management features into iOS.
Today, devices in the workplace are typically seperated into corporate-owned or employee-owned, with the owner ultimately responsible for the hardware. Corporate devices tend to be heavily managed, with IT in charge of buying them, provisioning apps, configuring them for business use and applying security and management configurations. Employee-owned devices, on the other hand, tend to be more lightly managed, though they may still be enrolled in a management system that requires better security and may limit some features.
The third category: shared devices that are managed more tightly. These devices often function as digital kiosks -- an electronic restaurant menu, in-room hotel concierge system, in-flight entertainment, sales tools in a car dealership or shared devices in a classroom. Since they aren't personal and need to serve specific functions, they are largely locked down.
Apple seems to have considered all three of these approaches with the additions it's made to iOS 6's security and management capabilities. The company offers a handful of new policies that any mobile management vendor can implement and it has developed a series of more stringent policies that build on the Apple Configurator tool launched this spring.
Lets look first at the simpler BYOD-style management features new to iOS 6.
Handling shared PhotoStreams
iOS 6 offers a range of impressive new features that will be attractive to business users and consumers. Some have security implications and Apple has fortunately built in the ability to restrict access them. The first such option is the ability to disable shared PhotoStreams. Apple launched PhotoStream last year as a way for users to sync photos across all their Macs and iOS devices (including the Apple TV) with iCloud. As with other aspects of iCloud -- automatic device backup to iCloud and document/information sync -- iOS 5 allowed you to disable PhotoStream as a mobile management feature.
For security reasons, IT staffers can disable PhotoStream syncing across an employee's devices as well as PhotoStream sharing.
This year, Apple is extending PhotoStream functionality in iOS 6 by letting users create shared PhotoStreams, essentially letting a user pick specific photos and share them via iCloud with one or more iOS or Mac users. Shared PhotoStreams, which are very similar to the old MobileMe PhotoCasts, let family members build a library that includes all of their digital photos and makes it easy to share a large number of images with friends and relatives.
The change heightens the security implications of PhotoStream. Now, not only can business data or images be synced to devices and computers outside the corporate network, they can also quickly and easily be transmitted to specific people. To combat that prospect, IT staffers can disable PhotoStream syncing across an employee's devices as well as PhotoStream sharing. It is, of course, worth pointing out that iOS 6 includes plenty of other photo-sharing options including email, iMessage, MMS messaging, Twitter and Facebook.
Securing Passbook for mobile pros on the go
Passbook is another feature that has security implications. In this case, it's about business-related items being displayed while an iPhone is locked. One of the great features of Passbook is that you don't really need to think about it, thanks to location awareness: QR codes for movie tickets appear on the screen when you reach the theater, for instance, and boarding passes pop up when you arrive at the airport.
It's a pretty convenient and smart use of location services. But imagine you're on the way to the airport and your iPhone falls out of your pocket as you get out of the cab. Now, imagine that a stranger picks the phone up and because it's at the airport, your boarding pass gets displayed. Without even unlocking the device, that person knows your name, where you're going and potentially other important details like family members you're traveling with or the company you work for. That's enough information for someone to find out more about you where you live, what you do and so on. It might even be enough information to get your company's helpdesk to unlock your iPhone remotely and thus get access to your iPhone and the personal and business information on it -- a rather chilling possibility for both individuals and IT departments following the Matt Honan hacking incident.
There's an easy safeguard against that scenario that IT departments can put in place: iOS 6 mobile management includes an option to prevent Passbook from displaying data while an iPhone is locked.
Keep personal email off corporate servers
One feature Apple focused on with iOS 6 involves frequently emailed contacts. Like most email clients, including OS X's Mail and Microsoft's Outlook, Mail on an iPhone or iPad can build a list of recent/frequent email contacts. If you regularly correspond with someone, you'll notice that Mail will auto complete his or her address as you begin typing it, even if the person isn't listed in the Contacts app. Microsoft Exchange supports automatically syncing such recent contact data from devices and applications. That means these recent contacts can end up popping up in Outlook (or another application) on your work PC as well.
In iOS 6, Apple makes this recent contacts sync a mobile management option. That means that IT shops can automatically prevent recent contacts on an iPhone or iPad from syncing to the server. That keeps a stricter separation of personal and business use, ratchets up employee privacy a bit, and keeps the number of auto-completing contacts on a work PC more streamlined.
Setting the wallpaper
iOS 6 allows administrators to set both the lock screen and home screen wallpapers for iOS devices. This isn't a particularly critical option from a security perspective, but it can be used to identify devices as belonging to a specific company, grade level, or department. Typically, you'll want to use a corporate logo or similar identifying image. All the typical image formats (GIF, JPG, PNG) are supported and will be scaled and cropped automatically as dictated by the size/type of device.
Most of the time, when IT departments or businesses manage a mobile device for security or configuration reasons, the goal is to keep the configurations and security options in place indefinitely -- or at least until a user leaves the company. There are times, however, where a specific feature configuration or restriction needs to be in place for a specific period of time. One example is employees at a conference who will need remote access to the corporate network, even though they don't need it day to day. Setting a VPN configuration grants them access, but once they get back, IT might need to revoke that access. A simpler solution is to have that VPN configuration expire and remove itself after the last day of the conference.
Similarly temps, freelancers and other contract workers might need access to a range of corporate resources -- including Wi-Fi. Setting up that access with an expiration date removes the need by IT or human resources to remove those configurations (possibly by wiping their device).
iOS 6 offers this ability for any configuration profile, meaning that all security and management settings -- or specific settings related to temporary needs -- can be removed automatically. When setting configuration profiles to expire, iOS 6 offers IT admins the option of setting a specific expiration date or setting a more general time period, like five days from now or three months from now. The result isn't just an easier workflow, it also bumps up security because it removes the possibility of someone forgetting to remove the profiles manually down the road.
Beyond basic iOS 6 management capabilities, Apple has added a more stringent set of options that can be configured. This set of options builds on the Supervise functionality of Apple Configurator and the tools that integrate with it. This ability to create supervised or authorized devices delivers a handful of additional security and management possibilities.
The Guided Access restriction allows IT shops to "lock" an iPhone or iPad into using just one app.
I spoke yesterday about the division of capabilities for supervised and non-supervised devices with AirWatch senior engineer Blake Brannon. AirWatch has announced full support for all the iOS mobile management additions as well as integration with Apple Configurator for over-the-air management of supervised devices.
Brannon noted that at companies where BYOD policies are in place, users generally want to be as free as possible when using their devices. In non-BYOD contexts, businesses and schools are often looking to secure shared or corporate-owned devices.
Probably the most restrictive option Apple has ever offered involves "app locking" a device or what's called guided access use. This feature disables the iOS home button and locks the iPhone or iPad into a single app. Brannon noed that this is an ideal solution for iPads used in kiosk or retail settings. After all, if you're running a restaurant, you don't want someone browsing the web on your digital menu. Similarly, an iPad or iPod touch used as a point-of-sale system is ideally used as a cash register -- not for posting Facebook updates.
I can see this being useful for devices in healthcare settings - either as an information appliance or as an electronic patient information form.
Restrictions in iOS 6 can be used to limit which apps work on an iPhone or iPad.
This feature can be manually enabled via the Accessibility option under Settings>General.
No iMessage and Game Center distractions
Two feature restrictions are the ability to block the use of Apple's iMessage system. iMessage works through the Messages app in iOS and OS X. The secure messaging system functions as a pretty robust and secure alternative to text messaging and can sync entire conversations across a user's devices. Supervised devices can disable iMessage. Similarly, access to Game Center, which also functions across iOS devices and Mountain Lion Macs, can be disabled.
iBooks access and ratings
Apple's iBooks app and iBookstore can now be blocked on iOS devices. Apple has also introduced the option for content rating in the iBookstore. Similar to restrictions already in place for apps, music and video content from the iTunes Store, iBooks can block ebooks with certain content or ratings. To date, Apple has only created a restriction category listed as Erotica. If and when the company will differentiate further isn't clear.
Universal proxy settings
One challenge to implementing iOS devices, particularly in K-12 schools, has been support for proxy servers. Proxy support itself hasn't be the challenge, as iOS already offers it. The problem is that proxy settings up until now have been options set individually for each Wi-Fi network. That means that proxy server configurations in a school of office aren't applied to home or public Wi-Fi networks.
Given that some state and federal programs for K-12 schools tie funding to content filtering and that some states and districts have additional regulations and requirements for filtering, this has been a big challenge. In many cases, the regulations specify school technology as a whole, whether it's used on campus, at home or anywhere else. Schools have largely relied on VPN configurations that pass all managed iPad data through the school's network and its proxy servers. That's a cumbersome solution and one that can place additional load on a school's resources.
iOS 6 resolves the situation by allowing managed devices to have a single universal proxy configuration.
Preventing outside certificates and configuration profiles
iOS 6 also allows IT staff to block security certificates and configuration profiles (beyond those deployed by IT) from being installed on a supervised device. This means outside security certificates, including root certificates, can't be added. It also means that a user can't add a configuration profile, intentionally or by accident, that isn't from a trusted source. That promotes overall security because it helps ensure that compromised or malicious credentials can't be used to create a man-in-the-middle attack on a device or the network resources it uses.
Overall, Apple didn't deliver a huge range of new features in iOS 6, opting instead to add incremental updates for specific features while delivering on some long-standing enterprise and education customer requests. There's no radical new management system and Apple, as in the past, stayed largely out of the app management and content management arenas. There are, however, companies specializing in those areas that are doing a great job filling corporate needs: App 47, Apperian, Good, Bitzer and Accellion.
Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. He has been a Computerworld columnist since 2003 and is a frequent contributor to Peachpit.com. Faas is also the author of iPhone for Work (Apress, 2009). You can find out more about him at RyanFaas.com and follow him on Twitter ( @ryanfaas).
Read more about ios in Computerworld's iOS Topic Center.