Client Certificates in Android Ice Cream Sandwich

I touched upon the release of Android 4.0, also known as Ice Cream Sandwich, back in October:
http://mobilitydojo.net/2011/10/19/ice-cream-sandwiches-for-the-kids/

That was based upon the official docs and emulator, but about a week ago I finally got an actual device in my hands in the form of the Galaxy Nexus, and I find it a lot easier to test on real hardware so I thought I’d revisit the OS to test out some client certificate related features. (The eye candy factor is greatly improved, but it’s not like you can’t find tests of that all over the web.)

I said that certificate support was improved – for instance the support of client certificates with the Google-supplied Exchange ActiveSync client. This implied there might have been some improvements for the browser as well, and the short answer would be yes.

System Center Configuration Manager 2012–Release Candidate Comes Along

We’re fond of dabbling with Microsoft products at this site, and System Center is no exception (without Virtual Machine Manager my lab would have been less manageable). I’ve done a lot of articles on System Center Mobile Device Manager, and have also taken quick looks at the successor, System Center Configuration Manager 2012, and its Beta releases:
System Center Configuration Manager 2012 Beta 2 Available
SCCM v.Next hits Beta 1

It only seemed natural to at least do an install of the Release Candidate of said product. Now, I have no doubt I can manage my desktop systems and servers with Configuration Manager, but the mobility features…so far they haven’t been causing manic episodes. I have tried to look through the console to see what is available now, assuming that the RC should be pretty much feature complete.


iOS 5 – Changes to MDM Usage Policies

I have already covered the new (enterprise relevant) features in iOS 5:
http://mobilitydojo.net/2011/10/04/ios-5-anything-in-it-for-the-enterprise-conclusion/

Right after I released that post, Apple launched a couple of changes to how these features work, or rather to the policies relating to the usage of them. (The features themselves are still on – don’t worry.)

So far Apple has been very secretive even by their standards regarding how Mobile Device Management has been implemented. Since several MDM vendors have had support for iOS devices for a while now, and supported pretty much the same feature set, it was obvious that they didn’t just all come up with this out of nothing. And they certainly didn’t. This was actually with the help of a documented API, but the thing was that the documentation wasn’t exactly publicly available. You had to apply and be approved before receiving the docs, and then you could implement an MDM solution for your customers.

As of last week they have made the docs available for a broader audience. It’s still not totally public – you will need an iOS Developer Enterprise account, which should set you back $299 a year. It’s not available for hobby developers either, unless they happen to have a Dun & Bradstreet number, which I’m guessing most hobbyists don’t have. If you happen to have an Enterprise account you can just sign in and actually read everything you need to know to develop your own iOS MDM solution.

Of course not everyone will be interested in developing their own solution for managing iOS devices. After all, there are a couple of vendors who have been down that road already, and you don’t need something homegrown just for the fun of it. Enterprises have been able to use the MDM API for a long time already, even if they are not aware that they are using it. But so far you have had to enroll in an iOS developer program as a company to obtain the necessary certificates for authenticating to the “Apple Push Notification Service” (APNS). While APNS will work with an iOS Standard Company account, you still have to send over the necessary details to Apple proving you’re a company entity and pay up $99. (There is a misconception that the iOS Enterprise program is required – it’s not. Basic MDM will work with Standard accounts, but distributing in-house apps requires an Enterprise account.)

The good news is that Apple is now waiving this fee, and you can get your APNS cert for free. The process is outlined here:
http://www.apple.com/ipad/business/integration/mdm/

Basically, your company generates a Certificate Signing Request (CSR) and sends it to your chosen MDM vendor, who in turn signs the CSR. The signed CSR then has to be submitted to Apple, and Apple gives you a certificate in return. (Naturally, you will need a valid Apple ID to sign in.) Previously the entire process was performed by the customer without involving the MDM vendor at all, but this new process means that MDM vendors have to implement some new bits and bytes on their end to handle the signing part. While this means there’s still a step or two the customer needs to do, it still sounds like an improvement to me. (The process to get your developer account approved by Apple could take 1-2 weeks if you’re unlucky.)
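The three-party flow described above can be walked through with plain openssl. This is an added example, not code from this post or from Apple's documentation: the subject name, the throwaway vendor key, and the modelling of the vendor's signature as a detached SHA-256 RSA signature over the CSR file are all assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added illustration: all names, subjects and keys below are constructed.
WORK=$(mktemp -d)

# Customer: the key pair is generated locally; only the CSR is handed on.
customer_make_csr() {
  openssl genrsa -out "$WORK/customer.key" 2048 2>/dev/null &&
  openssl req -new -key "$WORK/customer.key" \
    -subj "/O=Example Corp/CN=Example Corp MDM push" \
    -out "$WORK/customer.csr" 2>/dev/null
}

# Vendor: a throwaway key stands in for the MDM vendor's signing key.
# Assumption: the vendor's signature is modelled as a detached SHA-256
# RSA signature over the CSR file.
vendor_sign_csr() {
  openssl genrsa -out "$WORK/vendor.key" 2048 2>/dev/null &&
  openssl rsa -in "$WORK/vendor.key" -pubout -out "$WORK/vendor.pub" 2>/dev/null &&
  openssl dgst -sha256 -sign "$WORK/vendor.key" \
    -out "$WORK/customer.csr.sig" "$WORK/customer.csr"
}

# Receiving side, check 1: the CSR's self-signature proves the requester
# holds the private key matching the public key in the request.
csr_self_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Receiving side, check 2: the vendor signature covers exactly these bytes.
vendor_signature_ok() {
  openssl dgst -sha256 -verify "$WORK/vendor.pub" \
    -signature "$WORK/customer.csr.sig" "$1" >/dev/null 2>&1
}

run_flow() {
  customer_make_csr && vendor_sign_csr &&
  csr_self_signature_ok "$WORK/customer.csr" &&
  vendor_signature_ok "$WORK/customer.csr"
}

run_flow && echo "CSR accepted: self-signature and vendor signature verify"
```

The customer's private key never appears in anything passed to the vendor or onward; the vendor only vouches for the request, and any change to the CSR after signing makes the second check fail.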

To draw the line between the consumer market and the enterprise market, the License Agreement also states quite clearly (you didn’t think for a second Apple would skip a chance to present legalese, did you?) that only company owned/controlled devices are allowed to use MDM. A normal end-user customer cannot sign up to a generic hosted MDM solution; the MDM control should only be used where an employer<->employee relationship is in place. Oh, well, consumers have iPhone Configuration Utility (now updated to support iOS 5) for configuration and iCloud for remote wipe, so they will hopefully be able to get by without MDM.
