iOS 5 – Anything In It For The Enterprise? (Part 2)

My usual presentation style is that I find something I believe is of interest to the MDM/Enterprise crowd, test it and verify that it works, and then present it to you as a textual description, some screenshots, or both. Today it's not so much tried and tested – actually you could say I'm moving into the speculation department.

I just upgraded my iPad to iOS 5 Beta 1 and gave a small rant about it:
http://mobilitydojo.net/2011/06/07/ios-5-anything-in-it-for-the-enterprise/

Since then I've upgraded to Beta 2 and looked through the device's menus for relevant settings. Now, Apple are a funny bunch of course: their developer site has a section for the pre-release material and some documentation, but the docs mainly cover new APIs and major changes. "Small" things like MDM and policies aren't documented yet (only for iOS 4). So I thought, hey, let's just build some new .mobileconfig files and guess at what the settings should be. Turns out it's not that easy…

I do not know whether it's me guessing wrong (which is, after all, what I'm doing) or whether the settings simply haven't been activated yet. Since it's a beta it is of course perfectly possible that some things are left out. So I more or less gave up trying to document it – after all we can expect to see official docs in a couple of months. As I said in the intro this breaks my usual style, but if you rely only on what Apple releases publicly you'll never get a leg up on the average user, so my justification is that it might provide some helpful pre-release knowledge nonetheless. What I will do is point out a few things I consider candidates for enterprise control, in no particular order.

iCloud
I'd say Apple is late to the cloud game, but they had to think up an i-name for it first (must have spent a lot of time and money landing it). Steve Jobs was excited to present this at WWDC, and I agree it is a nice feature. Since Google and Microsoft are doing similar things in their mobile operating systems Apple really had no choice either. (They have plenty of cash on their hands to build a couple of clouds, so I don't think it's out of fear of not affording it.)
Since not all companies are equally happy to see their data uploaded to a datacenter they do not control, I would certainly expect some settings related to this. Whether it's a binary enable/disable switch or you actually get the ability to provision an Apple ID for it I do not know, but there has to be something cloud-related in one form or another.


Restrictions
Restrictions are easy to control today – either through an MDM solution or iPhone Configuration Utility. I take it for granted that new restrictions will be configurable. (I don’t consider this mere speculation.)


Any interesting new restrictions? How about disabling deletion of apps? With this configured the user will not be able to remove installed apps. In the UI it's an on/off slider, but with MDM maybe you can specify on a more granular level which apps are not OK to remove?

[Screenshot: wobbly icons with delete "ON"]

[Screenshot: wobbly icons with delete "OFF"]

iTunes Sync
You can currently block your users from accessing the iTunes Music Store. Could it be that you can disable iTunes in general now that both activation and OS upgrades can be done over the air? I know a lot of people would love to block that pesky iTunes desktop application.

Software Update
On the desktop side you don't necessarily allow users to upgrade their OS and apply Service Packs of their own volition. It would make sense if you were able to block iOS updates until IT had a chance to test and approve them. Looking at it from a user perspective I fear that some IT departments will hold back on the updates and have their users frustrated that they can't use flashy new features their friends got access to three months ago. And if the user is unhappy it's not a good thing for the karma of Apple either. So I'm guessing 50-50 on the odds of this being a candidate for enterprise control.

Automatic Downloads
As it stands now you can be "clever" when it comes to installing apps. You can install apps on your iPhone and have them automatically installed on your iPad as well. (All done through iCloud.) Either the block-installation restriction would need to disable this ability, or you would need to be able to configure it separately. If I were implementing it I'd make Automatic Downloads dependent on the install restriction, but let's just see how it works out.

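As an added example (not from the original post), here is how the candidates above (iCloud, app removal, iTunes, Automatic Downloads) translate into a restrictions profile once the keys are known. The restriction names are the ones Apple's Configuration Profile Reference later documented for the com.apple.applicationaccess payload (allowCloudBackup, allowCloudDocumentSync and allowPhotoStream arrived with iOS 5; allowAppRemoval, allowAppInstallation and allowiTunes already existed); they were not public when this post was written. The organisation, the identifiers and the audit function are made up for illustration. The script builds a profile, serialises it to the XML plist that a .mobileconfig actually is, and audits an arbitrary profile against the company's wish list, treating a missing key as the iOS default (allowed):

```python
"""
Build, serialise and audit an iOS restrictions profile (.mobileconfig).

Added example, not from the original post. Restriction key names follow
Apple's later Configuration Profile Reference for the
com.apple.applicationaccess payload; organisation and identifiers are
made up (assumptions for illustration only).
"""
import plistlib
import uuid

# The post's candidates for enterprise control, mapped to the restriction
# key that covers each one. Values are the locked-down setting.
ENTERPRISE_LOCKDOWN = {
    "allowCloudBackup": False,        # iCloud: no device backup to Apple
    "allowCloudDocumentSync": False,  # iCloud: no app document/key-value sync
    "allowPhotoStream": False,        # iCloud: no Photo Stream upload
    "allowAppRemoval": False,         # Restrictions: user cannot delete apps
    "allowAppInstallation": False,    # post speculates this also stops Automatic Downloads
    "allowiTunes": False,             # iTunes Store on the device
}


def build_restrictions_profile(restrictions, removable=False,
                               org="Example Corp",
                               identifier="com.example.restrictions"):
    """Return a profile dict in the .mobileconfig (XML plist) layout."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        "PayloadOrganization": org,
    }
    payload.update(restrictions)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": org + " restrictions",
        "PayloadOrganization": org,
        # False: the user sees the profile in Settings but cannot remove it
        # (an MDM server still can). True: user-removable, i.e. the weak case.
        "PayloadRemovalDisallowed": not removable,
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialise to the unsigned XML plist bytes you would sign and push."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_mobileconfig(data, wanted=ENTERPRISE_LOCKDOWN):
    """Parse a .mobileconfig and list the restrictions the company wants
    but the profile does not enforce. An absent key means the iOS default,
    which for every allow* key is 'allowed'."""
    profile = plistlib.loads(data)
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile is user-removable")
    restrictions = {}
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.applicationaccess":
            restrictions.update(p)
    for key, value in wanted.items():
        if restrictions.get(key, True) != value:
            findings.append(f"{key} not enforced (default or allowed)")
    return findings


if __name__ == "__main__":
    # Weak: an iOS 4-era profile that only blocks the iTunes Store and is
    # user-removable leaves every iCloud path and app deletion open.
    weak = to_mobileconfig(
        build_restrictions_profile({"allowiTunes": False}, removable=True))
    for finding in audit_mobileconfig(weak):
        print("weak profile:", finding)
    # Hardened: every candidate locked and the profile pinned to the device.
    hardened = to_mobileconfig(build_restrictions_profile(ENTERPRISE_LOCKDOWN))
    print("hardened profile findings:", audit_mobileconfig(hardened))
    print(hardened.decode()[:200] + "...")
```

Signing the output (so the device shows the profile as verified) and pushing it through MDM are out of scope here; the bytes from to_mobileconfig are the unsigned profile you would feed into that step.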

Twitter
So, Microsoft announces that Twitter will be deeply integrated into Windows Phone 7 codename Mango. Well, Apple can’t do less and is also integrating Twitter into iOS 5.
For some reason it's not pre-installed as such – there's a menu setting for installing Twitter. It's nice to have the option to skip it if you don't want it cluttering the home screen, and maybe that is the reasoning behind it at this stage.
This could possibly be blocked if your device is under company control. (Either through a separate Twitter-block or blocking of the App Store in general.)


Home Sharing
This is more of a wild card really. But with Music and Video you can configure "Home Sharing" (AirPlay I assume) – could this possibly be disabled? I'm really not sure, as I don't see a big security risk since it's related to those two media types only, but maybe some administrators want to control this as well? Could be that this is just one of the features in the OS that is present whether the company likes it or not. How fun would it be to buy a $500 AirPlay-ready stereo and find that your company does not approve of your choice of HiFi equipment. (Could you even imagine iPhones not being able to play back music?)


Apple Configuration Utility
Many of us have tinkered with the iPhone Configuration Utility. It's a nice little utility, but it has primarily been a single-user tool; for bulk configuration you are better off using an MDM solution. Apparently there is a multi-user version of this utility in the works. I'm not sure how it works (I haven't seen the UI), but supposedly you can push profiles with it and use it for company-owned devices. Wireless/iCloud/OTA/something, so you don't have to tether the devices. Probably not as extensive as a full MDM solution, but it might make sense for smaller companies that want to buy phones and pads for their employees without investing thousands of dollars in a management solution. Hopefully we'll know more when OS X Lion is available, since the little I have seen indicates this would be where to look in the beginning. (I haven't tested the beta releases of OS X, but I'll probably do an upgrade to the final release.)

I have also been informed that there will be new features related to distributing apps and managing them. Unfortunately I have no details to share, but there will most likely be something of interest to enterprises.

The Apple Push Notification Service, which you would use for instance to issue a remote wipe of an iPhone/iPad, has according to the docs been synced up with push notifications for OS X. I have no idea whether this means anything new on the device side, or whether it just introduces a push concept on the desktop side. It wouldn't really be considered an enterprise feature either, for that matter.

As for other new enterprise features, I do not know yet. The features above are more or less educated guesses, some less educated than others mind you. I'm optimistic however, as Apple has shown an increasing willingness to make their iDevices enterprise friendly. Rest assured that I'll be keeping an eye on upcoming betas, and will upgrade to RTM and test once that becomes available 🙂

Please share any thoughts you might have on this in the comment field, or by pinging me.
Am I completely off? Have I missed anything vital? Am I just plain wrong? Or am I onto something? Do you even like these kind of rants, or prefer the hard facts type of posts?

15 thoughts on “iOS 5 – Anything In It For The Enterprise? (Part 2)”

  1. Hi Andreas,

    I am really impressed by your knowledge and work.
    Actually I was looking for MDM APIs and more information on how to remove iPhone configurations remotely using an MDM solution.
    We have tested a number of solution available in market.
    But I want to know if there is easy and cheap way to accomplish that. I am more interested in selective Wipe.

    Thanks & Regards,
    Singh

  2. Thank you for finding my site interesting.

    You can get selective wipe to a degree in iOS – for instance removing the Exchange profile will remove all Exchange-related data, but not wipe the device in general.
    Whether selective wipe is available depends on what you are trying to delete.

    To be able to remove a profile from a server the MDM solution needs to be using the MDM API in iOS. (Some solutions use a kind of server-based iPhone Configuration Utility, but in those cases you are only able to push/install the profile not remove it.)

    The problem is that the MDM API is under NDA, and Apple is not handing it out to everyone publicly. (It's not all that interesting reading material either.) If you are a registered iOS developer Apple representatives might help you out if you post in the dev forums, but from what I hear they don't always give out info regarding this particular API.

    So, to answer your question, it is possible, (provided your selective wipe isn’t unachievable in itself), but I’m not able to give you the specifics of how it is done. (It involves more work than just sending a “remove profile” statically – you need to do some coding.)

    Of course – I’d say it’s preferable to just buy an MDM solution that fits your needs unless there are good reasons why you do not want to invest in a third-party platform 🙂

  3. Hello Andreas,

    First of all I’m glad I bumped into your blog; it’s very good!

    For the last 3 months I was looking for a DLP (Data Leakage Prevention) solution for iOS and it seems there is nothing on the market yet.

    In my attempt to find a workaround on that, I thought of the possibility to enforce ALL internet traffic (WEB, email, FTP, ..etc.) using a VPN connection through the secured corporate LAN.
    Unfortunately when I performed some tests (on iOS4), I saw that this is not possible as there is no way to guarantee that 1) the user cannot edit the VPN configuration or even create a new one on the side and use it and 2) that you cannot disable 3G or Wifi when the VPN is not turned ON.

    Do you see any changes on iOS5 that could make my workaround thought possible?
    Any other suggestion are more than welcome of course.

    Thanks in advance,

    Chris

    I am not aware of a DLP solution for iOS, but I must admit I have not researched the topic. I am however very much in line with your workaround – I mean, I love free wireless LAN, (especially when travelling to other countries), but I never use one without establishing a VPN tunnel.

    You can distribute profiles that the user is not able to edit or remove. (In iOS 4 as well.) And there is a setting on VPN connections for routing all traffic through the tunnel.
    This does not answer the following questions though:
    – What if you force a mandatory VPN profile, with forced tunneling, and the user creates their own VPN connection? I have not seen a setting for disabling VPN creation in general. It could be worth testing whether the mandatory VPN profile takes precedence.
    – 3G/WiFi in general? You cannot enable/disable these as far as I know. (You may control parameters regarding roaming, but not on the home network.) I would assume though that forced tunneling means that if VPN isn’t available there is no data connection. This would also have to be tested however.

    A different approach, which may or may not be available to you, is the concept of private APNs. Many mobile operators will be able to provide you with SIM cards that creates an extension to your corporate LAN on a network level. There are many different configurations, but you’d typically hook up a dedicated router or something that will provide your SIM cards with IP addresses in your private range, and have the SIM cards authenticate to your infrastructure with RADIUS. You would still be interested in VPN or other transport security mechanisms, (because the encryption offered by the mobile operator might be something laughably insecure), but it would give you an added level of control. (It requires configuration on the device to get it working, but iOS has support for this.)

    Of course, that means you have to make sure all users have the same mobile operator, and you get additional components to be aware of during troubleshooting, so I’d advise you to think through it before splashing out for something like that. (It usually ain’t a freebie.)

    I’m still digging through iOS 5 to see what it provides, but it’s all I can come up with for the time being.

  5. Hi Andreas,

    Thank you for the prompt response.

    I know that a user cannot delete a distributed profile but I didn’t manage to restrict the editing of it on the device as the Save button remains active.

    Also, I have thought of the concept of the private APNs that you suggested but as you cannot disable WiFi what would be the point?

    My goal is to monitor any corporate data on the mobile device from “leaking” outside in any possible way.

    Sandboxed solutions (like iAnywhere) would also not work as you cannot disable the Copy/Paste functionality. A user can easily copy the text from emails and paste it outside of the sandbox, perhaps to his personal email and forward it. This is just an assumption for the moment as I can’t really test it.

    I think the DLP for smartphones is becoming a huge topic. Companies do not really care about the devices themselves. They even encourage workers to bring their own devices.
    What they want is to be able to control and secure the corporate data only.
    VM on the device would be a good solution if you ask me but we are not there yet…

    I have a feeling that I will end-up on a Remote Access solution ( …which does not work offline of course).

    Please keep us informed of you findings on the iOS5 towards these issues.

    Regards,
    Chris

  6. I wasn’t aware you could edit locked profiles…hmm.. sounds like a bad design if you ask me… (With an MDM solution you can re-enforce settings, but that’s obviously a retroactive fix.)

    I should of course have thought of the WiFi scenario with a private APN – shooting from the hip means you tend to forget some details 🙂

    Bring your own device is a popular topic these days, but I don’t think everyone is thinking it through properly. If I pay for a device there are certainly limits to what I will allow my employer to do with my device. Of course you have companies like Citrix saying BYOD is the future, but then you kind of would expect that from someone selling a solution tailored for such a scenario… I can see positive things about BYOD as well of course, but I haven’t landed on a definitive conclusion personally.

    Mobile Office/OneBridge (which I assume you refer to with iAnywhere) are end-of-life next year, so I wouldn't go for that specific solution 🙂 But even others like Good aren't able to address copy/paste entirely. There are some new settings on email accounts in iOS 5 related to this, but I'll have to get back to those once released.

    In the good old days of Windows Mobile things were so much easier 🙂

  7. John H:
    While not technically spam, you are basically just putting up an advertisement here. MaaS360 is however an actual MDM platform though, so I’ll let it pass 🙂

    I’m more of an Afaria guy myself, but for those wanting cloud-based solutions I accept that there are alternatives 🙂 (Are you supporting the new MDM API in iOS 5 as well?)

  8. Hi Andreas,

    This is Singh again…. We did our investigation to implement an MDM solution, but we couldn't finalize any. So I am still looking for a cheap in-house solution to selectively wipe iOS devices remotely…

  9. Since the last time we visited the topic of the MDM API in iOS Apple has gone and released the docs for everyone with an Enterprise Developer account:
    http://mobilitydojo.net/2011/10/20/ios-5-changes-to-mdm-usage-policies/

    So it should be slightly easier implementing your own solution now.

    As to which solution to recommend for in-house use while being cheap and offering all necessary features I have no strong recommendations. (Pricing structures sometimes make it hard to compare across countries.)

  10. Thanks Andreas,

    I read your post earlier and tried to look for the document under Developer login as per you: "They didn't exactly put up a very visible button linking to the docs.
    You should be able to find 'Mobile Device Management Protocol Reference' by going to: iOS Provisioning Portal->Certificates->Other"

    But couldn’t find it….

    Can you help??

    Thanks in advance…

  11. It will only be present if your Apple Id is linked to an Enterprise account, not Standard developer accounts. If it’s not there I’d try contacting Apple Developer Support and see if they are able to send it to you.

  12. Hi,
    I wanted some help from you in regards to Afaria.
    Can you please tell how we can do a selective wipe of data on the device remotely from the server, as the Afaria Administrator console has only one option, and that is remote wipe, which will delete all of the data. Also, how can we configure Exchange 365 on the server?
    Will be glad if you can help me

    Regards
    Sachin

    Removing the MDM profile from a device will delete the data associated with it. So, if you used MDM for setting up Exchange, the Exchange account will be deleted when the profile is removed – this probably qualifies as a selective wipe if that's what you had in mind. Which options are available in Afaria depends on the version of Afaria and the config, so I can't really tell what happens in your console.
    Not sure what you mean by configuring Exchange 365 on the server.
