iOS 5 – Anything In It For The Enterprise – Conclusion

Drumroll, please…
iOS 5 is finally here! Pack your sleeping bags, and get ready to stand in line around the block of your neighborhood Apple Store. (We don’t have any where I live so I’ll just wait it out…)

Ok, it’s not shocking really given that it has been around in various betas for months, and this is the season for launching new iGadgets. (Technically iOS 5 was soft launched when the first beta arrived, but RTM is after all the hard launch.)


I blogged a two-part post back then where I made speculations as to what iOS 5 would bring for the enterprise:
iOS 5 – Anything In It For The Enterprise?
iOS 5 – Anything In It For The Enterprise? (Part 2)

Granted some of the items listed were more wish list type of items than fact-based, whereas others were more likely to actually surface. So, with the OS finally launched – what is the status? Let’s break it down:

No need for iTunes
This one came through in the beta (#3 I think it was?). You can setup a new iPhone/iPad without installing iTunes or tethering the device to your computer. You can do Over-the-Air OS updates, and you can backup/restore the entire device to the iCloud.

S/MIME & Exchange ActiveSync
S/MIME support is present for ActiveSync, and if you’re into this type of thing it’s obviously an improvement. Still only EAS protocol version 14.0 though.

There is also an enterprise relevant configuration setting for both ActiveSync and “regular” mail:
– Preventing moving/forwarding/replying mail items between different mail accounts. This is not to be confused with Information Restrictions Management (IRM) provided by Exchange 2010, but serves similar purposes.

Configuration Settings / Restrictions
There are a couple of new configuration settings / restrictions (pick the word you like best) it admins can push out to their users:
– Forcing iTunes password entry for each transaction.
– Disallowing SSL connections when the root certificate isn’t trusted (and the end-user cannot override this by saying “Sure, I trust this CA”).
– Disabling iCloud backup.
– Disabling iCloud document synchronization.
– Disabling iCloud Key/Value synchronization.
– Disabling Photo Stream.
– Disabling Siri (no personal assistant for you!)
– Enabling/disabling auto-join of wireless networks.
– Encryption type settings for wireless networks.
– Proxy settings for wireless networks.

A nifty feature that can be applied to ActiveSync, Wireless, and VPN is that you can configure the SCEP-enrolled client certificate to also be used as the client certificate pairing up with the credentials of the connection. So, if you want to make sure only company-enrolled iPhones are allowed to sync regardless of username/password you can make this work. This would obviously require your network infrastructure in general to be configured to use client certificates mind you. (And keep in mind that SCEP certificates are for identifying the device, not the user. With some clever engineering you can control the common name of this certificate so you can match up the two identities.)

App distribution
MDM solutions are now able to distribute apps from the App Store, and not just in-house apps. You can apply voucher codes to these as well, so instead of having all users handing over 10$ through their personal Visa card the company can purchase 1000$ worth of coupons for the app provided the app developer has adapted their app accordingly.

Apps installed by the enterprise can also be removed, along with the data belonging to it. (And as you can prevent backup of the application data this should in theory mean your data is under your control.)

As for the rest of my bets/hopes? There might be features I’m not aware of and missed out on. And if not there will of course most be likely an iOS 6 at some later point in time providing even more features Smile

Yes, I’m still missing features, but with Android not really getting any enterprise love from Google, and Windows Phone in a kind of limbo at least Apple is putting in an effort. And from a company claiming to be all about consumers that’s not bad. (I do love my Windows Phone Mango mind you, and if Microsoft can just get the enterprise bits right…who knows?)

Server-based iPhone Configuration Utility
While not an iOS 5 feature as such, as it is provided in the already launched OS X Lion Server, Apple now has a sort of MDM light solution. (Which will likely see an update soon after the release of iOS 5 to account for new settings.) Instead of using iPCU and connect devices via USB you can push out settings from your Lion Server.

For more details check out Anandtech’s review:
In-Depth with Mac OS X Lion Server

Simplified Airport configuration
While not an “enterprise” feature I’m sure there are an IT Pro or two out there who have had to configure wireless routers and access points. (Not just the expensive enterprise-grade stuff, but also consumer-grade equipment.) While the configurations are often web-based affairs this is not the case with Apple’s Airport Extreme which requires you to install dedicated software. If you plug in a fresh Airport and enable WiFi on your iPad, (and presumably iPhone as well although I haven’t tested it), you’ll be notified that an Airport is nearby and asked if you would like to configure it. There’s apparently a “secret” app which will handle this for you.

I just had to name the network and define a password – it just magically configured the rest of the settings. I had to tweak some settings afterwards to get it just the way I wanted it, but if you just want to setup a wireless network on the go really quick I can recommend this for enterprise users as well, even though it might be slightly out of the scope indicated by the title of this article Smile

As usual there’s probably things I have missed or not covered, but I felt it only natural to try to finalize my previous rants.

Disclaimer: I have not tested all these features yet.

As a side note: While I appreciate that the iOS developer site is already offering the GM seed it was quite surprising that Microsoft landed their Mango build on my Windows Phone last week beating Apple’s launch cycle. (I wouldn’t be surprised if someone in Redmond worked overtime to make it.) Now I have two new mobile operating systems to get friendly with all at the same time Smile

12 thoughts on “iOS 5 – Anything In It For The Enterprise – Conclusion”

  1. How does one apply some of the configuration settings mentioned above? I am particularly interested in ….

    Disabling iCloud backup.
    – Disabling iCloud document synchronization.
    – Disabling iCloud Key/Value synchronization

    Is this configurable through Active sync and/or MDM solutions, and how has Apple made this possible.

    Thanks for your feedback!

  2. I would not expect any of these settings to show up in Exchange ActiveSync as they are Apple-specific settings, and I don’t see Microsoft building up that part 🙂
    It would make sense for Apple to release a new version of the iPhone Configuration Utility as these settings should work the same way, but since iOS 5 is officially only available for registered developers it make take a little extra while before publishing it. (If I remember correctly from previos iOS updates iPCU isn’t necessarily in sync in it’s release cycle.)
    MDM vendors should have the necessary info from Apple already to implement in in their solutions, and are most likely running it through QA with the final build of iOS 5 before releasing updates to their products.

  3. Andreas,
    Thank you again for another great blog. Based on the documentation and your quote above,

    “And keep in mind that SCEP certificates are for identifying the device, not the user. With some clever engineering you can control the common name of this certificate so you can match up the two identities”

    Do you have any information regarding this setup? I’m particularly interested in a scenario using a reverse proxy (ISA/TMG) with KCD and authenticating only with User Certifictates. I mention this because it appears both ISA/TMG require the SubjectAltName=othername:principalname to map the user in AD since it’s the “only” authentication mechanism being used. Do you have any advice on configuring NDES to accept requests with this SAN format and issue the certificate with the UPN in the SAN field?

    Since SCEP is for subject type=Computer, how can we accomplish this “trickery” so I can associated the SCEP enrolled certificate with ActiveSync?

  4. I was sort of planning to do an article on trying to use SCEP certs for EAS, but it would have been to dependent on MDM and I probably wouldn’t have had it ready by the time iOS 5 was released so it hasn’t really come together yet. (Future posts aren’t planned out, but if there’s demand for it I could possibly return to this issue.)

    I am not aware of ISA/TMG requiring a specific mapping for SubjectAltName, since it cannot always be expected that a client cert matches up with an AD object. I haven’t seen certificate mapping configuration in TMG similar to what you can do with IIS. There might be something for all I know though, since I don’t know all the low-level details of this in TMG.

    You can however configure restrictions on the client certificate, and I’d definitly look into that on the web listener properties if you are to implement client certs for EAS.

    With iPhone Configuration Utility you can specify both the Subject and Subject Alternative name in the request, so you can make this anything you want really. The NDES service defaults to using the “IPSECIntermediateOffline” certificate template, but you can change this in the registry if you like. (HKLM\Software\Microsoft\Cryptography\MSCEP).

    How you would actually do this with iPCU I’m not sure – you’d have to deploy a SCEP configuration profile first to get the cert, and then configure Exchange settings to use that cert. (Normally iPCU accesses certs on the host computer, and I haven’t tested if you can select certs on the device.) So for this to actually work for a deployment scenario I would think it would come highly recommended to use an MDM solution that has all the bits and bytes in place to do this.

  5. Thanks for the response, Andreas. I am asking these questions because we are currently evaluating MDM solutions from Airwatch, MobileIron, and Maas360, and the documentation for implementing SCEP for EAS certs is very miminal…almost non-existent. It could also be that I’m not getting the best customer support due to the new method of linking SCEP enrolled certificates to user services (WiFi,VPN, and EAS). The ability to use SCEP enrolled “device” certificates has been around for awhile but mostly for encrypting configuration profiles and the like. According to the latest iOS Configuration Profile Key Reference, it is possible to link SCEP enrolled certificates to EAS by using the PayloadCertificateUUID key.

    So…I am very interested in seeing the process for implementing SCEP (NDES mostly) for EAS with any of the MDM vendors. If the demand is not high enough for you to dedicate a blog entry, I would be interested in any specific MDM documentation you could direct me to. It seems like I’m pulling teeth with my MDM contacts to get some answers but I see great value with this feature to simplify enrollment and configuration.

  6. The usage scenario for the SCEP certs so far has primarily been for encrypting the configuration profiles and things like remote wipe through Apple Push Notification Services. Being able to link them to EAS, WiFi and APN was introduced with iOS 5, and even though one can assume MDM vendors have been aware of this for a while I’m guessing they haven’t had time to finalize all the work on the released build of iOS 5.

    I don’t know the specifics of how iOS 5 support is coming along for the MDM platforms you’re mentioning (I know the products, but I haven’t read up on the latest details), but I know Sybase hasn’t had the time yet to add all new features to their Afaria platform. (Which is what I use at home.) Since SCEP so far is mainly an iOS thing on mobile devices (I’m not counting the Cisco routers and switches it’s also used for) I don’t know how many enterprises will link it with EAS. I can see it making sense linking it to WiFi on for instance iPads since Android isn’t a major player on tablets, but if you’re also allowing Android phones it can be difficult to implement. For pure iPhone deployments though I could see it making sense.

    It would possibly make more sense to implement client certificate support in general for EAS with SCEP just being one of the acceptable certificate types/templates. Could be interesting testing it with iPCU just for the sake of it, but I’m guessing that most people going for this would use MDM even if it’s possible to do the manual way.

  7. Feeding off of Colin’s point, is there a way to disable iCloud using ActiveSync or the iPhone Configuration utility? This is a big concern of our Information Security Group and I understand that it may not be specifically stated in the Exchange ActiveSync policies option, is there a way to add it in as a “blocked application”. Surely there must be some type of work around or security feature in place even when using ActiveSync to disallow users from using iCloud.

    Thank you for your time

  8. Apple has released a new version of iPhone Configuration Utility which has added options for disabling iCloud (backup, document sync & key/value sync).
    I still don’t see any way to do it through Exchange ActiveSync policies. The “Blocked Applications” policy only works on Windows Mobile 6.x as far as I know.

  9. Has anyone got this working with their MDM. I am looking at deploying the Client Certificates that are created via the SCEP process, to link them to EAS for this. The main reason is to avoid the end user entering their password on the device, when the netowrk requests a change. The phone is protected via Lock code so why would they need to key in their password on a change!

    Any assistance or guidance/blog/site/doco would be great. Currently got the SCEP and the user certificate landing on the iPhone, but unable to find where the EAS tie for that is!


  10. If you use iPhone Configuration Utility in OSX (the Windows version didn’t support this last time I checked) you can get it working. We had a little discussion in the comment thread (down at the bottom currently) for a previous article:

    The challenge for doing this via MDM is that the MDM server needs to know the id of the SCEP cert to tie it into the EAS profile, but it’s not able to know this id up-front. Of course, if the MDM solution is implemented in a way that it’s done in two phases were the SCEP profile is pushed out, device reports back id, and then an EAS profile is pushed out it would work. But this would of course be up to each MDM vendor to sort out for their solutions.

Leave a Reply

Your email address will not be published. Required fields are marked *