/CertSrv vs Mobile Devices

I mentioned in my last blog post about Android Ice Cream Sandwich that it is now possible (actually from Android 3.x Honeycomb onward) to enroll certificates directly from the /CertSrv web site onto your mobile device. (If you’re running a Microsoft CA, of course.)

This is all nice and dandy, but it’s not like Android devices are the only devices you’re likely to be supporting. With the tablet varieties the split is something like 90/10 iPad vs “the rest”. However, if you have ever tried loading up /CertSrv on your iOS device or your Windows Phone, you’ll have noticed that it’s not working.

I find this slightly annoying, and decided to look into this further. Those pesky ActiveX controls can’t be the only reason right? 🙂

There are really two things to sort out here: is the problem in the web pages themselves and the server, or is it something on the browser side? Turns out there’s a bit of both involved.


iOS 5 – Changes to MDM Usage Policies

I have already covered the new (enterprise relevant) features in iOS 5:

Right after releasing that post Apple just launched a couple of changes to how these features work, or rather the policies relating to the usage of them. (The features themselves are still on – don’t worry.)

So far Apple has been very secretive even by their standards regarding how Mobile Device Management has been implemented. Since several MDM vendors have had support for iOS devices for a while now, and supported pretty much the same feature set, it was obvious that they didn’t just all come up with this out of nothing. And they certainly didn’t. This was actually with the help of a documented API, but the thing was that the documentation wasn’t exactly publicly available. You had to apply and be approved before receiving the docs, and then you could implement an MDM solution for your customers.

As of last week they have made the docs available for a broader audience. It’s still not totally public – you will need an iOS Developer Enterprise account, which should set you back $299 a year. It’s not available for hobby developers either, unless they happen to have a Dun & Bradstreet number, which I’m guessing most hobbyists don’t have. If you happen to have an Enterprise account you can just sign in and actually read everything you need to know to develop your own iOS MDM solution.

Of course not everyone will be interested in developing their own solution for managing iOS devices. After all, there are a couple of vendors who have been down that road already, and you don’t need something homegrown just for the fun of it. Enterprises have been able to use the MDM API for a long time already, even if they are not aware that they are using it. But so far you have had to enroll in an iOS developer program as a company to obtain the necessary certificates for authenticating to the “Apple Push Notification Service” (APNS). While APNS will work with an iOS Standard Company account, you still have to send over the necessary details to Apple proving you’re a company entity and pay up $99. (There is a misconception that the iOS Enterprise program is required – it’s not. Basic MDM will work with Standard accounts, but distributing in-house apps requires an Enterprise account.)

The good news is that Apple is now waiving this fee, and you can get your APNS cert for free. The process is outlined here:

Basically your company needs to generate a Certificate Signing Request (CSR), which you send to your chosen MDM vendor, who will in turn sign the CSR. The signed CSR will have to be submitted to Apple, and Apple will give you a certificate in return. (You will need a valid Apple ID to sign in, naturally.) Previously the entire process was performed by the customer without involving the MDM vendor at all, but this new process means that MDM vendors have to implement some new bits and bytes on their end to handle the signing part. While this means there’s still a step or two the customer needs to do, it still sounds like an improvement to me. (The process to get your developer account approved by Apple could take 1-2 weeks if you’re unlucky.)
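The division of roles in that flow, as an added example that is not from the original post or from Apple's documentation: the customer creates the key pair and CSR, the vendor signs the CSR bytes, and the customer checks the vendor's signature before uploading. It assumes the vendor signature is a detached SHA-256/RSA signature over the DER-encoded CSR (the post does not give the exact format), and all keys, subjects and file names are constructed.

```shell
#!/bin/sh
# Added example: constructed keys and names, run entirely offline with openssl.
set -eu

# Prints "valid" or "invalid" for a vendor signature over a DER-encoded CSR.
# Args: vendor public key (PEM), CSR (DER), detached signature.
check_vendor_sig() {
  if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# Runs the three steps in a scratch directory (subshell keeps variables local).
apns_csr_flow() (
  d=$(mktemp -d)
  # 1. Customer: generate key pair and CSR. customer.key never leaves the customer.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/customer.key" \
    -out "$d/customer.csr" -subj "/CN=Example Corp MDM Push/O=Example Corp" 2>/dev/null
  openssl req -in "$d/customer.csr" -outform DER -out "$d/customer.der"

  # 2. Vendor: sign the CSR bytes with the vendor's own key (constructed here;
  #    in practice the vendor holds this key and only returns the signature).
  openssl genrsa -out "$d/vendor.key" 2048 2>/dev/null
  openssl rsa -in "$d/vendor.key" -pubout -out "$d/vendor.pub" 2>/dev/null
  openssl dgst -sha256 -sign "$d/vendor.key" -out "$d/customer.sig" "$d/customer.der"

  # 3. Customer: verify before submitting. The signature must cover this exact CSR.
  good=$(check_vendor_sig "$d/vendor.pub" "$d/customer.der" "$d/customer.sig")

  # A different CSR (for example, one swapped in transit) must not verify
  # against the signature issued for the original request.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/other.key" \
    -outform DER -out "$d/other.der" -subj "/CN=Someone Else" 2>/dev/null
  bad=$(check_vendor_sig "$d/vendor.pub" "$d/other.der" "$d/customer.sig")

  rm -rf "$d"
  echo "$good $bad"
)

apns_csr_flow
```

The vendor only ever sees the CSR, which contains the public key; the private key that will later authenticate the MDM server to APNS stays with the customer throughout.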

Trying to draw the line between the consumer market and the enterprise market, it is also stated quite clearly in the License Agreement (you didn’t think for a second Apple would skip a chance to present legalese, did you?) that only company owned/controlled devices are allowed to use MDM. A normal end-user customer cannot sign up to a generic hosted MDM solution; the MDM control should only be used where an employer<->employee relationship is in place. Oh, well, consumers have iPhone Configuration Utility (now updated to support iOS 5) for configuration and iCloud for remote wipe, so they will hopefully be able to get by without MDM 🙂

iOS 5 – Anything In It For The Enterprise – Conclusion

Drumroll, please…
iOS 5 is finally here! Pack your sleeping bags, and get ready to stand in line around the block of your neighborhood Apple Store. (We don’t have any where I live so I’ll just wait it out…)

Ok, it’s not shocking really given that it has been around in various betas for months, and this is the season for launching new iGadgets. (Technically iOS 5 was soft launched when the first beta arrived, but RTM is after all the hard launch.)


I blogged a two-part post back then where I made speculations as to what iOS 5 would bring for the enterprise:
iOS 5 – Anything In It For The Enterprise?
iOS 5 – Anything In It For The Enterprise? (Part 2)

Granted some of the items listed were more wish list type of items than fact-based, whereas others were more likely to actually surface. So, with the OS finally launched – what is the status? Let’s break it down: