iPhone Private Key Generation – Timings

While testing SCEP enrollment on the iPhone 3GS I noticed some performance issues I was not aware of. (Hence why I’m typing it down here as well, in case someone else was wondering.) You have two options when choosing the length of the key size used in the certificate request – 1024 or 2048. At first I ran with 1024, but as I was cleaning up the code and the profile I upped it to 2048. And when I tried to enroll it seemed like it was timing out or something!

So I ran through the procedure a couple of times and tried to benchmark the performance. When using 1024 bits generating the key took 2-5 seconds (I’m not using precision timing here mind you). When changing it to 2048 bits I was seeing results in the 30-40 seconds range. The actual times measured varied greatly (don’t know why), but in general you could say doubling the key size made the generation take ten times as many seconds!

These tests were conducted on an iPhone 3GS with iOS 4.1.

What to do then? Now of course, the key size isn’t the only factor deciding how secure your certificate implementation is, but 2048 is becoming the “standard” size in Windows on the desktop and server side and it would be logical to use that on devices as well. I don’t know about the user perspective though – users get frustrated when it takes a long time to set up their devices. And if they think it has timed out or something they might try to cancel the process leading to other issues instead. While not a big thing you might want to keep it in mind when deciding on the profile settings.

Do report back if you are seeing something else, and there are indications that this could be something just occurring on my test device.
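To reproduce the comparison above on a desktop rather than on the phone, here is an added benchmark (not part of the original post) that times 1024- and 2048-bit RSA key generation with Go's standard library and reports the median of several runs, since single measurements vary a lot, just as they did on the 3GS. The absolute numbers will be far smaller than on the iPhone, but the ratio between the two sizes is what the post is about.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"sort"
	"time"
)

// GenerateTimed generates one RSA key of the requested size and returns it
// together with the wall-clock time the generation took.
func GenerateTimed(bits int) (*rsa.PrivateKey, time.Duration, error) {
	start := time.Now()
	key, err := rsa.GenerateKey(rand.Reader, bits)
	return key, time.Since(start), err
}

// MedianKeygen repeats the measurement 'runs' times and returns the median
// duration. The median smooths out the large run-to-run spread that the
// random prime search behind RSA key generation produces.
func MedianKeygen(bits, runs int) (time.Duration, error) {
	times := make([]time.Duration, 0, runs)
	for i := 0; i < runs; i++ {
		_, d, err := GenerateTimed(bits)
		if err != nil {
			return 0, err
		}
		times = append(times, d)
	}
	sort.Slice(times, func(i, j int) bool { return times[i] < times[j] })
	return times[len(times)/2], nil
}

func main() {
	// Constructed benchmark: the two sizes the SCEP payload lets you choose.
	const runs = 5
	t1024, err := MedianKeygen(1024, runs)
	if err != nil {
		panic(err)
	}
	t2048, err := MedianKeygen(2048, runs)
	if err != nil {
		panic(err)
	}
	fmt.Printf("1024-bit median: %v\n", t1024)
	fmt.Printf("2048-bit median: %v\n", t2048)
	fmt.Printf("ratio 2048/1024: %.1fx\n", float64(t2048)/float64(t1024))
}
```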

Apple Loosening the Tight Grip – Slightly…

By now version 4 of iOS has been out for a while, and depending on where you live in the world a launch of the iPhone 4 may have happened or be imminent. (My guess is that when it launches where I live, come 30th July, there will be waiting lists to actually get one.) But the software, iOS 4, has been around as an available upgrade for current iPhone/iPod users for a couple of weeks, and if you have a 3GS you can enjoy almost all the features anyway.

What didn’t see public release at the same time, though, was iPhone Configuration Utility, iPCU for short, but last week this was released in a new version as well, going from 2.2 to 3.0. (I blame a holiday trip of mine for not noticing until now…) This is the tool for doing basic configuration on a per-device basis. Some might call this MDM light – I call it very light, but fair enough. It also serves as the tool for generating profiles you can use if you happen to have an iPhone provisioning server configured, and in such a scenario enabling at least the policy aspect of MDM. Download here: http://support.apple.com/kb/DL926

So what’s new this time? Well, there’s the obvious one like configuring multiple Exchange accounts. There’s the ability to restrict use of FaceTime, the revolutionizing video camera functionality. (All hail Steve Jobs for inventing amazing technology…actually don’t even get me started on the whole video calling thing…)

And a new payload type called…drum roll… Mobile Device Management!

Not many interesting things here by itself, this is just setting up the connection to an MDM server…wait a minute? MDM of the iPhone? Well, not all details are known, but Apple has announced that it is allowing access for three MDM vendors (Sybase, AirWatch and MobileIron) to do things previously only accessible by Apple themselves. I’ve signed up for the beta of Afaria’s support, and haven’t tested any of these solutions yet, but it looks more promising than what we’ve seen so far. For instance remote wipe without Exchange ActiveSync, and the ability to detect if a device has been jailbroken (and then possibly prevent it from syncing PIM data).

As far as I know there is also an MDM API available for developers, if your company happens to have more than 500 employees. So maybe the configuration options also apply to in-house MDM solutions. (Note: you can only grant access to company-owned devices if you code your own MDM. You may not develop your own and re-sell it as a hosted service or anything similar. Only the approved MDM vendors may do that.)

Also available in iPCU, and from MDM platforms, is the ability to add applications to a device without going through the App Store. There is a procedure for getting your application signed by Apple, and possibly they do some technical review too, but it’s still far better than the current app distribution engine if you are an enterprise user.

I’m still not saying the iPhone is the perfect enterprise device, and even as a regular user there are things I’d like to see implemented differently. But if you compare it to the other hot name of the day, Android, it’s ahead in this department. With my HTC Hero there’s still not a properly implemented ActiveSync client (it’s updated to Android 2.1 and not using the OS native client that will arrive in 2.2 – which the Hero most likely never will see as an available upgrade). If they keep this up I see no reason to complain though.