iOS MDM: Expanding Visibility & Enforcement

iOS Mobile Device Management Secures
By Lisa Phifer February 22, 2012 1:16 PM

Control without visibility can be a dangerous combo. Many MDM products offer iOS agents to give IT a better look under the hood – including jailbreak detection.

MDM servers can use native iOS MDM queries to assess the state and health of iPhones and iPads from afar. It is quite common to offer a wealth of reports and graphs based on such query results, including hardware inventories, software inventories, and compliance reports listing devices per iOS version or with/without passcodes or encryption enabled.

However, some MDM vendors use their own iOS MDM agents to deliver to IT greater visibility, and many leverage that deeper insight to help IT enforce security policies. Let’s consider a few examples.

Enforcing Native Security

Since the iPhone 3GS, iPhones and iPads have supported hardware encryption, preventing a thief from accessing a lost or stolen device’s data without its passcode. For added protection, Apple applies secondary encryption to email messages; third-party applications can also elect to encrypt their own data.

Configuration Profiles can be used to require a long complex passcode and hardware encryption. Profiles can also trigger self-wipe after repeated passcode failures and auto-lock inactive devices. Many other security-related attributes are sprinkled throughout profiles, such as disabling risky device capabilities, supplying certificates for Wi-Fi networks and VPNs, and denying iCloud synchronization.

Managing Compliance Rule Sets

After MDM applies profiled settings, it can be difficult but not always impossible for users to override them. Furthermore, Apple mandates that users be able to remove MDM control by uninstalling the MDM profile added during enrollment. As a result, queries should always be used to verify ongoing compliance and respond to deviations with business-appropriate actions (above). But MDM compliance checks and remediation aids vary; look for the ability to auto-enforce your specific security policies.

Detecting Jail-Broken Devices and More

One of the riskiest things a user can do to their iPhone or iPad is to jailbreak it. Jailbreaking exploits a vulnerability to install a modified OS that lacks certain Apple restrictions – notably, permitting installation of non-Apple-signed apps from third-party sites such as Cydia. A jailbroken device is not necessarily running malicious code; however, it is less trustworthy and more likely to fall victim to malware.

This is why many MDM vendors give customers the option of installing a proprietary but Apple-approved MDM agent. A device-resident agent can not only spot a jailbreak when it occurs – it can help the MDM peer into device status and activities not surfaced by native iOS MDM APIs. For example (with user permission) an MDM agent can report the device’s location to the MDM, letting IT map and track its whereabouts.

Enforcing Application Policies

Historically, MDM agents were often needed to facilitate IT-initiated app installation. However, iOS 5 expanded native application management, making it easier for IT to install enterprise and free AppStore apps without agents. Still, some MDM agents continue to play a role in application policy.

For example, the Fiberlink MaaS360 screenshot below illustrates an IT-defined blacklist of unwanted apps; alternatively, IT could specify a whitelist of allowed apps. Any deviation from this black or white list renders the device non-compliant, which may provoke an automated action (e.g., send the user email, quarantine the device). An App Catalog auto-installed on managed devices also displays these policy-recommended and required apps, as appropriate for each user.
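To make the compliance-rule idea above concrete (ongoing query-based checks, jailbreak status from an agent, and an app blacklist or whitelist), here is a small evaluator added as an example; it is not code from the article or from any MDM vendor. It assumes device reports shaped like native iOS MDM query results (the `OSVersion`, `PasscodePresent`, `HardwareEncryptionCaps` and `InstalledApplicationList` keys are real query keys; `agent_jailbroken` is a hypothetical field standing in for whatever a vendor agent reports), and the sample devices are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed device reports: native MDM query results plus one
# hypothetical agent-supplied field ("agent_jailbroken"), since native
# iOS MDM queries do not surface jailbreak status.
SAMPLE_DEVICES = [
    {"UDID": "dev-1", "OSVersion": "5.0.1", "PasscodePresent": True,
     "HardwareEncryptionCaps": 3, "agent_jailbroken": False,
     "InstalledApplicationList": [{"Identifier": "com.example.mail"}]},
    {"UDID": "dev-2", "OSVersion": "4.3.5", "PasscodePresent": False,
     "HardwareEncryptionCaps": 1, "agent_jailbroken": True,
     "InstalledApplicationList": [{"Identifier": "com.example.unwanted"}]},
]

@dataclass
class Policy:
    min_os: tuple = (5, 0)
    require_passcode: bool = True
    require_file_encryption: bool = True   # HardwareEncryptionCaps bit 2 = file-level
    blacklist: set = field(default_factory=set)
    whitelist: Optional[set] = None        # None means no whitelist is enforced

def _parse_version(s):
    return tuple(int(p) for p in s.split("."))

def violations(device, policy):
    """Return the list of policy violations found in one device report."""
    v = []
    if _parse_version(device["OSVersion"]) < policy.min_os:
        v.append("os_too_old")
    if policy.require_passcode and not device.get("PasscodePresent"):
        v.append("no_passcode")
    if policy.require_file_encryption and not (device.get("HardwareEncryptionCaps", 0) & 2):
        v.append("no_file_encryption")
    if device.get("agent_jailbroken"):
        v.append("jailbroken")
    apps = {a["Identifier"] for a in device.get("InstalledApplicationList", [])}
    v += sorted("blacklisted_app:" + a for a in apps & policy.blacklist)
    if policy.whitelist is not None:
        v += sorted("unapproved_app:" + a for a in apps - policy.whitelist)
    return v

def remediation(found):
    """Map violations to an action: jailbreak or missing encryption quarantines
    the device; any other deviation only notifies the user."""
    if not found:
        return "compliant"
    if {"jailbroken", "no_file_encryption"} & set(found):
        return "quarantine"
    return "notify_user"

def evaluate(devices, policy):
    """Evaluate every device report; returns {UDID: (violations, action)}."""
    return {d["UDID"]: (violations(d, policy), remediation(violations(d, policy)))
            for d in devices}
```

Run `evaluate(SAMPLE_DEVICES, Policy(blacklist={"com.example.unwanted"}))` to see one compliant device and one that the rule set would quarantine for several reasons at once.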

Managing iOS Device Policies

In this article, we have touched on many features and capabilities offered by contemporary MDM products to help IT manage and secure iOS devices. As we have seen, basic management is possible without MDM. However, scalable management, ongoing policy enforcement, and real-time threat mitigation require native iOS MDM and a third-party MDM server that puts those APIs to good use.
