iOS Mobile Device Management Security
The iPhone may have launched as a consumer product, but Apple continues to roll out enterprise enhancements, including native over-the-air mobile device management.
While it's possible to sync a worker’s iPhone or iPad with your corporate Microsoft Exchange Server, this does not address broader enterprise device management or security needs. Instead, IT pros can leverage native mobile device management (MDM) capabilities embedded within iPhones and iPads to remotely query, configure, update, and monitor any enrolled iOS 4 or 5 device, independent of ownership. Let’s look at how iOS MDM supports common enterprise security requirements, from self-service enrollment and transparent provisioning to compliance audits and real-time threat mitigation.
Using EAS to Control Exchange Access
As detailed in Part 1 of this series (Effectively Securing Mobile Devices), iOS devices support a subset of Exchange ActiveSync (EAS) mailbox policies, including those used to enforce passcode use, length, complexity, inactivity, expiration, and history rules. EAS can also allow or deny use of a device’s camera or Safari browser, or prevent email access by older iPhones and iPods that lack hardware encryption.
For some organizations, EAS policies are enough to deny non-compliant iPhone or iPad access to enterprise email, addresses, tasks, and calendars. Should an iOS device be lost or stolen, EAS can also wipe that device on its next synchronization. But ultimately, EAS is better at enterprise messaging than device management or security.
Using Profiles to Provision Devices
Long ago, Apple built a far more extensive device administration interface into iOS, based on Configuration Profiles. As explained in Tom’s IT Pro tutorial on “Secure iPad Deployment,” many iPhone, iPod touch, and iPad attributes can be set by applying XML-formatted files generated by Apple’s iPhone Configuration Utility (below).
With this desktop utility, IT can provision new iPhones by posting “corporate standard” profiles on web servers or emailing them to users. As each user opens a profile, all contained settings get applied to their device: for example, passcode rules, device restrictions, and Wi-Fi, VPN, and Exchange account parameters. Alternatively, IT can use this utility to send profiles to a single USB-connected device, provisioning new iPhones or iPads one at a time.
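As an added illustration (not code from the article or from Apple's utility), the script below builds a constructed Configuration Profile containing the two payload types the article describes, a passcode policy and device restrictions, then audits the passcode settings against a corporate baseline. The baseline values, the `com.example` identifiers and the `build_profile`/`audit_profile` helpers are assumptions; the payload type names and setting keys are the ones Apple documents for Configuration Profiles.

```python
import plistlib
import uuid

# Assumed corporate baseline for the passcode payload (constructed, not Apple's).
BASELINE = {"forcePIN": True, "allowSimple": False, "minLength": 6,
            "maxInactivity": 5, "maxPINAgeInDays": 90, "pinHistory": 4}
STRICTER_IF_LARGER = {"minLength", "pinHistory"}   # the rest are stricter if smaller
PASSCODE = "com.apple.mobiledevice.passwordpolicy"  # documented payload type
RESTRICTIONS = "com.apple.applicationaccess"       # documented payload type

def build_profile(passcode: dict, restrictions: dict) -> bytes:
    """Build a constructed XML .mobileconfig with a passcode and a restrictions payload."""
    def payload(ptype, ident, body):
        return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
                "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)), **body}
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadDisplayName": "Corporate standard (constructed example)",
        "PayloadIdentifier": "com.example.corp.profile",
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, "com.example.corp.profile")),
        "PayloadContent": [payload(PASSCODE, "com.example.corp.passcode", passcode),
                           payload(RESTRICTIONS, "com.example.corp.restrictions", restrictions)],
    }
    return plistlib.dumps(profile)

def audit_profile(data: bytes) -> list:
    """Return one finding per passcode setting that is missing or weaker than BASELINE."""
    profile = plistlib.loads(data)
    payloads = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    pw = payloads.get(PASSCODE)
    if pw is None:
        return ["no passcode policy payload in profile"]
    findings = []
    for key, want in BASELINE.items():
        got = pw.get(key)
        if isinstance(want, bool):
            weak = got != want
        elif key in STRICTER_IF_LARGER:
            weak = got is None or got < want
        else:  # a missing limit means no limit at all, so it is also a finding
            weak = got is None or got > want
        if weak:
            findings.append(f"{key}: expected {want}, profile has {got}")
    return findings

if __name__ == "__main__":
    print(audit_profile(build_profile({"forcePIN": True, "minLength": 4}, {"allowCamera": False})))
```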
Apple has updated this utility over time to add more settings and to install enterprise applications. But this utility does not scale, and it does nothing to enforce ongoing policy compliance or to help IT control deployed devices in the field. More is required to manage and secure iOS devices on an enterprise scale.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since 1997, Lisa has reviewed, deployed and tested mobile policies and practices, ranging from wireless/VPN security to device/data defenses. See here for all of Lisa's Tom's IT Pro articles.