iOS Security: One Big Reason Haliburton Chose The iPhone Over Android | Cult of Mac

iOS Security: One Big Reason Haliburton Chose The iPhone Over Android



Haliburton’s decision to choose iOS as its new mobile platform was made after “significant research” indicated that iOS “offered the best capabilities, controls and security for application development,” according to a leaked memo published by AppleInsider.  These capabilities, collectively known as mobile device management (MDM) features offer a solid framework that can be used to apply a number of security policies like complex passcode requirements and that a device’s data be encrypted.  MDM features also include the ability to IT departments to restrict access to iOS features (say installing apps or taking photos) and to monitor devices remotely.  Of course, they also include the ability to remotely wipe a device if it’s lost or stolen.


One excellent facet of MDM in iOS 4 and iOS 5 is the ability to monitor a device.  There are a wide range of states that management software, including the Profile Manager service in Lion Server, can collect about managed devices.  This includes seeing what apps have been installed, ensuring OS updates are rolled out, and being able to tell if a device has been jailbroken.


While all this may sound a bit like big brother, if you’re a major energy company with operations in dozens of countries, security can be a major issue.  Of course, I could say the same thing about a medical practice needing to maintain privacy compliance.

Today, MDM vendors (and there are many of them) often support a mix of different mobile platforms and it isn’t unusual to see companies employing MDM for iPhones, Android handsets, and BlackBerry devices.  Which begs the question: why select just a single platform?


Security probably wasn’t the big reason to dump RIM.  Outages, an unclear future, and maybe even limitations from a development perspective are all good reasons, however. Then again there’s always the potential cost.


But why not pick Android as well as or instead?


That comes down to the iOS MDM features.  For one thing, all iOS devices running iOS 4 or 5 support them and they work the same on every iPhone, iPad, and iPod touch – not something you can so universally say about Android.


Then there’s the app environment.  iOS devices that aren’t jailbroken can only download apps from Apple or from a corporate selection of apps developed in-house.  That plus MDM ensures things are secure.


Apple also has a trick up its sleeve that Android doesn’t.  Every company that invests in an MDM product also needs to request a security certificate from Apple.  That certificate is responsible for identifying the MDM server(s) the company purchases to the Apple Push Notification Server (APNS).


APNS is used by any app that uses Apple’s notification framework for iOS.  In MDM, it functions very similarly.  The MDM server tells the APNS to notify one or more devices. The certificate ensures this is a legitimate command and tells the device(s) to check-in with the server. The use of APNS has two advantages – it ensures the validity of the MDM command and it issues commands with limited impact on a business’s infrastructure or battery life on the managed devices.  No actual company data is transmitted though Apple beyond identifying the MDM server and requested devices – they securely communicate directly once a device responds to the initial push notification from APNS.


A similar Apple certificate process happens when a business creates its own internal apps.  An enterprise developer account certificate must be requested from Apple (including paying the $299 enterprise level developer program membership).  Similarly this certificate identifies to installed apps are legitimate to each iOS device within an organization.


It’s worth noting that up until last fall, companies would need to use an enterprise developer account to acquire an APNS certificate, a requirement that Apple has no done away with.  The entire process actually involves the certificate being generated by the company implementing MDM and then being signed by Apple and the MDM vendor.


This process actually offers a nice balance of security and the ability to leverage Apple’s push notification architecture to ensure best performance and battery life on managed devices.


For more information, you can check out Apple’s MDM white paper and InfoWorld’s introduction.