It’s been over two years since Apple unveiled iOS 4 with mobile management features designed to make the iPhone and iPad a significantly better corporate citizen. During those years, the landscape of business and enterprise mobility has changed dramatically. RIM has collapsed and will never truly recover, Microsoft has doubled down on the interface it launched late in 2010 with no guarantee of success, and Android has become much more enterprise friendly. Perhaps more important is the fact that the idea of mobile management and security has shifted from a focus on devices to a focus on securing data and managing mobile apps.
As all this has happened, Apple’s mobile management framework, which is the system that all mobile management vendors plug into in order to secure and manage iOS devices, has essentially stagnated. With iOS 6 on the horizon, let’s look at the areas that Apple needs to address if it wants iOS to remain one of the preferred mobile platforms for business.
All of Apple’s news for iOS 6 has largely focused on feature additions and changes aimed at consumers and, to a lesser degree, business users. The company has been mum on the subject of mobile management and enterprise features that may be included in the release. That isn’t entirely surprising. Apple kept pretty quiet about iOS 5’s handful of mobile management additions even after demoing iOS 5 at WWDC.
The iOS 5 additions that Apple made were actually pretty minimal. There was the wholesale ability to disable Siri entirely or while an iOS device is locked. There was a similar heavy-handed set of iCloud restrictions – disable iCloud document syncing, disable device backup to a user’s iCloud account, and disable Photostream. Those restrictions offer no room for separating personal data from corporate data, such as blocking document sync for certain apps while still letting purely personal apps sync.
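To make the bluntness concrete, here is an added example (not code from the original post) that builds a configuration profile carrying exactly the iOS 5-era Siri and iCloud restrictions listed above, then audits a profile for them. It uses only the Python standard library; the payload keys are Apple’s Restrictions payload keys (`allowAssistant`, `allowAssistantWhileLocked`, `allowCloudDocumentSync`, `allowCloudBackup`, `allowPhotoStream`, in a `com.apple.applicationaccess` payload), while the organization name, identifiers and UUIDs are constructed sample values. Note that every one of these keys is a device-wide boolean, which is precisely why they cannot separate personal from corporate data.

```python
"""Added example (not from the original post): build and audit an iOS
configuration profile carrying the iOS 5-era Siri and iCloud restrictions.
Standard library only. Restriction keys are Apple's Restrictions payload
keys; organization, identifiers and UUIDs are constructed sample values."""
import plistlib
import uuid

# Restriction keys from Apple's Restrictions payload (com.apple.applicationaccess).
# Each one is a device-wide boolean: there is no per-app granularity.
BLUNT_RESTRICTIONS = {
    "allowAssistant": False,             # Siri off entirely
    "allowAssistantWhileLocked": False,  # Siri off on the lock screen
    "allowCloudDocumentSync": False,     # iCloud document sync
    "allowCloudBackup": False,           # device backup to iCloud
    "allowPhotoStream": False,           # Photostream
}


def build_restrictions_profile(org, identifier, restrictions):
    """Return a .mobileconfig (XML plist) as bytes with one Restrictions payload."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} iOS restrictions",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes, required):
    """Parse a profile and return the sorted list of required restriction keys
    that are missing or set permissively. An absent key means "allowed", which
    is why a missing key counts as a finding."""
    profile = plistlib.loads(profile_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            found.update({k: v for k, v in payload.items() if k.startswith("allow")})
    return sorted(k for k, want in required.items() if found.get(k, True) != want)


if __name__ == "__main__":
    # Constructed usage: a full profile passes, a partial one reports the gaps.
    full = build_restrictions_profile("Example Corp", "com.example.ios", BLUNT_RESTRICTIONS)
    print("full profile findings:", audit_profile(full, BLUNT_RESTRICTIONS))
    partial = build_restrictions_profile("Example Corp", "com.example.ios", {"allowAssistant": False})
    print("partial profile findings:", audit_profile(partial, BLUNT_RESTRICTIONS))
```

The audit treats an absent key as permissive because that is how restriction payloads behave: anything not explicitly set to false stays allowed, so a half-written profile silently leaves Siri or iCloud enabled.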
There were some additional capabilities that attempted to manage over the air app deployment and updates, but even those were pretty limited and required user responses rather than offering true automatic installation.
In the end, iOS 5 offered little improvement or expansion of the iOS mobile management capabilities. Given how tightly Apple controls what mobile management vendors are allowed to do when developing iOS management systems, there’s a real possibility that iOS will stagnate as an enterprise option without Apple keeping pace with the rest of the industry. Even setting aside the technical ramifications of iOS management stalling at a 2010 level, Apple will be reinforcing the opinion of many corporate executives and IT leaders that the company doesn’t care about its business and enterprise customers.
Hands down the most critical area that Apple needs to address is app management. Mobile App Management (MAM) has become a common acronym and buzzword in the IT world for a very good reason – it is an incredibly effective model for dealing with personal devices owned by employees but used at work as part of a bring your own device (BYOD) program, as well as corporate-owned but personally enabled (COPE) devices that deliver many of the same benefits of BYOD.
App management encompasses multiple mobile security and management strategies. The most obvious is the ability to push apps out to mobile devices over the air. Apple tried to address this with iOS 5, but didn’t go far enough with the concept. Ideally, iOS 6 over the air installation will be fully automated and not require a user to accept app installation – a move that could ensure secure deployment of required and critically important apps (including internal apps not distributed by the App Store).
App management also means preventing the installation or use of certain apps, such as those that sync data to unapproved cloud services like Dropbox or those known to copy data without user consent. While Apple makes it easy to block install of all apps and enables mobile management to determine if unapproved apps are installed, these features should really be more granular and more effective in their operation.
Blocking the installation or use of apps that meet defined criteria like App Store categories, specific developers, or even text in the name of an app would be a welcome addition. Such functionality would also be a logical extension of the existing iOS option to block apps (and music, movies, and TV shows) based on content rating. Supporting automatic removal of blacklisted apps whether installed and paid for by the employee or employer would also be a helpful addition. While some vendors have worked around the limitations to approximate this functionality, a solution from Apple built into iOS would be a much better approach.
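The rule types proposed above (App Store category, developer, text in the app name) are simple to evaluate server-side once an MDM has an installed-app inventory. The following is an added example, not code from the post or from any MDM vendor: the inventory, bundle identifiers, developer and category fields are constructed sample data (category and developer are metadata an MDM would have to look up from the App Store itself, since the post only states that iOS lets management systems query for installed apps), and the rule format is an assumption made for the example.

```python
"""Added example (not from the original post): evaluate an installed-app
inventory against block rules of the three kinds the post proposes
(App Store category, developer, text in the app name). Inventory, rules
and field names are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    bundle_id: str
    name: str
    developer: str
    category: str


# Constructed inventory in the shape an MDM server might hold after an
# installed-application query plus App Store metadata lookup.
INVENTORY = [
    App("com.example.crm", "Example CRM", "Example Corp", "Business"),
    App("com.example.cloudsync", "CloudSync Drive", "Example Cloud Ltd", "Productivity"),
    App("com.example.penguins", "Angry Penguins", "Example Games", "Games"),
    App("com.example.notes", "Notes Pro", "Example Corp", "Productivity"),
]

# Constructed block rules. Conditions inside one rule are ANDed; rules are ORed.
BLOCK_RULES = [
    {"category": "Games"},
    {"developer": "Example Cloud Ltd"},
    {"name_contains": "sync"},
]


def rule_matches(app, rule):
    """True when every condition in the rule holds for the app."""
    checks = {
        "category": lambda v: app.category.lower() == v.lower(),
        "developer": lambda v: app.developer.lower() == v.lower(),
        "name_contains": lambda v: v.lower() in app.name.lower(),
    }
    unknown = set(rule) - set(checks)
    if unknown:
        # Fail closed on a typo in a policy rather than silently matching nothing.
        raise ValueError(f"unsupported rule keys: {sorted(unknown)}")
    return all(checks[key](value) for key, value in rule.items())


def blocked_apps(inventory, rules):
    """Map bundle_id -> index of the first matching rule, for every app that
    should be removed. Apps matching no rule are absent from the result."""
    result = {}
    for app in inventory:
        for index, rule in enumerate(rules):
            if rule_matches(app, rule):
                result[app.bundle_id] = index
                break
    return result


if __name__ == "__main__":
    for bundle_id, index in blocked_apps(INVENTORY, BLOCK_RULES).items():
        print(f"{bundle_id}: blocked by rule {BLOCK_RULES[index]}")
```

Recording which rule fired matters operationally: when an employee-paid app is removed, the help desk needs to explain why, and a rule like `name_contains` is the one most likely to produce false positives.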
Enterprise app stores are another piece of the MAM puzzle. They can make apps available to users via an easy to use interface and can deliver both private internal apps as well as a curated list of public apps from the App Store. This is one area where third-party vendors actually deliver pretty impressive results. App licensing could be improved and would improve the existing solutions on the market (more on that in a bit), but it isn’t truly necessary for Apple to create its own enterprise app store solution.
More Traditional Volume Licensing Options
Next to offering more app management functionality, Apple really needs to revisit its Volume Purchase Program (VPP). The existing system is really little more than a sad compromise between the consumer App Store purchase process and the needs for businesses and schools to buy apps in bulk for distribution to iPhone and iPad users. The biggest flaw in the system is that once a VPP redemption code is used to install an app, it becomes worthless. IT cannot reclaim the license to install/run that app on another user’s device because that license becomes permanently associated with the user’s Apple ID. Apple Configurator can mitigate that flaw, but even Configurator doesn’t make the process easy. Configurator is also far too hands-on to be scalable to the needs of a large business.
If Apple is serious about maintaining the popularity that iOS has found in the workplace, the company really needs to address app licensing with a mechanism that ties apps installed using VPP redemption codes to the company and not to the individual (or the individual’s device).
Pre-Configure and Enforce App Settings
One of the great features of Mac management is that administrators can define any system or application preferences that they feel are appropriate for users. Several preference options are available in the management interfaces of OS X Server’s Workgroup Manager and Profile Manager, but any setting that can be defined in a system component’s or application’s .plist preferences file can be managed as well. That offers amazingly granular setup and management options.
Apple could expand this functionality to iOS devices. After all, the configuration profiles that manage Macs and iOS devices using Profile Manager are identical in many ways. Unfortunately, given the level of access control that Apple maintains over iOS, we’re not likely to see this capability any time soon despite the relative technical ease with which it could be implemented.
OS Level Content Lockers
Now that we’ve tackled most of the app-related issues Apple needs to address, let’s move on to talking about business documents and other data. The entire IT industry has been recalibrating the perception of mobile security since the phrase BYOD was coined and RIM began going down in flames. The locked-down BlackBerry with its 500+ security policies is no longer a realistic option in many workplaces.
With iOS mobile management supporting less than one tenth of the policy restrictions available from a BlackBerry Enterprise Server and the range of Android variations with different security capabilities on the market, the industry has shifted the key mobile security requirement from locking down the device to locking down the data on the device. One advantage of this approach is greater flexibility and satisfaction among users of managed iOS devices. When you only focus on securing corporate data, disabling some heavy-handed management features becomes a feasible option and it delivers a better user experience.
The question, of course, is how do you secure that content. Apple’s existing encryption APIs in iOS make it relatively easy for app developers to create a secure container or storage locker. Data stored in that locker is securely encrypted. To make that encryption truly useful, apps designed to create storage lockers require independent authentication using a user account and password or two factor authentication methods that are independent of the passcode used to unlock a device. Even if a thief gets the iPhone, guesses the passcode or bypasses it by attaching the iPhone to a computer, the business data in that storage locker remains secure.
Beyond locking sensitive data, developers creating storage locker solutions like Good and Bitzer Mobile can prevent files being copied out of the locker to cloud services or other iOS apps. They can also prevent text or other content being copied and pasted into other apps.
That’s very good security, but because it is at the app level, users may not be able to work with documents or files in other apps. Good has been building a developer platform around its locker technology called Good Dynamics and Bitzer has added document editing support. Those are good workarounds, but an OS level locker from Apple would be a far better solution because approved business apps could be either integrated with the locker technology or even stored in the locker themselves and therefore effectively sandboxed from apps outside the locker while able to copy and paste to other apps within it.
Granular iCloud and Siri Restrictions
At the beginning of this post, I pointed out the ways in which Apple dropped the ball when it comes to managing Siri and iCloud. With Siri gaining a range of new features (not to mention integration with in-dash auto systems), such a blunt on-or-off approach is severely limiting. If Siri becomes the ubiquitous part of daily life that Apple is aiming for, users will probably insist on some flexibility, such as access to certain Siri commands or features like navigation or app launching. The tricky thing for Apple is determining a method that allows innocuous non-work Siri functionality but blocks Siri (and iOS and Mountain Lion dictation features) from transmitting sensitive data up to Apple’s servers for processing. What that might look like is a topic for speculation, but Apple will need to address it.
iCloud restrictions are also heavy-handed. Tying iCloud access into an app management approach, however, could be relatively easy. iOS lets mobile management systems query for installed apps. Expanding that with a blacklist that prevents business-related apps from syncing data to iCloud, or a whitelist of apps that are approved to sync content, should be relatively straightforward. Apple could even let administrators limit specific app data from being backed up to iCloud, but that would probably be more challenging on a technical and administrative level.
Photostream also poses a potential problem for syncing photos, screenshots, and other data out of the office and onto Apple’s servers (and the devices of non-employee users thanks to shared Photostreams being introduced in iOS 6). One way around that could be creating a geofence around various work locations. Photos (and other images) geocoded with location data identifying them as having been taken on company grounds could then be identified and blocked from syncing.
Management Policies Based on Location
Speaking of geofencing, Apple could enable the use of geofences around offices or complexes to configure iOS management and access to corporate resources. When employees arrive at work, certain device features and apps become disabled while access to corporate Wi-Fi and network resources is enabled. When employees leave, access to those resources becomes disabled or shifts to more secure options like automatic VPN use. This is an approach that various mobile management vendors have already begun implementing, but a solution from Apple would enable broader use and consistent mechanisms for location-based management.
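Both location ideas above, blocking Photostream sync for photos geotagged on company grounds and switching management policy when a device enters or leaves a work site, reduce to the same check: is a coordinate inside a geofence? The following is an added example, not code from the post or from any MDM vendor, that implements that check once with circular fences and uses it for both decisions. The site coordinates, fence radii and the contents of the two policies are constructed sample values.

```python
"""Added example (not from the original post): location-based policy
decisions using circular geofences around work sites. One fence check
serves both the management-policy switch and the Photostream decision.
Site coordinates, radii and policy contents are constructed values."""
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed work sites: name -> (latitude, longitude, fence radius in km)
WORK_SITES = {
    "headquarters": (37.3318, -122.0312, 0.5),
    "warehouse": (37.3900, -121.9500, 1.0),
}

# Constructed policies. On site: corporate Wi-Fi on, selected features off.
# Off site: corporate resources only through an always-on VPN.
ON_SITE_POLICY = {"corp_wifi": True, "vpn_required": False,
                  "disabled_features": ["camera", "photostream"]}
OFF_SITE_POLICY = {"corp_wifi": False, "vpn_required": True,
                   "disabled_features": []}


def site_for(lat, lon, sites=WORK_SITES):
    """Name of the first fence containing the point, or None when outside all."""
    for name, (slat, slon, radius_km) in sites.items():
        if haversine_km(lat, lon, slat, slon) <= radius_km:
            return name
    return None


def policy_for_location(lat, lon):
    """Management policy to apply for a device reporting this location."""
    site = site_for(lat, lon)
    if site is None:
        return dict(OFF_SITE_POLICY)
    return {**ON_SITE_POLICY, "site": site}


def photo_may_sync(exif_lat, exif_lon):
    """False for a photo geotagged inside a work fence. A photo carrying no
    location data cannot be classified and is allowed through: that is the
    gap in a purely geofence-based Photostream control."""
    if exif_lat is None or exif_lon is None:
        return True
    return site_for(exif_lat, exif_lon) is None


if __name__ == "__main__":
    print(policy_for_location(37.3318, -122.0312))   # on site at headquarters
    print(policy_for_location(37.0000, -122.5000))   # off site
    print(photo_may_sync(37.3319, -122.0311))         # False: taken on campus
    print(photo_may_sync(None, None))                 # True: no location data
```

The `photo_may_sync` fallthrough is the caveat worth noting: a photo whose location data was stripped, or that was taken with camera location access denied, looks identical to one taken off site, so a geofence cannot be the only control on Photostream.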
Privacy Settings Management
One excellent feature included in iOS 6 is that iOS apps need permission to access potentially confidential iOS data like contacts, calendar events and data, reminders, photos, Bluetooth device sharing, and Twitter and Facebook accounts. These privacy settings are an extension of how Apple already manages access to location data. Making it possible for IT departments to pre-set or enforce access restrictions on this type of data would be a great enterprise feature, particularly if those restrictions can be done on an app-by-app basis.
AirPlay, Apple TVs, AirPrint, and Bonjour
Earlier this year, a number of IT professionals at colleges and universities petitioned Apple to update its Bonjour automatic network discovery protocol along with the related iOS technologies AirPlay and AirPrint. There were three parts to the complaint. First, the automatic discovery requests could bog down campus wireless networks. Second, the services can only discover resources on the same subnet as the device itself, which means the Wi-Fi network being used. Third, every device supporting AirPlay, AirPrint, or Bonjour will be discovered and presented to iOS users.
Apple and third parties could handle these issues in a couple of ways. One approach being taken by networking vendors is to build Bonjour data routing and management into enterprise Wi-Fi access points and other network hardware. Another would be allowing IT departments to disable these self-discovery features on iOS devices and/or providing tools to pre-configure access to these services so that only specific devices like office printers or Apple TVs installed in classrooms or conference rooms are presented to users – ideally with support for routing across subnets.
Advanced Network Options And Security
Finally, Apple can and should broaden the network management options that IT can set for iOS devices. Options for AirPlay, VPN, and corporate Wi-Fi access are good starting points, but many iOS devices connect to unsecured networks in coffee shops, libraries, hotels, and other places.
Beyond Wi-Fi, there are the cost issues associated with data roaming and LTE access. LTE poses a particular challenge because it makes it so easy for iPad users (and soon iPhone users as well) to blow through a data allowance in a short span of time.
There are also certain types of data that it may be ideal to limit or prevent altogether – access to Netflix over a corporate network for example or potential network-borne threats. Offering more network configuration options and even a true iOS firewall would be an excellent security addition and it would go a long way towards iOS becoming the dominant mobile platform in business as well as education.
Will Apple ultimately deliver any of these suggestions? Hoping for all might be too much to ask, but certainly some of them have real potential to appear in iOS 6 or later iOS revisions.