Managing iPhone with Apple’s Tools
Keeping iOS under Control in a Business Network
The latest release of Apple’s iOS mobile operating system, along with the iPhone 4 handset, makes the iPhone a much more business-friendly device. Along with the more obvious email features, and an ever-growing library of business-focused applications, there’s also support for many more policy-driven management features and improved device security.
Despite the improved range of business features, iPhones are still very much in the ‘bring your own device’ class. That’s an additional problem for anyone trying to manage one that’s connecting to a business network – it’s very easy for a user to quickly connect to Exchange ActiveSync, with Microsoft’s auto-configuration tools simplifying things perhaps a little too much. You can set up basic profiles in Exchange (especially in Exchange 2010), but for much finer-grained control you need to use Apple’s own device management tools.
The iPhone Configuration utility is still a free download from Apple’s Web site but it has had a significant makeover since we last looked at it. It lets you keep an inventory of all managed devices, along with details of the installed applications and the current deployed configuration profile. Configuration profiles are key to managing iPhones, as they’re how you define how a device will behave. You can create and deploy multiple configuration profiles, letting you use different profiles for different roles. It’s important to make sure that profiles are well defined, and are documented in any acceptable use policy – and that users are aware of what they entail.
Setting up an iPhone configuration profile is easy enough. While the Configuration Utility isn’t a wizard-driven tool, it presents various options in a series of control panel panes – familiar to anyone using either Windows or OS X. A library provides access to registered devices and to internally developed and third-party applications that can be deployed to iPhones and iPads that have been connected to a PC or Macintosh running the Configuration Utility.
The Configuration Profiles library is where you’ll create new management profiles for the iPhones connecting to your clients’ networks, building up a library of profiles for individual users, specific roles, and for departments. Profiles handle everything from managing device security, to pre-configuring email and VPN access.
The first menu item, General, describes what the profile is, and what it’s for. You’ll want to use this to document your profiles, especially if you’re supporting iPhones in more than one organisation. Each profile needs a unique identifier, and Apple recommends you use the familiar com.company.profile UID format. Using this approach, it’s simple enough to construct a naming hierarchy for your clients’ profiles. You can also use the General tab to control whether users can remove profiles once they’ve been deployed. We’d recommend using either the With Authentication or Never options – after all, there’s no point in crafting a security profile and then letting users uninstall it as soon as it becomes inconvenient.
Use the Passcode section to manage device passwords. iOS 4 adds a new encrypted filesystem to iPhone 3GS and iPhone 4 devices, with increased protection and better password management. It’s reasonably secure even with a simple four-digit passcode, and we’d recommend locking down devices at least this much. You can also manage the number of failed password attempts before a device is automatically wiped – something that will help ensure clients’ business information isn’t lost with a phone.
You can also lock down devices further, using Restrictions to prevent users from installing apps or using the camera (and to disable Apple’s FaceTime video conferencing tools). You can even enforce age ratings on apps, making sure that staff don’t have anything inappropriate on devices that may be seen by business partners or customers.
Profiles also make things easier for users, pre-loading devices with Wi-Fi SSIDs and passwords, as well as VPN configurations. You can define multiple Wi-Fi and VPN connections, as well as requiring users to use RSA SecurID tokens to connect to a VPN. Email can be pre-configured too, either using POP/IMAP connections or Exchange ActiveSync. You can set up usernames and passwords, or leave them blank for users to fill out on their first connection. There are also tools for configuring access to LDAP directory services and various forms of calendar server.
If you’re using a mobile device management tool, there’s now the ability to pre-configure service endpoints on a device – including setting the management URLs, and the ability for management tools to push messages to devices. You’re also able to ensure that management software gets remote access to device configurations, letting you push new profiles over the air, rather than having to deliver them by email.
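The General and Passcode choices described above are stored as keys in the exported .mobileconfig property list, so they can be checked before a profile is deployed. The following Python script is an added example, not part of the original article or of Apple’s tools: it audits an unsigned profile for the removal, identifier and passcode settings recommended here. The payload and key names are those of Apple’s configuration profile format; the sample profiles, UUIDs and the com.example identifier are constructed for illustration.

```python
import plistlib
import re

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # Passcode payload type
REMOVAL_PW = "com.apple.profileRemovalPassword"      # "With Authentication" payload

def audit_profile(data):
    """Return a list of findings for an unsigned .mobileconfig plist (bytes)."""
    profile = plistlib.loads(data)
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    findings = []
    # General: identifier should follow the com.company.profile hierarchy.
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+){2,}", profile.get("PayloadIdentifier", "")):
        findings.append("identifier is not in com.company.profile form")
    # General: removal should be Never or With Authentication.
    if not (profile.get("PayloadRemovalDisallowed") or REMOVAL_PW in payloads):
        findings.append("user can remove the profile without authentication")
    pc = payloads.get(PASSCODE)
    if pc is None:
        findings.append("no passcode payload")
    else:
        # Passcode: require one, at least four characters, with a wipe limit.
        if not pc.get("forcePIN"):
            findings.append("passcode is not required")
        if pc.get("minLength", 0) < 4:
            findings.append("minimum passcode length below 4")
        if "maxFailedAttempts" not in pc:
            findings.append("no wipe after failed passcode attempts")
    return findings

def sample(identifier, locked, passcode):
    """Build a constructed sample profile (not exported from a real device)."""
    content = []
    if passcode is not None:
        content.append({"PayloadType": PASSCODE, "PayloadVersion": 1,
                        "PayloadIdentifier": identifier + ".passcode",
                        "PayloadUUID": "00000000-0000-0000-0000-000000000002", **passcode})
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": identifier, "PayloadDisplayName": "Sample",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadRemovalDisallowed": locked, "PayloadContent": content})

WEAK = sample("profile1", False, None)
HARDENED = sample("com.example.sales", True,
                  {"forcePIN": True, "minLength": 4, "maxFailedAttempts": 10})

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_profile(blob))
```

Profiles that have been signed or encrypted on export are wrapped in a CMS envelope and must be unwrapped before `plistlib` can read them.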
iPhone in Business
Apple rounds up details of iPhone’s business features and configuration tools:
iPhone Support: Enterprise
Apple’s iPhone support site for business users. Slightly out of date, but a good place to start:
Volume 1, Ed 1