iOS devices at work…manageability

Going hand-in-hand with security is asset management, or mobile device management (MDM). MDM is instrumental to security: delivering and updating security profiles, remotely wiping and/or locking devices, clearing passcodes, etc. MDM goes well beyond security, however. It is critical to the efficient and effective everyday administration of iOS devices, ensuring they comply with general company policies and that the latest company Apps are available. As with security, MDM involves much more than the devices themselves. MDM policies and practices are equally important, if not more so. Policies cover everything from the company systems and accounts that iOS devices will be allowed to connect with (VPN, WIFI, LDAP, CalDAV, IMAP/POP email, etc.) to any restrictions once connected, e.g. restricted use of Camera, Screen capture, In-App purchasing, YouTube, Safari, etc. The type and number of policies established, combined with the number of devices managed, determine the practices needed to administer and assure those policies. The practices could range from very manual to fully automated. A small number of devices with minimal to moderate policies to enforce might warrant a largely manual device management process.

Whether mostly manual or fully automated, two management tools from Apple help with the effort. These are the iPhone Configuration Utility and the online iOS Provisioning Portal, which is available to registered Apple developers. These tools provide the ability to create and install on iOS devices configuration profiles, provisioning profiles and in-house developed or company sanctioned Apps. Configuration profiles are created using the iPhone Configuration Utility. A configuration profile can consist of any combination of settings, including security policies and restrictions, VPN configuration information, WIFI settings, e-mail and calendar accounts and authentication credentials. Once created, a configuration profile can be installed on an iDevice in one of four ways. First, the iDevice can be connected by USB cable to the computer running the iPhone Configuration Utility software and the configuration profile installed in very much the same manner as performing a ‘sync’ using iTunes. Second, the configuration profile can be e-mailed to the iDevice as an attachment and then installed by tapping on the attachment. Third, the configuration profile can be placed on a website, with the link to the website sent via e-mail or SMS, allowing the profile to be downloaded and installed through Safari. Finally, the configuration profile can be installed over-the-air through the use of an MDM server, either one developed in-house or one from a third party. There is no shortage of third-party MDM solutions available, the most notable being JAMF, MobileIron, Sybase Afaria, Zenprise and Air Watch. Many, if not all, of these MDM solutions are capable of managing multiple device types, including BlackBerry and Android, and their capabilities go well beyond the routine tasks of creating and distributing configuration and provisioning profiles and Apps. They provide other management functions such as remote wiping, remote locking, automated inventory, usage tracking and audit trails. Their capabilities are top-notch and truly are essential for large organizations with hundreds, if not thousands, of mobile devices to manage. For smaller organizations, the more ‘manual’ approaches to distributing configuration profiles are suitable.
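For the manual distribution routes (USB, e-mail attachment, web link), it helps to check a profile against the written policy before it goes out. The script below is an added example, not part of the original post or any Apple tool: it reads an unsigned configuration profile (an XML property list) and reports where its Restrictions payload falls short. The sample profile, its identifiers and the `POLICY` table are constructed for illustration, and a signed profile would need its signature wrapper removed first.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # PayloadType of the Restrictions payload

# Constructed sample profile; identifiers and UUIDs are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.baseline",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Example baseline",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.baseline.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowCamera": False,
        "allowScreenShot": True,
        "allowInAppPurchases": False,
        "allowSafari": True,
    }],
})

# Hypothetical company policy: restriction key -> value the profile must set.
POLICY = {
    "allowCamera": False,
    "allowScreenShot": False,
    "allowInAppPurchases": False,
    "allowYouTube": False,
}

def audit_restrictions(profile_bytes, policy):
    """Return sorted (key, actual, required) tuples for every policy miss."""
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    effective = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS:
            effective.update(payload)
    # Assumption: an allow* key the profile omits leaves the feature allowed.
    return [(key, effective.get(key, True), required)
            for key, required in sorted(policy.items())
            if effective.get(key, True) != required]

if __name__ == "__main__":
    for key, actual, required in audit_restrictions(SAMPLE_PROFILE, POLICY):
        print(f"{key}: profile gives {actual}, policy requires {required}")
```
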

A provisioning profile allows for in-house developed Apps or company sanctioned Apps to be installed on designated iOS devices, be that through or outside the App Store. Provisioning profiles are created using the online iOS Provisioning Portal available to registered Apple developers. The provisioning profile can be created by ‘direct-entry’ or by using the Development Provisioning Assistant, which guides the creation process. Once created, the provisioning profile can be associated with any number of in-house developed or company sanctioned Apps. The provisioning profile and App(s) can then be installed using any of the mechanisms described above for installing a configuration profile. A number of niche, over-the-air solutions that install only provisioning profiles and Apps are sprouting up. Test Flight is one example. For those not in need of over-the-air provisioning, a small number of third-party solutions are available for bulk, multi-device syncing and charging. These are great for classroom settings and service-based organizations such as clinics or restaurants that might loan iOS devices. The two most notable solutions in this category are from Bretford and Parat Solutions.


One comment

  • Appreciating the commitment you put into your site and in depth information you
    offer. It’s nice to come across a blog every
    once in a while that isn’t the same old rehashed material.
    Wonderful read! I’ve saved your site and I’m including your RSS feeds to my Google account.
