This Wednesday, Dave and I demoed managing iPad devices from an enterprise perspective. In this blogpost, I’ll go over the contents of that session and show you how to achieve centralized management of iPads ((but also including other iOS devices, like iPhones and iPods), without breaking a sweat.
First, let me quickly outline the four management scenarios available:
- The iPhone Configuration Utility and iOS Configuration Profiles
- Corporate App Store
- Exchange ActiveSync, Remote Wipe and ActiveSync Policies
- Mobile Device Management (MDM)
These scenarios can also be combined to control the residual state of the device after more elaborate management functionality is removed. For instance: ActiveSync Policies and Configuration Profiles can be combined so when the Exchange account is removed, the settings from the Configuration Policies still apply.
Before you can deploy management scenarios to iOS devices, several key actions need to be performed:
Initial iTunes activation of iOS devices is still needed in all the above scenarios. the iPad or iPhone need to be connected to a computer running iTunes. The latest version of iTunes is recommended, but you will need at least version 10.1. This computer needs to run at least Windows XP with Service Pack 2 (or Mac OS X version 10.5) and be connected to the Internet. You can put iTunes in Activation-only Mode, to avoid being asked about synchronization options. This will save considerable time when you need to activate hundreds of devices.
Updating to the latest and greatest iOS
Before handing iOS devices to your colleagues, make sure they are updated with the latest version of iOS, but be sure to wait a couple of weeks after launch before upgrading to a new major release. Apple releases new versions of iOS regularly adding new functionality, but also fixing bugs. iOS updating can only be performed through iTunes.
Jailbreaking devices gets you rid of the initial activation burden, but might be more work per device. You might want to performs jailbreaks when you have needs beyond the default Apple functionality, but with every new iOS version, you will need a new per-device jailbreak to maintain this functionality.
iTunes Parental Controls
For corporate installations of iTunes, several settings can be centrally configured through the Parental Controls functionality in the Windows registry. Although the feature doesn’t sound like an enterprise feature, it sure helps to manage iTunes installations. Using AdminFlags, an administrator can lockdown the iTunes installation. Using UserFlags, an administrator can push preferred settings that can be changed by the end-user.
No Administrative Templates (*.adm or *.admx files) are currently available, but you can use Group Policy Preferences to deploy the necessary registry values.
Each colleague with an iOS device needs an Apple ID to be able to use the iOS App Store. These accounts do not need a credit card associated to them, but you might want to consider associating a company credit card when rolling out business apps from the App Store (like RoamBI).
iOS Configuration Profiles
The first management method is using iOS Configuration Profiles.
Configuration profiles are XML files that contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iOS devices to work with your enterprise systems. Configuration profiles quickly load settings and authorization information onto a device. Some VPN and Wi-FI settings can be set only by using a configuration profile, and if you’re not using Microsoft Exchange, you need to use a configuration profile to set device passcode policies.
These profiles can be created and edited using the iPhone Configuration Utility. This program is available for both Windows (requires at least Windows XP with Service Pack 3 and .Net Framework 3.5.1) and Mac OS X (requires Mac OS X 10.6).
With this utility, an administrator can create configuration profiles. These configuration profiles may include the following payloads:
- General settings
These basic settings contain the name of the profile, but also the security setting. Per configuration profile you can set whether the policy can be removed by the end-user. You can also specify a PIN to be able to remove it, but only with authorization.
- Passcode settings
You can specify whether a passcode is required in order to use the device, and specify characteristics of the passcode and how often it must be changed. This is also the place to configure how many password attempts will unavoidable wipe the device.
- Restrictions settings
You can use device restrictions and application restrictions. For instance, you can restrict the use of the camera, but also the corresponding applications like FaceTime, PhotoBooth and Camera. You can also granularly disallow screen capture, the App Store, in-app purchases, YouTube, Safari and set roaming settings.
- Wi-Fi settings
When your company uses a wireless network, an iOS device can be preconfigured with the service set identifier (SSID) and password, along with other information like the security type (WEP, WPA, WPA2 are all supported) and whether the SSID is broadcasted.
- VPN settings
When your company is using Virtual Private Networking (VPN) you can enable an iOS device to use it. The VPN connection can be Cisco SSL VPN, L2TP/IPSec and PPTP-based. Optionally the VPN connection can use RSA SecurID for authentication.
- E-mail, address lists, and calendar and Microsoft Exchange settings
Pre-configuring iPads with information on ActiveSync, IMAP4 and POP3 mailboxes. For non-Exchange environments, LDAPv3 server information can be configured for lookups. Also CalDAV can be configured for server-based calendar functionality. Since you might not want passwords and usernames for these accounts in the profile, you can omit these. Colleagues are then asked to enter the omitted information when they access the account for the first time.
- Web Clip settings
Web Clips can be used within iOS to access functionality in a restricted way. For instance, a corporate app store or the support telephone number can be added to the home screen on the iOS device of your colleagues. Web Clips pointing to URLs can still be used after Safari has been disabled through restriction policies.
Use the Credentials settings payload to add certificates and identities to the device. These settings are especially useful to add non-trusted root certification authorities.
- Simple Certificate Enrollment Protocol (SCEP) settings
Just like a router, an iOS device can enroll for certificates using Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc. This way, an iOS device can obtain certificates through the Network Device Enrollment Service (NDES) within Active Directory Certificate Services. (ADCS) on Enterprise and Datacenter editions of Windows Server 2008 and Windows Server 2008 R2.
- Mobile Device Management settings
An iOS device can be pointed to a Mobile Device Management (MDM) server. These settings allow such a server to manage the device over-the-air.
- Network settings
Under Advanced, several settings exist to control the cell provider and its mobile data information, like proxy server and proxy server port. Under normal circumstances you should not need to change these settings.
After you make a configuration profile you can get it onto an iPad or iPhone in the following ways:
- Directly through USB by connecting the device to the computer running the iPhone Configuration Utility. This option also allows you to install apps immediately.
- Share the configuration profile (*.Mobileconfig file) through e-mail
- Export the configuration profile and place it on a (private) web server
- Use a Mobile Device Management (MDM) solution to distribute profiles (only after you’ve distributed a configuration profile containing the MDM settings earlier)
Corporate App Store
If you’re solely interested in distributing Apps to your colleagues, a corporate App Store might be more your thing. Corporate App Stores exist next to the Apple App Store and are designed to contain custom-signed organization-specific IT-approved Apps.
To create a Corporate App Store your company will need to sign up with the Apple Developer Enterprise program. ($299 annual fee). Membership in this program allows you to distribute your proprietary, in-house iOS apps to employees or members of your organization. You can also securely host and wirelessly distribute or update in-house apps to employees, keeping them current anywhere, anytime.
Using Apple’s XCode (integrated development environment (IDE), application installers consist of three files: a *provisionprofile, *.plist and *.ipa file. Colleagues can be pointed to the files. Once they click them, the application gets installed. The most common way to do this is by setting up a webserver using Internet Information Services (IIS), for example that Microsoft Exchange Server you have standing over there…
Alternatively you can use a service like testflightapp.com.
Speaking of Microsoft Exchange; Since Apple licensed ActiveSync for iOS, ActiveSync Profiles can be used to manage iOS devices connected to an Exchange Server.
Of course, running the latest version of Exchange Server avoids certain compatibility problems. Also, using Exchange Server 2010 with Service Pack 1, allows Exchange administrators to change ActiveSync profiles using Outlook Web App:
This functionality is useful, since it also allows system administrators to iOS devices through ActiveSync from Safari on Mac OS X.
Both administrators and end-users have the ability by default to instantaneously remote wipe their connected devices through Outlook Web App. A message is sent to the inbox of the end-user by default to inform him or her of the remote wipe command. The message is a default message, but may be altered through the Exchange Management Shell.
Besides Remote Wipe functionality, Microsoft Exchange Server, through its ActiveSync profiles, can be used to apply the following settings to iOS devices on a per device basis:
- Device password policies
You can specify whether a password is required in order to use the device, and specify characteristics of the password, how often it must be changed and how long the device may be inactive before locking. You can configure how many password attempts will unavoidable wipe the device. Unique to Exchange ActiveSync is the ability to recover the password for the device through Outlook Web App, if you enable it here.
- Device encryption policies
While device encryption policies may be interesting in ActiveSync policies for other devices, these policies don’t apply to iOS devices, since these devices already encrypt the entire contents of their hard drives by default.
- Device restriction policies
Using Exchange Server you can disable the camera on iPods, iPhones and iPad2s. When disabling the camera on an iPad2, you’re basically reducing its functionality to an iPad1, which might be helpful in some change management scenarios.
By default the ‘Default (default)’ ActiveSync policy applies to all ActiveSync-enabled devices. You can create your own ActiveSync profiles and apply them to all users, by making your policy the default policy or to certain users (read:mailboxes) only.
Device Access Rules
Another option you might want to explore is to block or quarantine certain device families from using Exchange ActiveSync. Blocking devices may be interesting if your organization is testing the scalability of the Exchange environment with a limited amount of devices. Quarantining is useful when your organization has a need to only allow approved iPads to be used to synchronize with Exchange Server. More information on the Allow/Block/Quarantine list can be found here.
For troubleshooting purposes, an Exchange admin can enable logging for the server. Through Outlook Web App, both the admin and the end-user can get access to the log information. The end-user accesses the information through a standardized message. The admin uses the Exchange Management Shell.
Mobile Device Management
Mobile Device Management (MDM) solutions are top of the bill in both functionality as in price. Management capabilities found in MDM solutions include (but are not limited to):
- Management of many families of devices
While this post primarily focuses on centrally managing iOS devices, many Mobile Device Management solutions offer management of BlackBerry, Android too. Some are even capable of managing Windows Phone 7. With granular targeting of profiles, different devices can receive different settings.
- Jailbreak detection
When the corporate policy is not to allow jailbroken devices, using jailbreak detection allows you to filter out these unwanted devices.
- Granular Wipe
While MobileMe, Exchange Server and other solutions only offer complete wipe functionality (by destroying the encryption keys for the entire device, and thus resetting it to factory defaults), Mobile Device Management solutions offer the capability to granularly wipe certain parts of the configuration and/or documents.
- Apple Push Notification Service
While ActiveSync policy changes rely on the device syncing with the server, Mobile Device Management solutions rely on the Apple Push Notification Service to get tailored configuration profiles to devices instantaneously. This ensures policy changes are implemented as fast as remote wipe commands and don’t rely on the next synchronization cycle.
- Active Directory integration
Assigning profiles and applications, based on Active Directory group membership or other Active Directory attributes, results in a more robust, scalable, integrated and comprehensible mobile device management solution.
Currently over 70 MDM solutions exist to manage iOS devices. In its Magic Quadrant for Mobile Device Management Software (April 2011) Gartner filtered out the good suppliers for you and placed them in the Magic Quadrant. Be aware, however, good mobile device management starts at $70 per device.
System Center Configuration Manager 2012
In 2012, Microsoft will introduce the new version of System Center Configuration Manager, with built-in iOS Mobile Device Management. Microsoft already has a System Center Mobile Device Manager product today, but it can only be used to manage Windows Mobile devices.
Four management scenarios exist to centrally manage iPads, iPhones and iPods, Depending on the needs of your organization one scenario or multiple scenarios can be used.
As this blogpost shows, centrally managing iPads is childishly simple.
The table below shows key management capabilities per management scenario:
iTunes: Turning on Activation-only Mode
Windows OS Managed Client: How to manage iTunes control features
Exchange ActiveSync Client Comparison Table
Gartner Magic Quadrant for Mobile Device Management Software (April 2011)
iPad, iPhone Challenge Management Orthodoxy
Securing the iPad in the Business
iPad Enterprise Users: Some Safety Tips