Complete breakdown and analysis of Apple's new iOS 7 mobile operating system and what it means for Enterprise, Education, and Government
With iOS 7 Apple has taken their existing support for Enterprise, Education, and Government to the next level, adding even more functionality and better iPhone and iPad device management. This follows years of Apple adding more and more features that allow IT administrators to have more control over iOS devices. iOS obeys all Exchange ActiveSync policies plus it can be further controlled and configured via iOS Configuration Profiles that allow administrators to pre-setup connections to your company’s email system for example, or to pre-setup connections to your company’s secure Wi-Fi networks, but also restrict the device in many ways including preventing access to the iTunes App Store, or the Safari browser. These are just two examples but the list is quite long.
This has always made iOS devices much more attractive in the enterprise and other platforms like Android have not been adopted because of their lack of support of all ActiveSync policies, but also because there are no ways of restricting apps or pre-setting up things like email or Wi-Fi, amongst other things.
iOS has also provided what are called Mobile Device Management (MDM) Application Programming Interfaces (APIs) that allow MDM vendors like Air-Watch or MobileIron (to name just two) to securely query and control iOS devices.
Lets take a look at the new management features found in iOS 7.
In iOS 6, through the use of MDM APIs you could:
With iOS 7 the following has been added:
In previous version of iOS, apps written by the same vendor could share login information allowing a user to login only once into one of the apps, and then be automatically logged into other apps by the same vendor.
In iOS 7, this can now be done for any app. This means that via MDM, an IT administrator can allow one or more apps to share a common set of login credentials. This is not restricted to apps built by the same vendor, but any apps that the IT administrator assigns.
SSO supports a group of apps, and a group of URL prefixes. Supporting URL prefixes allows an enterprise to tell an iOS device that if the user (or an app) browses to a URL that starts with a common phrase (e.g. https://iMore.com/thisisprivate) then the SSO information must be passed to the web server.
Today an enterprise can make volume purchases of an app using a special VPP portal. Once an app is purchased, the enterprise is provided with codes that allow the app to be installed on multiple devices (one code per device). MDM vendors try and make this a bit easier by managing the code assignments and revocations themselves but remember that since an app cannot be uninstalled remotely, revoking the code just means that the app is now not legally allowed to be on a device.
In iOS 7, codes have been replaced by licenses. MDM vendors have been given new APIs to interact with a companies VPP portal and manage the installing and revoking of apps. When an app is revoked, the user is notified that they have 30 days to purchase the app themselves. If they don’t, the app will simply stop opening after 30 days making it useless.
IT Administrators can purchase volume licenses for apps and books.
Today on an IOS device, the IT administrator can pre-configure a VPN so that when you start up apps that need access to company data, the VPN provides that secure tunnel into the organization. The problem with this approach is that the VPN is available to any app on the device. This allows personal and private data to be sent via your company’s network (which normally means that the apps will break because the company blocks many sites that are considered personal) which could expose your companies data to a rogue app.
￼ In iOS 7, an IT administrator can specify a VPN per app. This means that only the apps that are provided by your company, and need company data, will start and use the VPN connection. Apps that are personal will simply connect to the Internet as they normally do. Apps managed and installed by your company are pre-configured at installation time to use a specific VPN connection. This approach is by far more desirable than the current iOS 6 approach.
On all versions of iOS, including iOS 7, an app developer can choose to use one of three encryption classes for the files their app writes.
The encryption used by devices running iOS 6 and later have the US government’s very stringent FIPS-140-2 certification which not only means that the encryption is excellent, but it means that iOS devices are able to be sold into the US government.
In iOS 7, this remains the same however any new apps that are installed will automatically be assigned to the Complete with Authorization class so that after a device reboot, the data will remain encrypted on the device until the device password is entered.
The encryption classes mentioned above also apply to items in the Keychain and in iOS 7 you are now able to set a new attribute which prevents Keychain secrets from being backed up from one iOS device and restored onto another one. This ensures that the Keychain secrets will only ever be revealed on one iOS device.
Apple TVs are so cheap at $99 that they are ideal for classrooms and conference rooms. Using AirPlay, teachers in classrooms, or presenters in conference rooms can easily do screen mirroring from their iOS or OSX devices, or simply stream PowerPoint presentations or videos from their devices to the Apple TV. In iOS 7 (running on your Apple TV), IT administrators via the use of their MDM system, will now be able to enroll and control Apple TVs.
Using the MDM system, IT administrators will be able to do things like set the language and locale as well as pre-setting up 802.1X payloads for secure network access.
In iOS 7, an IT administrator can, via an MDM system, pre-setup iOS devices to start mirroring to a specific Apple TV, and also setup Apple TV whitelists and Apple TV passwords.
Apple has added a much improved and streamlined method for enrolling company provided iOS devices (that is devices a company purchases and provides to their employees). This new enrollment method is not for Bring Your Own Device (BYOD)
It is a two-step process.
￼ The architecture of this new enrollment mechanism is as follows.
You’ll notice from this architecture diagram that the MDM solution you use will be able to interact with the new Apple Enrollment service and your iOS and Mac devices to provide this automatic enrollment.
AirPrint is a print protocol that allows for seamless and driverless printing from iOS and OSX devices. AirPrint printers (of which there are a lot – here's the list) are available to iOS and OSX devices via Wi-Fi and Ethernet connections, but in the future also via USB. The Bonjour protocol is used to find them but AirPrint printers can also be added to a company’s Domain Name Server (DNS) as static printers and the iOS or OSX device is able to query DNS to find AirPrint printers.
AirPrint also supports IPPS (Secure IPP with TLS) for those worried about someone sniffing the contents of a print job going to an AirPrint printer.
￼ In iOS 7, via an MDM system, an administrator can pre-define AirPrint printers to iOS devices.
AirPrint has also added a few new classes of printers of interest to the enterprise that include Roll Fed printers, enterprise class laser printers, label printers, and Dye-sub photo printers.
Later this year certain consumer and enterprise print server manufacturers will be adding support for AirPrint which means that using AirPrint, iOS and OSX users will be able to print to any printer (no matter if it support AirPrint or not) attached to one of these print servers.
One anecdote about developing apps that you want to support AirPrint in, XCode includes a printer simulator that makes seeing your app’s output very easy, certainly easier and cheaper than printing to a real printer.
Multipeer connectivity is a new feature in iOS 7 that allows many iOS 7 and higher devices to communicate with each other over Bluetooth, Infrastructure Wi-Fi, and Peer to Peer Wi-Fi. Once connected devices can send message type data or stream data between devices.
￼ Since the process of connecting devices has been abstracted from the developer, it makes writing apps to support this technology very easy, in fact down to the point where the framework will use multiple radios to ensure that all device can communicate with one another no matter which radios each one may have enabled.
There is much more to read about Multipeer connectivity but I wanted to point out that this technology supports authentication and data encryption. This makes is possible for enterprises to make use of it since connections can be forced to be authenticated and the data is encrypted.
iOS has for a while now, allowed certain apps (like GPS, VoIP, and streaming audio apps) to run in the background, but all other apps go to sleep and are paused once the user switches to another app or the device goes to sleep.
In iOS 7, any app can run in the background but in a manner that is conscious of battery life. You can read more on how iOS 7 handles multitasking but in the enterprise space this allows apps to be more up to date and new content available to the user before they switch to the app.
iOS 7 is now a full 64 bit mobile operating system which provides short and long-term gains. In the short term it means a performance boost for the iPhone running on the Apple A7 chipset, as long as all apps running on it are 64 bit. This is because the 64-bit CPU provides twice as many integer and floating-point registers as the previous 32-bit CPUs allowing 64-bit apps to work with more data at once for improved performance.
Core iOS apps will ship as 64-bit apps of course.
Number crunching and working with more data at once will allow companies to create better number-crunching apps like financial dashboards, but also graphics intensive apps.
Touch ID is fingerprint ID sensor on the iPhone 5s that handles biometric authentication and authorization via a reader on the Home button and a secure enclave on the Apple A7 chipset. The Touch ID system is completely secure, and returns a simple yes/no response to iOS 7, which will then unlock or authorize a transaction. One of the biggest corporate hurdle is end-point security. Ask any Risk Management officer at a company what keeps him up at night and he or she will tell you that it is weak passwords.
Sure you can make your users enter 10 character alphanumeric passwords with special characters because it provides greater security, but you will likely be overruled by other company officers who want to make it easier to enter and remember those passwords. This ultimately leads to a compromise that makes the end-points unsafe.
Using your fingerprint to unlock your iPhone in a one-step motion will make Rick Managers happy, and your iPhone more secure.
There are additional MDM features in iOS 7 that don’t fit into the above categories
This feature allows an IT administrator to prevent an iOS user from making changes to or removing accounts on the device. This prevents a user from tampering or removing a corporate account, for example to connect to Exchange.
This feature allows an administrator to control which devices an iOS 7 device can pair with. In iOS 6 and below, pairing was uncontrolled.
No information was provided about the restrictions and queries below so I am just listing them for completeness, however many are self-explanatory.
Since iOS 4, Apple has been catering to the enterprise, government, and education space through the implementation of hardware file system encryption and the plethora of MDM controls that can be used to tightly control iOS devices.
iOS 7 has made the case for iOS in Enterprise, Education, and Government stronger. Even if Apple’s primary audience is the consumer, it has been quietly supporting the enterprise in a big way which is the reason we see much more iOS than Android in the enterprise space.