When Apple’s iPhone 5 went on sale less than two weeks ago, IT administrators braced themselves for the onslaught of these new devices coming into the enterprise. It’s not all bad news for the IT department, though, as some of the new features can be centrally managed, security experts say.
However, administrators still have to make sure their mobile policies are up-to-date and take the time to understand how the new iOS 6 features and applications would affect the organization. Risky applications and features from previous versions haven’t gone away, such as the fact that iCloud can put copies of sensitive company documents on Apple servers. Organizations should be assessing new features and figuring out what should be blocked and making sure existing mobile device management policies are still relevant.
“Day zero support is critical to BYOD initiatives,” agreed Josh Lambert, senior product manager at Fiberlink.
Considering how frequently devices are being released, the mobile device management should be able to support new devices without waiting for the IT department to get around upgrading or changing configuration settings, Dabbiere said.
Administrators need to ask how the “new consumer features play into the existing enterprise strategy,” Horacio Zambrano, senior director of product marketing at Mocana, told SecurityWeek.
The biggest security-related implications of the news features introduced in iOS 6 are consumer-facing issues, Zambrano said. New features such as Passbook stores more personal data than ever, apps can update or load itself without requiring a password, and users can now remotely lock and display a message alert on a lost device.
However, it’s not clear how the new “Lost” mode for remotely locking the device will work with existing remote wipe capabilities and PIN resets available through corporate mobile device management platforms, Zambrano said. Enterprises need to investigate to make sure their MDM policies still work in light of new features, or if they are out-dated, to quickly define new ones.
It’s also not clear at this point in the process how MDMs can ensure app integrity during updates now that passwords are not required, Zambrano said.
At least Apple is beginning to think about the enterprise, as evidenced by the company’s recent IT-friendly moves to “ease management and ensure security” of corporate data, Lambert told SecurityWeek. By adding a new step to the device provisioning process, Apple now allows IT to centrally manage iMessage via MDM, for example. Along with iCloud, Passbook and Photo Stream sharing can also be turned off, or blocked, by the administrator. It’s not yet clear how enterprises will view the tighter integration with Facebook, Lambert said.
Organizations “in the most highly regulated industries,” such as financial services, are more likely to block iMessage since there are strict rules on over how SMS and instant messaging tools are used, Lambert said.
It’s not just about turning off services, either. Features like time limited profiles, kiosk mode, and global proxy offer intriguing possibilities for enterprises, Lambert said.
Apple introduced “kiosk mode” or single-app mode with the iOS 6. With this feature, organizations can configure the iOS device to run only a single application and restrict users from modifying that application. Retail, healthcare, and education customers would be able to use this feature to lock down the iPad from unauthorized use, Lambert said.
For IT administrators who set up a single Internet proxy server within the corporate network to manage inbound and outbound connections, iOS devices was a challenge because there was no way to force that mobile traffic over the proxy, Lambert noted. The new global proxy in iOS 6 finally gives IT administrators that capability, which would be useful for organizations who want to filter traffic based on certain policies, he said.
Time-limited profiles are very “promising,” especially for managing devices belonging to contractors and other temporary workers, Lambert said. IT departments can setup and distribute corporate profiles to managed devices, and be set to expire after a set-time, even if the device is not online.
Administrators can also push out a common theme for wallpapers and locked screens on all managed devices, Lambert said. He suggested having standard messaging indicating where to return lost devices or display a reminder the information stored on the device is confidential.