One of the biggest challenges IT faces with MDM is getting and keeping devices enrolled. As long as Apple and Google continue to cater their mobile OSes to the consumer market, IT will need to find ways to keep devices secure, and secure means under management. If the recent battle between the FBI and Apple teaches us anything, it should serve as a warning to IT departments everywhere to make sure their devices are truly managed with some form of MDM.
Chances are you tuned in to Apple’s Worldwide Developer Conference earlier today. Apple CEO Tim Cook and a host of presenters, including two females for the first time ever, tackled improvements to everything from OS X, iOS and Watch OS to Metal, Apple Pay, Notes, iPad, Swift, Apple Music and more.
Today, Apple announced the next version of OS X, El Capitan, as well as iOS 9. With that announcement, users got a glimpse of more productivity enhancements coming their way. With El Capitan, Apple has made enhancements to Mail and Notes to provide better integration with Calendar and present a more Evernote-like experience in Notes. Look for more Mac users to push for using the native apps instead of Outlook. By bringing its graphics rendering engine, Metal, to OS X, more and more graphic-intensive apps, such as those by Autodesk, are coming to the Mac. With more apps coming to OS X, and more productivity enhancements, the Mac's growth curve in the enterprise will likely only get steeper.
As iOS has grown up, it has evolved from being just a great OS for playing games and listening to music into a wonderful productivity tool as well. At first, iPhones and iPads were shunned a bit in the enterprise, but now they grace the desks of many executives in every type of business. But, despite the broad adoption (and broad appeal) of Apple’s mobile devices and OS, companies have had to deal with a mobile platform that has been designed, from the ground up, to be a personal-first platform. From the sleek lines of the iPad Air and its fantastic built-in camera, to the simplicity and fluidity of the interface, these devices appeal to users on a personal level. Indeed, if it weren’t for the strong demand that individuals have shown for this platform, their growth in the enterprise would probably never have happened at all.
Arguably, it is this strong connection to these devices that has spawned such innovation on the platform–leading to a boon in mobile productivity. Now users, particularly young users who have spent much of their career with a powerful mobile device in-hand, would rather lose their keys or even their wallet than go without their phone. But therein lies the problem for IT. With so much productivity “happening” on mobile devices–and mobile devices being what they are: mobile–how can corporate data be secured? Why bother patching a user’s PC if the same spreadsheet is sitting on their phone, perhaps accidentally abandoned at the corner coffee shop?
When companies start to investigate and roll out MDM solutions in an attempt to secure iOS devices (and, in turn, secure the data), one by one, they all come to the same realization: First, unless IT has physical access to the device, they are reliant on end users to enroll the devices. And second (and possibly more importantly), users can delete the MDM profile that’s been installed on “their” device at any point, without any special permission from IT. Remember, Apple has purposefully designed iOS to be a personal-first platform.
While this might work if a company has a BYOD (Bring Your Own Device) policy in place, most companies are still buying these devices (corporate owned, personally enabled or COPE).
Enter Apple’s Device Enrollment Program (DEP). This is aimed squarely at giving control over security of corporate-owned devices back to IT.
One of the most powerful features of this program is the ability it gives IT to put a device in what is called “supervised” mode over-the-air. While supervised mode has been available for some time, prior to DEP it meant someone (in this case: IT) had to physically plug an iOS device into a Mac running Apple Configurator and set it to be supervised. A corporation registered through DEP can have all their iOS devices shipped with their MDM profile so that, out-of-the-box, an iOS device will automatically enroll itself in MDM.
What does supervised mode give to a company? In a nutshell, almost complete control over a device. Granted, iOS has allowed MDMs the ability to set restrictions on features and functionality for some time now. What supervised mode adds is the ability to lock an MDM profile to a device–even after a wipe. For the first time in iOS’s glorious history, though a user can still enjoy all the benefits of a personal-first OS, a company can now relax knowing that, in reality, any particular corporate-owned device is now security-first and corporate policy-first.
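As an added example (not code from Apple or from the original post), here is one way to audit DEP enrollment profiles for the two gaps described above: enrollment the user can skip and an MDM profile the user can remove. The key names and defaults are those of Apple's DEP profile definition; the profile names and the `mdm.example.com` URL are constructed sample data.

```python
"""Audit DEP enrollment profiles for settings that let a user escape MDM."""

# Defaults Apple applies when a key is absent from the profile definition.
# Note that every default is the permissive choice.
DEP_DEFAULTS = {
    "is_supervised": False,
    "is_mandatory": False,
    "is_mdm_removable": True,
}

# Constructed sample profiles (not taken from any real deployment).
SAMPLE_PROFILES = [
    {"profile_name": "Corp iPads (locked)", "url": "https://mdm.example.com/enroll",
     "is_supervised": True, "is_mandatory": True, "is_mdm_removable": False},
    {"profile_name": "Sales iPhones", "url": "https://mdm.example.com/enroll",
     "is_supervised": True},
    {"profile_name": "Pilot group", "url": "https://mdm.example.com/enroll",
     "is_mandatory": True, "is_mdm_removable": False},
]


def audit_profile(profile):
    """Return a list of findings for one DEP profile dict."""
    # Resolve effective values so a missing key is judged by its default.
    eff = {key: profile.get(key, default) for key, default in DEP_DEFAULTS.items()}
    findings = []
    if not eff["is_supervised"]:
        findings.append("device is not supervised")
    if not eff["is_mandatory"]:
        findings.append("user can skip MDM enrollment in Setup Assistant")
    if eff["is_mdm_removable"]:
        findings.append("user can remove the MDM profile")
    elif not eff["is_supervised"]:
        # Apple's documentation says to set is_supervised before locking the payload.
        findings.append("is_mdm_removable=false set without is_supervised=true")
    return findings


def audit_all(profiles):
    """Map each profile name to its findings (empty list means locked down)."""
    return {p.get("profile_name", "<unnamed>"): audit_profile(p) for p in profiles}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PROFILES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The "Sales iPhones" profile shows why the defaults matter: setting only `is_supervised` still leaves enrollment skippable and the MDM profile removable.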
More information on DEP (including registering your company) can be found here <https://www.apple.com/education/it/dep/>.
Now that iOS is no longer looked upon with disdain from the collective eyes of corporations, some of the frustrations of working (or “working”–as my Android-carrying co-workers might say) with, and on, iOS devices have bubbled to the surface. The most common workaround has been, of course, to set down my phone and turn to my computer. (Even on OS X, I can check to see if the meeting I’m scheduling will conflict with others’ calendars.) But if Tim Cook can run his entire work day from the comfort of his iPad, why can’t the rest of us?
As it turns out, Apple has not turned a blind eye to the enterprise, and this has crystallized even more with iOS 8. While some of the changes are very user-centric (that is, to provide productivity gains for the end users), other enhancements have been designed with the aim of empowering IT and securing the data on the device.
1. End-user Productivity
Nothing has made smartphones more valuable to modern corporations than PIM (to resurrect an old term). If it weren’t for real-time calendar, contacts and email access, the iPhone would still be a combination phone and iPod. For my productivity, leaving my computer at work when I go home has a small impact. When I check my calendar, and schedule my day, it is my iPhone, not my computer, that I turn to. My computer is often muted. Even if it alerts me to meetings and email, it is certainly not always on, nor always with my iPhone. With iOS 8, Apple is addressing some of the most egregious gaps in how I manage my time and communication.
Despite the fact that many people I work with haven’t learned how to use this feature in Outlook yet (it’s only been, what, 15 years since this feature was added?), Apple has added the ability to do a busy search in Calendar. In other words, I can now schedule meetings from my iOS device with confidence that I can see if I’m scheduling it on top of someone else’s meeting or not. With this addition, I’m not sure there will be any reason to turn to Outlook for my calendaring needs.
One of the fastest ways to ruin your vacation is to forget to turn on your out-of-office auto-reply in Outlook before leaving the office. If I’m lucky, I’ll discover this while I still have my laptop with me. If not, my only hope for peace and solitude is to turn off my phone–limiting my contact with the outside world (the horror!). iOS 8 closes that gap by allowing you, from your iPhone or iPad, to set an out-of-office reply. (Of course, that doesn’t solve my problem of actually never taking vacation, but I’m willing to wait for iOS 9 for Apple to solve that one for me.)
In addition to managing apps through MDM, companies will now be able to manage documents through the native MDM interface as well. This means that, in addition to pushing critical business apps to an end user’s iPad, IT could also push critical documents (such as an employee handbook or travel policy) or even ebooks an employee needs (or one which management has mandated they read–not that such a thing ever happens). And, of course, just like with apps, these documents (be it PDF or ePub) can be just as easily revoked. Books can also be purchased through Apple’s VPP, so users can get access to the content without having to pull out their wallets.
Getting content to devices is now much easier with AirDrop. This is something I felt they should have added at least a year ago (about the time I discovered how cool AirDrop is). Basically, it will allow the transfer of files between OS X and iOS over-the-air, but without the need to set up any networking. While it uses WiFi, it sets up a peer-to-peer ad-hoc network on the fly–meaning that while your iPhone needs to have WiFi on, it doesn’t necessarily need to be on the same network as your MacBook Pro to transfer files. In that same vein, if your users are using Apple’s suite of office applications, they can now seamlessly move between computer and mobile device (if the computer is running OS X 10.10 and the mobile device iOS 8). One could be writing a document in Pages on their Mac, then pick up their iPad and instantly pick up where they left off without the need to do anything as cumbersome as saving and syncing.
2. Securing the Data
From the moment the first iOS device landed inside a company, IT has had its hands full trying to cover all the security implications that came with such a powerful device. Fortunately, Apple has provided means for MDMs to add a lot of security to iOS devices. While keeping productivity in mind, Apple continues that trend in iOS 8.
Administrators will be able to enforce security more simply by preventing users from resetting their devices–and thus, removing MDM profiles. IT will also be able to control which apps are allowed to open documents from iCloud, giving them much better control over how content flows from computer to device. Of course, with the added ability to restrict a device, Apple has also given admins a better view into the device. Through MDM, admins can check on such things as the last time a device was backed up, ensuring users are prepared in the event of that almost-inevitable dunking their phone will take through its short and abused lifespan.
AirPlay is a boon for allowing Apple devices (either iOS or OS X) to connect to a projector or large display for presenting or demo’ing. However, this has always required access to the same network as the AirPlay device (oftentimes an Apple TV). In iOS 8, using ad-hoc technology similar to AirDrop’s, users can now connect to an AirPlay device (such as an Apple TV) without needing access to a corporate network. This is great for companies with executive briefing centers, where external partners and customers often come to present or be presented to. IT can simplify presenting on a large screen, while keeping the corporate network locked down.
Additionally, Apple has taken steps to secure the data on the device by requiring a passcode to view contacts, calendar and email items after reboot, as well as providing the capability to encrypt individual messages within Mail.
New iOS adoption is always rapid. However, with the productivity features in iOS 8, companies should expect this to increase. Luckily, Apple is empowering IT with better security and more visibility into their devices. For more information on iOS 8, see <https://www.apple.com/ios/ios8/enterprise/>.