iPhone winning over some corporate security skeptics

Editor’s Note: The following article is reprinted from Network World.

Apple’s iPhone is slowly but surely winning over some enterprise security skeptics. As a result, it’s now showing up alongside, or instead of, Research in Motion BlackBerries and Microsoft Windows Mobile handsets, despite the fact Apple offers none of the security and management features that are hallmarks of those two platforms.

With the release this year of iPhone OS 3.0, the popular handset is capable of a much more advanced mobile symbiosis, relying on the Microsoft Exchange security and management features that are accessed via Apple’s implementation of Microsoft ActiveSync. Coupled with a greatly improved iPhone Configuration Utility (ICU), the new firmware has gotten high grades. 

From its birth in 2007, the iPhone has been criticized for lacking enterprise security and Apple for not caring about it, given the company’s consumer focus with the popular smartphone. That began to change in 2008, when Apple introduced support for ActiveSync, enabling an Exchange administrator to erase all the data on a lost or stolen iPhone, for example. The 3.0 release in June 2009 added more improvements (see the official enterprise deployment guide here), and some observers expect even bigger security changes in 2010.

Apple’s absolute control over the hardware and software means the “iPhone has the potential of becoming the most secure mobile device on the market. I think they’re going to get there,” says David Field, device management and security architect for Enterprise Mobile, an IT services company that specializes in enterprise mobility and is backed by Microsoft.

But what will it take for the iPhone to become a more solid enterprise option? Experts say there are two key areas to expect changes by Apple in the near future.

The first is support for over-the-air application downloads and firmware updates, perhaps by early 2010. Today, enterprise users need iTunes on their Mac or PC to get software and updates. “Companies don’t want users connecting the iPhone to a PC [running iTunes]," says Ken Dulaney, vice president of mobile computing for Gartner. “That’s because they want to monitor and control what users are doing.” With over-the-air downloads, enterprise can control deployment of authorized applications directly to the iPhone, and ensure fast fixes for software vulnerabilities or threats.

Second, expect Apple finally to lock the iPhone’s boot loader to prevent the phone from being jailbroken. Jailbroken phones can load a new operating system image that discards many of the protections built into the official operating system, such as the sandbox architecture for applications, Field says. The sandbox is a self-contained “space” for the application, preventing or limiting access to data in other applications or hardware features. “A jailbroken iPhone is very insecure,” Field says.

Another possibility is closer cooperation by Apple with third-party security vendors. Gartner’s Dulaney speculates that Apple may introduce a way for these vendors to exploit limited background processing (or multi-tasking) on the iPhone. That would let a security application connect with, monitor and control lower-level operating system and device functions. Dulaney says Apple has been talking with security vendors about this kind of lower-level access.

Some vendors are working with the Apple Push Notification Service, introduced earlier this year, to mimic multi-tasking. Apperian, a consulting company that’s creating custom iPhone apps and software frameworks to support large-scale enterprise iPhone deployments, is creating an SDK to simplify this for security and management: a server sends an alert via the push service to the iPhone and wakes up a security application to run a check or report on a possible security breach.

“In the next year, the iPhone enterprise application infrastructure will be pretty much the same as other platforms,” predicts Bin Lee, Apperian’s CTO.

Even without these expected changes, the iPhone today meets the basic security needs for a surprisingly large number of enterprise customers.

“The iPhone gives you ActiveSync device management,” Field says. “ActiveSync is becoming the de facto management and security platform for these lower-end security requirements.”

Apple’s security improvements create a basic foundation that supports a range of options for enterprise customers. “Some iPhone apps we build for enterprise customers are low-security applications, like searching a corporate directory or finding a location on a big campus,” Apperian’s Bin Lee says. “Different companies have different security policies.”

At Chicago-based law firm Sonnenschein Nath & Rosenthal LLP, there was “tremendous demand” from lawyers to support iPhone as an alternative to the ubiquitous BlackBerry, recalls the firm’s CIO, Andy Jurczyk. A self-confessed security “extremist,” he resisted those demands until Apple improved security in 2008 with ActiveSync supporting Exchange policies. “It was enough for us to build on,” he says.

Sonnenschein begins by provisioning each iPhone, as it does with the firm’s BlackBerries, configuring it for each user. The firm uses the current iPhone capabilities but adds a separate digital certificate to create two improved security layers. Initially, the user logs on with a strong password, enforced by the software (as is done for BlackBerry users also). The combination authenticates the user to work with the iPhone and to access Exchange via ActiveSync.

If the user wants to connect to the firm's Microsoft SharePoint Server to access client documents, for example, he has to go into “settings” and activate the VPN, the rules for which are determined by the added certificate. The user has to enter a second Active Directory password to complete the secure log-in. (SharePoint 2010 sites are easily viewable with the iPhone, according to a Network World review.

Separately, the firm’s iPhones run a two-factor authentication software token from RSA Security, which generates a one-time password when a user logs into Exchange with the Safari Web browser via Outlook Web Access, or into virtualized applications hosted on the firm’s Citrix servers.

“There are things we can do on the back end with RIM that we can’t even come close to with iPhone,” Jurczyk says. “But there’s enough [with iPhone]: we can kill the device, and apply our security certificate.” There are about 200 iPhones deployed.

The German branch of global IT services firm Logica has taken a different approach in rolling out about 1,400 iPhones, all running the 3.0 firmware, strictly for e-mail and PIM access via Outlook Web Access. “With the OWA capability and Exchange, you don’t need any additional products to establish a secure connection between the iPhone and the enterprise back-end,” says Jan Kokott, head of mobile devices for Logica Germany.

The connection relies on SSL-based authentication, and Exchange administrators can view basic information about the device, the user and activities. They can also remote wipe the iPhones clean of data if they are lost, stolen or jailbroken.

Kokott says Logica considered using a VPN connection but decided that, at this point, it wasn’t necessary. A VPN makes the iPhone a core part of the internal network, he says. That was a level of access and complexity that isn’t currently needed. In any case, mobile applications need a completely different design approach. “There is no use in…[just] porting an existing [application] workflow to a mobile device,” he says.

The updated iPhone Configuration Utility has become a powerful tool for creating iPhone configuration profiles that implement a range of security policies, such as enforcing strong passwords, shutting off the camera, blocking access to some content such as disabling the Safari browser or access to iTunes or YouTube. Each device can make use of multiple profiles for different kinds of access, such as one for Exchange but a different one for VPN or Wi-Fi connections.

But ICU won’t push these out to the handsets. You have to e-mail them or provide users with a link to a Web site. “It’s very manual,” says Dave Field, with Enterprise Mobile. “The fact that there’s not over-the-air push deployment under the hood is a non-starter for many enterprises.” But the 3.0 firmware did introduce one over-the-air feature: support for Simple Certificate Enrollment Protocol (SCEP), which authenticates a device for automatic distribution of digital certificates. To the user, it is in effect a super-strong, built-in password. “You don’t have to enter it every time you connect,” Field says. “You auto-connect to the VPN, and then you can access e-mail servers, or other resources, without knowing you’re traversing a VPN.”

Encrypting data on iPhones is now possible for the 3GS model. But Apple isn’t forthcoming about what exactly what data is encrypted or how, according to Field. “It would be helpful to know how it works, so that an [enterprise] security guy can say ‘yes it meets our requirements,’” he says.

Third-party device security and management vendors are adding support for iPhone, often making use of many of the same recently introduced iPhone capabilities. Boxtone recently extended what had been its BlackBerry-only management software to iPhone. Zenprise did so earlier. Sybase just announced support for features in the recent 3.1 firmware release.

Subscribe to the Apple @ Work Newsletter

Comments