Should your IT department support the iPhone?
When the iPhone was first launched in June 2007, it was generally panned by IT managers and systems administrators. It didn’t support any encryption of user data, could not have any enforced security policies and offered no way to remotely wipe data if it were lost or stolen. At the time, a lot of companies weren’t prepared to accept those security gaps. Perhaps more importantly, the iPhone didn’t yet support any third-party applications or interact with most office suites.
A lot can change in two and a half years. In 2008 the iPhone gained 3G and GPS support, and the simultaneous iPhone OS 2 update added support for third-party apps and the ability to interact with Exchange servers using Microsoft’s ActiveSync technology.
Exchange supportallowed security policies for mobile devices to be enforced and allowed the user—or an administrator—to remotely wipe all data from the device. Apple also started to allow administrators to pre-configure the iPhone’s settings, including an initial step toward a managed environment that could increase security and compliance with a company’s acceptable-use policies.
The mid-2009 iPhone OS 3 and iPhone 3GS release again bolstered the iPhone’s business cred. The iPhone 3GS was the first model to offer hardware encryption. The scheme isn’t perfect and forensic and jailbreaking tools can sometimes get around it, but it is one of the strongest commitments Apple has made for enterprise customers.
And the iPhone OS 3 update added support for a wider range of collaboration tools beyond Exchange. All iPhones can now access CalDAV shared calendars, subscribe to any calendar published using the iCalendar format (which can also be used to schedule meetings across various calendaring apps), and access shared contacts using the relatively new CardDAV standard. That’s in addition to its pre-existing support for vCard files and the ability to access LDAP databases for contact information.
More importantly, Apple boosted the device management capabilities available to IT departments to lock down an iPhone using configuration profiles created by the iPhone Configuration Utility. While the original version of this tool (released with the iPhone OS 2 and iPhone 3G in July 2008) was pretty limited, the latest version (released with the iPhone OS 3 update and iPhone 3GS in June 2009) allows admins to define settings and restrictions for many iPhone features. It also means you can limit access to a number of iPhone features such as the camera, the iTunes store and even Safari or YouTube.
At the same time, the ever-expanding array of apps for the iPhone provides serious business tools, including several fully functional office suites, for both general workplace functions and specific niches in a variety of industries. The result isn’t surprising: A growing number of workers want to use these apps—and the iPhone itself—as a mobile device for many different tasks.
Is this enough for IT?
With that brief iPhone history lesson out of the way, the question remains: Is the iPhone at last ready for business or enterprise adoption? Even if admins say no, you face another question: Can you effectively ban the use of the iPhone in your environment?
The first question you should consider: Does the iPhone measure up to your standards for device and data security? The answer really depends on your environment and industry. If you work in health care, the answer is probably no, because of HIPAA concerns. If you work with various state or federal government agencies, you may also find that the iPhone doesn’t meet compliance standards. If those type of regulatory issues aren’t a problem, you still need to consider the kind of data employees might store on an iPhone and how that might involve any existing security policies.
Even if you initially find the iPhone’s security lacking, there are some solutions to consider. Depending on the type of work and data involved, you can use a thin client or Web-based approach to allowing users access to data. With this approach, very little, if any, company or client data gets stored on the iPhone. Thin-client applications, including Citrix’s Receiver apps, generally encrypt all data accessed by any thin client, including the iPhone. If you use a Web-based approach, you can secure the connection with SSL, a VPN or the new Mobile Access Server feature that Apple includes with Snow LeopardServer.
Other options are available, as many enterprise software providers have already developed iPhone apps that securely integrate with their offerings. This group includes Cisco, Oracle, Salesforce.com, IBM, Market Circle, and a range solutions for accessing the collaboration tools offered for products by 37 Signals, including the popular BaseCamp.
The trickier question is this: Can you effectively ban the iPhone? Despite any reasons you come up with to justify banning the iPhone, what are you going to do when a high-level manager simply demands one? The iPhone is a stylish device that offers both fun and function, and if the CEO or a senior VP wants an iPhone, you may not be in a position to convince her that she shouldn’t have it. Once a handful of top-level managers have iPhone, you’ll get a growing chorus of lower-level managers and staff asking why they can’t have one, too.
A second likely scenario: An employee is denied an iPhone (or possibly any company-provided smartphone) and decides to get his own personal iPhone for use at work. This surreptitious infiltration is actually a bigger concern than a handful of managers; at least with them you still get to control the configuration and deployment process. If you don’t know that workers are using iPhones in your company, you can’t secure them at all. You can’t even be certain what data might be stored on them.
And since the iPhone is fairly easy for even novice users to set up — they can sign onto wireless networks, access intranets, and even gain access to an e-mail server—it’s no stretch to imagine that a lone, unauthorized iPhone could seriously compromise confidential data, as well as access to your network and the services running in it.
In other words, simply banning the iPhone doesn’t really work. As long as employees have their own personal phones, it can be difficult to mitigate potential compromises. Of course you can draft a policy restricting the use of personal phones in the office, but enforcing that policy is going to be tough. At best, you’ll be able to restrict access to internal resources by not allowing the iPhone to connect to your wireless network and prevent users from syncing their phones to a company-owned computer. (Simply disallowing iTunes is one effective way to prevent syncing.)
Even this may not be effective if employees are allowed to access services from outside your network. Even if you can banish the iPhone from your network, you still can’t stop users from entering notes, appointments, or contacts from within your organization onto their iPhones by hand.
Acceptance and control
If you know or suspect that iPhones are making a stealthy march into your operation, you have a couple of options. First, you can offer an alternative. By providing employees with an alternate smartphone such as a BlackBerry or a Windows Mobile device—both have great centralized security options—you can reduce the clamor for the iPhone and at the same time provide a more secure, business-proven solution.
In many cases, however, providing and supporting an alternative phone may not be a viable option. Doing so could be cost-prohibitive, especially if it means setting up a BlackBerry Enterprise Server, an Exchange server or an Exchange alternative. If you’re asked to support only a couple of iPhones, it’s probably easier to manually configure and restrict them by hand. This is particularly true if high-level managers are the primary users demanding the iPhone.
Here, user education is important. By explaining why devices need to be managed for security reasons and explaining the policies that you’ve implemented on the managed iPhones, you can at least offer them a rationale for minimizing the use of iPhones in your environment. This may not always be successful in limiting demand, but it’s always a good starting point.
If you’re forced to make the iPhone more broadly available, you can develop a configuration profile, or a series of profiles, that effectively limit access to iPhone features and applications and enforce needed security options. You can then make these profiles available to users. One advantage of the current iPhone OS is that once a policy is accepted on the device, you can restrict who can remove it.
This can be effective in dealing with both company-owned iPhones as well as personal devices. If you can get support for the idea that employees using a personal iPhone for work means some of its features need to be secured, you can distribute the requisite profiles. This gives you a way to configure and allow access to a wireless network or to other internal resources while at the same time layering on needed security measures.
A key point here is communication. You need to spell out why the iPhone needs to be locked down as much as possible. You may even want to create company-wide policies about what resources users are allowed to access or store on their iPhones. It helps to be willing to entertain the option of an iPhone, even as you also make clear your concerns and provide ways to address them. The bottom line is this: If you’re forced to deal with iPhones in your environment, you want as much control and cooperation as possible.
While the iPhone Configuration Utility and the profiles that it can apply and enforce provide the best options for mitigating risks, they’re not the only options. As I mentioned earlier, if you have an Exchange environment, you can also apply Exchange security policies. They, unlike configuration profiles, can be deployed over the air.
Granted, the entire range of profiles isn’t available, but basic ones such as requiring a passcode to unlock the iPhone are available. Exchange also enables remote wipe, making it one of the more powerful options for using an iPhone in the enterprise.
If you don’t have Exchange, and don’t want to spend money on it, there are a number of less-expensive alternatives—Kerio MailServer, Zimbra and Communigate Pro—that still provide the core features of Exchange by licensing Microsoft’s ActiveSync.
Another third-party product is Good for Enterprise. This suite allows you to secure not just iPhones, but also Android and Palm WebOS devices such as the Pre and Pixi. Good offers this security by using its own native iPhone application. The app provides much of the same groupware functionality that the iPhone’s Mail, Calendar, and Contacts apps provide, but enterprise data is stored in encrypted form and can be remotely wiped from the device when necessary.
This provides better security than even the built-in Exchange support and is relatively easy to configure and manage, though an appropriate collaboration suite such as Exchange or Domino is required. Even with Good, though, you may want to further secure the iPhone using configuration profiles.
Testing and preparation
If your company is poised to deal with iPhones in the year ahead, one of your best options may be to try a pilot program. This allows you to see whether the iPhone can meet your security requirements and how to make that happen in the most effective manner possible.
It also lets you demonstrate your security concerns to managers who want to implement the iPhone. If meeting security needs will require significant manpower or a serious software/hardware investment, or means disabling too many core iPhone technologies, a pilot program is an ideal way to find out. It also allows you to get some hands-on experience in effectively deploying and managing the iPhone in your environment.
Another benefit to a pilot program is that it helps you identify the risks, solutions, deployment issues and support requirements that will be needed if the iPhone expands beyond a just couple of people. And it has the advantage of building good will from management, because you’ve demonstrated you’re willing to really consider the impact of the iPhone rather than just saying no right away. If you decide the pilot program isn’t successful, at least you can say you tried. Then you can move on to alternative options.
And if the pilot program is successful to some degree, it should give you the information you need to successfully roll out the iPhone. That’s important information to have as the iPhone continues to evolve and gain an even stronger foothold in the enterprise. With most of the hardware and software pieces in place—and with the iPhone’s continuing popularity—it’s a virtual certainty that more companies will be looking to roll it out, at least on a trial basis, in 2010.
In a future piece, I’ll spell out what it takes to develop and run an effective and accurate iPhone pilot program in a large organization.
[Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. His most recent book is The iPhone for Work, published by Apress.]