Caution: iOS 5, iCloud and the iPhone 4S in the enterprise
Apple's iOS 5 and the new iPhone 4S, which went on sale Friday, are packed with new features, many of which should boost the productivity and on-the-road capabilities of professional users. But, as with many consumer-oriented mobile platforms making their way into the workplace, iOS 5 and Apple's new iCloud service present some serious challenges in business environments.
Security issues involving iCloud and several other features will likely be the first things IT professionals weigh when it comes to iOS 5, which Apple rolled out last week. That's good, because even though Apple quietly provided some new enterprise features in iOS 5 that should make iPhones and iPads better corporate citizens, new concerns have emerged.
Out of the 200-plus new features in iOS 5, there are really just three that pose new security challenges: iCloud syncing and backup, location-based services like the new Find My Friends app, and the Siri virtual assistant in the iPhone 4S.
What's in the cloud?
Apple's iCloud is a unique brand of cloud services that's geared more toward personal use than professional. It allows users to sync all their personal data—contacts, calendars, emails, notes, iTunes media, photos, documents and so on—across all their iOS devices and Macs (and to some extent Windows PCs). Users can also back up their iOS device data wirelessly to Apple's iCloud storage or to their Mac or Windows computer using iTunes. This is a rich set of features for consumers, as it ensures easy access to virtually all data that's supported by Apple's iOS 5 as well as the security of having a backup of core iOS information that can be restored anytime, anywhere.
But while that ease of access is great for end users, it raises serious questions for iOS devices used for work, be those devices company-owned or, as is increasingly the case, employee-owned. Given that the service debuted only last week—and had a problematic rollout at that—there are now more questions than answers.
If iPhone users in the workplace start asking about using iCloud, ask yourself these questions: Will confidential corporate data such as documents, global contacts and emails be synced to a user's home computer? Might they reside on Apple's iCloud servers after a user has left a company? What if someone gains access to a user's iCloud account by stealing a device or through a phishing or social engineering attack? Could photos taken with an iOS device in the office be pushed across a range of devices and computers by iCloud's Photo Stream feature? Even more concerning is the uncertainty about whether users are putting business information onto their device(s) and into iCloud. At this point, how would an IT shop know?
In sum, what appears to be a great consumer feature could turn out to be a professional minefield. Caution is warranted.
Find my unsecured iOS device
One extension of iCloud is the new Find My Friends app, which functions very much like Google's Latitude. If your friends or other contacts give the OK, you can see their current whereabouts on a map—and vice versa.
Find My Friends offers a lot of useful potential in a business context. It can ensure colleagues can easily locate each other at a conference or some other event. It can help managers monitor employees assigned to mobile tasks like deliveries. Unfortunately, it also allows anyone who is designated as a "friend" to locate a user or his/her iPhone or iPad. That could be a prelude to theft. Find My Friends could also be used to covertly monitor a user during off hours, which—beyond being an invasion of privacy—could open someone up to blackmail or other forms of coercion.
On a personal level, if you download and set up Find My Friends on an iDevice, I suggest you be extremely cautious about who is allowed to follow you. More on what to do about Find My Friends in an enterprise environment in a moment.
Serious about Siri
The iPhone 4S's virtual assistant feature, Siri, poses its own set of concerns. Since Siri is integrated into iOS 5, it has at least some level of access to all of Apple's built-in iOS apps, including Mail, Messages, Calendar, Notes and so on.
Thus, it's conceivable that when a user asks Siri to read business content such as an email, others nearby might be able to overhear confidential information. Similarly, and perhaps more concerning, a user sending a text message, making an appointment or dictating into any app on the iPhone 4S could be overheard.
Then there's the possibility that someone other than the iPhone's owner/user could issue commands via Siri, since by default it can be accessed even when the iPhone is locked. Almost anyone could pick it up and have some level of access to the device. Physical security of your hardware will be even more important than it already is.
What is to be done
Now that we've covered some of the concerns, let's talk about how to address them. There's actually some good news on this front. Since last year's release of iOS 4, Apple has added support for mobile device management (MDM) services that can lock down most iOS features. The field of MDM vendors has broadened significantly over the past year.
For enterprise organizations, there is a wide range of products that can be used to manage iOS devices as well as BlackBerries, Android phones and tablets, and other mobile platforms. Many can be integrated into your existing user and client management tools and services—some are even available as integrated packages that include client management and mass deployment tools. Virtually all can be integrated with Active Directory or other directory systems. This means that each organization can develop a mobile management strategy that fits its existing infrastructure and needs.
For small businesses, Apple's Lion Server includes a Profile Manager service that offers these capabilities at a low cost of entry. They can even be applied manually to each device using Apple's iPhone Configuration Utility, which, despite its name, supports all iOS devices.
With the release of iOS 5, Apple updated its management service to include support for these new features. You can manage each of the three big trouble areas in the following ways:
iCloud: Disable each of iCloud's three areas of major concern—wireless backup to Apple's servers, syncing of documents and app data, and pushing photos to a user's Photo Stream—or manage each setting individually. The one caveat is that they are global in their effect, meaning that you can't specify that some apps can sync to iCloud while others can't. It's all or nothing.
Find My Friends: There is no specific option to disable or manage the Find My Friends app, but there is an easy solution to that: Simply disallow access to the application, a capability offered by all MDM vendors.
Siri: Apple allows you to completely disable Siri on the iPhone 4S via MDM. That's effective from a security perspective, but it also takes away a lot of functionality for the user. It would be better if Apple offered a way to control which apps Siri can interact with. Disabling Siri may not even be a need in many environments, and even in those where confidentiality is an issue (healthcare and other industries that are subject to privacy regulations come to mind), educating users about potential risks might be a workable solution.
It's also important to note that although MDM only offers the ability to allow or deny access to Siri completely, there is an option on the iPhone 4S to disable access when the phone is locked, though it's easily missed since it isn't located with the rest of the Siri settings. It's located under Settings > General > Passcode Lock instead. While this is good news, the fact that IT cannot enforce its use is disappointing and means that you'll need to rely on users to implement it.
The good news
As noted, there are new enterprise features in iOS 5 that represent major improvements and will make the lives of IT administrators and CIOs easier when it comes to supporting the iPhone and iPad.
First up is wireless activation and setup. This is, of course, a big gain for all iOS users, but it has particular benefits in large organizations where hundreds or thousands of devices may need to be rolled out to users. Previously, setup required activation through iTunes, a minor annoyance to users, but a major hassle for enterprises.
iOS 5 and its SCEP auto-enrollment capabilities drastically simplify the deployment task. The use of MDM software also allows for automatic configuration of devices as they become enrolled for management, something that's good for mass corporate device rollouts as well as bring-your-own-device (BYOD) programs. One nice touch is that you can preset whether the device will send diagnostic data to Apple.
One challenge to iOS in the enterprise is that its native Mail app supports personal email accounts (including all the major free hosted mail services like Gmail and Yahoo Mail) as well as enterprise accounts like Exchange. With this mixed approach, users could easily forward mail to personal addresses, respond to corporate emails from personal accounts, and send emails generated by iOS apps (like the Photos app) from corporate accounts.
iOS 5 resolves this issue by allowing IT to prevent apps beyond Mail from accessing corporate email accounts, along with preventing users from forwarding or moving their corporate email to personal mailboxes.
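As an added example (not from the article, Apple or any MDM vendor), the script below audits a configuration profile for the iCloud, Siri and corporate-mail settings discussed above and reports any that are left permissive. The payload types and key names are assumed from Apple's Configuration Profile Reference rather than taken from the article, and the sample profile is constructed.

```python
import plistlib

# Restriction keys (payload type com.apple.applicationaccess) and the value
# a locked-down profile should carry. Key names are assumed from Apple's
# Configuration Profile Reference, not from the article.
REQUIRED_RESTRICTIONS = {
    "allowCloudBackup": False,        # wireless backup to Apple's servers
    "allowCloudDocumentSync": False,  # documents and app data sync
    "allowPhotoStream": False,        # photos pushed to Photo Stream
    "allowAssistant": False,          # Siri
}
# Keys on an Exchange ActiveSync account payload (com.apple.eas.account).
REQUIRED_MAIL = {"PreventMove": True, "PreventAppSheet": True}

def audit_profile(raw: bytes) -> list[str]:
    """Return findings for settings that leave a feature enabled."""
    profile = plistlib.loads(raw)
    findings, seen = [], set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        required = {"com.apple.applicationaccess": REQUIRED_RESTRICTIONS,
                    "com.apple.eas.account": REQUIRED_MAIL}.get(ptype)
        if required is None:
            continue
        seen.add(ptype)
        for key, want in required.items():
            # An absent key falls back to the permissive iOS default.
            if payload.get(key, not want) != want:
                findings.append(f"{ptype}: {key} should be {want}")
    for ptype in ("com.apple.applicationaccess", "com.apple.eas.account"):
        if ptype not in seen:
            findings.append(f"{ptype}: payload missing")
    return findings

# Constructed sample profile: Photo Stream left on, PreventAppSheet omitted.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "allowCloudBackup": False, "allowCloudDocumentSync": False,
         "allowPhotoStream": True, "allowAssistant": False},
        {"PayloadType": "com.apple.eas.account", "PreventMove": True},
    ],
})

if __name__ == "__main__":
    for line in audit_profile(SAMPLE):
        print(line)
```

The script reads unsigned profiles only; a signed .mobileconfig has to have its signature wrapper removed before `plistlib` can parse it.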
By far the biggest enterprise addition in iOS 5 has to be the ability for companies to make volume purchases from the App Store and then make those apps available to users.
Getting business apps onto iOS devices has been a big challenge since the App Store went live three years ago. Until recently, the only option was to have users purchase or download apps manually using their own iTunes accounts (possibly with company reimbursements or through iTunes gift credits). This approach was far from streamlined and even opened the prospect of users taking an app and all of its data with them when they left a company.
Apple's volume purchase plan resolves that issue by allowing organizations to purchase apps for deployment to user devices. The MDM service in iOS 5 even goes a step further by letting administrators manage volume purchased apps on devices—which means they can wipe any corporate-bought apps and associated data from employee-owned devices at any time. This also combines well with the ability provided by almost every MDM vendor to create an internal app storefront containing both internally developed and App Store apps.
The BYOD dilemma
It's pretty clear that Apple is taking the enterprise seriously with the management capabilities it's built into both iOS 4 and iOS 5. Those capabilities and the 200-plus new user-oriented features make iOS 5 attractive to businesses.
Those management features also highlight the ongoing challenges of employee-owned devices in the workplace. While it's possible to prevent iCloud sync or backup, that removes important features for iPhone and iPad owners who bring their devices into the office. The same can be said of many of the other management features available in iOS (and other platforms).
Apple has struck some balance by allowing organizations to provide and remove volume purchased apps, along with general corporate data like email and shared contacts and calendars, without affecting user data and content. That's a help, but it's clear that there's still a ways to go in balancing the professional and personal use of employee-owned technology—whether that technology comes from Apple or another manufacturer.
The upshot is that while iOS 5 offers a variety of useful technologies for users, and a number of much-needed management tools, IT shops need to be smart about rolling out the new OS and the iPhone 4S.