While most of the talk on Apple’s new iOS 7 mobile operating system has been about Jony Ive’s radical revamp of the user interface, administrators asked to support iPhones and iPads in the workplace have been promised management features that will make their job considerably easier.
Managing iOS devices has been a challenge in the enterprise. Users have usually brought in the devices outside formal management structures.
“And further, you don’t get to choose and can’t stop the [automatic] upgrades to iOS 7 -- and you can’t roll them back when things break,” notes Randall Cameron, the national sales manager for MSC Mobility Solutions in Sydney.
Apple has been slow to build in the features required by enterprise admins - such as access restrictions and tools to aid the provisioning of devices - a space that has been filled with third-party mobile device management (MDM) server and appliance vendors.
But with iOS 7, Apple is to some extent catching up with what’s been on offer by third-party MDM vendors.
There is a sizeable list of new configuration options coming up with iOS 7. Chief among them is the ability to specify AirPrint printers and other devices for iPads and iPhones to connect to, as well as the file path to resources required when provisioning.
From a security perspective, mobile apps running on iOS 7 can now be set to trigger their own secure virtual private network (VPN) connections - automatically or manually - which on managed devices will help enforce a network separation between corporate connections and personal ones.
By giving IT admins the ability to force corporate apps to use a secure VPN connection, data security is greatly enhanced when users aee connected to public networks outside the office.
Apple will also include several new parameters to the app lock feature in iOS - which sets the device to run only a single app. These include the ability to disable the touch screen, hardware buttons, device rotation, the ringer, stop sleep mode and more – all features that are sure to make life easier for those organisations using iPads or iPhones as point of sales devices.
Apple may have been reluctant to provide tools for corporate administrators in the past, but some of the features of iOS 7 suggest the company has had a permanent change of heart.
The restrictions administrators can apply are numerous and substantial. Supervised devices can be set to prevent accounts from being modified in iOS 7 - users can be restricted making changes to mobile data network settings, for example.
On the security side, admins can ensure users are prevented from syncing keychain data with stored usernames and passwords to the cloud, and can turn off or limit the 'Find My Friends' and ad tracking features.
Apple has also added a privacy enhancement aimed at preventing app ad networks from tracking users with Unique Device Identifiers (UDIDs) and media access control (MAC) layer addresses. All iOS 7 devices return a MAC address of 02:00:00:00:00:00 and Apple wants developers to migrate to the more privacy-conscious Identifier for Advertisers option instead.
Admins can turn pairing hosts off, ditto the Wi-Fi and Airplane mode buttons on the new lock screen in iOS 7.
Admins can also containerise data within corporate apps - limiting the use of corporate documents in managed apps and accounts. Similarly, admins can ensure unmanaged files won't open in managed apps and accounts if such additional security is deemed necessary.
These features help to preserve confidentiality and prevent the leaking of files or unauthorised accessed to them.
Specific URLs can now be whitelisted or blacklisted with Apple's Web Content Filter, and these lists can be updated automatically over the air.
A number of new configuration options are available to set up and restrict Wi-Fi access, including the prioritisation of specific networks.
More importantly, Wi-Fi Hotspot 2.0 [PDF] support can also be configured and managed in profiles.
Hotspot 2.0 support is new to iOS and allows for automatic connection to public Wi-Fi networks using WPA2 security, saving the user from connecting to pricier 3G or 4G cellular data options.
There is no need to search for Wi-Fi system identifiers or network names or to enter a log in, so long as Wi-Fi Roaming for Hotspot 2.0 is enabled.
Administrators can choose to turn off Hotspot 2.0 functionality is they deem it a security risk.
System-wide or per-app private-corporate partitioning?
A key feature that observers expect to make the cut in iOS 7 is some kind of partitioning between personal and corporate data, as found in Samsung’s KNOX and Blackberry’s Balance.
Partitioning allows for a clear and immutable line in the sand between personal and business data, essentially providing two separate devices in one phone or tablet.
Apple's combination of per-app VPNs, app licensing that for provisioning and revoking of applications and the containersiation features, will ultimately attempt to deliver the same separation as Samsung and Blackberry, but without any intrusive partitioning.
Apple's precise approach won't be known once the full iOS 7 update launches.
Where is the management software?
Crucially, while iOS 7 is in its fifth beta incarnation and rumoured to be ready for launch within weeks, Apple has not posted any new tools to create profiles with the new iOS 7 features.
Apple spokespeople told iTnews the company was "not ready to talk about it yet."
Likewise, Apple’s MDM partners did not want talk about how their new management layer might work with the aforementioned functions, citing non-disclosure agreements with Cupertino.
This puts admins wanting to learn about and trial the new features ahead of the iOS 7 launch in an awkward position. They will most likely have to wait until the upgrade rolls out, and figure out what to do after that.
We hope this preview will aid that effort.