New APIs in Apple’s latest iPhone operating system make possible a new experience for network administrators: the ability to inventory, secure, and manage the iPhone and iPod touch as enterprise devices and to do so for hundreds or thousands of them. With Monday’s release of iOS 4, Apple provided hooks and on-board Mobile Device Management Service (MFMS) that, for the first time, let third-party device management applications access information directly on the iPhone 4, and exercise control over it.
In the past, there have been two basic options. One is the management and security provided by Microsoft Exchange Server, via Apple’s expanded but still limited support for Exchange Active Sync. The second is Apple’s iPhone Configuration Utility 2.0, released in mid-2009. This version introduced some much needed figures but fell short of full-scale end-to-end system for managing the handsets, data, and users.
Today, three device management software vendors announced versions of their applications exploiting the new APIs. The applications are: Afaria from Sybase, Mobile Device Manager from AirWatch and MobileIron Virtual Smartphone Platform from MobileIron. All three are intended to provide centralised management for iOS 4 devices.
Most of these applications are adding or expanding iPhone management support to software that handles most of the leading mobile operating systems.
MobileIron is a server-based application for managing mobile devices. Administrators can create a usage or security policy on the server, assign it to individuals or groups, and then connect to the iOS mobile device management service. "We can pull information from MDMS or we can push information to the service," says Ojas Rege, vice president of products for MobileIron.
MobileIron and the other vendors initiate communications with the service through the Apple Push Notification Service (APNS). Once that notification is accepted, the server and device communicate directly via HTTPS, according to Rege.
The arrangement allows for an "agentless" approach – no iPhone application is needed. But MobileIron does offer one, downloaded from the App Store, that creates a management UI for the end user, when some kind of end user input or action is needed.
In some cases, functions that were done via Enterprise Active Sync can now be done directly via the third-party software and the handset, such as remotely wiping data from a lost or stolen iPhone.
But the third-party applications offer the ability to add new functions. For example, with iOS, an enterprise can now write an iPhone app for its own users, and distribute the app on its own, with what Apple calls an Enterprise Development Licence, without having to connect to Apple’s iTunes, via a PC or Mac, and going through the App Store. MobileIron will manage those software downloads and updates. The server can create an inventory of all apps, and their version numbers, on each iPhone.
MobileIron also offers a feature that can alert iPhone users and IT departments when the iPhone smartphone is subject to international roaming charges. Based on the alert, users can takes steps to minimise roaming charges, or IT can block the phone from using wireless data.
To support iOS 4, MobileIron will be launching three modules: ZeroTouch Security, which enables IT to apply security policies to the iPhone, application discovery which lets IT inventory and update iPhone applications, and international roaming expense monitoring. All three will be rolled into the core MobileIron product during Q3. The pricing, which starts at $4 per device per month, will remain unchanged.
Sybase Afaria also has an iPhone client, but like MobileIron, it’s also not needed for the server to make use of the new iOS management service.
Afaria manages the over-the-air download and update of enterprise iPhone apps directly to the handset. The Enterprise Development Licence associates a provisioning profile with each home-built iPhone app. Afaria can disable an app by revoking that profile, according to Mark Jordan, Afaria senior product manager.
The server software now can bypass Exchange or Apple’s MobileMe service to remotely lock and wipe an iPhone. A critical feature for enterprise network administrators is the ability now to verify that iPhone security policies have actually been installed and are working. "We can put a strong password on the device and I can query it to confirm the device is now password-protected," says Jordan.
Afaria has tweaked its Access Control Utility for the new OS release. "We can check access policies, and determine whether an iPhone has been jailbroken," Jordan says. "If it has, we can block it."
The new iPhone management service exposed a great deal more information to Afaria’s asset tracking and management capabilities. Previously, this information was limited to bare bones, such as the installed version of the OS. Now, Afaria can collect the phone’s serial number, model number and name, firmware information and other data, such as the MAC address, the carrier network, the actual voice phone number, and whether data roaming is turned on or off.
That data enables more fine-grained policies to be set, according to Jordan. "You can look at the RAM capacity on the device for a new app download," he says. "You can require a passcode and hardware encryption, for example. If these aren’t present, then the device can be blocked from accessing email, for example."
Sybase will launch the Afaria iOS 4 beta test in July, with general release for sometime later in the third quarter. The new capabilities will be introduced in some combination of add-on modules, for which there will be separate charges. Pricing will be announced closer to the release date.
AirWatch also is incorporating support for the new iOS 4 APIs into its Mobile Device Management application. As with the other two applications, administrators create policies on a central server and distribute them to the handsets. The software handles large-scale app deployment by a combination of what the vendor calls a "role-based security architecture," the ability to group devices, and managing them in bulk.
AirWatch MDM is a web-based application, that can be used as a hosted service, deployed on a corporate server behind the firewall, or as a dedicated hardware appliance.
The updated software will be available in July.