Balancing The Personal And The Professional In iOS Device Management.
MatthewShaver
Introduction: Organizations struggling to manage iOS devices generally all experience the same crisis of conscience: “I want to manage the devices as strictly as possible without infringing on my users’ personal experiences.” This sentiment crops up most within companies that provide their users with devices they expect them to use around the clock, the iPhones that schedule important work meetings as well as set reminders to pick the kids up from daycare.
This inability to securely manage devices just the way they want extends to all sorts of industries, however, and has been a long-standing gripe of iOS MDM admins since day 1. Apple has implemented a variety of programs over the years to help achieve more control, but oftentimes those controls are at odds with how end users would prefer to use the device. This blog doesn’t aim to solve all of those problems, but to present the bigger picture and give companies enough information to determine whether usability needs to be sacrificed in the name of security and manageability.
Do You Want Your Employees Running Around Unsupervised?
One of the first steps Apple took to grant organizations greater control over their devices was allowing a “Supervised” profile to be put on the device. As it exists today, there are 2 ways to accomplish this: physically tether the device to an OS X computer and run a free app called Apple Configurator, or do it over the air through an MDM integration with Apple’s Device Enrollment Program (DEP) on DEP-enabled devices. There currently is no PC solution for supervising devices.
Supervision is the future of iOS management. Apple has already publicly stated that certain MDM features will be deprecated in favor of their Supervised counterparts. This includes disabling the app store and Safari. Though they have not said when this will happen, they warn it is impending. We know that it is not coming with iOS 10, so as of right now, organizations have at least a year to formulate a game plan.
MDM vs. Supervised: The future of advanced capabilities is going to be compliance checking (MDM) vs. restrictions (supervised). A great example is app compliance. Application compliance for non-supervised devices gives organizations detection and alerting, with actions limited to alerts, removing configurations via selective wipe, un-enrolling the device, and/or wiping it entirely. The full wipe action is one that even the most security-minded industries want to avoid.
Supervised app compliance allows admins to actually hide apps on the devices, displaying only approved or managed applications. Even system apps, including Safari (but not Phone or Settings), can be hidden, creating a custom iOS experience for employees. The MDM feature for disabling the App Store was an all-or-nothing feature when it launched. The supervised action removes the App Store icon from user view, but still allows admins to distribute applications via MDM’s app catalog, further customizing the end-user experience. There are many more security features included, some of which will be covered a little further down.
DEP vs. Apple Configurator:
iCloud Against Your Cloud.
Over the past few years, iCloud has made it ridiculously easy for users to back information up, and then restore as they cycle from device to device. Reconciling that ease-of-access to personal information with company owned assets is a tough thing to do.
iCloud vs. DEP/Apple Configurator: When managing Apple devices, there is one very important lesson to remember. iCloud is a personal service. That’s it. DEP is meant only for organizationally owned devices, and steps are taken during the DEP account creation process to make sure that is understood. So, there is no easy way to allow the personal service, iCloud, on a company asset, the DEP device. Allowing the restore option during setup can override any MDM profiles intended to be installed.
It is a slippery slope for iTunes pairing as well, as that can also have unintended consequences. When provisioning devices, and building the policies, this is going to be the BIG tradeoff. Making a device company owned, and taking away that ease of access will result in some messy end-user interactions, but at the end of the day, admins must weigh why DEP was chosen in the first place.
How far is too far: There are a lot of restrictions that can be set within the confines of the device, from simply removing apps, to locking down account modification so users cannot add an iCloud or e-mail account, to removing secure services, such as Activation Lock, that are great for the user but nightmarish for the company. When building policies, taking these features into consideration is extremely important for the long term. What is more important for the future of the organization? That users complain about lack of features for a few days, or that admins stand in line in an Apple Store each time an employee is turned over, trying to get a device unlocked from an Apple ID?
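As an added example (not code from the original post or from any MDM vendor), a short Python script that models the MDM-vs-supervised split described above: it reads a restrictions profile and reports which keys an unsupervised device will silently ignore, with the compliance-side fallback left for each. The set of supervised-only keys and the fallback wording are my assumptions to verify against Apple’s Configuration Profile Reference for your iOS release; the sample profile is constructed.

```python
import plistlib

# Restriction keys from the com.apple.applicationaccess payload that the post
# touches on. Which of them require supervision is my reading of Apple's
# Configuration Profile Reference: an assumption to re-check per iOS release.
SUPERVISED_ONLY = {
    "allowAccountModification",                   # block adding iCloud / mail accounts
    "allowActivationLockAllowedWhileSupervised",  # keep Activation Lock off company assets
    "blacklistedAppBundleIDs",                    # hide apps, Safari included
}

# What an MDM-only (unsupervised) enrollment can do instead: detect and act,
# not prevent. Illustrative wording, not any vendor's API.
COMPLIANCE_FALLBACK = {
    "blacklistedAppBundleIDs": "app compliance rule: alert, selective wipe or un-enroll",
    "allowAccountModification": "inventory installed accounts and alert on changes",
    "allowActivationLockAllowedWhileSupervised": "alert only; record the Apple ID owner",
}

def audit_restrictions(profile_bytes, supervised):
    """Split a restrictions profile into keys the device will enforce and keys
    it will ignore, mapping each ignored key to its compliance-side fallback."""
    profile = plistlib.loads(profile_bytes)
    enforced, ignored = [], {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in payload:
            if key.startswith("Payload"):  # PayloadType, PayloadUUID, ... are metadata
                continue
            if supervised or key not in SUPERVISED_ONLY:
                enforced.append(key)
            else:
                ignored[key] = COMPLIANCE_FALLBACK.get(key, "alert only")
    return {"enforced": sorted(enforced), "ignored": ignored}

# Constructed sample profile; identifier and UUID are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.access",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowCloudBackup": False,                 # works without supervision
        "allowAccountModification": False,
        "allowActivationLockAllowedWhileSupervised": False,
        "blacklistedAppBundleIDs": ["com.apple.mobilesafari"],
    }],
})
```

Running `audit_restrictions(SAMPLE_PROFILE, supervised=False)` shows only the iCloud backup restriction surviving on an MDM-only device; the other three fall back to detection and alerting.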
What’s App, Doc?
Managing applications can be tricky. Sometimes the user wants to feel free to do as they please, so long as they are getting the job done. This means not being tracked by “big brother.” It seems these days that even the least tech-savvy users are keenly aware of each and every permission that an app requires. As soon as that pop-up appears with the location permission, the help desk gets flooded with calls.
What we want vs. what iOS wants: I may be sounding like a broken record here, but again, these are primarily consumer-driven devices. Apple provides APIs for location services, but that doesn’t mean it likes the way they are used. Applications can be stopped in the background for a variety of reasons, preventing many of the features MDM is trying to provide from fully functioning. Users can remove applications, and turn off location services for individual apps. Compliance alerts can handle a lot of worries, but the company needs to determine if these are battles worth fighting.
It’s not your app, but you treat it like family: Application management for third-party apps is also a big piece of the management pie. Apple has introduced new features for MDM solutions to manage cellular data usage for managed applications. New features are popping up daily, such as the App Config community, that allow for advanced customization of everyday apps.
The question organizations need to ask is “How far do we want to go?” Is the app catalog intended to be just enterprise apps, while the user is free to do what they want everywhere else? Is the company building an app catalog that looks like the iTunes App Store, filled with social media and streaming applications, just to be able to rein in cellular data usage? It can be tricky: upper management may not be comfortable having Facebook in the professional app catalog, but they may like that a lot more than the annual cost of data overages.
Always Moving Forward.
It doesn’t take a psychic to predict that if/when Apple deprecates features in an iOS release, there will be MDM admins scrambling to get word to their employees begging them not to hit that update button. Guess what? Long run, there isn’t much that can be done.
It’s better to future-proof organizations today, rather than trying to play catch-up tomorrow. The latest-and-greatest is always going to be tied to new versions of iOS, and 9 out of 10 MDM-related issues can be solved by upgrading. Apple has given admins the power to deploy, provision, secure, and populate devices with all (and only) the applications that they choose, with a bare minimum of user interaction (sometimes it’s simply turning on the device, connecting to Wi-Fi, and tapping the screen a few times). To do this, 9.3 is a must, and when 10 comes out, there will be must-have features there as well.
It’s Their World, We Just Enforce Compliance In It.
The dependence on mobile devices in the workforce is not going anywhere. When it comes to the demand for device management, iOS is the king of the hill right now. Apple is making changes to existing programs to give unprecedented (for Apple) control to MDM, while at the same time taking away a large amount of control over devices not in those programs, and letting users know that they are being managed.
They show no signs of slowing down on either front, so the organizations of the future need to be prepared. Many have gotten by with simply folding their arms and mumbling under their breath about the lack of control, but for the admins that are running these programs, that lack of control represents a loss of time, money, and tangible assets. Would DEP management be worth it so that users are not eating away at data watching Netflix on the beach, ignoring the compliance alerts because they are on vacation? Would a single Mac OS X machine for Apple Configurator be worth the money admins are being paid to stand in line, waiting to get a device unlocked, or even losing the asset entirely?
I hope this article raises some of those questions, and please leave feedback about how your organizations are utilizing these programs to balance the personal, and the professional.