Secure Corporate iOS Devices The Smart Way

Ben Greiner

No matter how many iOS devices (iPads, iPhones or iPod touches) a company owns, there is only one way to install and update Apps on them. In-house Apps aside, every App must be installed and patched through a free iTunes account, and Apple does not offer shared corporate accounts. This raises the question: how does a company deal with iTunes accounts across several devices?

Let’s say a company buys 100 iPads. The iPads are company-owned and contain, or have access to, confidential data. Many IT departments, when faced with protecting these iPads and the data on them, will want to lock them down:

  • Disable App installation: no Angry Birds
  • Disable camera use: no crazy company party pics on Facebook
  • Disable YouTube: no cat videos
  • Disable iTunes Music Store: no distracting music at work 
  • Disable Safari: no visiting unauthorized web sites

Does this protect company data? Often not entirely: none of these restrictions requires a passcode or enables remote wipe, the controls that actually protect the data when an iPad is lost or stolen. Does it severely cripple the functionality of a “magical and revolutionary” device? Definitely.

In addition, companies may consider using a single iTunes account for all 100 iPads. (If so, it’s best to create the account without a credit card: choose Payment Method “None” during iTunes Account signup, which limits the account to free Apps.) In this scenario a Master iPad is built with the necessary Apps installed and the network and security settings preconfigured (but no email accounts). The remaining 99 iPads are then activated and restored from the Master iPad’s backup, so that all 100 devices are identical and ready to use.

Sharing a single account among several users is possible but not ideal, because it will inevitably require a second account. Preinstalled Apps must be patched with the shared iTunes account, while a personal account is best for downloading paid Apps (reimbursed by the company as necessary). If a credit card is linked to the shared account, beware that even the most exemplary employee will want to buy personal movies, music or games and might forget to switch to their personal iTunes account.

Plus, every time an application patch is released, users will have to enter the password of the account that installed the App. If they ever replace the device, they must enter the security code of the corresponding credit card for verification. Managing multiple accounts gets tiring quickly. It’s best to use a single iTunes account on each device.

One alternative to exposing the shared iTunes account password to users is to require each user to sync exclusively with the computer used to build the Master iPad. This may work for school labs, but it is not practical for many businesses. (I tried this with my family of four using two iPads but have since switched to syncing each iPad separately and with unique iTunes accounts — his and hers.)

Another common issue with multiple devices is the syncing of media (music, videos, audiobooks or other content). If the preconfigured iPads are seeded with media, users cannot sync the devices with their own computers without losing that media. It is technically possible to sync an iOS device with more than one computer, but the process is not intuitive: anyone attempting to sync with a second computer is given the options “Cancel”, “Transfer Purchases” or “Erase and Sync”.

“Transfer Purchases” copies iTunes Store purchases from the device into the computer’s iTunes library, provided the computer is authorized to play them. (No more than five computers may be authorized at a time.) The account username is displayed and the user must enter the corresponding password.

“Erase and Sync” deletes the media on the device and replaces it with media from the computer’s iTunes library. Despite the name, this does not erase everything on the device; a complete erase of all content and settings can only be executed from the device’s Settings app (or remotely with specific tools). Apps are not deleted unless one also chooses to Sync Apps, in which case all existing Apps and App data on the device are replaced with the Apps from the iTunes library, except for Apps that are authorized for use on that computer (just like media). If all of this sounds a bit complicated, it is! But it doesn’t have to be. Patching Apps and backing up the device is a process best managed by individuals with unique iTunes accounts. I’ve heard many companies stop their iOS investigation right here and decide to “wait for Apple to deliver a corporate solution.” Apple has delivered a great solution! It just may not be what everyone expected.

Apple’s solution is to let users manage their own device. Companies can buy iOS devices and maintain the integrity and security of their corporate data (while providing a great end-user experience) if they accept that these devices don’t have to be completely locked down. Treat the device like an employee benefit! Treat it like a company car: would a company issue a car and disable the radio, or require one key to drive it home and another to drive it to work?

A great way to achieve the personal-security balance is with an iOS configuration profile. A profile tells a device what it can and cannot do: which restrictions apply, which accounts and wireless networks are configured, and which security policies (such as a passcode lock) are enforced. Apple allows three options for securing a profile against removal:

  1. Allow the profile to always be removed. This is the right choice for companies that want to allow personal devices access to corporate data (servers, wireless networks and email accounts). Companies can enforce security policies like passcode locks and remote wipe, but because it’s not a company-owned device the user can remove the profile whenever they want. Of course, if they do, the accounts and settings the profile carried are removed with it, and they lose access to corporate data.
  2. Allow the profile to be removed only with a passcode. This is useful in high-security situations where an area must be protected from potentially nefarious guests. Visitors either enter the office without their device (turning it over to security) or install an iOS profile that can only be removed with a passcode, which is provided at the end of the visit. Bear in mind that a visitor can always erase and restore their own device, which removes the profile along with everything else, so this option is a deterrent rather than a hard control.
  3. Can never be removed (outside of wiping the device). Good for company-owned devices: there’s no reason a user should ever need to remove the profile, because it’s not their device.
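
As an added example (not code from the article or from Apple), the script below builds the .mobileconfig plist for each of the three removal options above and for the lock-down list from the start of the article, using only Python’s standard library. The payload types and keys (PayloadRemovalDisallowed, com.apple.profileRemovalPassword, com.apple.applicationaccess with its allow* keys, and forcePIN in com.apple.mobiledevice.passwordpolicy) are Apple’s documented configuration profile keys; the organization name, the reverse-DNS identifier and the removal password are hypothetical placeholders.

```python
"""Build iOS configuration profiles (.mobileconfig) for the three profile
security options: always removable, removable with a password, never removable.
Added example; not the article's own code.  Payload keys follow Apple's
Configuration Profile Reference; organization and identifiers are hypothetical."""
import plistlib
import uuid

ORGANIZATION = "Example Corp"            # hypothetical
BASE_ID = "com.example.ios.corporate"    # hypothetical reverse-DNS identifier

# The "lock it down" list from the article, expressed as
# com.apple.applicationaccess restriction keys.
LOCKDOWN_RESTRICTIONS = {
    "allowAppInstallation": False,   # no Angry Birds
    "allowCamera": False,            # no company party pics
    "allowYouTube": False,           # no cat videos (key deprecated once the YouTube app left iOS)
    "allowiTunes": False,            # no iTunes Music Store
    "allowSafari": False,            # no unauthorized web sites
}


def _payload(payload_type, suffix, display_name, **keys):
    """Envelope every payload dictionary needs, plus the payload-specific keys."""
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{BASE_ID}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    payload.update(keys)
    return payload


def build_profile(removal, restrictions=None, removal_password=None,
                  require_passcode=True):
    """Return a profile dictionary.  `removal` is one of:
       'always'   - the user may remove it at any time (personal devices)
       'password' - removable only with removal_password (visitors)
       'never'    - PayloadRemovalDisallowed; only a wipe removes it (company owned)
    """
    if removal not in ("always", "password", "never"):
        raise ValueError(f"unknown removal policy: {removal!r}")
    content = []
    if require_passcode:
        # A passcode lock is what protects data on a lost device; restrictions alone do not.
        content.append(_payload("com.apple.mobiledevice.passwordpolicy",
                                "passcode", "Passcode", forcePIN=True))
    if restrictions:
        content.append(_payload("com.apple.applicationaccess",
                                "restrictions", "Restrictions", **restrictions))
    if removal == "password":
        if not removal_password:
            raise ValueError("'password' policy requires removal_password")
        content.append(_payload("com.apple.profileRemovalPassword",
                                "removal", "Removal Password",
                                RemovalPassword=removal_password))
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": BASE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ORGANIZATION} iOS Policy",
        "PayloadOrganization": ORGANIZATION,
        "PayloadContent": content,
    }
    if removal == "never":
        profile["PayloadRemovalDisallowed"] = True   # option 3: wipe is the only way out
    return profile


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes that a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def removal_policy(mobileconfig):
    """Inverse check for auditing: read a .mobileconfig and report which of the
    three removal options it actually enforces before it is pushed to devices."""
    p = plistlib.loads(mobileconfig)
    if p.get("PayloadRemovalDisallowed") is True:
        return "never"
    if any(c.get("PayloadType") == "com.apple.profileRemovalPassword"
           for c in p.get("PayloadContent", [])):
        return "password"
    return "always"


if __name__ == "__main__":
    for policy, pw in (("always", None), ("password", "visitor-4821"), ("never", None)):
        blob = to_mobileconfig(build_profile(policy, LOCKDOWN_RESTRICTIONS, pw))
        print(f"{policy:8} -> enforces {removal_policy(blob)!r}, {len(blob)} bytes")
```

Two practical caveats: the removal password sits in clear text inside the profile file, so anyone who obtains the .mobileconfig can read it and the file must be handled like a credential; and a profile marked never-removable should be tested on a spare device first, because the only way back is a full erase. Sign profiles before distribution so the device can show who issued them.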

 

These profile security options, together with Mobile Device Management (MDM) tools for over-the-air deployment and ongoing management of iOS devices, provide a comprehensive solution that satisfies both consumer-driven IT and the need for corporate security. No matter who owns the device, I encourage all companies to secure their data without crippling the device. Employees are happier and more productive if they have a fully functioning iOS device.


4 Comments

Ben Greiner

This article is published in i.Business Magazine as _Cure Corporate iOS Devices The Smart Way._

Buy issue or Subscription at frgt.co/giZlOo. View article on Flickr here.

Ben Greiner

Apple has since released the App Store Volume Purchasing for Business program.

The one downside to this program is that it's often best to push the management of the App (syncing it, backing it up, updating the app) to the end-user (and their own personal iTunes account). Because the app resides with the owner of the iTunes library where the code was redeemed, this means that if the end-user leaves the company they take the app with them.

This is still better than the alternative — trying to manage the app with a company owned iTunes account. Most iOS apps are inexpensive and can be considered a part of what's required to hire an employee and provide them with the tools they need.
