In this article I’ll look at the different ways of enforcing iOS security: the native protections built into iOS, the Mobile Device Management (MDM) capabilities of something you may already have in house, Exchange 2010, and of something you may not, a dedicated MDM service such as Maas360.

I am currently getting ready to go to Cisco Live, Cisco Systems’ big conference every year. Their big push this year is the BYOD movement, where everybody has their own smart phone or tablet but still ties into our networks to get their work done. Our job in IT is moving from a sea of devices we completely control to a sea of devices we have little control over, but which still store and access data from our secured networks.

While you can fairly easily secure the information as it sits on your servers, and with a little effort secure the path that data travels between the server and the device, how do you define, let alone enforce, the protection of that information once it is on a device the company may not even own? There are a great many options out there for helping to secure these devices and the data they contain.

Screen lock passcode

So the good news is that going from no data-level protection to full protection on an iOS device is exceptionally simple, because it all hinges on whether or not you set a screen lock passcode. The storage is always encrypted with a key bound to the hardware, but without a passcode anyone who picks up the device can read everything on it; the passcode is what keeps the per-file keys (what Apple calls Data Protection) wrapped while the device is locked. The bad news is that a passcode isn’t enabled by default and the choice to enable one is not part of the new device setup wizard (as I think it should be).

Enforced Passcode

When a passcode is set, iOS protects the data with AES-256, using device-unique keys that are fused into the processor during manufacturing and cannot be read by software directly; the passcode is mixed into those keys, so a brute-force attempt has to run on the device itself. You can also set the period of inactivity after which you’ll have to enter the passcode again to use the device, and optionally have the device erase itself after ten failed attempts. Setting a passcode is done under the General section of the Settings app. Apple has a pretty in-depth PDF available that outlines many of their available security measures.

iOS app restrictions

You also have the ability to limit which native iOS apps (Safari, Maps, iTunes, etc.) and features (camera, app installation, in-app purchases) are available to users of the device. There is a lot to cover here, but you can see for yourself under Settings > General > Restrictions. Restrictions are protected by their own four-digit PIN, separate from the screen lock passcode, so the user can be kept from simply switching them back on.

iOS app restrictions

Guided Access

Finally, if you are to the point of using iOS for Point of Sale operations or any other application where a user should only ever be in a single app, there is a fairly well hidden setting called Guided Access, introduced in iOS 6. Guided Access, which is found under Settings > General > Accessibility, pins the device to the current app, disables the hardware buttons so the user cannot switch apps or go to the home screen, and lets you mark regions of the screen where touch is ignored. Once it is turned on, you start and stop it with a triple-click of the Home button and a separate passcode.

ActiveSync Mailbox Policies

All of the above are great things, but how do you make sure your users actually use them? If you support a Microsoft Exchange environment this can be exceptionally simple. By enabling ActiveSync Mailbox Policies, as outlined in a previous 4sysops article, you can make it so that e-mail is only delivered to a device once certain security measures, such as a passcode, encryption and a screen lock timeout, are in place. Be aware that iOS honors only a subset of the Exchange ActiveSync policy settings: the passcode rules, the inactivity lock, the wipe after a number of failed attempts, device encryption and a few feature toggles such as camera and browser. An EAS policy can also name applications to block, but iOS does not apply those application lists, so to keep users from moving your data out to cloud-based storage apps you will need an MDM profile rather than an Exchange policy.
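The following is an added example, not part of the original article, of what such a policy looks like from the Exchange 2010 Management Shell: it creates the policy with only settings iOS actually enforces, assigns it to a couple of pilot mailboxes, and then asks Exchange which iOS devices have applied it. The policy name "iOS-BYOD" and the mailbox aliases are assumptions.

```powershell
# Added example (not from the 4sysops article). Run from the Exchange 2010
# Management Shell. Policy name and mailbox aliases are assumptions.

# 1. Create the policy. Every setting here is one iOS enforces.
$policy = @{
    Name                               = "iOS-BYOD"
    DevicePasswordEnabled              = $true          # passcode required
    AllowSimpleDevicePassword          = $false         # rejects 1111, 1234, etc.
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 6
    MaxInactivityTimeDeviceLock        = "00:05:00"     # auto-lock after 5 minutes idle
    MaxDevicePasswordFailedAttempts    = 10             # device erases itself after 10 wrong entries
    DevicePasswordExpiration           = "90.00:00:00"  # rotate every 90 days
    DevicePasswordHistory              = 5
    RequireDeviceEncryption            = $true
    AllowNonProvisionableDevices       = $false         # refuse clients that cannot apply the policy at all
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign it to the pilot users. (To make it the default for everyone
#    without an explicit policy, use Set-ActiveSyncMailboxPolicy -IsDefaultPolicy.)
"jdoe", "asmith" | ForEach-Object {
    Set-CASMailbox -Identity $_ -ActiveSyncMailboxPolicy "iOS-BYOD"
}

# 3. Check what each iOS device actually did with the policy. Anything that
#    is not "AppliedInFull" has not met the requirements and will not sync mail.
Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Where-Object { $_.DeviceType -like "iP*" } |          # iPhone, iPad, iPod
    Select-Object DeviceFriendlyName, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync
```

The enforcement is tied to the mail account: the device is only asked to honor the policy while the Exchange account is configured on it, so a user who deletes the account gets their unprotected device back, along with no company e-mail.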

Mobile Device Management services

While the controls available through Exchange are great, essentially all you are saying is that in order to receive e-mail from this account on your device these measures must be met, and the moment the user removes the account the policy goes with it. In order to take control a step further and be able to enforce and monitor the compliance of these BYOD devices, you’ll need to look at one of the many Mobile Device Management services and applications that are popping up.

These suites and services have your users install an app or enrollment profile (usually linked from an e-mail) on their device, which creates a management connection back to the MDM server. Once a device is enrolled you can create and enforce policies for all kinds of things: encryption, passcodes, allowed or disallowed software, Wi-Fi and VPN settings, and so on. Further, you can inventory installed apps and monitor usage, and many even have a GPS breadcrumb capability that records where the device has been. Apple has a page on their site describing their MDM implementation, and ZDNet has a comparison that I’ve found useful of some of the bigger players in the market.

Both of these management options also give you the ability to perform what is called a remote wipe. If the device is lost or stolen you can go into the management system and command the device to erase itself, removing any data in the process. On iOS this is nearly instant because the device discards the key that encrypts its storage rather than overwriting the flash, which is another reason the passcode and encryption settings matter. The wipe command is only carried out the next time the device checks in, so a device that has been taken offline is not wiped until it reconnects.
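As an added example, not from the original article, this is the Exchange 2010 side of that remote wipe from the Management Shell: pick the one lost device by name instead of wiping every partnership on the mailbox, issue the wipe, and confirm the device acknowledged it. The mailbox alias, the device friendly name and the notification address are assumptions.

```powershell
# Added example (not from the 4sysops article). Run from the Exchange 2010
# Management Shell. Mailbox alias, device name and e-mail address are assumptions.

$user = "jdoe"

# 1. List the user's device partnerships; a mailbox often has more than one
#    (old phone, iPad, a desktop client), so target only the lost device.
Get-ActiveSyncDeviceStatistics -Mailbox $user |
    Select-Object Identity, DeviceType, DeviceModel, DeviceFriendlyName, LastSuccessSync

$lost = Get-ActiveSyncDeviceStatistics -Mailbox $user |
    Where-Object { $_.DeviceFriendlyName -eq "Johns iPhone" }   # assumed name

# 2. Queue the wipe. Exchange delivers it the next time the device syncs,
#    so nothing happens while the device is offline. Helpdesk gets mailed
#    when the device acknowledges.
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "helpdesk@example.com" `
    -Confirm:$false

# 3. Poll the wipe state. DeviceWipeSentTime means Exchange handed the command
#    to the device; DeviceWipeAckTime means the device confirmed the erase.
Get-ActiveSyncDeviceStatistics -Mailbox $user |
    Where-Object { $_.Identity -eq $lost.Identity } |
    Select-Object DeviceFriendlyName, DeviceWipeRequestTime,
                  DeviceWipeSentTime, DeviceWipeAckTime

# 4. Once acknowledged, remove the partnership so the device cannot quietly
#    resume syncing if it turns up again; the user re-enrolls on a new device.
# Remove-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

Until DeviceWipeAckTime is populated the data is still on the device, so the wipe request should be paired with resetting the user’s password: a device that never reconnects cannot be wiped, but it also cannot pull new mail with a revoked credential.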

Conclusions

Securing Apple’s iOS devices for enterprise use is actually quite possible, although it may take a little work, including, at this point, at least a little hands-on time with your users’ devices. There is some potential for Group Policy-like capability with the use of Exchange and MDM services, but it still requires at least some minimal setup on the user’s part to get it going. Hopefully in the future we’ll see something like the Open Mobile Alliance’s device management specifications supported by the Apples and Googles of the world, so that once a user hooks into the system via Exchange or something similar, full MDM capabilities will be possible without an additional app.


© 4sysops 2006 - 2022