Although Apple has incrementally improved business and enterprise functions with every iOS release, three releases were particularly significant for business users and the IT professionals who support them: iOS 2 (called iPhone OS 2 at the time), which introduced support for Exchange ActiveSync and configuration profiles; iOS 4, which introduced Apple's mobile management and app encryption APIs and helped launch the MDM/EMM industry; and last year's iOS 7, which ratcheted up enterprise security and management capabilities.
iOS 8 isn't as paradigm shifting as those releases. Most new features are aimed more at consumers than business users or enterprise IT. HealthKit, HomeKit, Handoff and other Continuity features that link iOS devices and Macs, and even the upcoming Apple Pay, are decidedly consumer-oriented.
But that doesn't mean IT departments can easily write off iOS 8 as a welcome, but unimportant update.
Apple's new mobile OS presents several challenges (and opportunities) to IT shops as well as enterprise app developers. Here's what IT departments should keep in mind as Apple launches iOS 8 later today and rolls out the iPhone 6 and 6 Plus on Friday.
Privacy and data protections
One of the challenges for IT involves many of those new consumer-focused features. With the introduction of HealthKit, HomeKit and Apple Pay, iPhones will become even more personal devices for users. With personal health information, which may include medical information protected by privacy laws; the ability to activate smart devices at home, including opening doors with smart locks; and a burgeoning mobile payment system, IT shops should revisit their mobility and BYOD policies to ensure that those policies spell out what user data must remain private from IT and support staff.
This is something that involves policy issues as well as technical and user education components, especially when it comes to health information. Policy updates should be coordinated with human resources and legal teams to ensure compliance with other employee policies as well as federal, state and local laws.
HR needs to be closely involved if an organization has an employee wellness program that uses mobile apps and/or fitness tracking devices that integrate data with HealthKit or, perhaps more significantly, pull data from HealthKit. The goal is to ensure that policy and technical safeguards are in place and may involve discussions with benefit coordinators, insurers and outside companies. Since employee participation in these programs is now a bargaining chip when it comes to health insurance costs, a third-party company that collects or manages data for a wellness program should be involved.
Managed apps, accounts, domains and ebooks
On a technical level, Apple's pseudo-containerization approach, introduced in iOS 7 and expanded in iOS 8, should serve to separate user-installed HealthKit- and HomeKit-capable apps. This system, often referred to as "managed open-in," creates a distinction between apps a user installs from the App Store and those installed by IT using enterprise mobility management (EMM) solutions or by users through an enterprise app store. Apps installed by EMM or an enterprise app store are designated as managed apps. Even though the user sees no apparent difference, rules can be configured that allow managed apps to only share information with other managed apps; unmanaged apps may be blocked from sharing data for security reasons.
In addition to designating apps as managed, user accounts (like email accounts) can also be designated as managed when created or configured through EMM enrollment. Managed accounts can be prevented from transferring content into unmanaged accounts or apps. With iOS 8 comes the concept of managed domains, in which EMM can be used to designate domains that live under similar restrictions.
iOS 8 also adds managed ebooks, allowing organizations to push out or make available ebooks to their employees — including PDFs and ePUB files — with certain features like note and highlight sync between devices disabled and managed ebooks culled from device backups. That can be useful for certain types of company documents like various policies, procedures or instructions.
Some third-party EMM solutions offer full-featured containerization for apps and content that goes beyond the basic, though generally effective, options Apple offers. Talk to your EMM vendor (or would-be EMM vendor) about such options.
Extensions and data sharing
Until now, one of the nice things about iOS from a data security perspective has been that apps are largely self-contained and don't share a single file system. Apple's limited approach to allowing data transfers between apps has been a challenge for users trying to develop multi-app workflows, but it imposed a level of content management.
iOS 8 changes that significantly. The use of extensions allows apps to inject functionality into other installed apps and even into the OS itself. Third-party keyboards and photo filter extensions have gotten the most attention among users since iOS 8 was unveiled in June. But there are a range of extension types that aid data sharing between apps, across cloud or network storage or provide access to documents or content created by other apps.
Apple's developer site lists seven kinds of iOS 8 extensions, four of which IT departments should focus on as ways data could migrate across a device and third-party services in ways that were either impossible or unwieldy in earlier iOS releases. Those four extension types are:
- Share: Users can share content via social networks and other file and content sharing services.
- Developers create or designate a storage location that can be accessed by other apps, a location that can include cloud or network storage.
- Document Picker: Apps can access and edit documents and content created by other apps. This means that a single document can be edited in one place by multiple apps without having to be copied or imported into each app.
- Custom Actions: Developers create custom action buttons for the iOS 8 Action Sheet that include a variety of tasks like applying a watermark to documents, translating text or creating a wish list. The key feature here is that custom actions might be able to link apps and content to off-device third-party services like Google Translate.
The other three extension types involve custom keyboards, widgets for the Today pane in Notification Center and photo editing.
It's important to note that extensions are essentially apps or parts of apps. That means Apple's managed open-in rules can be applied to them. Doing so, particularly with third-party apps, may have unexpected consequences. IT departments should approach this challenge on two fronts. The first is to discuss options with your EMM vendor to understand how your particular solution will manage extensions; the second is to test a broad range of extensions from the App Store before applying any restrictions to enrolled iOS devices.
You should also provide adequate support in case users encounter unexpected behavior — and have a process in place to verify and respond to such incidents.
Apple has made Touch ID available to developers for authenticating users or authorizing access to data, services or cloud/network resources. This presents both a challenge and an opportunity in enterprise environments.
The challenge is that third-party apps, installed by the user or via an EMM/enterprise app store, can offer Touch ID as an alternative to traditional authentication methods. Depending on your security standards, this may conflict with specified authentication requirements, particularly for managed apps. Disabling Touch ID is supported in Apple's EMM framework, but doing so might stop people from using Touch ID for personally installed apps, and it could even prohibit the use of Apple Pay. (Details on this remain unclear at the moment.)
The other implication of Touch ID is that enterprise app developers are free to use it just as much as consumer app developers. Apple's Touch ID system largely works as a shortcut to passcodes or login credentials, much as it did in iOS 7 for unlocking a device or authorizing an iTunes/App Store purchase. The system is highly secure and generally more convenient, which may make it an attractive option for internal or business-to-business apps. Here's more information on Touch ID and the implications for iOS 8 in the enterprise.
Apple introduced Kerberos-based single sign-on in iOS 7. In iOS 8, it has added support for certificate integration with single sign-on that allows a device to automatically refresh Kerberos credentials, allowing users to continue working with enterprise resources without needing to reauthenticate.
Handoff isn't part of the initial iOS rollout, in part because it's designed to function with Macs running OS X Yosemite, the final version of which won't be out until next month. Handoff is a great user feature, particularly for users who switch frequently between a Mac and iOS devices. It will also be included in the Apple Watch for exchanging tasks with a paired iPhone (and potentially with a Mac as well). This does present some concerns for IT departments, because it could mean sharing tasks — and therefore data — between an iPhone and a personal Mac.
While Apple offers an option to disable Handoff on managed devices, it appears that option will be an all-or-nothing choice.
One useful security option in iOS 8 is Mail's ability to enable S/MIME encryption for individual messages. This is particularly helpful for organizations operating in regulated industries, though many companies may find it attractive as a general security enhancement. The feature is relatively easy to use, but IT departments that implement it will want to ensure that users understand it's there, its advantages and how to use it.
Apple Pay will be less of an issue for techies. It uses the Secure Element in Apple's A8 chip, meaning IT staffers won't have access to any financial data belonging to a user. Beyond that, Apple's approach of not storing actual credit/debit card information on the device — instead, there's a device-specific account number that can be used with the payment service to generate one-time payment tokens or card numbers — provides a high level of user privacy.
Although this limits the technical liability issues associated with Apple Pay on managed devices, it's important that this be spelled out in privacy, mobility and BYOD policies. It is also important that this be clearly conveyed to users of managed devices.
Additional EMM options for iOS devices
In addition to the major changes noted above, Apple added a handful of new EMM commands to iOS 8. As in iOS 6 and 7, these are divided into two categories. The first applies to all iOS devices enrolled in EMM — company-owned and BYOD — and includes the following:
- Allow or prevent Internet search results from being included in Spotlight searches.
- Allow or prevent iCloud sync for managed apps.
- Query device to see which managed ebooks are installed (personal ebooks don't get included in the query results).
- Query device to see when it last backed up using iCloud. (As in previous iOS releases, EMM can block iCloud backup.)
- Query device for iTunes account. This option doesn't provide details about a user's account for privacy reasons, but by comparing hashes, an EMM console can let an administrator know whether an account has been removed/replaced on a managed device. That information can dictate whether a device should be cut off from licensed apps and ebooks. (It'd be wise to follow up with the device owner before revoking them.)
The second set of EMM commands applies to supervised devices. These are devices that have been purchased and configured by an organization using Apple's Device Enrollment Program or Apple Configurator and, therefore, support additional restrictions.
- Allow or prevent access to the Erase all Settings and Content function that effectively restores an iOS device to its factory default state.
- Allow or prevent users from setting up app and device restrictions using the Settings app. (If a device already has restrictions in place with a passcode, an administrator can clear the passcode and then disable restrictions.)
- Set the name of the device.
Additional content filtering capabilities are also available that are primarily of interest to K-12 schools looking to comply with filtering laws in various states or school districts.
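As an added illustration (not code from the article, Apple or any EMM vendor), the following Python script builds a restrictions profile covering the managed open-in, Handoff, Touch ID and iOS 8 EMM controls discussed above, and audits a payload for supervised-only keys before it is pushed to an unsupervised BYOD device. The restriction key names are Apple's com.apple.applicationaccess keys; the supervised/unsupervised split follows the article's two categories, and the organization identifier is a placeholder.

```python
import plistlib
import uuid

# Keys from Apple's com.apple.applicationaccess restrictions payload matching the
# controls discussed above; the supervised split follows the article's two categories.
SUPERVISED_ONLY = {"allowEraseContentAndSettings", "allowEnablingRestrictions"}

def build_restrictions(supervised):
    """Restriction keys to apply; supervised-only keys are omitted for BYOD devices."""
    restrictions = {
        # managed open-in: managed apps and accounts only share with managed ones
        "allowOpenFromManagedToUnmanaged": False,
        "allowOpenFromUnmanagedToManaged": False,
        "allowManagedAppsCloudSync": False,      # iOS 8: no iCloud sync for managed apps
        "allowSpotlightInternetResults": False,  # iOS 8: no Internet results in Spotlight
        "allowActivityContinuation": False,      # iOS 8: Handoff, an all-or-nothing switch
        "allowFingerprintForUnlock": True,       # keep Touch ID on (see the caveat above)
    }
    if supervised:
        restrictions["allowEraseContentAndSettings"] = False  # "Erase All Content and Settings"
        restrictions["allowEnablingRestrictions"] = False     # user-set restrictions in Settings
    return restrictions

def audit_payload(payload, supervised):
    """Keys that will not take effect because they are supervised-only but the
    target device is unsupervised (sorted for stable output)."""
    if supervised:
        return []
    return sorted(k for k in payload if k in SUPERVISED_ONLY)

def build_profile(supervised, org_id="com.example.mdm"):
    """Serialize a .mobileconfig (XML plist) with one restrictions payload.
    org_id is a placeholder organization identifier, not from the article."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": org_id + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "iOS 8 restrictions",
    }
    payload.update(build_restrictions(supervised))
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": org_id + ".profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example iOS 8 restrictions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)
```

Run `audit_payload` against any restrictions payload your EMM console exports before targeting it at a BYOD fleet; an empty result means nothing in it depends on supervision.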
Communicating policies to users
Although there are big policy concerns around these features, simply updating or drafting new policies and employing available technical safeguards is only half the job. iOS users need to understand these policies and they need to understand the technical limitations placed on IT to implement them. This is critical to assuring employee trust in using personal (or even company-provided) devices running iOS 8.
Taking into account all of the changes in iOS 8 does no good unless users are told what they should do, and why. So make sure you know what iOS 8 offers, use those features to protect your data (and users), and make sure you tell device owners what you're doing and why, and what they can do to keep data safe. iOS 8 puts new tools in your hands; use them.