iOS 6 device management: What companies should know

It's a pretty convenient and smart use of location services. But imagine you're on the way to the airport and your iPhone falls out of your pocket as you get out of the cab. Now, imagine that a stranger picks the phone up and because it's at the airport, your boarding pass gets displayed. Without even unlocking the device, that person knows your name, where you're going and potentially other important details like family members you're traveling with or the company you work for. That's enough information for someone to find out more about you  where you live, what you do and so on. It might even be enough information to get your company's helpdesk to unlock your iPhone remotely and thus get access to your iPhone and the personal and business information on it -- a rather chilling possibility for both individuals and IT departments following the Matt Honan hacking incident.

There's an easy safeguard against that scenario that IT departments can put in place: iOS 6 mobile management includes an option to prevent Passbook from displaying data while an iPhone is locked.

Keep personal email off corporate servers

One feature Apple focused on with iOS 6 involves frequently emailed contacts. Like most email clients, including OS X's Mail and Microsoft's Outlook, Mail on an iPhone or iPad can build a list of recent/frequent email contacts. If you regularly correspond with someone, you'll notice that Mail will auto complete his or her address as you begin typing it, even if the person isn't listed in the Contacts app. Microsoft Exchange supports automatically syncing such recent contact data from devices and applications. That means these recent contacts can end up popping up in Outlook (or another application) on your work PC as well.

In iOS 6, Apple makes this recent contacts sync a mobile management option. That means that IT shops can automatically prevent recent contacts on an iPhone or iPad from syncing to the server. That keeps a stricter separation of personal and business use, ratchets up employee privacy a bit, and keeps the number of auto-completing contacts on a work PC more streamlined.

Setting the wallpaper

iOS 6 allows administrators to set both the lock screen and home screen wallpapers for iOS devices. This isn't a particularly critical option from a security perspective, but it can be used to identify devices as belonging to a specific company, grade level, or department. Typically, you'll want to use a corporate logo or similar identifying image. All the typical image formats (GIF, JPG, PNG) are supported and will be scaled and cropped automatically as dictated by the size/type of device.

Automatic unenrollement

Most of the time, when IT departments or businesses manage a mobile device for security or configuration reasons, the goal is to keep the configurations and security options in place indefinitely -- or at least until a user leaves the company. There are times, however, where a specific feature configuration or restriction needs to be in place for a specific period of time. One example is employees at a conference who will need remote access to the corporate network, even though they don't need it day to day. Setting a VPN configuration grants them access, but once they get back, IT might need to revoke that access. A simpler solution is to have that VPN configuration expire and remove itself after the last day of the conference.

Similarly temps, freelancers and other contract workers might need access to a range of corporate resources -- including Wi-Fi. Setting up that access with an expiration date removes the need by IT or human resources to remove those configurations (possibly by wiping their device).

iOS 6 offers this ability for any configuration profile, meaning that all security and management settings -- or specific settings related to temporary needs -- can be removed automatically. When setting configuration profiles to expire, iOS 6 offers IT admins the option of setting a specific expiration date or setting a more general time period, like five days from now or three months from now. The result isn't just an easier workflow, it also bumps up security because it removes the possibility of someone forgetting to remove the profiles manually down the road.

Supervised devices

Beyond basic iOS 6 management capabilities, Apple has added a more stringent set of options that can be configured. This set of options builds on the Supervise functionality of Apple Configurator and the tools that integrate with it. This ability to create supervised or authorized devices delivers a handful of additional security and management possibilities.

I spoke yesterday about the division of capabilities for supervised and non-supervised devices with AirWatch senior engineer Blake Brannon. AirWatch has announced full support for all the iOS mobile management additions as well as integration with Apple Configurator for over-the-air management of supervised devices.

Brannon noted that at companies where BYOD policies are in place, users generally want to be as free as possible when using their devices. In non-BYOD contexts, businesses and schools are often looking to secure shared or corporate-owned devices.

Probably the most restrictive option Apple has ever offered involves "app locking" a device or what's called guided access use. This feature disables the iOS home button and locks the iPhone or iPad into a single app. Brannon noed that this is an ideal solution for iPads used in kiosk or retail settings. After all, if you're running a restaurant, you don't want someone browsing the web on your digital menu. Similarly, an iPad or iPod touch used as a point-of-sale system is ideally used as a cash register -- not for posting Facebook updates.