Then there's the possibility that someone other than the iPhone's owner/user could issue commands via Siri, since by default it can be accessed even when the iPhone is locked. Almost anyone could pick it up and have some level of access to the device. Physical security of your hardware will be even more important than it already is.
Mobile management to the rescue
Now that we've covered some of the concerns, let's talk about how to address them. There's actually some good news on this front. Since last year's release of iOS 4, Apple has added support for mobile device management (MDM) services that can lock down most iOS features. The field of MDM vendors has broadened significantly over the past year.
For enterprise organizations, there is a wide range of products that can be used to manage iOS devices as well as BlackBerries, Android phones and tablets, and other mobile platforms. Many can be integrated into your existing user and client management tools and services -- some are even available as integrated packages that include client management and mass deployment tools. Virtually all can be integrated with Active Directory or other directory systems. This means that each organization can develop a mobile management strategy that fits its existing infrastructure and needs.
For small businesses, Apple's Lion Server includes a Profile Manager service that offers these capabilities at a low cost of entry. The same settings can even be applied manually to each device using Apple's iPhone Configuration Utility, which, despite its name, supports all iOS devices.
With the release of iOS 5, Apple updated its management service to include support for these new features. You can manage each of the three big trouble areas in the following ways:
iCloud: Disable each of iCloud's three areas of major concern -- wireless backup to Apple's servers, syncing of documents and app data, and pushing photos to a user's Photo Stream -- or manage each setting individually. The one caveat is that they are global in their effect, meaning that you can't specify that some apps can sync to iCloud while others can't. It's all or nothing.
Find My Friends: There is no specific option to disable or manage the Find My Friends app, but there is an easy solution to that: Simply disallow access to the application, a capability offered by all MDM vendors.
Siri: Apple allows you to completely disable Siri on the iPhone 4S via MDM. That's effective from a security perspective, but it also takes away a lot of functionality for the user. It would be better if Apple offered a way to control which apps Siri can interact with. Disabling Siri may not even be necessary in many environments, and even in those where confidentiality is an issue (healthcare and other industries that are subject to privacy regulations come to mind), educating users about potential risks might be a workable solution.
It's also important to note that although MDM only offers the ability to allow or deny access to Siri completely, there is an option on the iPhone 4S to disable access when the phone is locked, though it's easily missed since it isn't located with the rest of the Siri settings. It's located under Settings > General > Passcode Lock instead. While this is good news, the fact that IT cannot enforce its use is disappointing and means that you'll need to rely on users to implement it.
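To check what a given profile actually enforces, the following added example (not from the article or from Apple) parses an unsigned XML configuration profile and reports which of the iCloud and Siri settings discussed above remain allowed. The key names are not given in the article; they are those of Apple's Restrictions payload (`com.apple.applicationaccess`), and the sample profile and its identifier are constructed.

```python
import plistlib

# Restriction keys in the com.apple.applicationaccess payload that map to the
# settings discussed above. An absent key leaves the feature allowed.
RESTRICTIONS = {
    "allowCloudBackup": "iCloud backup",
    "allowCloudDocumentSync": "iCloud document and app data sync",
    "allowPhotoStream": "Photo Stream",
    "allowAssistant": "Siri",
}

# Constructed sample profile: disables iCloud backup and Siri only.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCloudBackup</key><false/>
      <key>allowAssistant</key><false/>
    </dict>
  </array>
</dict>
</plist>"""


def audit_profile(data: bytes) -> dict:
    """Return {feature: 'blocked' | 'allowed'} for an unsigned XML profile."""
    profile = plistlib.loads(data)
    effective = {key: True for key in RESTRICTIONS}  # default: allowed
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in RESTRICTIONS:
            # Assumption: a feature counts as blocked if any payload disables it.
            if payload.get(key) is False:
                effective[key] = False
    return {RESTRICTIONS[k]: "allowed" if v else "blocked" for k, v in effective.items()}


if __name__ == "__main__":
    for feature, state in audit_profile(SAMPLE_PROFILE).items():
        print(f"{feature}: {state}")
```

A profile with no Restrictions payload reports every feature as allowed, which is the case worth flagging before a rollout.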
Things to like in iOS 5
As noted, there are new enterprise features in iOS 5 that represent major improvements and will make the lives of IT administrators and CIOs easier when it comes to supporting the iPhone and iPad.
Activation and initial deployment
First up is wireless activation and setup. This is, of course, a big gain for all iOS users, but it has particular benefits in large organizations where hundreds or thousands of devices may need to be rolled out to users. Previously, setup required activation through iTunes, a minor annoyance to users, but a major hassle for enterprises.
iOS 5 and its SCEP auto-enrollment capabilities drastically simplify the deployment task. The use of MDM software also allows for automatic configuration of devices as they become enrolled for management, something that's good for mass corporate device rollouts as well as bring-your-own-device (BYOD) programs. One nice touch is that you can preset whether the device will send diagnostic data to Apple.