PGH Networks

iOS 7 in the enterprise – a perfect companion to ClearPass

Although Apple iOS 7 was announced yesterday, it officially arrives on Sept. 18 with a fresh new look, improvements to Siri (will she finally give me solid financial advice?), and a host of new apps.

But, what’s really interesting is Apple’s latest effort to make iPhones and iPads even more business friendly.

Prior software releases included basic enterprise functionality like ActiveSyc support and hardware encryption. With iOS 7, Apple takes direct aim at MDM vendors to make mass rollouts of iPhones and iPads easier than ever.

Let’s start with the iOS 7 features that have biggest impact on MDM:

  • Streamlined MDM enrollment – This is really more for corporate-owned devices, where IT can create a binding between the device and the MDM management server. When a new device is activated, it automatically joins and is managed by the correct MDM gateway.
  • VPP app licensing – Allows enterprises to keep their investments in mobile apps instead of just giving them away to employees.
  • Managed open-in – Lets IT control which apps will be permitted to open documents and attachments, keeping company documents only in approved apps.
  • Per-app VPN – A new MDM configuration setting for managed apps that lets IT define specific VPN configurations for each app while limiting access to the VPN from corporate-managed apps only.
  • Enterprise single-sign-on (SSO) – Permits the sharing of Kerberos authentication information between managed apps. The key thing here is that app vendors need to add Kerberos support to their apps for this to work.
  • App encryption – Allows app developers to provide additional security for their apps using the existing iOS passcode lock.
  • Enhancements for Apple TV – Gives IT the ability to take an Apple TV under MDM management, allowing IT to configure 802.1X settings on the device and manage AirPlay destinations for any iOS device.

By the looks of this list, Apple is behind the wheel of an enterprise bulldozer, leveling the MDM playing field for iOS devices. And maybe they’re onto something.

After all, we’ve done a good job of securing data centers and protecting data within the confines of business. Even when data leaves and travels across public or other untrusted networks, SSL and IPsec protect data in transit.

But what about the data that reaches a mobile device? Do we get the same level of protection and data assurance for mobile devices?

Answering these questions requires taking a closer look at enhancements in core MDM security functions. I’m talking about authentication, authorization, data encryption (in transit and at rest), and restrictions for data shared among various mobile apps.

We must also seriously consider extending and enforcing usage policies – like time-of-day, location and motion restrictions – to mobile devices and apps that are online and offline.

Apple now offers some of this natively. Things like SSO, per-app encrypted VPNs and passcode protection are vital first steps. But passcodes aren’t enough when dealing with sensitive data stored on devices. What else does IT need to do to regain control of corporate data?

Think twice about encryption

To ensure stronger data security, use a split keys for data encryption, where half an encryption key resides on the device and the other half is on a corporate server.

When an authorized user authenticates to the server, the two halves of the key are joined and the data is unlocked. This keeps corporate data secure, even when a device is off-net or has been tampered with.

Context matters

Dynamic policy management is needed to control app usage on mobile devices. Certain apps might need to be locked during off-business hours or based on where users and devices are physically located.

You might even want to restrict access to apps due to safety concerns, for example locking apps of courier devices in motion to prevent them from email while driving.

Likewise, the ability to instantly react to a change in device status – such as a jailbreak – and influence network access and app availability complete the security puzzle for BYOD.

Separate work and personal

A few other things are crucial to protecting corporate data. You must containerize it and prevent cutting-and-pasting data between corporate and personal apps. And we’re talking strictly about corporate apps and data – personal stuff stay private to avoid BYOD privacy issues.

Aruba Networks has been helping organizations overcome these challenges. Our approach is fresh and innovative, integrating every critical aspect of BYOD – NAC, MDM and MAM – into a single, integrated platform.

This approach gives IT unprecedented control and a simpler way to rollout BYOD. And it integrates with just about any network out there – even with existing MDM solutions.

The solution, Aruba ClearPass with WorkSpace, keeps IT in control of what’s most important – corporate apps and data. And we do it without taking devices under management.

ClearPass with WorkSpace keeps corporate and personal apps separate to eliminate privacy concerns and provides all the dynamic policy controls and actions needed to safeguard corporate data.

Many of the new iOS 7 features address the BYOD challenges that IT is facing as it tries to maintain visibility and control into devices and apps.

What really matters, though, is iOS 7’s security and dynamic control over corporate data. This makes iOS 7 a great companion to ClearPass with WorkSpace. Now, IT truly has the best security and iOS device controls for tackling BYOD.