ios business
TRANSCRIPT
8/2/2019 iOS Business
iPhone and iPad in Business
Deployment Scenarios
October 2011
Learn how iPhone and iPad integrate seamlessly into enterprise environments with
these deployment scenarios.
Microsoft Exchange ActiveSync
Standards-Based Services
Virtual Private Networks
Wi-Fi
Digital Certificates
Security Overview
Mobile Device Management
Deploying iPhone and iPad: Exchange ActiveSync

iPhone and iPad can communicate directly with your Microsoft Exchange Server via Microsoft Exchange ActiveSync (EAS), enabling push email, calendar, contacts, and tasks. Exchange ActiveSync also provides users with access to the Global Address List (GAL), and provides administrators with passcode policy enforcement and remote wipe capabilities. iOS supports both basic and certificate-based authentication for Exchange ActiveSync. If your company currently enables Exchange ActiveSync, you have the necessary services in place to support iPhone and iPad; no additional configuration is required. If you have Exchange Server 2003, 2007, or 2010 but your company is new to Exchange ActiveSync, review the following steps.
Exchange ActiveSync Setup

Network configuration overview

Check to ensure port 443 is open on the firewall. If your company allows Outlook Web Access, port 443 is most likely already open.

On the Front-End Server, verify that a server certificate is installed and enable SSL for the Exchange ActiveSync virtual directory in IIS.

If you're using a Microsoft Internet Security and Acceleration (ISA) Server, verify that a server certificate is installed and update the public DNS to resolve incoming connections.

Make sure the DNS for your network returns a single, externally routable address to the Exchange ActiveSync server for both intranet and Internet clients. This is required so the device can use the same IP address for communicating with the server when both types of connections are active.

If you're using a Microsoft ISA Server, create a web listener as well as an Exchange web client access publishing rule. See Microsoft's documentation for details.

For all firewalls and network appliances, set the Idle Session Timeout to 30 minutes. For information about heartbeat and timeout intervals, refer to the Microsoft Exchange documentation at http://technet.microsoft.com/en-us/library/cc182270.aspx.

Configure mobile features, policies, and device security settings using the Exchange System Manager. For Exchange Server 2007 and 2010, this is done in the Exchange Management Console.

Download and install the Microsoft Exchange ActiveSync Mobile Administration Web Tool, which is necessary to initiate a remote wipe. For Exchange Server 2007 and 2010, remote wipe can also be initiated using Outlook Web Access or the Exchange Management Console.
Supported Exchange ActiveSync security policies

Remote wipe
Enforce password on device
Minimum password length
Maximum failed password attempts (before local wipe)
Require both numbers and letters
Inactivity time in minutes (1 to 60 minutes)

Additional Exchange ActiveSync policies (for Exchange 2007 and 2010 only)

Allow or prohibit simple password
Password expiration
Password history
Policy refresh interval
Minimum number of complex characters in password
Require manual syncing while roaming
Allow camera
Allow web browsing
Basic authentication (username and password)

Enable Exchange ActiveSync for specific users or groups using the Active Directory service. These are enabled by default for all mobile devices at the organizational level in Exchange Server 2003, 2007, and 2010. For Exchange Server 2007 and 2010, see Recipient Configuration in the Exchange Management Console.

By default, Exchange ActiveSync is configured for basic user authentication. It's recommended that you enable SSL for basic authentication to ensure credentials are encrypted during authentication.

Certificate-based authentication

Install enterprise certificate services on a member server or domain controller in your domain (this will be your certificate authority server).

Configure IIS on your Exchange front-end server or Client Access Server to accept certificate-based authentication for the Exchange ActiveSync virtual directory.

To allow or require certificates for all users, turn off Basic authentication and select either Accept client certificates or Require client certificates.

Generate client certificates using your certificate authority server. Export the public key and configure IIS to use this key. Export the private key and use a Configuration Profile to deliver this key to iPhone and iPad. Certificate-based authentication can only be configured using a Configuration Profile.

For more information on certificate services, please refer to resources available from Microsoft.
Other Exchange ActiveSync services

Global Address List lookup
Accept and create calendar invitations
Sync tasks
Flag email messages
Sync Reply and Forward flags with Exchange Server 2010
Mail search on Exchange Server 2007 and 2010
Support for multiple Exchange ActiveSync accounts
Certificate-based authentication
Email push to selected folders
Autodiscover
Exchange ActiveSync Deployment Scenario

This example shows how iPhone and iPad connect to a typical Microsoft Exchange Server 2003, 2007, or 2010 deployment.

[Figure: Exchange ActiveSync deployment diagram. Components: Internet, Proxy Server, Firewall, Exchange Front-End or Client Access Server (port 443), Certificate Server, Active Directory, Private Key (Certificate), Public Key (Certificate), Configuration Profile, Exchange Mailbox or Back-End Server(s), Bridgehead or Hub Transport Server, Mail Gateway or Edge Transport Server*. Numbered steps 1 through 6 correspond to the list below.]

1. iPhone and iPad request access to Exchange ActiveSync services over port 443 (HTTPS). (This is the same port used for Outlook Web Access and other secure web services, so in many deployments this port is already open and configured to allow SSL encrypted HTTPS traffic.)

2. ISA provides access to the Exchange Front-End or Client Access Server. ISA is configured as a proxy, or in many cases a reverse proxy, to route traffic to the Exchange Server.

3. Exchange Server authenticates the incoming user via the Active Directory service and the certificate server (if using certificate-based authentication).

4. If the user provides the proper credentials and has access to Exchange ActiveSync services, the Front-End Server establishes a connection to the appropriate mailbox on the Back-End Server (via the Active Directory Global Catalog).

5. The Exchange ActiveSync connection is established. Updates/changes are pushed over the air, and any changes made on iPhone and iPad are reflected on the Exchange Server.

6. Sent mail items are also synchronized with the Exchange Server via Exchange ActiveSync (step 5). To route outbound email to external recipients, mail is typically sent through a Bridgehead (or Hub Transport) Server to an external Mail Gateway (or Edge Transport Server) via SMTP. Depending on your network configuration, the external Mail Gateway or Edge Transport Server could reside within the perimeter network or outside the firewall.

* Depending on your network configuration, the Mail Gateway or Edge Transport Server may reside within the perimeter network (DMZ).

© 2011 Apple Inc. All rights reserved. Apple, the Apple logo, iPhone, iPad, and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. October 2011 L419822B
Deploying iPhone and iPad: Standards-Based Services

With support for the IMAP mail protocol, LDAP directory services, and CalDAV calendaring and CardDAV contacts protocols, iOS can integrate with just about any standards-based mail, calendar, and contacts environment. And if your network environment is configured to require user authentication and SSL, iPhone and iPad provide a secure approach to accessing standards-based corporate email, calendar, tasks, and contacts.

In a typical deployment, iPhone and iPad establish direct access to IMAP and SMTP mail servers to receive and send email over the air, and can also wirelessly sync notes with IMAP-based servers. iOS devices can connect to your company's LDAPv3 corporate directories, giving users access to corporate contacts in the Mail, Contacts, and Messages applications. Synchronization with your CalDAV server allows users to wirelessly create and accept calendar invitations, receive calendar updates, and sync tasks with the Reminders app. And CardDAV support allows your users to maintain a set of contacts synced with your CardDAV server using the vCard format. All network servers can be located within a DMZ subnetwork, behind a corporate firewall, or both. With SSL, iOS supports 128-bit encryption and X.509 root certificates issued by the major certificate authorities.

Network Setup

Your IT or network administrator will need to complete these key steps to enable access from iPhone and iPad to IMAP, LDAP, CalDAV, and CardDAV services:

Open the appropriate ports on the firewall. Common ports include 993 for IMAP mail, 587 for SMTP mail, 636 for LDAP directory services, 8443 for CalDAV calendaring, and 8843 for CardDAV contacts. It's also recommended that communication between your proxy server and your back-end IMAP, LDAP, CalDAV, and CardDAV servers be set to use SSL and that digital certificates on your network servers be signed by a trusted certificate authority (CA) such as VeriSign. This important step ensures that iPhone and iPad recognize your proxy server as a trusted entity within your corporate infrastructure.

For outbound SMTP email, port 587, 465, or 25 must be opened to allow email to be sent. iOS automatically checks for port 587, then 465, and then 25. Port 587 is the most reliable, secure port because it requires user authentication. Port 25 does not require authentication, and some ISPs block this port by default to prevent spam.

Common ports

IMAP/SSL: 993
SMTP/SSL: 587
LDAP/SSL: 636
CalDAV/SSL: 8443, 443
CardDAV/SSL: 8843, 443

IMAP or POP-enabled mail solutions

iOS supports industry-standard IMAP4- and POP3-enabled mail servers on a range of server platforms, including Windows, UNIX, Linux, and Mac OS X.

CalDAV and CardDAV standards

iOS supports the CalDAV calendaring and CardDAV contacts protocols. Both protocols have been standardized by the IETF. More information can be found through the CalConnect consortium at http://caldav.calconnect.org/ and http://carddav.calconnect.org/.
Deployment Scenario

This example shows how iPhone and iPad connect to a typical IMAP, LDAP, CalDAV, and CardDAV deployment.

[Figure: standards-based services deployment diagram. Components: Internet, Firewall, Reverse Proxy Server, Firewall, Mail Server (993 IMAP, 587 SMTP), LDAP Directory Server (636 LDAP), CalDAV Server (8443 CalDAV), CardDAV Server (8843 CardDAV). Numbered steps 1 through 6 correspond to the list below.]

1. iPhone and iPad request access to network services over the designated ports.

2. Depending on the service, users must authenticate either with the reverse proxy or directly with the server to obtain access to corporate data. In all cases, connections are relayed by the reverse proxy, which functions as a secure gateway, typically behind the company's Internet firewall. Once authenticated, users can access their corporate data on the back-end servers.

3. iPhone and iPad provide lookup services on LDAP directories, giving users the ability to search for contacts and other address book information on the LDAP server.

4. For CalDAV calendars, users can access and update calendars.

5. CardDAV contacts are stored on the server and can also be accessed locally on iPhone and iPad. Changes to fields in CardDAV contacts are synced back to the CardDAV server.

6. For IMAP mail services, existing and new messages can be read on iPhone and iPad through the proxy connection with the mail server. Outgoing mail is sent to the SMTP server, with copies placed in the user's Sent folder.
Deploying iPhone and iPad: Virtual Private Networks

Secure access to private corporate networks is available on iPhone and iPad using established industry-standard virtual private network (VPN) protocols. Users can easily connect to enterprise systems via the built-in VPN client in iOS or through third-party applications from Juniper, Cisco, and F5 Networks.

Out of the box, iOS supports Cisco IPSec, L2TP over IPSec, and PPTP. If your organization supports one of these protocols, no additional network configuration or third-party applications are required to connect iPhone and iPad to your VPN.

Additionally, iOS supports SSL VPN, enabling access to Juniper SA Series, Cisco ASA, and F5 BIG-IP Edge Gateway SSL VPN servers. Users simply download a VPN client application developed by Juniper, Cisco, or F5 from the App Store to get started. Like other VPN protocols supported in iOS, SSL VPN can be configured manually on the device or via Configuration Profile.

iOS supports industry-standard technologies such as IPv6, proxy servers, and split-tunneling, providing a rich VPN experience when connecting to corporate networks. And iOS works with a variety of authentication methods including password, two-factor token, and digital certificates. To streamline the connection in environments where certificate-based authentication is used, iOS features VPN On Demand, which dynamically initiates a VPN session when connecting to specified domains.

Supported Protocols and Authentication Methods

SSL VPN
Supports user authentication by password, two-factor token, and certificates.

Cisco IPSec
Supports user authentication by password, two-factor token, and machine authentication by shared secret and certificates.

L2TP over IPSec
Supports user authentication by MS-CHAPv2 Password, two-factor token, and machine authentication by shared secret.

PPTP
Supports user authentication by MS-CHAPv2 Password and two-factor token.
VPN On Demand

For configurations using certificate-based authentication, iOS supports VPN On Demand. VPN On Demand will establish a connection automatically when accessing predefined domains, providing a seamless VPN connectivity experience for users. This is a feature of iOS that does not require additional server configuration. The configuration of VPN On Demand takes place via a Configuration Profile or can be configured manually on the device.

The VPN On Demand options are:

Always
Initiates a VPN connection for any address that matches the specified domain.

Never
Does not initiate a VPN connection for addresses that match the specified domain, but if VPN is already active, it may be used.

Establish if needed
Initiates a VPN connection for addresses that match the specified domain only after a DNS look-up has failed.
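As an added illustration (not code from the original document), the Python below models the three VPN On Demand domain actions described above and emits the VPN payload fragment that would carry them in a Configuration Profile. The payload type `com.apple.vpn.managed`, the `OnDemandEnabled`/`OnDemandMatchDomains*` keys and the `IPSec` dictionary keys are assumed from the legacy VPN payload in Apple's Configuration Profile Reference; the domain lists, hostnames and identifiers are constructed samples.

```python
import plistlib

# Constructed sample domain lists, one per VPN On Demand action. The key
# names are assumed from the legacy VPN payload of Apple's Configuration
# Profile Reference; this document only names the three actions.
ON_DEMAND_RULES = {
    "OnDemandMatchDomainsAlways": ["intranet.example.com"],   # Always
    "OnDemandMatchDomainsNever": ["public.example.com"],      # Never
    "OnDemandMatchDomainsOnRetry": ["example.com"],           # Establish if needed
}


def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for domain in domains:
        domain = domain.lower().strip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def on_demand_action(rules, host, dns_failed=False, vpn_active=False):
    """Decide what the device does for `host` under the three options.

    Returns one of:
      "connect"      - initiate a VPN connection
      "use-existing" - do not initiate, but the already active VPN may be used
      "direct"       - leave the VPN alone and connect directly
    Lists are checked in the order Always, Never, Establish if needed; the
    document does not define precedence, so that order is an assumption.
    """
    if domain_matches(host, rules.get("OnDemandMatchDomainsAlways", [])):
        return "use-existing" if vpn_active else "connect"
    if domain_matches(host, rules.get("OnDemandMatchDomainsNever", [])):
        return "use-existing" if vpn_active else "direct"
    if domain_matches(host, rules.get("OnDemandMatchDomainsOnRetry", [])):
        # "Establish if needed": connect only after a DNS look-up has failed
        if vpn_active:
            return "use-existing"
        return "connect" if dns_failed else "direct"
    return "use-existing" if vpn_active else "direct"


def vpn_payload(rules, name="Corporate VPN (example)"):
    """Build a Cisco IPSec VPN payload carrying the On Demand domain lists.
    The document ties VPN On Demand to certificate-based authentication, so
    the IPSec dictionary selects the Certificate method; the UUIDs and the
    server address are placeholders."""
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ondemand",           # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",    # placeholder
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "IPSec",
        "OnDemandEnabled": 1,
        "IPSec": {
            "RemoteAddress": "vpn.example.com",                   # placeholder
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": "00000000-0000-0000-0000-0000000000AA",  # placeholder
        },
    }
    payload.update(rules)
    return payload


def vpn_payload_plist(rules):
    """Serialize the payload to the XML plist form a Configuration Profile uses."""
    return plistlib.dumps(vpn_payload(rules))
```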
VPN Setup

iOS integrates with many existing VPN networks, with minimal configuration necessary. The best way to prepare for deployment is to check whether iOS supports your company's existing VPN protocols and authentication methods.

It's recommended that you review the authentication path to your authentication server to make sure standards supported by iOS are enabled within your implementation.

If you plan to use certificate-based authentication, ensure you have your public key infrastructure configured to support device- and user-based certificates with the corresponding key distribution process.

If you want to configure URL-specific proxy settings, place a PAC file on a web server that is accessible with the basic VPN settings and ensure that it is hosted with the application/x-ns-proxy-autoconfig MIME type.

Proxy Setup

For all configurations, you can also specify a VPN proxy. To configure a single proxy for all connections, use the Manual setting and provide the address, port, and authentication if necessary. To provide the device with an auto-proxy configuration file using PAC or WPAD, use the Auto setting. For PAC, specify the URL of the PAC file. For WPAD, iPhone and iPad will query DHCP and DNS for the appropriate settings.
Deployment Scenario

The example depicts a typical deployment with a VPN server/concentrator as well as an authentication server controlling access to enterprise network services.

[Figure: VPN deployment diagram. Components: Public Internet, Firewall, VPN Server/Concentrator, Firewall, Private Network, Proxy Server, VPN Authentication Server (Token Generation or Certificate Authentication), Directory Service; the device presents an Authentication Certificate or Token. Numbered steps 1, 2, 3a/3b, 4, 5 correspond to the list below.]

1. iPhone and iPad request access to network services.

2. The VPN server/concentrator receives the request and then passes it to the authentication server.

3. In a two-factor token environment, the authentication server would then manage a time-synchronized token key generation with the key server. If a certificate authentication method is deployed, an identity certificate needs to be distributed prior to authentication. If a password method is deployed, the authentication process proceeds with user validation.

4. Once a user is authenticated, the authentication server validates user and group policies.

5. After user and group policies are validated, the VPN server provides tunneled and encrypted access to network services.

6. If a proxy server is in use, iPhone and iPad connect through the proxy server for access to information outside the firewall.
Deploying iPhone and iPad: Wi-Fi

Wireless security protocols

WEP
WPA Personal
WPA Enterprise
WPA2 Personal
WPA2 Enterprise

802.1X authentication methods

EAP-TLS
EAP-TTLS
EAP-FAST
EAP-SIM
PEAPv0 (EAP-MS-CHAPv2)
PEAPv1 (EAP-GTC)
LEAP

Out of the box, iPhone and iPad can securely connect to corporate or guest Wi-Fi networks, making it quick and simple to join available wireless networks whether you're on campus or on the road.

iOS supports industry-standard wireless network protocols, including WPA2 Enterprise, ensuring corporate wireless networks can be configured quickly and accessed securely. WPA2 Enterprise uses 128-bit AES encryption, a proven, block-based encryption method, providing users with the highest level of assurance that their data will remain protected.

With support for 802.1X, iOS can be integrated into a broad range of RADIUS authentication environments. 802.1X wireless authentication methods supported on iPhone and iPad include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.

Users can set iPhone and iPad to join available Wi-Fi networks automatically. Wi-Fi networks that require login credentials or other information can be quickly accessed without opening a separate browser session, from Wi-Fi settings or within applications such as Mail. And low-power, persistent Wi-Fi connectivity allows applications to use Wi-Fi networks to deliver push notifications.

For quick setup and deployment, wireless network, security, proxy, and authentication settings can be configured using Configuration Profiles.

WPA2 Enterprise Setup

Verify network appliances for compatibility and select an authentication type (EAP type) supported by iOS.

Check that 802.1X is enabled on the authentication server and, if necessary, install a server certificate and assign network access permissions to users and groups.

Configure wireless access points for 802.1X authentication and enter the corresponding RADIUS server information.

If you plan to use certificate-based authentication, configure your public key infrastructure to support device- and user-based certificates with the corresponding key distribution process.

Verify certificate format and authentication server compatibility. iOS supports PKCS#1 (.cer, .crt, .der) and PKCS#12.

For additional documentation regarding wireless networking standards and Wi-Fi Protected Access (WPA), visit www.wi-fi.org.
WPA2 Enterprise/802.1X Deployment Scenario

This example depicts a typical secure wireless deployment that takes advantage of RADIUS-based authentication.

[Figure: 802.1X deployment diagram. Components: Wireless Access Point with 802.1X Support, Authentication Server with 802.1X Support (RADIUS), Directory Services, Network Services, Firewall; the device authenticates with a Certificate or Password Based on EAP Type. Numbered steps 1 through 4 correspond to the list below.]

1. iPhone and iPad request access to the network. The connection is initiated in response to a user selecting an available wireless network, or is automatically initiated after a previously configured network is detected.

2. After the request is received by the access point, the request is passed to the RADIUS server for authentication.

3. The RADIUS server validates the user account utilizing the directory service.

4. Once the user is authenticated, the access point provides network access with policies and permissions as instructed by the RADIUS server.
Deploying iPhone and iPad: Digital Certificates

iOS supports digital certificates, giving business users secure, streamlined access to corporate services. A digital certificate is composed of a public key, information about the user, and the certificate authority that issued the certificate. Digital certificates are a form of identification that enables streamlined authentication, data integrity, and encryption.

On iPhone and iPad, certificates can be used in a variety of ways. Signing data with a digital certificate helps to ensure that information cannot be altered. Certificates can also be used to guarantee the identity of the author or signer. Additionally, they can be used to encrypt Configuration Profiles and network communications to further protect confidential or private information.

Using Certificates in iOS

Digital certificates

Digital certificates can be used to securely authenticate users to corporate services without the need for usernames, passwords, or soft tokens. In iOS, certificate-based authentication is supported for access to Microsoft Exchange ActiveSync, VPN, and Wi-Fi networks.

[Figure: authentication request from the device to Enterprise Services (Intranet, Email, VPN, Wi-Fi), validated against the Certificate Authority and Directory Service.]

Server certificates

Digital certificates can also be used to validate and encrypt network communications. This provides secure communication to both internal and external websites. The Safari browser can check the validity of an X.509 digital certificate and set up a secure session with up to 256-bit AES encryption. This verifies that the site's identity is legitimate and that communication with the website is protected to help prevent interception of personal or confidential data.

[Figure: HTTPS request from the device to Network Services, validated against the Certificate Authority.]

Supported certificate and identity formats:

iOS supports X.509 certificates with RSA keys.
The file extensions .cer, .crt, .der, .p12, and .pfx are recognized.

Root certificates

Out of the box, iOS includes a number of preinstalled root certificates. To view a list of the preinstalled system roots, see the Apple Support article at http://support.apple.com/kb/HT4415. If you are using a root certificate that is not preinstalled, such as a self-signed root certificate created by your company, you can distribute it using one of the methods listed in the Distributing and Installing Certificates section of this document.
Distributing and Installing Certificates

Distributing certificates to iPhone and iPad is simple. When a certificate is received, users simply tap to review the contents, then tap to add the certificate to their device. When an identity certificate is installed, users are prompted for the passphrase that protects it. If a certificate's authenticity cannot be verified, users will be presented with a warning before it is added to their device.

Installing certificates via Configuration Profiles

If Configuration Profiles are being used to distribute settings for corporate services such as Exchange, VPN, or Wi-Fi, certificates can be added to the profile to streamline deployment.

Installing certificates via Mail or Safari

If a certificate is sent in an email, it will appear as an attachment. Safari can be used to download certificates from a web page. You can host a certificate on a secured website and provide users with the URL where they can download the certificate onto their devices.

Installation via the Simple Certificate Enrollment Protocol (SCEP)

SCEP is designed to provide a simplified process to handle certificate distribution for large-scale deployments. This enables Over-the-Air Enrollment of digital certificates on iPhone and iPad that can then be used for authentication to corporate services, as well as enrollment with a Mobile Device Management server.

For more information on SCEP and Over-the-Air Enrollment, visit www.apple.com/iphone/business/resources.

Certificate removal and revocation

To manually remove a certificate that has been installed, choose Settings > General > Profiles. If you remove a certificate that is required for accessing an account or network, the device will no longer be able to connect to those services.

To remove certificates over the air, a Mobile Device Management server can be used. This server can view all certificates on a device and remove ones it has installed.

Additionally, the Online Certificate Status Protocol (OCSP) is supported to check the status of certificates. When an OCSP-enabled certificate is used, iOS validates it to make sure that it has not been revoked before completing the requested task.
Deploying iPhone and iPad: Security Overview

iOS, the operating system at the core of iPhone and iPad, is built upon layers of security. This enables iPhone and iPad to securely access corporate services and protect important data. iOS provides strong encryption for data in transmission, proven authentication methods for access to corporate services, and hardware encryption for all data at rest. iOS also provides secure protection through the use of passcode policies that can be delivered and enforced over the air. And if the device falls into the wrong hands, users and IT administrators can initiate a remote wipe command to erase private information.

When considering the security of iOS for enterprise use, it's helpful to understand the following:

Device security: Methods that prevent unauthorized use of the device
Data security: Protecting data at rest, even when a device is lost or stolen
Network security: Networking protocols and the encryption of data in transmission
App security: The secure platform foundation of iOS

These capabilities work in concert to provide a secure mobile computing platform.

Device Security

Establishing strong policies for access to iPhone and iPad is critical to protecting corporate information. Device passcodes are the front line of defense against unauthorized access and can be configured and enforced over the air. iOS devices use the unique passcode established by each user to generate a strong encryption key to further protect mail and sensitive application data on the device. Additionally, iOS provides secure methods to configure the device in an enterprise environment, where specific settings, policies, and restrictions must be in place. These methods provide flexible options for establishing a standard level of protection for authorized users.

Passcode policies

A device passcode prevents unauthorized users from accessing data or otherwise gaining access to the device. iOS allows you to select from an extensive set of passcode requirements to meet your security needs, including timeout periods, passcode strength, and how often the passcode must be changed.

The following passcode policies are supported:

Require passcode on device
Allow simple value
Require alphanumeric value
Minimum passcode length
Minimum number of complex characters
Maximum passcode age
Time before auto-lock
Passcode history
Grace period for device lock
Maximum number of failed attempts

Device security

Strong passcodes
Passcode expiration
Passcode reuse history
Maximum failed attempts
Over-the-air passcode enforcement
Progressive passcode timeout
Policy enforcement

The policies described previously can be set on iPhone and iPad in a number of ways. Policies can be distributed as part of a Configuration Profile for users to install. A profile can be defined so that deleting the profile is only possible with an administrative password, or you can define the profile so that it is locked to the device and cannot be removed without completely erasing all of the device contents. Additionally, passcode settings can be configured remotely using Mobile Device Management (MDM) solutions that can push policies directly to the device. This enables policies to be enforced and updated without any action by the user.

Alternatively, if the device is configured to access a Microsoft Exchange account, Exchange ActiveSync policies are pushed to the device over the air. Keep in mind that the available set of policies will vary depending on the version of Exchange (2003, 2007, or 2010). Refer to Exchange ActiveSync and iOS Devices for a breakdown of which policies are supported for your specific configuration.

Secure device configuration

Configuration Profiles are XML files that contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone and iPad to work with your enterprise systems. The ability to establish passcode policies along with device settings in a Configuration Profile ensures that devices within your enterprise are configured correctly and according to security standards set by your organization. And, because Configuration Profiles can be encrypted and locked, the settings cannot be removed, altered, or shared with others.
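As an added example (not from the original document), the Python below builds the passcode-policy payload of such a Configuration Profile from the passcode policies listed earlier, serializes it as the XML plist a .mobileconfig file contains, and audits a profile against the passcode advice in this document (a required passcode stronger than four digits, no simple values, and a failed-attempt limit). The payload type `com.apple.mobiledevice.passwordpolicy` and its key names are assumed from Apple's Configuration Profile Reference; the identifiers and policy values are constructed samples.

```python
import plistlib
import uuid

# Payload type and key names are assumed from Apple's Configuration Profile
# Reference; they are not stated in this document. Identifiers are placeholders.
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def make_passcode_payload(min_length=6, require_alphanumeric=True,
                          allow_simple=False, min_complex=1, max_age_days=90,
                          max_inactivity_min=5, history=5, grace_period_min=0,
                          max_failed=10):
    """One passcode-policy payload; comments map keys to the listed policies."""
    return {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode",            # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy (example)",
        "forcePIN": True,                             # Require passcode on device
        "allowSimple": allow_simple,                  # Allow simple value
        "requireAlphanumeric": require_alphanumeric,  # Require alphanumeric value
        "minLength": min_length,                      # Minimum passcode length
        "minComplexChars": min_complex,               # Minimum number of complex characters
        "maxPINAgeInDays": max_age_days,              # Maximum passcode age
        "maxInactivity": max_inactivity_min,          # Time before auto-lock (minutes)
        "pinHistory": history,                        # Passcode history
        "maxGracePeriod": grace_period_min,           # Grace period for device lock (minutes)
        "maxFailedAttempts": max_failed,              # Maximum number of failed attempts
    }


def make_profile(payloads):
    """Wrap payloads in the top-level Configuration profile dictionary."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.devicepolicy",        # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example device policy",
        "PayloadContent": list(payloads),
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def audit_passcode_policy(mobileconfig_bytes):
    """Return a list of findings; an empty list means the profile meets the
    passcode guidance in this document."""
    profile = plistlib.loads(mobileconfig_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode policy payload present"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("passcode not required (forcePIN is false)")
        if p.get("minLength", 0) <= 4:
            findings.append("minLength %d is not stronger than four digits"
                            % p.get("minLength", 0))
        if p.get("allowSimple", True):
            findings.append("simple passcodes allowed")
        if "maxFailedAttempts" not in p:
            findings.append("no local-wipe limit (maxFailedAttempts missing)")
    return findings
```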
Configuration Profiles can be both signed and encrypted. Signing a Configuration Profile ensures that the settings it enforces cannot be altered in any way. Encrypting a Configuration Profile protects the profile's contents and permits installation only on the device for which it was created. Configuration Profiles are encrypted using CMS (Cryptographic Message Syntax, RFC 3852), supporting 3DES and AES 128.

The first time you distribute an encrypted Configuration Profile, you can install it via USB using the Configuration Utility or wirelessly via Over-the-Air Enrollment. In addition to these methods, subsequent encrypted Configuration Profiles can be delivered via email attachment, hosted on a website accessible to your users, or pushed to the device using MDM solutions.
Device restrictions

Device restrictions determine which features your users can access on the device. Typically, these involve network-enabled applications such as Safari, YouTube, or the iTunes Music Store, but restrictions can also control device functionality such as application installation or use of camera. Restrictions let you configure the device to meet your requirements, while permitting users to utilize the device in ways that are consistent with your business practices. Restrictions can be manually configured on each device, enforced using a Configuration Profile, or established remotely with MDM solutions. Additionally, like passcode policies, camera or web-browsing restrictions can be enforced over the air via Microsoft Exchange Server 2007 and 2010.

In addition to setting restrictions and policies on the device, the iTunes desktop application can be configured and controlled by IT. This includes disabling access to explicit content, defining which network services users can access within iTunes, and determining whether new software updates are available for users to install. For more information, refer to Deploying iTunes for iOS Devices.

Supported configurable policies and restrictions:

Device functionality
Allow installing apps
Allow Siri
Allow use of camera
Allow FaceTime
Allow screen capture
Allow automatic syncing while roaming
Allow voice dialing
Allow In-App Purchase
Require store password for all purchases
Allow multiplayer gaming
Allow adding Game Center friends

Applications
Allow use of YouTube
Allow use of iTunes Store
Allow use of Safari
Set Safari security preferences

iCloud
Allow backup
Allow document sync and key-value sync
Allow Photo Stream

Security and privacy
Allow diagnostic data to be sent to Apple
Allow user to accept untrusted certificates
Force encrypted backups

Content ratings
Allow explicit music and podcasts
Set ratings region
Set allowed content ratings
Data Security
Protecting data stored on iPhone and iPad is important for any environment with sensitive corporate or customer information. In addition to encrypting data in transmission, iPhone and iPad provide hardware encryption for all data stored on the device, and additional encryption of email and application data with enhanced data protection.
If a device is lost or stolen, it's important to deactivate and erase the device. It's also a good idea to have a policy in place that will wipe the device after a defined number of failed passcode attempts, a key deterrent against attempts to gain unauthorized access to the device.
Encryption
iPhone and iPad offer hardware-based encryption. Hardware encryption uses 256-bit AES to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.
Additionally, data backed up in iTunes to a user's computer can be encrypted. This can be enabled by the user, or enforced by using device restriction settings in Configuration Profiles.
iOS supports S/MIME in mail, enabling iPhone and iPad to view and send encrypted email messages. Restrictions can also be used to prevent mail messages from being moved between accounts or messages received in one account being forwarded from another.
Data protection
Building on the hardware encryption capabilities of iPhone and iPad, email messages and attachments stored on the device can be further secured by using data protection features built into iOS. Data protection leverages each user's unique device passcode in concert with the hardware encryption on iPhone and iPad to generate a strong encryption key. This key prevents data from being accessed when the device is locked, ensuring that critical information is secured even if the device is compromised.
To turn on the data protection feature, simply establish a passcode on the device. The effectiveness of data protection is dependent on a strong passcode, so it is important to require and enforce a passcode stronger than four digits when establishing your corporate passcode policies. Users can verify that data protection is enabled on their device by looking at the passcode settings screen. Mobile Device Management solutions are able to query the device for this information as well.
These data protection APIs are also available to developers, and can be used to secure enterprise in-house or commercial application data.
Remote wipe
iOS supports remote wipe. If a device is lost or stolen, the administrator or device owner can issue a remote wipe command that removes all data and deactivates the device. If the device is configured with an Exchange account, the administrator can initiate a remote wipe command using the Exchange Management Console (Exchange Server 2007) or Exchange ActiveSync Mobile Administration Web Tool (Exchange Server 2003 or 2007). Users of Exchange Server 2007 can also initiate remote wipe commands directly using Outlook Web Access. Remote wipe commands can also be initiated by MDM solutions even if Exchange corporate services are not in use.
Progressive passcode timeout
iPhone and iPad can be configured to automatically initiate a wipe after several failed passcode attempts. If a user repeatedly enters the wrong passcode, iOS will be disabled for increasingly longer intervals. After too many unsuccessful attempts, all data and settings on the device will be erased.
Data security
Hardware encryption
Data protection
Remote wipe
Local wipe
Encrypted Configuration Profiles
Encrypted iTunes backups
VPN protocols
Cisco IPSec
L2TP/IPSec
PPTP
SSL VPN
Authentication methods
Password (MSCHAPv2)
RSA SecurID
CRYPTOCard
X.509 digital certificates
Shared secret
802.1X authentication protocols
EAP-TLS
EAP-TTLS
EAP-FAST
EAP-SIM
PEAP v0, v1
LEAP
Supported certificate formats
iOS supports X.509 certificates with RSA keys. The file extensions .cer, .crt, and .der are recognized.
Local wipe
Devices can also be configured to automatically initiate a local wipe after several failed passcode attempts. This protects against brute force attempts to gain access to the device. When a passcode is established, users have the ability to enable local wipe directly within the settings. By default, iOS will automatically wipe the device after 10 failed passcode attempts. As with other passcode policies, the maximum number of failed attempts can be established via a Configuration Profile, set by an MDM server, or enforced over the air via Microsoft Exchange ActiveSync policies.
iCloud
iCloud stores music, photos, apps, calendars, documents, and more, and automatically pushes them to all of a user's devices. iCloud also backs up information, including device settings, app data, and text and MMS messages, daily over Wi-Fi. iCloud secures your content by encrypting it when sent over the Internet, storing it in an encrypted format, and using secure tokens for authentication. Additionally, iCloud features, including Photo Stream, Document Sync, and Backup, can be disabled via a Configuration Profile. For more information on iCloud security and privacy, visit http://support.apple.com/kb/HT4865.
Network Security
Mobile users must be able to access corporate information networks from anywhere in the world, yet it's also important to ensure that users are authorized and that their data is protected during transmission. iOS provides proven technologies to accomplish these security objectives for both Wi-Fi and cellular data network connections.
In addition to your existing infrastructure, each FaceTime session and iMessage conversation is encrypted end to end. iOS creates a unique ID for each user, ensuring communications are encrypted, routed, and connected properly.
VPN
Many enterprise environments have some form of virtual private network (VPN) established. These secure network services are already deployed and typically require minimal setup and configuration to work with iPhone and iPad.
Out of the box, iOS integrates with a broad range of commonly used VPN technologies through support for Cisco IPSec, L2TP, and PPTP. iOS supports SSL VPN through applications from Juniper, Cisco, and F5 Networks. Support for these protocols ensures the highest level of IP-based encryption for transmission of sensitive information.
In addition to enabling secure access to existing VPN environments, iOS offers proven methods for user authentication. Authentication via standard X.509 digital certificates provides users with streamlined access to company resources and a viable alternative to using hardware-based tokens. Additionally, certificate authentication enables iOS to take advantage of VPN On Demand, making the VPN authentication process transparent while still providing strong, credentialed access to network services. For enterprise environments in which a two-factor token is a requirement, iOS integrates with RSA SecurID and CRYPTOCard.
iOS supports network proxy configuration as well as split IP tunneling so that traffic to public or private network domains is relayed according to your specific company policies.
Network security
Built-in Cisco IPSec, L2TP, PPTP VPN
SSL VPN via App Store apps
SSL/TLS with X.509 certificates
WPA/WPA2 Enterprise with 802.1X
Certificate-based authentication
RSA SecurID, CRYPTOCard
SSL/TLS
iOS supports SSLv3 as well as Transport Layer Security (TLS v1.0, 1.1, and 1.2), the next-generation security standard for the Internet. Safari, Calendar, Mail, and other Internet applications automatically start these mechanisms to enable an encrypted communication channel between iOS and corporate services.
WPA/WPA2
iOS supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection. And with support for 802.1X, iPhone and iPad can be integrated into a broad range of RADIUS authentication environments.
App Security
iOS is designed with security at its core. It includes a sandboxed approach to application runtime protection and requires application signing to ensure that applications cannot be tampered with. iOS also has a secure framework that facilitates secure storage of application and network service credentials in an encrypted keychain. For developers, it offers a common crypto architecture that can be used to encrypt application data stores.
Runtime protection
Applications on the device are sandboxed so they cannot access data stored by other applications. In addition, system files, resources, and the kernel are shielded from the user's application space. If an application needs to access data from another application, it can only do so using the APIs and services provided by iOS. Code generation is also prevented.
Mandatory code signing
All iOS applications must be signed. The applications provided with the device are signed by Apple. Third-party applications are signed by the developer using an Apple-issued certificate. This ensures that applications haven't been tampered with or altered. Additionally, runtime checks are made to ensure that an application hasn't become untrusted since it was last used.
The use of custom or in-house applications can be controlled with a provisioning profile. Users must have the provisioning profile installed to execute the application. Provisioning profiles can be installed or revoked over the air using MDM solutions. Administrators can also restrict the use of an application to specific devices.
Secure authentication framework
iOS provides a secure, encrypted keychain for storing digital identities, usernames, and passwords. Keychain data is partitioned so that credentials stored by third-party applications cannot be accessed by applications with a different identity. This provides the mechanism for securing authentication credentials on iPhone and iPad across a range of applications and services within the enterprise.
Common Crypto architecture
Application developers have access to encryption APIs that they can use to further protect their application data. Data can be symmetrically encrypted using proven methods such as AES, RC4, or 3DES. In addition, iPhone and iPad provide hardware acceleration for AES encryption and SHA1 hashing, maximizing application performance.
App security
Runtime protection
Mandatory code signing
Keychain services
Common Crypto APIs
Application data protection
© 2011 Apple Inc. All rights reserved. Apple, the Apple logo, FaceTime, iPad, iPhone, iTunes, and Safari are trademarks of Apple Inc., registered in the U.S. and other countries. iCloud and iTunes Store are service marks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple, Inc. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. October 2011 L422500B
Application data protection
Applications can also take advantage of the built-in hardware encryption on iPhone and iPad to further protect sensitive application data. Developers can designate specific files for data protection, instructing the system to make the contents of the file cryptographically inaccessible to both the application and any potential intruders when the device is locked.
Managed apps
An MDM server can manage third-party apps from the App Store, as well as enterprise in-house applications. Designating an app as managed enables the server to specify whether the app and its data can be removed from the device by the MDM server. Additionally, the server can prevent managed app data from being backed up to iTunes and iCloud. This allows IT to manage apps that may contain sensitive business information with more control than apps downloaded directly by the user.
In order to install a managed app, the MDM server sends an installation command to the device. Managed apps require a user's acceptance before they are installed. For more information about managed apps, view the Mobile Device Management Overview at www.apple.com/business/mdm.
Revolutionary Devices, Security Throughout
iPhone and iPad provide encrypted protection of data in transit, at rest, and when backed up to iCloud or iTunes. Whether a user is accessing corporate email, visiting a private website, or authenticating to the corporate network, iOS provides assurance that only authorized users can access sensitive corporate information. And, with its support for enterprise-grade networking and comprehensive methods to prevent data loss, you can deploy iOS devices with confidence that you are implementing proven mobile device security and data protection.
Deploying iPhone and iPad
Mobile Device Management
iOS supports Mobile Device Management (MDM), giving businesses the ability to manage scaled deployments of iPhone and iPad across their organizations. These MDM capabilities are built upon existing iOS technologies like Configuration Profiles, Over-the-Air Enrollment, and the Apple Push Notification service, and can be integrated with in-house or third-party server solutions. This gives IT departments the ability to securely enroll iPhone and iPad in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed devices.
Managing iPhone and iPad
Management of iOS devices takes place via a connection to a Mobile Device Management server. This server can be built in-house by IT or purchased from a third-party solution provider. The device communicates with the server to see if there are tasks pending and responds with the appropriate actions. These tasks can include updating policies, providing requested device or network information, or removing settings and data.
Most management functions are completed behind the scenes with no user interaction required. For example, if an IT department updates its VPN infrastructure, the MDM server can configure iPhone and iPad with new account information over the air. The next time VPN is used by the employee, the appropriate configuration is already in place, so the employee doesn't need to call the help desk or manually modify settings.
Figure: deployment diagram showing the Third-Party MDM Server, the Firewall, and the Apple Push Notification Service.
MDM and the Apple Push Notification Service
When an MDM server wants to communicate with iPhone or iPad, a silent notification is sent to the device via the Apple Push Notification service, prompting it to check in with the server. The process of notifying the device does not send any proprietary information to or from the Apple Push Notification service. The only task performed by the push notification is to wake the device so it checks in with the MDM server.
All configuration information, settings, and queries are sent directly from the server to the iOS device over an encrypted SSL/TLS connection between the device and the MDM server. iOS handles all MDM requests and actions in the background to limit the impact on the user experience, including battery life, performance, and reliability.
In order for the push notification server to recognize commands from the MDM server, a certificate must first be installed on the server. This certificate must be requested and downloaded from the Apple Push Certificates Portal. Once the Apple Push Notification certificate is uploaded into the MDM server, devices can begin to be enrolled. For more information on requesting an Apple Push Notification certificate for MDM, visit www.apple.com/business/mdm.
Apple Push Notification network setup
When MDM servers and iOS devices are behind a firewall, some network configuration may need to take place in order for the MDM service to function properly. To send notifications from an MDM server to Apple Push Notification service, TCP port 2195 needs to be open. To reach the feedback service, TCP port 2196 will need to be open as well. For devices connecting to the push service over Wi-Fi, TCP port 5223 should be open.
The IP address range for the push service is subject to change; the expectation is that an MDM server will connect by hostname rather than by IP address. The push service uses a load-balancing scheme that yields a different IP address for the same hostname. This hostname is gateway.push.apple.com (and gateway.sandbox.push.apple.com for the development push notification environment). Additionally, the entire 17.0.0.0/8 address block is assigned to Apple, so firewall rules can be established to specify that range.
For more information, consult your MDM vendor or view Developer Technical Note TN2265 in the iOS Developer Library at http://developer.apple.com/library/ios/#technotes/tn2265/_index.html.
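Added example, not Apple's code and not part of TN2265: a small checker that reads a constructed firewall rule set and reports which of the three required APNs flows (TCP 2195 and 2196 from the MDM server, TCP 5223 from devices on Wi-Fi) are not allowed to the whole 17.0.0.0/8 block, and which rules are pinned to a narrower Apple address and will stop working when the load balancer hands out a different IP for the same hostname. The Rule class, the role names mdm-server and device-wifi, and the sample rules are assumptions made for this example.

```python
"""Check an egress rule set against the APNs flows an MDM deployment needs.

Added example, not Apple's code. Rule layout and role names are assumptions;
the ports and the 17.0.0.0/8 block are the ones stated in the text above.
"""
import ipaddress
from dataclasses import dataclass

APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")

# (source role, TCP port, description) of every flow the text requires.
REQUIRED_FLOWS = (
    ("mdm-server", 2195, "MDM server -> APNs gateway (send notifications)"),
    ("mdm-server", 2196, "MDM server -> APNs feedback service"),
    ("device-wifi", 5223, "iOS device on Wi-Fi -> APNs"),
)


@dataclass(frozen=True)
class Rule:
    """One constructed allow/deny rule; 'dst' is a CIDR string or 'any'."""
    src_role: str
    dst: str
    dst_port: int
    proto: str = "tcp"
    action: str = "allow"

    def dst_network(self):
        return ANY if self.dst == "any" else ipaddress.ip_network(self.dst, strict=False)

    def covers_apple_block(self):
        """True when the whole 17.0.0.0/8 range lies inside the destination."""
        return APPLE_BLOCK.subnet_of(self.dst_network())


def missing_flows(rules):
    """Descriptions of required flows that no allow rule fully covers."""
    return [desc for role, port, desc in REQUIRED_FLOWS
            if not any(r.action == "allow" and r.proto == "tcp"
                       and r.src_role == role and r.dst_port == port
                       and r.covers_apple_block() for r in rules)]


def pinned_rules(rules):
    """Allow rules for APNs ports that name only part of Apple's block.

    The gateway hostname resolves to changing addresses behind a load
    balancer, so a rule pinned to one host or a small subnet works today and
    fails silently later; allow the whole block (or resolve the hostname).
    """
    apns_ports = {port for _, port, _ in REQUIRED_FLOWS}
    return [r for r in rules
            if r.action == "allow" and r.dst_port in apns_ports
            and r.dst_network().subnet_of(APPLE_BLOCK)
            and r.dst_network() != APPLE_BLOCK]


# Constructed rule set: one correct rule, one pinned rule, one flow missing.
SAMPLE_RULES = [
    Rule("mdm-server", "17.0.0.0/8", 2195),
    Rule("mdm-server", "17.0.0.1/32", 2196),    # constructed, pinned address
    Rule("device-wifi", "any", 443),            # unrelated to APNs
]

if __name__ == "__main__":
    for desc in missing_flows(SAMPLE_RULES):
        print("missing:", desc)
    for r in pinned_rules(SAMPLE_RULES):
        print("pinned (fragile):", r)
```

Run against SAMPLE_RULES the checker reports the feedback-service flow and the device flow as missing, and flags the /32 rule as pinned; a rule set that allows all three ports to 17.0.0.0/8 passes both checks.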
Enrollment
Once the Mobile Device Management server and network are configured, the first step in managing an iPhone or iPad is to enroll it with an MDM server. This creates a relationship between the device and the server, allowing it to be managed on demand without further user interaction.
This can be done by connecting iPhone or iPad to a computer via USB, but most solutions deliver the enrollment profile wirelessly. Some MDM vendors use an app to kickstart this process, others initiate enrollment by directing users to a web portal. Each method has its benefits, and both are used to trigger the Over-the-Air Enrollment process via Safari.
iOS and SCEP
iOS supports the Simple Certificate Enrollment Protocol (SCEP). SCEP is an Internet draft in the IETF, and is designed to provide a simplified way of handling certificate distribution for large-scale deployments. This enables over-the-air enrollment of identity certificates to iPhone and iPad that can be used for authentication to corporate services.
Enrollment process overview
The process of Over-the-Air Enrollment involves phases that are combined in an automated workflow to provide the most scalable way to securely enroll devices in an enterprise environment. These phases include:
1. User authentication
User authentication ensures that incoming enrollment requests are from authorized users and that the user's device information is captured prior to proceeding with certificate enrollment. Administrators can prompt the user to begin the process of enrollment via a web portal, email, SMS message, or even an app.
2. Certificate enrollment
After the user is authenticated, iOS generates a certificate enrollment request using the Simple Certificate Enrollment Protocol (SCEP). This enrollment request communicates directly to the enterprise Certificate Authority (CA), and enables iPhone and iPad to receive the identity certificate from the CA in response.
3. Device configuration
Once an identity certificate is installed, the device can receive encrypted configuration information over the air. This information can only be installed on the device it is intended for and contains the settings needed to connect to the MDM server.
At the end of the enrollment process, the user will be presented with an installation screen that describes what access rights the MDM server will have on the device. By agreeing to the profile installation, the user's device is automatically enrolled without further interaction.
Once iPhone and iPad are enrolled as managed devices, they can be dynamically configured with settings, queried for information, or remotely wiped by the MDM server.
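The access rights the installation screen describes come from the AccessRights mask in the com.apple.mdm payload of the enrollment profile, so the server side can review that mask against what the deployment actually needs before the profile is published. Added example, not Apple's code: it builds a constructed enrollment profile with plistlib, reads the mask back, decodes it into the rights the user will be asked to accept, and reports rights granted beyond those needed. The bit values are those of Apple's MDM protocol; the server URL, topic, and identifiers are placeholders, and the profile is left unsigned purely to have something to parse.

```python
"""Decode and review the AccessRights an enrollment profile grants an MDM server.

Added example, not Apple's code. The profile is constructed with plistlib;
the AccessRights bit values are those of the com.apple.mdm payload in Apple's
MDM protocol. ServerURL, Topic and identifiers are placeholders.
"""
import plistlib

# Bit -> what the user sees the server may do (MDM protocol values).
ACCESS_RIGHTS = {
    1: "inspect installed Configuration Profiles",
    2: "install and remove Configuration Profiles",
    4: "lock the device and clear the passcode",
    8: "erase the device",
    16: "query device information",
    32: "query network information",
    64: "inspect installed Provisioning Profiles",
    128: "install and remove Provisioning Profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "query security settings",
    2048: "manage settings",
    4096: "manage apps",
}
# Protocol rule: install/remove rights require the matching inspect right.
DEPENDS_ON = {2: 1, 128: 64}

# A "configure and query only" deployment: profiles plus read-only queries.
NEEDED_FOR_CONFIG_ONLY = 1 | 2 | 16 | 32 | 512 | 1024   # == 1587


def constructed_enrollment_profile(access_rights):
    """Return a minimal enrollment profile as plist XML (placeholder values)."""
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.enrollment",         # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",      # placeholder
        "PayloadDisplayName": "Example MDM enrollment",
        "ServerURL": "https://mdm.example.com/mdm",                 # placeholder
        "Topic": "com.apple.mgmt.example",                          # placeholder
        "IdentityCertificateUUID": "00000000-0000-4000-8000-000000000002",
        "AccessRights": access_rights,
        "CheckOutWhenRemoved": True,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",                     # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000000",      # placeholder
        "PayloadDisplayName": "Example MDM",
        "PayloadContent": [mdm_payload],
    }
    return plistlib.dumps(profile)


def mdm_access_rights(profile_xml):
    """Return the AccessRights mask from the profile's com.apple.mdm payload."""
    for payload in plistlib.loads(profile_xml)["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.mdm":
            return int(payload["AccessRights"])
    raise ValueError("no com.apple.mdm payload in profile")


def describe(mask):
    """Human-readable rights, in the order the bits are defined."""
    return [text for bit, text in ACCESS_RIGHTS.items() if mask & bit]


def review(mask, needed):
    """Compare granted rights with the rights a deployment needs.

    Returns (missing, excess, broken) masks: needed but absent, granted but
    not needed, and bits set without the bit they depend on.
    """
    missing = needed & ~mask
    excess = mask & ~needed
    broken = sum(bit for bit, req in DEPENDS_ON.items()
                 if mask & bit and not mask & req)
    return missing, excess, broken


if __name__ == "__main__":
    granted = mdm_access_rights(constructed_enrollment_profile(8191))  # all bits
    missing, excess, broken = review(granted, NEEDED_FOR_CONFIG_ONLY)
    for text in describe(excess):
        print("granted but not needed:", text)
```

With every bit set (8191) the review lists erase, lock, provisioning-profile, app, and settings management as rights the user is asked to accept that a configure-and-query deployment does not use; trimming the mask to NEEDED_FOR_CONFIG_ONLY before publishing the profile is the least-privilege choice.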
Configuration
To configure a device with accounts, policies, and restrictions, the MDM server sends files known as Configuration Profiles to the device that are installed automatically. Configuration Profiles are XML files that contain settings that permit the device to work with your enterprise systems, including account information, passcode policies, restrictions, and other device settings. When combined with the previously discussed process of enrollment, device configuration provides IT with assurance that only trusted users are accessing corporate services, and that their devices are properly configured with established policies.
And because Configuration Profiles can be signed and encrypted, the settings cannot be altered or shared with others.
Supported configurable settings
Accounts
Exchange ActiveSync
IMAP/POP Email
Wi-Fi
VPN
LDAP
CardDAV
CalDAV
Subscribed calendars
Passcode policies
Require passcode on device
Allow simple value
Require alphanumeric value
Minimum passcode length
Minimum number of complex characters
Maximum passcode age
Time before auto-lock
Passcode history
Grace period for device lock
Maximum number of failed attempts
Security and privacy
Allow diagnostic data to be sent to Apple
Allow user to accept untrusted certificates
Force encrypted backups
Other settings
Credentials
Web clips
SCEP settings
APN settings
Device functionality
Allow installing apps
Allow Siri
Allow use of camera
Allow FaceTime
Allow screen capture
Allow automatic syncing while roaming
Allow voice dialing
Allow In-App Purchase
Require store password for all purchases
Allow multiplayer gaming
Allow adding Game Center friends
Applications
Allow use of YouTube
Allow use of iTunes Store
Allow use of Safari
Set Safari security preferences
iCloud
Allow backup
Allow document sync and key-value sync
Allow Photo Stream
Content ratings
Allow explicit music and podcasts
Set ratings region
Set allowed content ratings
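Added example, not Apple's code, that turns the Configuration Profile description and the passcode and security settings listed above into a file: it builds a profile with a passcode policy payload and a restrictions payload using plistlib, then lints a profile against the advice earlier in this document (a passcode stronger than four digits, a local-wipe threshold no higher than the default of 10 attempts, encrypted iTunes backups enforced, no accepting of untrusted certificates). The payload keys are Apple's com.apple.mobiledevice.passwordpolicy and com.apple.applicationaccess keys; identifiers, the two sample policies, and the threshold values are assumptions. The profile is left unsigned here; a real deployment would sign and encrypt it as described above.

```python
"""Build a Configuration Profile with passcode and restriction payloads and
lint it for settings weaker than this document recommends.

Added example, not Apple's code. Payload keys belong to Apple's passcode
policy and restrictions payloads; identifiers and sample values are assumed.
"""
import plistlib

# Weak: the four-digit default the text warns against, no wipe threshold.
WEAK_PASSCODE = {"forcePIN": True, "allowSimple": True,
                 "requireAlphanumeric": False, "minLength": 4}
# Hardened: alphanumeric, longer than four digits, local wipe after 10 tries.
STRONG_PASSCODE = {"forcePIN": True, "allowSimple": False,
                   "requireAlphanumeric": True, "minLength": 8,
                   "minComplexChars": 1, "maxPINAgeInDays": 90,
                   "pinHistory": 4, "maxInactivity": 5,
                   "maxGracePeriod": 0, "maxFailedAttempts": 10}
WEAK_RESTRICTIONS = {"forceEncryptedBackup": False,
                     "allowUntrustedTLSPrompt": True}
STRONG_RESTRICTIONS = {"forceEncryptedBackup": True,
                       "allowUntrustedTLSPrompt": False,
                       "allowDiagnosticSubmission": False,
                       "allowCloudBackup": False}


def _payload(ptype, name, idx, content):
    """Common payload envelope with placeholder identifiers."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.profile.{idx}",        # placeholder
            "PayloadUUID": f"00000000-0000-4000-8000-00000000000{idx}",  # placeholder
            "PayloadDisplayName": name, **content}


def build_profile(passcode, restrictions):
    """Return .mobileconfig XML carrying the two payloads (unsigned)."""
    profile = _payload("Configuration", "Example corporate baseline", 0, {
        "PayloadContent": [
            _payload("com.apple.mobiledevice.passwordpolicy", "Passcode", 1, passcode),
            _payload("com.apple.applicationaccess", "Restrictions", 2, restrictions),
        ]})
    return plistlib.dumps(profile)


def lint_profile(profile_xml):
    """Return findings for settings weaker than the text above recommends."""
    payloads = {p["PayloadType"]: p
                for p in plistlib.loads(profile_xml)["PayloadContent"]}
    pw = payloads.get("com.apple.mobiledevice.passwordpolicy", {})
    rs = payloads.get("com.apple.applicationaccess", {})
    findings = []
    if not pw.get("forcePIN"):
        findings.append("no passcode required: data protection stays off")
    if pw.get("allowSimple", True) or not pw.get("requireAlphanumeric"):
        findings.append("simple or numeric-only passcodes allowed")
    if pw.get("minLength", 0) <= 4:
        findings.append("passcode not required to be longer than four digits")
    attempts = pw.get("maxFailedAttempts")
    if attempts is None or attempts > 10:
        findings.append("no local-wipe threshold, or above the default of 10 attempts")
    if not rs.get("forceEncryptedBackup"):
        findings.append("iTunes backups not forced to be encrypted")
    if rs.get("allowUntrustedTLSPrompt", True):
        findings.append("users may accept untrusted certificates")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(build_profile(WEAK_PASSCODE, WEAK_RESTRICTIONS)):
        print("weak profile:", finding)
    print("hardened profile:", lint_profile(build_profile(STRONG_PASSCODE, STRONG_RESTRICTIONS)))
```

The weak profile produces five findings; the hardened one produces none. Because restrictions and passcode policy live in separate payloads, the linter keys off PayloadType rather than position, so it also works on profiles that carry additional payloads such as VPN or Wi-Fi settings.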
Querying Devices
In addition to configuration, an MDM server has the ability to query devices for a variety of information. This information can be used to ensure that devices continue to comply with required policies.
Supported queries
Device information
Unique Device Identifier (UDID)
Device name
iOS and build version
Model name and number
Serial number
Capacity and space available
IMEI
Modem firmware
Battery level
Network information
ICCID
Bluetooth and Wi-Fi MAC addresses
Current carrier network
Subscriber carrier network
Carrier settings version
Phone number
Data roaming setting (on/off)
Compliance and security information
Configuration Profiles installed
Certificates installed with expiry dates
List all restrictions enforced
Hardware encryption capability
Passcode present
Applications
Applications installed (app ID, name, version, size, and app data size)
Provisioning Profiles installed with expiry dates
Management
With Mobile Device Management, there are a number of functions an MDM server can perform on iOS devices. These tasks include installing and removing Configuration and Provisioning Profiles, managing apps, ending the MDM relationship, and remotely wiping a device.
Managed settings
During the initial process of configuring a device, an MDM server pushes Configuration Profiles to iPhone and iPad that are installed behind the scenes. Over time, the settings and policies put in place at the time of enrollment may need to be updated or changed. To make these changes, an MDM server can install new Configuration Profiles and modify or remove existing profiles at any time. Additionally, context-specific configurations may need to be installed on iOS devices, depending on a user's location or role in the organization. As an example, if a user is traveling internationally, an MDM server can require that mail accounts sync manually instead of automatically. An MDM server can even remotely disable voice or data services in order to prevent a user from incurring roaming fees from a wireless provider.
Managed apps
An MDM server can manage third-party apps from the App Store, as well as enterprise in-house applications. The server can remove managed apps and their associated data on demand or specify whether the apps are removed when the MDM profile is removed. Additionally, the MDM server can prevent managed app data from being backed up to iTunes and iCloud.
To install a managed app, the MDM server sends an installation command to the user's device. Managed apps require a user's acceptance before they are installed. When an MDM server requests the installation of a managed app from the App Store, the app will be redeemed with the iTunes account that is used at the time the app is installed. Paid apps will require the MDM server to send a Volume Purchasing Program (VPP) redemption code. For more information on VPP, visit www.apple.com/business/vpp/. Apps from the App Store cannot be installed on a user's device if the App Store has been disabled.
Removing or wiping devices
If a device is found to be out of policy, lost, or stolen, or if an employee leaves the company, an MDM server can take action to protect corporate information in a number of ways.
An IT administrator can end the MDM relationship with a device by removing the Configuration Profile that contains the MDM server information. In doing so, all the accounts, settings, and apps it was responsible for installing are removed. Alternatively, IT can keep the MDM Configuration Profile in place and use MDM only to remove the specific Configuration Profiles, Provisioning Profiles, and managed apps they want to delete. This approach keeps the device managed by MDM and eliminates the need to re-enroll once it is back within policy.
Both methods give IT the ability to ensure information is only available to compliant users and devices, and ensure corporate data is removed without interfering with a user's personal data such as music, photos, or personal apps.
To permanently delete all media and data on the device and restore it to factory settings, MDM can remotely wipe iPhone and iPad. If a user is still looking for the device, IT can also choose to send a remote lock command to the device. This locks the screen and requires the user's passcode to unlock it.
If a user has simply forgotten the passcode, an MDM server can remove it from the device and prompt the user to create a new one within 60 minutes.
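The compliance queries listed under Querying Devices and the remove, lock, wipe, and clear-passcode options described in this section combine into one server-side decision. Added example, not Apple's or any MDM vendor's code: it evaluates a constructed device record against a baseline and picks the least destructive command for a given situation, only escalating to erase when the device is lost or stolen. Key names such as SecurityInfo, PasscodePresent, PasscodeCompliant, HardwareEncryptionCaps, ProfileList, CertificateList, and InstalledApplicationList follow the MDM protocol's query names; NotAfter and Managed are assumed normalisations done by the server when it stores the replies; the command strings EraseDevice, DeviceLock, ClearPasscode, InstallProfile, RemoveProfile, and RemoveApplication are the protocol's RequestType names. All identifiers, dates, and thresholds are placeholders.

```python
"""Evaluate a managed device's query results and plan the least destructive
MDM response.

Added example, not Apple's or an MDM vendor's code. The device record is a
constructed dict assumed to be the server's normalised copy of the replies;
command names are MDM protocol RequestType values; identifiers, dates and
thresholds are placeholders.
"""
from datetime import date

BASELINE_PROFILE = "com.example.corp.baseline"       # placeholder identifier
MDM_PROFILE = "com.example.corp.mdm-enrollment"       # placeholder identifier
DENIED_APPS = {"com.example.unapproved-sync"}         # placeholder bundle id
CERT_RENEW_WINDOW_DAYS = 30                           # assumed policy
FILE_LEVEL_ENCRYPTION = 3   # HardwareEncryptionCaps: 1 block level + 2 file level
TODAY = date(2011, 11, 1)                             # constructed "now"


def evaluate(device, today):
    """Return compliance findings; an empty list means the device is in policy."""
    findings = []
    sec = device["SecurityInfo"]
    if sec.get("HardwareEncryptionCaps", 0) != FILE_LEVEL_ENCRYPTION:
        findings.append("hardware does not offer file-level data protection")
    if not sec.get("PasscodePresent"):
        findings.append("no passcode set, so data protection is not active")
    elif not sec.get("PasscodeCompliant"):
        findings.append("passcode does not meet the installed policy")
    installed = {p["PayloadIdentifier"] for p in device["ProfileList"]}
    if BASELINE_PROFILE not in installed:
        findings.append(f"baseline profile {BASELINE_PROFILE} missing")
    for cert in device["CertificateList"]:
        days = (cert["NotAfter"] - today).days
        if cert["IsIdentity"] and days < CERT_RENEW_WINDOW_DAYS:
            findings.append(f"identity certificate {cert['CommonName']} expires in {days} days")
    for app in device["InstalledApplicationList"]:
        if app["Identifier"] in DENIED_APPS:
            state = "managed" if app.get("Managed") else "unmanaged"
            findings.append(f"denied app {app['Identifier']} installed ({state})")
    return findings


def plan_commands(device, situation, today):
    """Choose MDM commands for a situation, escalating only as far as needed."""
    if situation == "stolen":            # lost or stolen: erase everything
        return ["EraseDevice"]
    if situation == "misplaced":         # user still looking: lock, keep data
        return ["DeviceLock"]
    if situation == "forgot_passcode":   # user gets 60 minutes to set a new one
        return ["ClearPasscode"]
    if situation == "employee_left":     # end the relationship; personal data stays
        return [f"RemoveProfile {MDM_PROFILE}"]
    # Out of policy: repair what the server can while keeping the device enrolled.
    cmds = []
    installed = {p["PayloadIdentifier"] for p in device["ProfileList"]}
    if BASELINE_PROFILE not in installed:
        cmds.append(f"InstallProfile {BASELINE_PROFILE}")
    for app in device["InstalledApplicationList"]:
        # Only managed apps can be removed by the server; an unmanaged copy of
        # a denied app stays a finding for IT to follow up with the user.
        if app["Identifier"] in DENIED_APPS and app.get("Managed"):
            cmds.append(f"RemoveApplication {app['Identifier']}")
    return cmds


# Constructed device record: no passcode, baseline gone, certificate expiring soon.
SAMPLE_DEVICE = {
    "SecurityInfo": {"HardwareEncryptionCaps": 3, "PasscodePresent": False},
    "ProfileList": [{"PayloadIdentifier": MDM_PROFILE}],
    "CertificateList": [{"CommonName": "device-0001", "IsIdentity": True,
                         "NotAfter": date(2011, 11, 15)}],
    "InstalledApplicationList": [
        {"Identifier": "com.example.unapproved-sync", "Managed": True},
        {"Identifier": "com.example.expense", "Managed": True},
    ],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_DEVICE, TODAY):
        print("finding:", f)
    print("commands:", plan_commands(SAMPLE_DEVICE, "out_of_policy", TODAY))
```

For SAMPLE_DEVICE the evaluation yields four findings, and the out-of-policy plan reinstalls the baseline profile and removes the denied managed app; the missing passcode and the expiring identity certificate are left as findings because neither is something a command can fix without the user (re-enrollment renews the certificate, and the passcode policy in the baseline profile will make the device prompt for one).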
Supported management commands
Managed settings
Install Configuration Profile
Remove Configuration Profile
Data roaming
Voice roaming (not available on all carriers)
Managed apps
Install managed app
Remove managed app
List all managed apps
Install Provisioning Profile
Remove Provisioning Profile
Security commands
Remote wipe
Remote lock
Clear passcode
Figure: MDM deployment diagram showing the Third-Party MDM Server, the Firewall, and the Apple Push Notification Service, with numbered steps 1 to 5 described in the Process Overview below.
Process Overview
This example depicts a basic deployment of a Mobile Device Management server.
1. A Configuration Profile containing Mobile Device Management server information is sent to the device. The user is presented with information about what will be managed and/or queried by the server.
2. The user installs the profile to opt in to the device being managed.
3. Device enrollment takes place as the profile is installed. The server validates the device and allows access.
4. The server sends a push notification prompting the device to check in for tasks or queries.
5. The device connects directly to the server over HTTPS. The server sends commands or requests information.
For more information on Mobile Device Management, visit www.apple.com/business/mdm.