Build v Buy? How to scale enterprise iPhone deployments
by Dan Dearing on 23/08/09 at 8:02 pm
Dan Dearing is the Vice President of Marketing & Product Management for Trust Digital and contributing editor for iPhoneCTO.
Many articles and discussions have covered the use of iPhones in the enterprise, and it’s clear that there is traction. During the most recent analyst call by Apple, chief financial officer Peter Oppenheimer said that iPhone adoption in the enterprise was increasing with some 20 percent of Fortune 100 companies placing orders of 10,000 units or more and some governmental agencies having ordered up to 25,000 units. While Apple has spent a lot of energy creating compelling devices for users, these large-scale deployments may also be creating demand for Apple to provide a scalable way to deploy and support them.
Short of providing their own enterprise console for the iPhone, Apple has developed guidance – an IT blueprint of sorts – for how CIOs can meet their users’ call for the iPhone on a broad scale. In short, Apple does not package an enterprise server; instead they leave it to ambitious IT departments to build it themselves or to third parties to provide a turnkey solution. If you’re of a mind to build an in-house version, visit http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf and peruse Apple’s deployment resources to understand how the blueprint works. In summary:
Apple provides two facilities to create policies for the iPhone.
1. ActiveSync can be used to dynamically set and update iPhone policies. Currently, the iPhone and iPod Touch enforce 12 ActiveSync policies that define how the device password is used and control the use of the device camera. In addition, the ActiveSync protocol supports remote wipe of the device. Other mobile operating systems such as webOS and Symbian support ActiveSync in a similar fashion, so this gives IT a common way to provide basic policy control for a wide variety of devices.
2. Apple differentiates the iPhone from other smartphones by providing a second, richer facility for IT to configure the device en masse. Configuration profiles are XML files that quickly load device configuration (e.g. VPN and WiFi settings) and authorization information. The creation and secure distribution of configuration profiles is core to the new Apple blueprint that serves as a reference model for IT departments supporting the iPhone or iPod Touch.
Once the platform has been selected for setting and updating policies, the blueprint then revolves around three services: Directory, Certificate and Profile. This framework details how iPhone users can enroll and configure their devices over-the-air so they can securely connect to IT-based services and applications.
Directory Services, such as Active Directory, enable authentication of users that request enrollment. The process of enrollment requires a certificate authority (CA) to issue the device credentials using the Simple Certificate Enrollment Protocol (SCEP). SCEP is an Internet draft in the Internet Engineering Task Force (IETF) that is designed to provide a simplified way of handling certificate distribution for large-scale deployments. This enables over-the-air distribution of identity certificates to the iPhone that can be used for authentication to corporate services. Finally, the implementation of the framework requires a Profile Service to manage connectivity to the iPhone, generate configuration Profiles and verify user credentials.
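Because a configuration profile is an XML property list, IT can review what a Profile Service hands out before it reaches devices. The following is an added example, not code from Apple's guide or from Trust Digital: it assumes an unsigned, unencrypted profile, uses a constructed sample with made-up names and values, and the function name `audit_profile` and the 2048-bit key threshold are illustrative choices.

```python
import plistlib

# Constructed sample profile for illustration; all names and values are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>ExampleCorp</string>
      <key>EncryptionType</key><string>WEP</string>
      <key>Password</key><string>constructed-secret</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadContent</key><dict>
        <key>URL</key><string>https://ca.example.com/scep</string>
        <key>Challenge</key><string>constructed-challenge</string>
        <key>Keysize</key><integer>1024</integer>
      </dict>
    </dict>
  </array>
</dict></plist>"""

def audit_profile(data):
    """Return a list of findings for an unsigned XML configuration profile."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.wifi.managed":
            ssid = payload.get("SSID_STR", "?")
            if payload.get("EncryptionType") in ("WEP", "None"):
                findings.append("wifi:%s:weak-encryption" % ssid)
            if "Password" in payload:  # secret readable by anyone holding the file
                findings.append("wifi:%s:embedded-password" % ssid)
        elif ptype == "com.apple.security.scep":
            scep = payload.get("PayloadContent", {})
            if "Challenge" in scep:  # enrollment secret shipped inside the profile
                findings.append("scep:embedded-challenge")
            if scep.get("Keysize", 0) < 2048:  # assumed minimum, adjust to policy
                findings.append("scep:short-key")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Findings such as an embedded Wi-Fi password or SCEP challenge show why the secure distribution of profiles matters: anyone who obtains the file obtains those secrets.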
After the blueprint and framework have been established, wide-scale deployment and management of iPhones can happen.
Conversely, a simpler and more cost-effective approach is to find a third-party vendor – such as Trust Digital – to provide a turnkey solution. Trust Digital’s EMM platform unifies the iPhone’s policy facilities into a single seamless solution that employs ActiveSync for dynamic policy changes and configuration profiles for more static configurations. Trust Digital enhances the blueprint provided by Apple by adding a compliance service which ensures that once configuration profiles are established on the iPhone, they remain persistent.


Mike D. Merrill
Sep 1st, 2009
This is what the enterprise needs to fully adopt and support iPhones. No one can touch the application and browser experience.
Mike D. Merrill
@mikedmerrill