SCEP Helps iPhone Earn Enterprise IT’s Trust
by Dan Dearing on 01/10/09 at 5:05 pm
Dan Dearing is the Vice President of Marketing & Product Management for Trust Digital and contributing editor for iPhoneCTO.
The Aberdeen Group recently surveyed businesses and determined that 42% of companies allowed employees to purchase devices from any vendor, compared with 40% of companies providing devices to their users. One year ago, 75% of companies supplied their employees with smartphones. Many analysts are calling this shift, enabled by technology vendors and corporate policy-makers, the “consumerization” of enterprise mobility. And for those business users given the freedom to choose, it seems most pick the iPhone as their device for both work and play.
This consumerization, the shift from corporate-liable to employee-liable devices, is creating challenges for business IT, most notably: how will users connect their iPhones to corporate services, securely and easily, without consuming help desk resources? Another shift that is causing challenges is that many IT shops have a long history of supporting trusted BlackBerry devices that were provided to the user by the BlackBerry administrator, and now they are faced with creating a whole new paradigm for the iPhone.
So how does IT establish a trusted relationship with iPhones purchased by employees directly from Apple or from AT&T? As I mentioned in my last post, Build v Buy? How to Scale iPhone Enterprise Deployments, Apple now provides an Enterprise Deployment Guide that outlines the device “enrollment” process. This multistep process establishes a chain of trust between the user, enterprise IT assets and the iPhone.
The chain of trust outlined in the guide hinges on directory services such as Active Directory that authenticate users via a Profile Service Portal. Enrollment requires a certificate authority (CA) to issue the device credentials using the Simple Certificate Enrollment Protocol (SCEP). SCEP is an Internet draft in the Internet Engineering Task Force (IETF) designed to provide a simplified way of handling certificate distribution for large-scale deployments. iPhone OS 3.0 added support for SCEP, which is key to over-the-air distribution of certificates to the iPhone. These building blocks establish a trusted relationship with the iPhone using the following steps:
1. User Authentication – the Profile Service Portal authenticates user credentials via an LDAP interface to the corporate directory service.
2. Certificate Enrollment – the Profile Service issues a configuration profile containing a challenge password, requiring the iPhone to return that challenge password in a response signed by an Apple-issued certificate. In turn, the Profile Service provides a second configuration profile that contains a challenge password for the CA, the URL of the CA and key generation specifications. The iPhone, using that challenge password, requests a device certificate from the CA.
3. Device Configuration – the iPhone requests a configuration profile from the Profile Service using the device certificate to sign the request. The Profile Service responds with a signed and encrypted configuration profile that securely delivers policies, configurations and credentials to the iPhone.
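As an added example (not code from the post or from Apple's guide), the following Python models the Profile Service's side of step 2: issuing the per-device challenge password for the CA and validating it when the device's SCEP certificate request arrives. The hook by which the CA consults the Profile Service, the 600-second lifetime and the sample identifiers are assumptions for illustration; the point for defenders is that a challenge is bound to the authenticated user and device, expires quickly and is consumed on first use.

```python
import secrets
import time


class ChallengeStore:
    """One-time SCEP challenge passwords issued by the Profile Service.

    A challenge is bound to the user authenticated in step 1 and to the device
    that answered the first profile, expires after `ttl` seconds and is consumed
    on first use (a failed attempt burns it too), so a leaked or replayed
    challenge cannot enroll a second device under that identity.
    """

    def __init__(self, ttl=600, clock=time.time):   # ttl: assumed policy value
        self.ttl = ttl
        self.clock = clock                          # injectable to simulate time
        self._pending = {}                          # challenge -> (user, device, issued_at)

    def issue(self, user, device_id):
        """Generate an unguessable challenge for this user/device pair."""
        challenge = secrets.token_urlsafe(32)
        self._pending[challenge] = (user, device_id, self.clock())
        return challenge

    def redeem(self, challenge, device_id):
        """Check the challenge carried in the SCEP request. Returns the user it
        was issued to (the identity to certify) or None to reject the request."""
        entry = self._pending.pop(challenge, None)  # pop: single use
        if entry is None:
            return None                             # unknown or already used
        user, bound_device, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return None                             # expired
        if not secrets.compare_digest(bound_device, device_id):
            return None                             # presented by another device
        return user


def run_scenario():
    """Constructed walk-through: one good enrollment plus the replay,
    cross-device and expiry cases that must be rejected."""
    now = [1_000_000.0]
    store = ChallengeStore(ttl=600, clock=lambda: now[0])
    c1 = store.issue("alice", "UDID-0001")          # constructed sample identifiers
    c2 = store.issue("bob", "UDID-0002")
    results = {
        "first_use": store.redeem(c1, "UDID-0001"),     # "alice"
        "replay": store.redeem(c1, "UDID-0001"),        # None: already consumed
        "wrong_device": store.redeem(c2, "UDID-0003"),  # None: bound to UDID-0002
    }
    c3 = store.issue("carol", "UDID-0004")
    now[0] += 601                                       # age the challenge past ttl
    results["expired"] = store.redeem(c3, "UDID-0004")  # None
    return results
```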
Once it has completed the enrollment framework described in steps 1-3, which leverages the enterprise’s public key infrastructure and device certificates to simplify the configuration of IT services such as email, Wi-Fi and VPN, the iPhone is established as a trusted device. This is essential to leverage the full potential of the iPhone, viewed by some as the world’s most advanced mobile software platform, to deliver new levels of productivity to employees.