iOS4: Wireless App Distribution Finally Comes to iPhone

by Craik Pyke on 07/07/10 at 5:00 am

Craik Pyke is a telecommunications architect and software developer specializing in mobile applications and a Senior Editor for iPhoneCTO.

The recent introduction of iOS4 has significantly improved the in-house application distribution model and made it much easier for IT administrators to manage in-house iPhones. But all is not perfect in the iOS enterprise management story. Apple has extended the capabilities for iOS to be managed by enterprise IT by strengthening the APIs for managing devices. The benefit of this really shouldn’t be underestimated. It will permit companies such as BoxTone and Good Technologies, which produce mobile management platforms, to more tightly incorporate the iPhone into their existing systems. Given these systems are familiar to IT administrators, it makes the iPhone less of a corner case and more aligned with typical operations procedures.

Of most specific interest to me, I was pleased to see Apple introduce Over-the-Air application distribution with the release of iOS4. With the update, Apple has allowed an enterprise to simply and effectively distribute its applications via existing infrastructure. Enterprise IT administrators are now able to distribute their applications (and distribution profiles) via an XML manifest accessible via a URL. In simpler terms – IT administrators can send a URL to employees which directs them to a secured webpage. Once logged in, the employees are able to install the necessary profiles and the application over-the-air, without ever tethering their device.
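Because the manifest is what tells the device where to fetch the application from, it is worth checking before the link is sent to employees. The following is an added example, not code from the article or from Apple: it parses a constructed manifest using the key names of Apple's OTA manifest format as I know them (`items`, `assets`, `metadata`), and the HTTPS and approved-host rules, host names and bundle identifier are assumptions of this sketch.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample manifest; host names and bundle identifier are placeholders.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>items</key><array><dict>
  <key>assets</key><array>
    <dict><key>kind</key><string>software-package</string>
          <key>url</key><string>http://apps.corp.example/sales.ipa</string></dict>
    <dict><key>kind</key><string>display-image</string>
          <key>url</key><string>https://cdn.other.example/icon.png</string></dict>
  </array>
  <key>metadata</key><dict>
    <key>bundle-identifier</key><string>com.example.sales</string>
    <key>bundle-version</key><string>1.0</string>
    <key>kind</key><string>software</string>
    <key>title</key><string>Sales</string>
  </dict>
</dict></array></dict></plist>"""


def audit_manifest(data, allowed_hosts):
    """Return a list of findings for a distribution manifest (empty list = clean)."""
    findings = []
    manifest = plistlib.loads(data)
    for i, item in enumerate(manifest.get("items", [])):
        meta = item.get("metadata", {})
        for key in ("bundle-identifier", "bundle-version", "kind"):
            if not meta.get(key):
                findings.append(f"item {i}: metadata missing {key}")
        for asset in item.get("assets", []):
            kind = asset.get("kind", "unknown-asset")
            url = urlparse(asset.get("url", ""))
            # Assumed policy: every asset travels over TLS...
            if url.scheme != "https":
                findings.append(f"item {i}: {kind} not served over HTTPS")
            # ...and comes only from hosts the enterprise controls.
            if url.hostname not in allowed_hosts:
                findings.append(f"item {i}: {kind} hosted on unapproved host {url.hostname}")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, {"apps.corp.example"}):
        print(finding)
```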

This being said, I was somewhat disappointed to see that Over-the-Air application distribution still lacks a suitable traceability mechanism. Back in September of last year, I bemoaned what many perceived to be issues in Apple’s “in-enterprise” application distribution model. At the time, I said I believed there were two specific problems with the in-house application distribution mechanism provided by Apple for the iPhone:

  1. There’s no means to enforce/guarantee employees install the application.
  2. There’s no control over where the application goes. Once the application and provisioning profile are [sent] out, they can be installed on any iPhone / iPod Touch. Apple warns in the same user guide “Please ensure to protect the distribution mechanism of this type of application as it can be installed on any Apple device if compromised.”

The introduction of iOS4 does nothing to particularly address either of these points. The first is likely to not be a significant issue. If an employee chooses not to install a corporate application, they do so at the peril of productivity or at least corporate policy. The inability to control application installation though is somewhat more of a security risk. I’m sure in the general case an enterprise application will leverage existing security capabilities (such as VPN support in iOS or secure sign-on to corporate facilities from within the application itself). However, if an application presumes security and permits unfettered access to data then the security risk of the application getting outside the enterprise becomes substantial.

I suspect Apple has made a conscious decision to push the security mitigation to the application developers in this case – either via leveraging existing security measures as previously discussed, or via having the application developer build a “phone home” into the application that reports what device/user is accessing the corporate data. There’s nothing wrong with such a solution; however, it would have been more elegant to build a solution directly into the OS rather than leaving it to developers (and, of course, to administrators to specify the requirements to developers!).
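A “phone home” only mitigates the risk if the server, not the app, makes the access decision and keeps a record of it. The following is an added example of the server side of such a check-in, not code from the article or from any vendor named here: the device identifiers, per-device keys issued at enrollment, user names and message layout are all hypothetical.

```python
import hashlib
import hmac

# Constructed enrollment data; a real deployment would back this with a directory and a database.
ENROLLED = {"device-001": {"user": "alice", "key": b"k1-constructed-secret"},
            "device-002": {"user": "bob", "key": b"k2-constructed-secret"}}
REVOKED_DEVICES = {"device-002"}   # e.g. lost phones or departed employees
APP_USERS = {"alice", "bob"}       # users currently in the group allowed to use the app
MAX_SKEW = 300                     # seconds a check-in stays valid
AUDIT_LOG = []                     # (time, device, user, decision): the traceability record


def sign_checkin(key, device_id, user, ts):
    """What the app computes with the key it received at enrollment (hypothetical layout)."""
    msg = f"{device_id}|{user}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize_checkin(device_id, user, ts, mac, now):
    """Decide whether this device/user may reach corporate data, and log the decision."""
    record = ENROLLED.get(device_id)
    if record is None:
        # A copy of the app installed on a device the enterprise never enrolled.
        decision = "deny: unknown device"
    elif not hmac.compare_digest(
            sign_checkin(record["key"], device_id, user, ts).encode(), mac.encode()):
        decision = "deny: bad signature"
    elif abs(now - ts) > MAX_SKEW:
        decision = "deny: stale check-in"
    elif device_id in REVOKED_DEVICES:
        decision = "deny: device revoked"
    elif record["user"] != user or user not in APP_USERS:
        decision = "deny: user not authorized"
    else:
        decision = "allow"
    AUDIT_LOG.append((now, device_id, user, decision))
    return decision


if __name__ == "__main__":
    t = 1_000_000  # constructed timestamp
    good = sign_checkin(ENROLLED["device-001"]["key"], "device-001", "alice", t)
    print(authorize_checkin("device-001", "alice", t, good, t))
    print(authorize_checkin("device-999", "alice", t, good, t))
```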

Overall, Apple has significantly improved the enterprise management capabilities of iOS. However, so long as ‘corner case’ security risks aren’t sufficiently addressed via iOS capabilities and/or best practice guidelines, we can expect IT administrators and security pundits to continue to push Research In Motion over Apple products as the preferred solution.

  • http://www.apperian.com/ease Cimarron Buser

    Great article, and you point out correctly that the “basic tools” provided by Apple in iOS4 for Wireless App Distribution leave much to the developer to complete.

    In addition to the issues you raised, there are numerous other challenges in the enterprise environment.

    1. Required Updates. You mention the issue of “enforcing” or “guaranteeing” employees install the application. But as important, administrators want to make sure that users install the updates. Unlike the consumer app store, updates may not be “optional” in the enterprise. An update may be required due to database changes, compliance issues, and other reasons. The system must be designed to enforce updates from within the app.

    2. Granular Control over Distribution and Authorization. You point out that it's up to the enterprise to “control” the distribution of apps, and that once they are “in the wild” anyone could install and run the app. The requirement here is to enable granular control: the ability to report, track, and then disable the app (and its access to data) based on a user- or device-level authentication. Another wrinkle is when an authorized user (i.e., a valid employee) is no longer in a “group” with access to the app; there needs to be a kind and gentle way to disable here as well.

    3. User Catalog of Apps. Apple's new tools don't provide any “catalog” showing what apps an employee is either required or allowed to download and run. This type of “catalog” needs to look and feel like the App Store, but be controlled by the administrators and subject to the rules of authentication from the LDAP or Active Directory system.

    There are several approaches to solving these issues, and you mention several device management vendors who are using a “MDM” (device management) approach.

    Apperian is launching “EASE” (“Enterprise App Services Environment”), which provides specific solutions for enterprise developers looking for help in creating, deploying and managing apps. More information is available at the http://www.appearian.com/ease website.

    I am hopeful that more enterprises will develop apps for iPhone and other platforms that will enrich the lives of their employees, and we at Apperian are working with our partners to make this easier.

  • http://twitter.com/jfgrang Jean-François GRANG

    Hi,

    Find a how-to article at: http://www.iphonedsi.fr/deploiement-dapplicatio...

  • http://twitter.com/jfgrang Jean-François GRANG

    Want to know how to deploy?

    Have a look at this article

    http://www.iphonedsi.fr/deploiement-dapplicatio...
