IT will have a love-hate relationship with iOS 7, OS X Mavericks and iCloud
- 14 June, 2013 10:27
Apple certainly showed that it's still in business and isn't going anywhere during this year's keynote address at the Worldwide Developers Conference. In a presentation lasting more than two hours, Apple execs gave developers -- and everyone tuned into the live webcast -- clear signs that the company intends to remain a major player in technology for years to come.
Consumers and business users alike will find things to love about OS X Mavericks and iOS 7. Road warriors will like the amazing battery life -- 12 hours for the 13-in. model -- promised by the newest MacBook Air laptops. And hardcore power users are salivating over the forthcoming -- and completely unconventional, even by Apple standards -- Mac Pro. Even iCloud seems to have several promising prospects on the horizon, as Apple offers to sync all your security credentials and credit card data across devices and joins Google and Microsoft in the cloud productivity market with iWork for iCloud.
For enterprise IT pros, however, the announcements represented more of a mixed bag. Apple barely mentioned enterprise or even business features, though it managed to subtly announce several big features that have been on the IT wish list by including them on some of the keynote slides. In other cases, some of the features Apple highlighted as great for consumers should raise red flags in the minds of CIOs, security specialists and other IT professionals.
What IT will love
Activation Lock -- Activation Lock is a powerful security tool and potential theft deterrent for both consumers and business users. Even though this isn't a specifically enterprise-oriented feature, it will ease many of IT's bring-your-own-device (BYOD) concerns, particularly when paired with complex passcode rules and remote wipe capability. Apple could even extend that capability further by creating an enterprise-enabled version of Lost Mode that would require a user's enterprise credentials in addition to their Apple ID to reactivate a lost or stolen device.
App Store Volume Purchasing -- One of the biggest complaints that businesses and schools have about iOS is the lack of true volume licensing options. The company's current Volume Purchase Program leaves a lot to be desired. Because it's based around the same redemption code system that powers iTunes gift cards, the current system ties a company-purchased app to an employee's iTunes account. When a code is used, the app -- and the license to run it -- are assigned to the employee and can't be reclaimed when he or she leaves the company. It seems likely that Apple, having heard complaints about this process for years, will move towards a more traditional licensing method. Organizations will still need to purchase the licenses in bulk and deploy the apps, but a license model would allow them to revoke the license for an app when a user leaves the organization and re-use it. Whether the process would delete the app completely or simply encourage the user to buy a personal license isn't clear. I'd put money on the latter.
App Configuration Management -- Apple could be aiming at two different areas with this feature. It could be a reference to app management (automatic install, delete on command, blacklist public apps in the App Store), which would be an extension of current mobile device management (MDM) capabilities. Or it could mean allowing IT to actually define settings for managed apps. Apple has allowed management of Mac app settings for several years now. Given that iOS and Mac apps both tend to store settings as property lists (plist files, typically XML), it's conceivable that Apple is planning to extend full pre-configuration to iOS apps as well. If it does, it may follow the Mac strategy of allowing administrators to either pre-set apps once (and then let users change those settings) or permanently enforce the settings in a way that bars any changes.
Streamlined MDM enrollment -- Until now, Apple has generally left MDM enrollment to MDM vendors. Different vendors have taken varied approaches to enrollment, but the most common is a free app that users download from the App Store. On first launch, they're asked to enter their enterprise credentials. Apple could significantly streamline this process by providing a unified enrollment method that includes auto-discovery capabilities. A universal method could allow Apple to simply add an extra step in the iOS setup dialog that asks users whether they want to authenticate to a management server. That could mean entering server information (though Apple might employ some type of auto-discovery of available servers) along with enterprise credentials and opting in to any managed settings assigned to that individual. That would make for a very simple out-of-the-box experience that shouldn't require any real IT intervention. Even if Apple chooses not go this route, it could create a universal management setup app or an option in the Settings app.
Enterprise Single Sign-on -- Single sign-on is a standard part of enterprise computing. When you sit down at your office PC in the morning and enter your Active Directory credentials, you can access a number of applications and corporate resources without re-authenticating. By extending that capability to iOS devices, Apple will definitely streamline user workflows. The extent to which Apple will integrate this feature with MDM or mobile app management (MAM) isn't clear, but it's worth noting that Apple has already implemented variations of single sign-on in iOS -- most notably the ability to configure Facebook and Twitter settings and then access those accounts from virtually any app through a share sheet or the Notification Center. Apple might go so far as to extend this support allowing multiple enterprise accounts, such as for consultants and contractors that could benefit from single sign-on to their company systems or their clients' systems.
Data Protection By Default -- Apple has allowed developers to take advantage of its Data Protection APIs since the release of iOS 4 three years ago. Stepping up app security, Apple will make a Data Protection class the default for all iOS 7 apps. The move will increase overall security, which remains a challenge for many organizations when corporate data is stored in third-party apps selected by employees that may or may not take advantage of Apple's security capabilities. Two caveats are worth keeping in mind: Data Protection keys are derived from the device passcode, so the feature does nothing on a device with no passcode set (one more reason to enforce passcode policy through MDM), and the default class Apple applies to third-party apps only keeps files encrypted until the first unlock after boot; apps that need files to stay encrypted whenever the device is locked must still opt into the stronger class explicitly.
Per-App VPNs -- There are plenty of tasks that require users to connect to a corporate network while they're out of the office. iOS has long offered VPN capabilities and the ability to initiate a connection only when needed. With per-app VPN, only the traffic of designated managed apps is routed through the corporate tunnel, while everything else goes straight to the Internet. That takes some of the load off a corporate VPN server, which is good news for IT, and it's also good news for users since it can mean faster connectivity to Internet or cloud resources that are not behind a corporate firewall. Note that this is a form of split tunneling: traffic from personal and unmanaged apps never touches the corporate network, so IT gets no visibility into it.
Automatic App Updates -- One challenge to the BYOD movement is that IT generally doesn't have the ability to patch every user's device when security threats arise. By adding automatic App Store app updates for iOS and OS X, that concern is largely mitigated for app-level fixes; operating-system updates still depend on the user choosing to install them.
Wi-Fi Hot Spot 2.0 -- This new feature allows an iOS device to more seamlessly and efficiently transfer from one Wi-Fi hotspot to another. While that in itself is a smart move, the bigger advantage is that it will encourage users to rely on Wi-Fi rather than their device's 3G or LTE connection. Given that LTE makes it easier for users to burn through data caps, this subtle functionality could yield real savings on data fees.
Mavericks Server -- The evolution of OS X Server through its Lion and Mountain Lion releases has seemed like a march out of the enterprise and into the small business market. Apple didn't mention Mavericks Server during the WWDC keynote, but it did offer a bit of info on the Mavericks webpage. Apple only highlighted three features. The first is an update to the iOS and Mac management Profile Manager feature -- essentially a low-cost MDM solution, albeit one that only manages Apple devices. The second is broader use of the Caching Server feature introduced in Mountain Lion Server 10.8.2. Caching Server currently lets companies mirror updates from the Mac App Store, which can speed update downloads and reduce load on a company's Internet connection. In Mavericks Server, this capability is being extended to iOS 7 devices -- and it looks like Apple will support hosting apps as well as updates. That will be a powerful addition to any app management system that Apple offers. Finally, there's a new Xcode Server feature that appears to be designed to ease and streamline app development and testing processes in a team environment. If this is an example of Apple's focus for Mavericks Server (likely running on the new Mac Pro), it seems like a toolkit for enterprise app development and deployment.
What IT will hate
The biggest concern from a security or IT management perspective isn't so much a single feature of either iOS 7 or Mavericks. It's iCloud and the deeper iCloud integration in both new OSes. On both its platforms, Apple is leveraging the power of its ecosystem more than ever. That has great potential for users and even for personal data security, but it also makes it even easier for corporate data to walk out the door with employees. While it isn't yet clear whether Apple will offer ways to effectively manage iCloud's risks on iOS devices and Macs, the limited and heavy-handed approach Apple has taken in the past doesn't inspire confidence.
iCloud Keychain -- iCloud Keychain is a great feature for users (and one that existed in iCloud's predecessor, MobileMe). No matter what Apple device you're using, you have access to passwords for websites, cloud services, applications and Wi-Fi networks. If you dig into the Keychain Access utility, however, you'll notice that keychains can also store security certificates and private keys and can hold Kerberos-related items. That's a lot of information focused on secure access -- information that could compromise enterprise security if it were ever stolen or an employee were to leave the company. If iCloud Keychain syncs corporate security items to iCloud and a user's home devices, that data leaves IT's control and becomes an ongoing security risk. Thankfully, that level of risk means that it's likely that Apple will offer the ability to disable or block iCloud Keychain sync, most naturally as a restriction in a configuration profile alongside the existing iCloud restrictions.
iCloud integration with the Mavericks file system -- This isn't really a new issue in OS X Mavericks. As Apple continues to encourage developers to build iCloud support into their apps and to offer iCloud as a default storage location, however, the potential for users to inadvertently place sensitive data in their iCloud data store will make it more difficult for IT to determine whether data has leaked out. Similar issues exist with apps that routinely sync data between iCloud and local storage on a Mac, iPad or iPhone. To date, Apple hasn't provided much specificity when it comes to blocking iCloud storage or sync. The choices are on and off globally on a device rather than on a per-app basis. Given that Apple is dipping its toe into app management, this may be about to change.
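The global on/off switch described above (and the keychain-sync switch the previous item hopes for) lives in the Restrictions payload of a configuration profile, which is what MDM or Profile Manager pushes to a device. The following is an added example, not code from the article or from Apple: it builds an unsigned Restrictions profile with the iCloud sync keys turned off and audits an existing profile for keys that are missing or left permissive. The `allowCloudDocumentSync` and `allowCloudBackup` keys predate iOS 7; the `allowCloudKeychainSync` key name is an assumption for the iOS 7 keychain restriction and should be confirmed against Apple's Configuration Profile Reference before deployment. The organization and identifier values are placeholders.

```python
import plistlib
import sys
import uuid

# Keys in Apple's com.apple.applicationaccess (Restrictions) payload.
# A restriction key that is absent defaults to "allowed", which is why the
# audit treats a missing key the same as one set to true.
# allowCloudKeychainSync is an ASSUMED key name for the iOS 7 keychain
# restriction; verify it against the Configuration Profile Reference.
ICLOUD_RESTRICTIONS = {
    "allowCloudDocumentSync": False,   # Documents & Data sync to iCloud
    "allowCloudBackup": False,         # iCloud device backup
    "allowCloudKeychainSync": False,   # iCloud Keychain (iOS 7, assumed key)
}


def restrictions_profile(org, identifier, restrictions):
    """Return a profile dict (top-level 'Configuration' payload wrapping one
    Restrictions payload). Each payload carries its own identifier and UUID;
    a device replaces a profile with a matching PayloadIdentifier on re-install."""
    inner = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "iCloud restrictions",
    }
    inner.update(restrictions)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "%s iCloud policy" % org,
        "PayloadOrganization": org,
        "PayloadContent": [inner],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist form a .mobileconfig file uses (unsigned)."""
    return plistlib.dumps(profile)


def audit_profile(xml_bytes, required=ICLOUD_RESTRICTIONS):
    """Return the required iCloud restriction keys that no Restrictions payload
    in the profile sets to false (missing keys count as permissive)."""
    profile = plistlib.loads(xml_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return sorted(required)          # no Restrictions payload at all
    findings = []
    for key in sorted(required):
        if not any(p.get(key, True) is False for p in payloads):
            findings.append(key)
    return findings


if __name__ == "__main__":
    # Placeholder organization and identifier; write the profile to stdout.
    profile = restrictions_profile("Example Corp", "com.example.icloud-policy",
                                   ICLOUD_RESTRICTIONS)
    sys.stdout.write(to_mobileconfig(profile).decode("utf-8"))
```

A real deployment would sign the profile (for example with `openssl smime`) so the device shows it as verified, and would pair it with passcode and remote-wipe payloads rather than shipping it alone.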
iOS Notifications in Mavericks -- This is a great feature in a lot of respects and will likely prove particularly helpful for business users that prefer to respond to notifications on their Macs rather than pulling out their iPhones or iPads. The concern, however, is that notifications sent from work-related apps (both third-party and in-house) or by coworkers could contain sensitive information that isn't meant to be seen on anything other than a secure iOS device, such as clinical information about a patient sent to a doctor's iPhone. If that notification popped up on a device being used by another family member, it could constitute a breach of healthcare privacy regulations. The opposite is also true: Sensitive personal information could be displayed on a Mac in the workplace.
iWork for iCloud - iWork for iCloud is Apple's entry into the cloud-based productivity world, where it will take on Google Docs/Apps, Office 365, and other similar services. Although Apple demoed iWork for iCloud on both a Mac and PC, it didn't really address many practical issues, most likely because it's still a ways out from a public beta or primetime use. We don't know what security features will be included, how freely users will be able to share documents, whether there will be enterprise licensing or management options, and how much it will cost. (I wouldn't be surprised if Apple offered the service for free or on a freemium basis.) The concerns here are the same as for consumer-oriented cloud storage options like Dropbox and Google Drive. As users rely on cloud services more, data tends to sprawl outside of an organization with no oversight or auditing. That presents security issues and other challenges. Data becomes siloed in ways that many workers can't access it and there's no easy way to manage version control and ensure that everyone is using the same copy of a given set of files or documents.
Moving past iCloud, there are also a few areas of concern involving iOS 7 and Mavericks.
AirDrop in iOS
AirPlay Displays -- AirPlay displays is a particularly interesting feature. As more schools and offices integrate Apple TVs as solutions in conference rooms and classrooms, AirPlay is becoming a common business capability. That Apple is now extending that ability from simply mirroring a Mac's screen to acting as a fully capable display is great for office collaboration, teaching/training or even just to add an extra display for convenience in a conference room. The problem is that locating and connecting to an Apple TV largely relies on Apple's Bonjour auto-discovery. Bonjour advertises and finds services with link-local multicast DNS, which routers do not forward between subnets, so it generates chatty multicast traffic and is really designed to locate devices on a single subnet like a home network. In an enterprise network with many VLANs, these issues can make it difficult to use and to ensure access to the appropriate devices. Connecting to the wrong device by accident can lead to the exposure of sensitive data to people who shouldn't see it. Thankfully, some enterprise vendors, including Aerohive, Aruba, and Cisco, are beginning to build Bonjour gateway and filtering features into their networking products. That mitigates, though doesn't entirely resolve, these issues. Apple has also taken some steps to enterprise-ify Apple TV security, such as an onscreen code or password for AirPlay, although they're still pretty minimal.
Interactive Lock Screens -- We've all been waiting to see whether Apple would make the iOS lock screen more functional. iOS 7 does that to some extent by allowing access to the revamped Notification Center and the new Control Center. The problem is that both of these provide access to areas of the OS that could contain sensitive data and allow some functionality without unlocking a device. That means a lost or stolen device can become a security concern -- even if it's locked remotely or by the user. A similar issue exists with the OS X Mavericks lock/login screen, because it can display notifications and allow users to interact with them without unlocking a Mac.
Automatic App Updates -- Yes, automatic updates are in both parts of the love-hate list. One of the advantages, particularly on desktop computers, of disallowing automatic updates is that it gives the IT department a chance to download and test software and patches before rolling them out to everyone. The process, which until now Apple has generally endorsed as part of Mac management in business and education, ensures that IT verifies updates as issue-free. A testing or cooling-off period also allows IT to determine whether outside users are having issues by checking support forums, mailing lists, and social networks like LinkedIn and Spiceworks. The result is that automatic app updates represent a bit of a mixed bag.
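To make the single-subnet point above concrete, here is an added example (my own code, not the article's or Apple's) of what a Bonjour browse for AirPlay receivers actually puts on the wire: a DNS PTR query for `_airplay._tcp.local` sent to the link-local multicast group 224.0.0.251 on UDP port 5353. Because that group is link-local, a switch floods it within the VLAN and a router drops it at the subnet boundary, which is exactly why a Bonjour gateway is needed across VLANs. The response parser is fed a constructed packet (one made-up Apple TV named "Conference Room Apple TV", not a real capture); `send_query` does touch the network and is only run when the script is executed directly.

```python
import socket
import struct

# Link-local multicast group and port defined for mDNS (RFC 6762).
MDNS_GROUP = ("224.0.0.251", 5353)
AIRPLAY_SERVICE = "_airplay._tcp.local"
TYPE_PTR, CLASS_IN = 12, 1


def encode_name(name):
    """DNS wire form: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(service=AIRPLAY_SERVICE, unicast_response=False):
    """One-question PTR query. The top bit of QCLASS is mDNS's 'QU' flag
    asking responders to reply by unicast instead of to the whole group."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    qclass = CLASS_IN | (0x8000 if unicast_response else 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, qclass)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:                        # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_ptr_answers(data):
    """Return (owner, service instance, ttl, cache_flush) for each PTR answer."""
    _, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                    # skip echoed questions
        _, offset = decode_name(data, offset)
        offset += 4
    found = []
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            target, _ = decode_name(data, offset)
            found.append((owner, target, ttl, bool(rclass & 0x8000)))
        offset += rdlen
    return found


def sample_response():
    """CONSTRUCTED mDNS reply (not a capture): one Apple TV advertising AirPlay.
    The instance name points back (0xC00C) to the question name at offset 12."""
    question = encode_name(AIRPLAY_SERVICE) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    instance = b"\x18Conference Room Apple TV" + b"\xC0\x0C"
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(instance)) + instance
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, 1, 0, 0)  # response, authoritative
    return header + question + answer


def send_query(service=AIRPLAY_SERVICE, timeout=2.0):
    """Multicast the query and collect replies from the local subnet only.
    Sending from an ephemeral port makes this a 'legacy unicast' query, so
    responders reply directly to us and no group membership is needed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # mDNS requires TTL 255
    sock.settimeout(timeout)
    results = []
    try:
        sock.sendto(build_ptr_query(service), MDNS_GROUP)
        while True:
            data, _ = sock.recvfrom(9000)
            results.extend(parse_ptr_answers(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    for owner, instance, ttl, _ in send_query():
        print("%s -> %s (ttl %d)" % (owner, instance, ttl))
```

Run on a conference-room VLAN this lists only the Apple TVs on that VLAN; run on the user VLAN it lists none, unless a Bonjour gateway is re-advertising them, which is the mitigation the vendors named above sell.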
Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. He has been a Computerworld columnist since 2003 and is a frequent contributor to CITEworld.com. Faas is also the author of iPhone for Work (Apress, 2009). You can find out more about him at RyanFaas.com and follow him on Twitter ( @ryanfaas).