Saturday, June 26, 2010

Apple's iOS 4 (iPhone) and enterprise support

On the iPhone 4 pre-order day Apple and AT&T pre-order websites crashed! This was kind of traffic the websites had. Within first week of iPhone pre-order, Apple sold 600,000 iPhone 4 units. Since 2007, Apple has rolled out 4 different versions of the phone. All of them are very popular and consumers love them. To begin with, the non-executive users were mostly using iPhone. But with iPhone 3G the things seem to have started changing.
Consumers love it, and executives love it too! IT teams struggled to accept the iPhone in the enterprise due to various policy non-compliances. The iPhone was still considered as an unsecured/ non-enterprise device. This situation seems to be changing with Apple’s announcement of  iOS4. The BackBerry is considered the most enterprise savvy device to date. But iOS4 based iPhone and the future iOS4 iPad are presenting a serious challenge to the BlackBerry dominance.
This document briefly discusses a few key points about why the situation is changing and why iPhone is becoming more widely accepted device in the enterprise. This write-up purely focuses on the enterprise support provided by iOS4 mobile operating system and the iPhone/ future iPad devices running it. The information in this article is based on the various developer preview tools and information published by Apple for iPhone developers.

What is an enterprise device?
To be accepted in an enterprise, a mobile OS/ device should satisfy following minimal requirements -
  • Mobile Device Management
  • Security and Control over data
  • Over the Air Application distribution and management

The MDM (Mobile Device Management) capability is a mandatory requirement for any device to be labeled as an enterprise device. The ability to control the device in terms of resource access, configurability, and application management are the key features of any MDM solution. There are already dozens of known solutions that exist in the market. However, without the support from iPhone OS, none of these solutions could really “manage” the iPhone OS based devices.
The other most important feature than an enterprise device should have is – support for stringent data security and custom connections to support VPN/ SSL and industry wide accepted security protocols. No enterprise wants the data being transported to be seen/ tampered when it is consumed over the air.
The ability to install/ uninstall/ upgrade the private enterprise applications remotely on the device makes the third most important requirement for an enterprise device.
The other features of an enterprise device would consist of – ability to sync with corporate mail servers, ability to configure multiple mailboxes, delegated calendars etc. There are many other requirements that can be listed but these are the most common and must-haves.
So let’s evaluate iPhone (iOS4) based on these criteria.

MDM Support in iOS4
The recent launch of iOS4 makes it much easy for IT staff and enterprise developers to manage iOS4-based devices. All the iPhone 4 devices and future iPad devices shall have the iOS4. With the free upgrade to iOS4, all the older iPhone 3G and 3GS phones shall also be manageable under enterprise MDM. The enterprises now have the option to use the third party MDM servers like Sybase Afaria, CloudSyncSaaS, MobileIron, BoxTone, Zenprise that will leverage the iOS4 capabilities. Alternatively the iOS4 features help the enterprises to build a small custom solution that will help manage the iOS4 devices effectively. In iOS4, apple has offered the simplified device management, OTA device enrollment, enhanced control over the device in a transparent manner and simplified OTA delivery of the enterprise applications.
The custom MDM solution/methodology offered by iOS4 looks to be an ideal solution that uses the SCEP service. This enables the solution to leverage the SCEP services offered by any OS. Microsoft Windows Server based SCEP service is an example, however the model ensures that it is not mandatory to go with Windows server. The MDM services, over the air (OTA) app distribution features offered by iOS4, combined together acts as a value add to the overall solution.  
So let’s first see how exactly the MDM services are available in iOS4 and how to utilize them into our custom solution.
Apple allows manage the device in three easy steps – 
  • Configure
  • Enroll
  • Manage
The configuration and enrollment was possible in older versions of iPhone OS too but continuous monitoring was not quite right. The iOS4 fills in the gap by providing the ability to enrollment and monitoring continuously over the air.

How it works?
The following diagram explains the technical steps/phases of the device management (source – Apple developer documentation) -
The XML based plist like configuration profile allows IT staff to specify the constraints/ permissions that a device will have. This configuration can be prepared using XML with proper syntax. The process can also be automated with the help of a custom webpage that builds this XML based on the needs. Enterprises can prepare the generic configurations or user specific configurations, as the case may be, based on their needs. The configuration profile then needs to be delivered to the device using Simple Certification Enrollment Protocol (SCEP) via web server/ web page. The web server should be configured to integrate with the Active Directory Services in order to authenticate the users and choose the right configuration profile. The profile will then be delivered over the air in an encrypted format.
The process could be as simple as detailed in the following steps –

  • IT Staff configures the SCEP server. A SSL secure and ADS authentication integrated webpage to access the profile to user is deployed.
  • Send a SMS to the target device with the URL to access the enrollment server configured.
  • On the iOS4 device, user taps on the URL in the received SMS – it opens the safari browser on the device.
  • Since the URL is configured to authenticate user with Active Directory Services, it shall ask user to enter the user name and password.
  • Once the user is authenticated, the screen shall turn into the configuration profile installation. This dialog explains what exactly is happening and gives an idea of what is going to happen once the installation is accepted. Mind you – this is the chance for the user to decline if he/ she do not want the device to be enrolled!
  • The installation here onwards is automatic – all the steps explained in the above diagram takes place without any manual intervention.
  • At the end, the configuration profile gets installed on the device, and the device is successfully enrolled in the network!

Below is the workflow to explain these steps –

Ota Enrollment.jpg

The configuration profile helps IT staff to specify various policies that include –PasscodePolicies, Access Restrictions (such as Youtube, Safari launch, iTunes Music Store access, Camera access permissions, Application installation permissions and so on), WiFi configuration, VPN configuration, Email account configuration – Exchange and non Exchange, LDAP access, Calendar configuration (self and subscribed/ delegated), Web Clips (these are like safari bookmarks on your home screen), PKCS Certificates and Credentials, SCEP payloads and APNs. Profiles can be signed and encrypted for secured delivery. The encrypted profiles can be installed only using the SCEP services.
The configuration profiles can be built using the utility called iPhone Configuration Utility – iPCU. Read more about this tool at –
Now once the initial configuration is over, IT staff can continue to monitor the device, update the configuration profiles as the policies may change. This is easily achieved by using Apple’s push notification services. The events can be configured on the enterprise server to include the PUSH notifications that will wake up the device and have updated profiles installed.
The MDM Services in association with proper configuration profile provides two powerful functions 
  • Remote Commands and
  • Queries
The Remote Commands are the action that you can initiate from the server to perform on the device.  The commands offer -
  • Ability to control device,
  • Ability to lock down features/ services
  • Enforce stringent security policies/ rules of network, VPN configuration
All the commands can be delivered to the phone via MDM services configured using custom profiles and push notifications!
The Query is designed to provide the necessary device information. It enables IT staff to gather a good amount of device information , which include –
  • Network details - Bluetooth and Wi-Fi MAC addresses, ICCID, Current and SIM carrier network, Carrier settings version, Phone number, Data Roaming setting (on/off )
  • Device information - Device name, UDID, IMEI, and serial number, Model name and number, OS and build version, Modem firmware version, Total capacity and free space
  • Application details - List of apps installed, App ID, name, and version, Size of app and its data, Provisioning Profiles installed and their expiry dates
  • Compliance and security information - Installed Configuration Profiles, Certificates and expiry dates, List of restrictions in effect, Data Protection capability, Password compliance
So with the ongoing management, any iOS4 based device can be managed as efficiently as any other network resource. The backbone of this service is in Simple Certificate Enrollment Protocol known as SCEP and the Apple’s Push Notification services. Following workflow depicts the ongoing management steps –

Every time there is a change in the policy or configuration and PUSH notification can be initiated that will carry the profile and its payloads.
iPhone Configuration Utility -
This tool is an easy to use and configure any iOS4 based device. You can find the detailed review article at -

Wireless App Distribution
MDM helps manage the device and its association/ compliance in the enterprise network. What’s the fun in using the device if you are not able provision your enterprise application on them? And this is where Apple has offered the Wireless Application Distribution mechanism for the enterprise application without going onto the App Store. Yes, you need not submit your application to the app store in order to have them installed on the enterprise iOS4 devices. All a developer needs to do is, build the application, and publish the .IPA with a XML manifest file to tell about application and Ad-hoc distribution provision file on the server so that is talks to MDM server. This is same ad-hoc distribution profile developer used to give away for marketing and QA teams to install the apps using their iTunes. This time, it’s going to be over the air.
Note that in order to have wireless app distribution work on your device; the device NEED NOT be managed under MDM as we saw above! In Endeavour we use this mechanism to offer the test applications and releases to our enterprise customers during testing phase. Once the app is hosted on the server, an email or SMS with the webpage link is sent to the target device. The webpage is secured with our Active Directory logins that are shared with them. They open the URL and it turns out to be their mini App Catalog!
At a later date we plan to setup a simplified and custom built App catalog for our enterprise customer to host all the applications of the enterprise in their own network. The user authentication and ADS integration will be part of this catalog.
Now if you already have MDM it helps – the life is easy! See the scenario below –
  • Device is being managed under MDM Server
  • IT Staff configures a web clip to be delivered to the device on the MDM server. This web clip has list of Enterprise apps that are private in the network!
  • The web clip appears on the device as App catalog (because you named it so!). User opens the App catalog and sees the list of applications being delivered in your network!
  • Taps onto one of the apps, and the application starts downloading! And there you are – you have the application to your phone over the air.
  • MDM still helps you to update that provision profile whenever it is renewed.
With the new Xcode, building the app in .IPA format along with XML manifest file is very easy. It can create both of them in a single click.

How iOS4 works with existing infrastructure?
The important fact is that with iOS4, nothing changes in the existing network infrastructure. If you would have observed – Apple MDM support is purely based on SCEP services – this is the basic service you would find in any network resource like routers. So for Network Administrators it should be as simple as monitoring your CISCO router! The difference is in the comfort level of the UI. If Enterprises  can build the MDM services themselves on top of existing MDM commands and queries offered in iOS4, they would have what they exactly needed.. The alternative is to go with third party MDM server platforms that are sold as products.
For various reasons that involve time and cost, the best approach might be to invest in the existing off the shelf components and fine-tune them to your needs. The MDM and wireless app distribution will have to be built inside the business workflow seamlessly!
No change is expected to happen in any of the enterprise access scenarios including changes to exchange Active sync, VPN and other policies, as Enterprises embrace iOS4.  In a short period of time, we can expect the existing MDM solution vendors to tailor their products in such a manner that these products leverage the benefits of the iOS4 to support the iPhone and future iPad devices.

More Enterprise Support in iOS4/ iPhone -
As an add on to the iOS4 upgrade, the device gets some of the below cool features –VPN Support - Network communications stay secure with Cisco IPSec VPN, WPA2 Enterprise Wi-Fi, Support for SSL/TLS on iPhone, Multiple mailboxes with unified view, Enhanced Calendar support.
The FaceTime utility makes video conferencing very easy if both the parties are operating on the iPhone 4 devices.

Links and References:


  1. Hi AB,

    Great information about iPhone Enterprise Management and iOS4. May be you can help us with one issue: we already setup OTA configuration and works fine for iOS3.x, but if I try to use the platform from a iOS4 iPhone device, I get an error message when I tried to get the personal certificates.

    Do you know if there any adjustment from previous OTA infrastructure to work with iOS4?

    Thanks in advance for your supoport

    Gerardo Trevino

  2. Hello Gerardo,

    Thanks for your comments.

    I personally never had built OTA for 3.X devices. I did it only for 4.0. My team worked on this. I have forwarded this information to them to tell me more.

    Yes there are some changes from iOS3.x to iOS4.X devices but I am not sure what solution you are using for OTA configuration or you have built your own. In our case we built our own and used the usual ad-hoc distribution provisioning files. we built a simple HTML file with the link to the application that was created by xCode build process. It works. If you compare this with your existing solution you might find out what is different.

    I cannot share the exact code/ configuration with you as of now over this blog posts, but let me know if you ned more information. You can reach me on my email address Thanks again for visiting this post and your time to comment.

  3. We were having the same problem with OTA configuration working on iOS 3.1.X but failing on iOS 4.

    In our case, it was caused by the GetCACaps operation that is not supported on Microsoft and that, apparently, iOS4 requires and answer from the CA/SCEP server and if no answer is received it fails with a "Network connection lost." error.

    We posted all the info in our company's blog in case you are still interested:

    Hope this helps you.

  4. This is a a great post. Thanks for making it. I'll be using it as a resource for our iPad implementation at our clients.


  5. Great Post ..

    I have a question that do we need to enroll for Enterprise Developer Program to implement MDM services.

  6. Yes, enterprise developer program subscription is must.

  7. Hi,

    I like to know about the JSOn message or the way to send the MDM commands to the device. How to invoke the mdm in the device through Push notification issued from the server.

  8. Hi, great document!

    Do you know where I can get more technical information about MDM?
    Things like the sdk, the api, architecture, etc.



  9. Your best bet for documentation is Apple SDK documents! I found WWDC sessions very useful. You may want to look at them.

  10. Hello AB,

    We gone through SDK docs but it does not suggest how exactly we can configure MDM server in our premises.
    We dont want to go with third parties like Airwatch, but we want to setup our own stuff - what do we need?, we already have enterprise account, we have configured through iPhone configuration utility, we have our SCEP implementation.. how to join all this components to make it work - so we can manage our iPhones? please advice.


  11. You need to build a consolidation website. The way you need the interface and functions, access, integration to the backed active directory etc, you will have to do it on your own.

  12. Hello AB, thank you for your answer - however I want to know how exactly "to command" & "to query" to iPhone be specific with example.. what am I supposed to do to lock the iPhone remotely..everybody says send command...but How? please share some knowledge on it.