This tip is a part of the SearchSecurityChannel.com resource guide, Securing mobile devices: A resource guide for solution providers.
Until recently, the iPhone
In this tip, we examine the iPhone security model and iPhone security settings in detail. You will learn about the iPhone Configuration Utility from Apple that allows you to create configurations that provide a tremendous degree of policy flexibility, as well as methods for deploying the configuration profiles to large numbers of iPhones.
The iPhone Configuration Utility is a free download available from Apple and may be installed on any Windows or Mac OS X system. The utility, shown in Figure 1, provides administrators with the Apple equivalent of the BlackBerry Enterprise Server (BES), allowing for centralized administration and configuration of iPhones.
Navigating the iPhone Configuration Utility
The primary way to control iPhone security settings is to use the iPhone Configuration Utility to create iPhone configuration profiles. Administrators can create profiles that specify security and account settings for users’ iPhones, and then deploy these profiles to the devices in several ways. The utility also allows administrators to easily provision devices and deploy private, enterprise-specific applications to iPhones without going through Apple’s App Store.
When designing a configuration policy, you have many security options at your disposal.
- Require device passcodes: This utility allows you to customize a number of passcode-related settings that aren’t available through the standard iPhone interface. For example, you can set a minimum passcode length, the minimum number of nonalphanumeric characters, the maximum password age, password history requirements and other settings. You should use this functionality to enforce your organization’s password policy on these devices. Remember, a smartphone is much more likely to be lost than a computer; be sure to provide at least as much protection for phones as you do other devices.
- Limit device functionality: Within the utility, you can granularly control iPhone features. For example, you can prohibit the installation of unauthorized apps, restrict the ability to use the camera or screen capture technology, prohibit multiplayer gaming and much more. These restrictions are likely to annoy users, so be sure to deploy them only as necessary.
- Deploy digital certificates: If your organization uses digital certificates for applications, you can use the utility to preload the device with approved certificates. This limits the security-related questions and error messages seen by users and eases the certificate installation process.
- Preconfigure account settings: In addition to configuring security policies, you can also use the tool to preconfigure email accounts (including the use of Exchange ActiveSync), VPN, Wi-Fi and LDAP settings. Preconfiguring these account settings can simplify the initial setup of the device and ease the burden on administrators.
- Decide who may remove the profile: Once you deploy a profile, you have the flexibility to decide who may remove it. In most cases, you’ll be deploying at least a few security settings that may be inconvenient for end users, so you probably don’t want to choose the default “Always” option for this setting. Instead, you may wish to use the “With Authorization” setting that allows a user to remove the profile by entering a password. This provides you with the flexibility to allow users to remove the profile while on the road, once you provide them with the password.
After configuring the settings you want to deploy to the users’ iPhones, you can save them as an XML configuration profile.
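The profile the utility saves is an XML property list, so the policy choices above can be expressed (and audited) directly in that format. The following is an added example, not code from the article or from Apple's utility: it builds a profile containing the passcode policy, the feature restrictions and the "With Authorization" removal password described above, serialises it with Python's standard plistlib, and then re-parses the result to flag weak choices such as leaving the removal option at "Always". The payload types and key names (com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess, com.apple.profileRemovalPassword and their settings) follow Apple's configuration profile format as I know it; treat them as assumptions to check against Apple's Configuration Profile Reference for your iOS version. The organisation identifier and values are constructed.

```python
"""Build and audit an iPhone configuration profile (.mobileconfig).

Added example, not from the article or from Apple's utility. Payload types and
key names are assumptions based on Apple's configuration profile format.
"""
import plistlib
import uuid

# Organisation identifier used to namespace payload identifiers (constructed).
ORG_ID = "com.example.mdm"


def _payload(ptype, ident, name, **settings):
    """Common envelope every entry in PayloadContent needs."""
    body = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.{ident}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }
    body.update(settings)
    return body


def build_profile(removal_password=None):
    """Return the profile as a dict mirroring the article's recommendations.

    removal_password=None models the default "Always" removal option;
    a string models "With Authorization" (user must enter that password).
    """
    payloads = [
        # Passcode policy payload (assumed type: com.apple.mobiledevice.passwordpolicy).
        _payload(
            "com.apple.mobiledevice.passwordpolicy", "passcode", "Passcode policy",
            allowSimple=False,          # no 1111 / 1234 style codes
            requireAlphanumeric=True,
            minLength=8,                # minimum passcode length
            minComplexChars=1,          # non-alphanumeric characters required
            maxPINAgeInDays=90,         # maximum passcode age
            pinHistory=5,               # remember the last 5 passcodes
            maxFailedAttempts=10,       # wipe after 10 wrong guesses
            maxInactivity=5,            # auto-lock after 5 minutes
        ),
        # Feature restrictions payload (assumed type: com.apple.applicationaccess).
        _payload(
            "com.apple.applicationaccess", "restrictions", "Restrictions",
            allowAppInstallation=False,
            allowCamera=False,
            allowScreenShot=False,
            allowMultiplayerGaming=False,
        ),
    ]
    if removal_password is not None:
        payloads.append(
            _payload("com.apple.profileRemovalPassword", "removal",
                     "Profile removal password",
                     RemovalPassword=removal_password)
        )
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example Corp iPhone baseline",
        "PayloadOrganization": "Example Corp",
        "PayloadRemovalDisallowed": False,  # "Never" would be True
        "PayloadContent": payloads,
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist form the Configuration Utility saves."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(data):
    """Re-parse a .mobileconfig and list policy weaknesses worth a second look."""
    profile = plistlib.loads(data)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    findings = []
    pw = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if pw.get("minLength", 0) < 6:
            findings.append("passcode minLength below 6")
        if pw.get("allowSimple", True):
            findings.append("simple passcodes allowed")
        if "maxFailedAttempts" not in pw:
            findings.append("no wipe-after-failed-attempts limit")
    if ("com.apple.profileRemovalPassword" not in by_type
            and not profile.get("PayloadRemovalDisallowed", False)):
        findings.append("profile removable by anyone (the 'Always' option)")
    return findings


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile(removal_password="help-desk-secret"))
    print(blob.decode()[:400])
    print("findings:", audit_profile(blob))
```

Running the script prints the start of the generated plist and an empty findings list; calling `build_profile()` without a removal password makes `audit_profile` report the "Always" weakness, which is the check worth running on any profile before it goes out to users.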
Deploying configuration profiles
Apple provides a number of ways for distributing configuration profiles to users’ iPhones in the enterprise. You may use one or more depending upon the enterprise’s specific business needs. The options available are:
- Directly installing a profile on a device connected to the computer running the configuration utility: This is most useful when you are configuring a phone for the first time.
- Distributing a configuration profile by email: The utility allows you to create an email message that has the profile as an attachment. Users will receive the profile as an attachment and apply it to their phones by clicking on it. If you choose this option, you should digitally sign the profile so users are not duped into installing rogue profiles.
- Distributing profiles over the Web: You can also place the configuration file on a website, and then ask users to visit that site, using the Safari browser, where the profile will be automatically installed. If you choose this approach, you can direct users to the profile by including the link in a text message.
- Using a third-party mobile device management platform: If you have a mobile device management (MDM) system in your organization, you can use it to distribute the profile to devices. Apple supports a variety of MDM platforms, including Sybase Afaria and AirWatch. These tools provide administrators with the ability to manage multiple mobile platforms simultaneously, including devices running iOS, Windows Mobile, Android and BlackBerry OS.
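Both the email and web distribution options depend on the profile being signed so that users can tell an organisation's profile from a rogue one. The block below is an added example, not code from the article or from Apple: it wraps a profile in the PKCS#7 signature that iOS displays as a signed profile by shelling out to the openssl command-line tool (the customary `openssl smime -sign ... -nodetach -outform der` invocation), verifies the result against the trusted certificate, and then shows that a copy with one byte altered fails verification. It assumes openssl is installed; the self-signed certificate generated here stands in for the organisation's real CA-issued signing certificate, and the minimal profile body is constructed.

```python
"""Sign a .mobileconfig for e-mail or web distribution and verify it.

Added example, not from the article. Shells out to the openssl CLI; the
self-signed certificate is a demo stand-in for a real signing certificate.
"""
import subprocess
import tempfile
from pathlib import Path

# Constructed minimal profile body used as the signing input.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mdm.baseline</string>
  <key>PayloadUUID</key><string>0B4E6A5C-1C2D-4E6F-8A9B-0C1D2E3F4A5B</string>
  <key>PayloadDisplayName</key><string>Example Corp iPhone baseline</string>
  <key>PayloadContent</key><array/>
</dict>
</plist>
"""


def _run(*args):
    """Run an openssl command, raising on any non-zero exit."""
    return subprocess.run(list(args), check=True, capture_output=True)


def make_signing_cert(workdir):
    """Self-signed cert + key (demo stand-in for the organisation's signing cert)."""
    key, cert = workdir / "signer.key", workdir / "signer.pem"
    _run("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key), "-out", str(cert), "-days", "1",
         "-subj", "/CN=Example Corp Profile Signing")
    return key, cert


def sign_profile(profile_bytes, key, cert, workdir):
    """Wrap the profile in a DER-encoded PKCS#7 signature with the content enclosed."""
    plain = workdir / "profile.mobileconfig"
    signed = workdir / "profile_signed.mobileconfig"
    plain.write_bytes(profile_bytes)
    # -binary keeps the plist bytes exactly as written (no MIME text canonicalisation).
    _run("openssl", "smime", "-sign", "-binary", "-signer", str(cert), "-inkey", str(key),
         "-nodetach", "-outform", "der", "-in", str(plain), "-out", str(signed))
    return signed.read_bytes()


def verify_profile(signed_bytes, trusted_cert, workdir):
    """Return (ok, recovered profile bytes); only chains ending in trusted_cert pass."""
    signed = workdir / "to_verify.bin"
    out = workdir / "recovered.mobileconfig"
    signed.write_bytes(signed_bytes)
    proc = subprocess.run(
        ["openssl", "smime", "-verify", "-binary", "-inform", "der",
         "-CAfile", str(trusted_cert), "-in", str(signed), "-out", str(out)],
        capture_output=True)
    ok = proc.returncode == 0
    return ok, (out.read_bytes() if ok else b"")


def demo():
    """Sign, verify, then show that a tampered copy fails verification."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        key, cert = make_signing_cert(workdir)
        signed = sign_profile(PROFILE_XML, key, cert, workdir)
        ok, recovered = verify_profile(signed, cert, workdir)
        # Alter one byte inside the enclosed content: the digest no longer matches.
        idx = signed.find(b"PayloadDisplayName")
        tampered = signed[:idx] + b"X" + signed[idx + 1:]
        tampered_ok, _ = verify_profile(tampered, cert, workdir)
        return {"verified": ok, "recovered": recovered, "tampered_verified": tampered_ok}


if __name__ == "__main__":
    result = demo()
    print("signed profile verifies:", result["verified"])
    print("tampered copy verifies:", result["tampered_verified"])
```

When the signed file is served from a web server for the Safari installation path, send it with the `application/x-apple-aspen-config` content type so the device recognises it as a profile rather than showing raw XML.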
If your customers allow users to bring their personally owned iPhones into the enterprise, you may wish to encourage your customers to require the organization’s configuration profile be installed onto the devices. Unfortunately, this is a very difficult problem to solve technically, as there is not a good way to distinguish between corporate owned and personally owned iPhones. If the customer provides any sort of remote access to their email, their users will likely be able to access it using their iPhones. The best solution is to encourage the customer to require the use of configuration profiles as a matter of policy, and enforce this policy rigorously.
Apple’s iPhone Configuration Utility provides administrators with an unprecedented degree of control over the use of iPhones in the enterprise. It brings the iPhone into the same league as BlackBerry devices, allowing organizations to enforce their security policies and making the device viable for use in a managed enterprise environment.
About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in April 2011