iOS 6 Business Sep12


  • 7/30/2019 iOS 6 Business Sep12

    1/32

iPhone and iPad in Business

Deployment Scenarios, September 2012

Learn how iPhone and iPad integrate seamlessly into enterprise environments with these deployment scenarios.

• Microsoft Exchange ActiveSync
• Standards-Based Services
• Virtual Private Networks
• Wi-Fi
• Digital Certificates
• Security Overview
• Mobile Device Management
• Apple Configurator


Deploying iPhone and iPad: Exchange ActiveSync

iPhone and iPad can communicate directly with your Microsoft Exchange Server via Microsoft Exchange ActiveSync (EAS), enabling push email, calendar, contacts, and tasks. Exchange ActiveSync also provides users with access to the Global Address List (GAL), and provides administrators with passcode policy enforcement and remote wipe capabilities. iOS supports both basic and certificate-based authentication for Exchange ActiveSync. If your company currently enables Exchange ActiveSync, you have the necessary services in place to support iPhone and iPad; no additional configuration is required. If you have Exchange Server 2003, 2007, or 2010 but your company is new to Exchange ActiveSync, review the following steps.

Exchange ActiveSync Setup

Network configuration overview

• Check to ensure port 443 is open on the firewall. If your company allows Outlook Web Access, port 443 is most likely already open.

• On the Front-End Server, verify that a server certificate is installed and enable SSL for the Exchange ActiveSync virtual directory in IIS.

• If you're using a Microsoft Internet Security and Acceleration (ISA) Server, verify that a server certificate is installed and update the public DNS to resolve incoming connections.

• Make sure the DNS for your network returns a single, externally routable address to the Exchange ActiveSync server for both intranet and Internet clients. This is required so the device can use the same IP address for communicating with the server when both types of connections are active.

• If you're using a Microsoft ISA Server, create a web listener as well as an Exchange web client access publishing rule. See Microsoft's documentation for details.

• For all firewalls and network appliances, set the Idle Session Timeout to 30 minutes. For information about heartbeat and timeout intervals, refer to the Microsoft Exchange documentation at http://technet.microsoft.com/en-us/library/cc182270.aspx.

• Configure mobile features, policies, and device security settings using the Exchange System Manager. For Exchange Server 2007 and 2010, this is done in the Exchange Management Console.

• Download and install the Microsoft Exchange ActiveSync Mobile Administration Web Tool, which is necessary to initiate a remote wipe. For Exchange Server 2007 and 2010, remote wipe can also be initiated using Outlook Web Access or the Exchange Management Console.
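As an added example (not part of Apple's document), the following Python script checks two of the items above against a live front-end server: that DNS returns a single externally routable address, and which Exchange ActiveSync protocol versions the server advertises, which tells you whether the Exchange 2007/2010-only policies can apply. The host name, the test account and the version-to-Exchange-generation mapping are this example's own, not taken from the page.

```python
import base64
import http.client
import ipaddress
import socket
import ssl

EAS_PATH = "/Microsoft-Server-ActiveSync"

# Address ranges that Internet clients cannot reach; an EAS record pointing here
# breaks the "single externally routable address" requirement from the setup steps.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

# Exchange generation behind each MS-ASProtocolVersions value (a protocol fact,
# not from the page): 2.5 = 2003 SP2, 12.x = 2007, 14.x = 2010.
EXCHANGE_GENERATION = {"2.5": "2003", "12.0": "2007", "12.1": "2007",
                       "14.0": "2010", "14.1": "2010"}


def check_single_routable_address(addresses):
    """DNS must return exactly one address for the EAS host, and it must be one
    that both intranet and Internet clients can reach. Returns (ok, detail)."""
    unique = sorted(set(addresses))
    if len(unique) != 1:
        return False, "expected exactly one address, got %s" % unique
    ip = ipaddress.ip_address(unique[0])
    if any(ip in net for net in NON_ROUTABLE):
        return False, "%s is not externally routable" % ip
    return True, unique[0]


def parse_protocol_versions(header_value):
    """MS-ASProtocolVersions is a comma-separated list such as '2.5,12.1,14.1'."""
    return {v.strip() for v in header_value.split(",") if v.strip()}


def extended_policies_available(versions):
    """Password expiration/history, complex characters and the camera/browser
    restrictions need Exchange 2007 or 2010; 2003 offers only the basic set."""
    return any(EXCHANGE_GENERATION.get(v) in ("2007", "2010") for v in versions)


def query_eas_options(host, username, password, timeout=10):
    """OPTIONS against the EAS virtual directory over verified TLS (the same
    chain and hostname check a device performs). The server only answers with
    MS-ASProtocolVersions after authentication, hence the Basic credentials;
    use a dedicated test mailbox. Network call, not exercised by the test."""
    context = ssl.create_default_context()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=context)
    try:
        conn.request("OPTIONS", EAS_PATH,
                     headers={"Authorization": "Basic " + token})
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"OPTIONS returned HTTP {resp.status}")
        return parse_protocol_versions(resp.getheader("MS-ASProtocolVersions", ""))
    finally:
        conn.close()


def preflight(host, username, password, resolver=socket.gethostbyname_ex):
    """Run the DNS and protocol checks for one EAS host and report the findings."""
    _, _, addresses = resolver(host)
    dns_ok, dns_detail = check_single_routable_address(addresses)
    versions = query_eas_options(host, username, password)
    return {"dns_ok": dns_ok, "dns_detail": dns_detail,
            "protocol_versions": sorted(versions),
            "extended_policies": extended_policies_available(versions)}


if __name__ == "__main__":
    # Placeholder host and credentials; substitute your own front-end server.
    print(preflight("eas.example.com", "eas-test", "password"))
```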

Supported Exchange ActiveSync security policies

• Remote wipe
• Enforce password on device
• Minimum password length
• Maximum failed password attempts (before local wipe)
• Require both numbers and letters
• Inactivity time in minutes (1 to 60 minutes)

Additional Exchange ActiveSync policies (for Exchange 2007 and 2010 only)

• Allow or prohibit simple password
• Password expiration
• Password history
• Policy refresh interval
• Minimum number of complex characters in password
• Require manual syncing while roaming
• Allow camera
• Allow web browsing


Basic authentication (username and password)

• Enable Exchange ActiveSync for specific users or groups using the Active Directory service. These are enabled by default for all mobile devices at the organizational level in Exchange Server 2003, 2007, and 2010. For Exchange Server 2007 and 2010, see Recipient Configuration in the Exchange Management Console.

• By default, Exchange ActiveSync is configured for basic user authentication. It's recommended that you enable SSL for basic authentication to ensure credentials are encrypted during authentication.

Certificate-based authentication

• Install enterprise certificate services on a member server or domain controller in your domain (this will be your certificate authority server).

• Configure IIS on your Exchange front-end server or Client Access Server to accept certificate-based authentication for the Exchange ActiveSync virtual directory.

• To allow or require certificates for all users, turn off Basic authentication and select either Accept client certificates or Require client certificates.

• Generate client certificates using your certificate authority server. Export the public key and configure IIS to use this key. Export the private key and use a Configuration Profile to deliver this key to iPhone and iPad. Certificate-based authentication can only be configured using a Configuration Profile.

For more information on certificate services, please refer to resources available from Microsoft.
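The last step above delivers the exported private key and binds the account to it through a Configuration Profile. The following Python is an added example, not Apple's tooling, that builds such a profile with plistlib: a PKCS#12 identity payload plus an Exchange ActiveSync account payload that references the identity by UUID. Payload keys follow Apple's Configuration Profile Reference; the com.example.mdm identifier prefix, the host and user names and the PKCS#12 bytes are placeholders.

```python
import plistlib
import uuid

ORG = "com.example.mdm"  # assumed reverse-DNS prefix for PayloadIdentifier values


def _common(payload_type, display_name):
    """Keys every payload dictionary carries in Apple's profile format."""
    uid = str(uuid.uuid4()).upper()
    return {"PayloadType": payload_type, "PayloadVersion": 1, "PayloadUUID": uid,
            "PayloadIdentifier": f"{ORG}.{payload_type}.{uid}",
            "PayloadDisplayName": display_name}


def identity_payload(p12_bytes, p12_password, file_name):
    """PKCS#12 identity: the exported private key and client certificate.
    The passphrase travels inside the profile, so a profile carrying this
    payload should itself be encrypted for the target device (or the identity
    should be enrolled via SCEP/MDM instead of shipped in clear)."""
    p = _common("com.apple.security.pkcs12", "EAS client identity")
    p.update({"PayloadContent": p12_bytes, "Password": p12_password,
              "PayloadCertificateFileName": file_name})
    return p


def eas_payload(host, email, username, identity_uuid):
    """Exchange ActiveSync account that authenticates with the identity payload
    referenced by UUID; no Password key, and SSL stays on as the page advises."""
    p = _common("com.apple.eas.account", "Corporate Exchange")
    p.update({"Host": host, "EmailAddress": email, "UserName": username,
              "SSL": True, "PayloadCertificateUUID": identity_uuid})
    return p


def build_profile(display_name, payloads):
    """Top-level profile; the device installs every payload in PayloadContent."""
    profile = _common("Configuration", display_name)
    profile["PayloadContent"] = payloads
    return profile


def cert_auth_eas_profile(host, email, username, p12_bytes, p12_password):
    identity = identity_payload(p12_bytes, p12_password, f"{username}.p12")
    account = eas_payload(host, email, username, identity["PayloadUUID"])
    return build_profile("Exchange (certificate authentication)", [identity, account])


def to_mobileconfig(profile):
    """Serialize to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    return plistlib.loads(data)


def linked_identity_ok(profile):
    """Every PayloadCertificateUUID must name a PKCS#12 payload in the same
    profile, otherwise the account installs without a usable identity."""
    identities = {p["PayloadUUID"] for p in profile["PayloadContent"]
                  if p["PayloadType"] == "com.apple.security.pkcs12"}
    refs = [p["PayloadCertificateUUID"] for p in profile["PayloadContent"]
            if "PayloadCertificateUUID" in p]
    return bool(refs) and all(r in identities for r in refs)


if __name__ == "__main__":
    # Constructed stand-in for an exported PKCS#12 blob; export a real one from your CA.
    fake_p12 = b"CONSTRUCTED-PKCS12-BYTES"
    prof = cert_auth_eas_profile("eas.example.com", "jdoe@example.com", "jdoe",
                                 fake_p12, "export-passphrase")
    assert linked_identity_ok(prof)
    print(to_mobileconfig(prof).decode())
```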

Other Exchange ActiveSync services

• Global Address List lookup
• Accept and create calendar invitations
• Sync tasks
• Flag email messages
• Sync Reply and Forward flags with Exchange Server 2010
• Mail search on Exchange Server 2007 and 2010
• Support for multiple Exchange ActiveSync accounts
• Certificate-based authentication
• Email push to selected folders
• Autodiscover


Exchange ActiveSync Deployment Scenario

This example shows how iPhone and iPad connect to a typical Microsoft Exchange Server 2003, 2007, or 2010 deployment.

1. iPhone and iPad request access to Exchange ActiveSync services over port 443 (HTTPS). (This is the same port used for Outlook Web Access and other secure web services, so in many deployments this port is already open and configured to allow SSL encrypted HTTPS traffic.)

2. ISA provides access to the Exchange Front-End or Client Access Server. ISA is configured as a proxy, or in many cases a reverse proxy, to route traffic to the Exchange Server.

3. Exchange Server authenticates the incoming user via the Active Directory service and the certificate server (if using certificate-based authentication).

4. If the user provides the proper credentials and has access to Exchange ActiveSync services, the Front-End Server establishes a connection to the appropriate mailbox on the Back-End Server (via the Active Directory Global Catalog).

5. The Exchange ActiveSync connection is established. Updates/changes are pushed over the air, and any changes made on iPhone and iPad are reflected on the Exchange Server.

6. Sent mail items are also synchronized with the Exchange Server via Exchange ActiveSync (step 5). To route outbound email to external recipients, mail is typically sent through a Bridgehead (or Hub Transport) Server to an external Mail Gateway (or Edge Transport Server) via SMTP. Depending on your network configuration, the external Mail Gateway or Edge Transport Server could reside within the perimeter network or outside the firewall.

[Figure: Exchange ActiveSync deployment diagram. Components: Internet, Firewall, Proxy Server (port 443), Exchange Front-End or Client Access Server, Certificate Server, Active Directory, Exchange Mailbox or Back-End Server(s), Bridgehead or Hub Transport Server, Mail Gateway or Edge Transport Server*, a Configuration Profile carrying the Private Key (Certificate) to the device, and the Public Key (Certificate) on the server side. Labels 1 to 6 correspond to the numbered steps above.]

* Depending on your network configuration, the Mail Gateway or Edge Transport Server may reside within the perimeter network (DMZ).

© 2012 Apple Inc. All rights reserved. Apple, the Apple logo, iPhone, iPad, and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. September 2012


Deploying iPhone and iPad: Standards-Based Services

With support for the IMAP mail protocol, LDAP directory services, and CalDAV calendaring and CardDAV contacts protocols, iOS can integrate with just about any standards-based mail, calendar, and contacts environment. And if your network environment is configured to require user authentication and SSL, iPhone and iPad provide a secure approach to accessing standards-based corporate email, calendar, tasks, and contacts.

In a typical deployment, iPhone and iPad establish direct access to IMAP and SMTP mail servers to receive and send email over the air, and can also wirelessly sync notes with IMAP-based servers. iOS devices can connect to your company's LDAPv3 corporate directories, giving users access to corporate contacts in the Mail, Contacts, and Messages applications. Synchronization with your CalDAV server allows users to wirelessly create and accept calendar invitations, receive calendar updates, and sync tasks with the Reminders app. And CardDAV support allows your users to maintain a set of contacts synced with your CardDAV server using the vCard format. All network servers can be located within a DMZ subnetwork, behind a corporate firewall, or both. With SSL, iOS supports 128-bit encryption and X.509 root certificates issued by the major certificate authorities.

Network Setup

Your IT or network administrator will need to complete these key steps to enable access from iPhone and iPad to IMAP, LDAP, CalDAV, and CardDAV services:

• Open the appropriate ports on the firewall. Common ports include 993 for IMAP mail, 587 for SMTP mail, 636 for LDAP directory services, 8443 for CalDAV calendaring, and 8843 for CardDAV contacts. It's also recommended that communication between your proxy server and your back-end IMAP, LDAP, CalDAV, and CardDAV servers be set to use SSL and that digital certificates on your network servers be signed by a trusted certificate authority (CA) such as VeriSign. This important step ensures that iPhone and iPad recognize your proxy server as a trusted entity within your corporate infrastructure.

• For outbound SMTP email, port 587, 465, or 25 must be opened to allow email to be sent. iOS automatically checks for port 587, then 465, and then 25. Port 587 is the most reliable, secure port because it requires user authentication. Port 25 does not require authentication, and some ISPs block this port by default to prevent spam.
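To verify the firewall and certificate steps above from a client's point of view, here is an added example in Python (not from Apple's document): it performs a verified TLS handshake on each listed port, upgrades the port 587 session with STARTTLS before checking its certificate, and replays the 587/465/25 fallback order so you can see when a device would end up on the unauthenticated port. The host name is a placeholder.

```python
import smtplib
import socket
import ssl

# Ports the page lists for each service; all four use TLS from the first byte.
SERVICE_PORTS = {"IMAP": 993, "LDAP": 636, "CalDAV": 8443, "CardDAV": 8843}
# Order in which iOS tries outbound SMTP, per the page; 25 needs no authentication.
SMTP_FALLBACK = (587, 465, 25)


def choose_smtp_port(open_ports, order=SMTP_FALLBACK):
    """Replay the device's fallback: the first open port in order wins.
    Returns (port, authenticated); authenticated is False only for port 25,
    so a firewall that exposes 25 but blocks 587 and 465 silently downgrades."""
    for port in order:
        if port in open_ports:
            return port, port != 25
    return None, False


def verify_tls_endpoint(host, port, timeout=5):
    """Handshake with chain and hostname verification against the system trust
    store, which is what a device does with its preinstalled roots. Returns
    (ok, detail); a self-signed or internal-CA certificate fails here exactly
    as it would on the device unless that CA root has been distributed."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                return True, "%s, subject %s" % (tls.version(), subject)
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate not trusted by the system roots: %s" % exc.reason
    except OSError as exc:
        return False, str(exc)


def verify_submission_port(host, timeout=5):
    """Port 587 starts in clear and upgrades with STARTTLS, so the certificate
    is only checked after the upgrade; also reports whether AUTH is offered."""
    context = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, 587, timeout=timeout) as smtp:
            smtp.starttls(context=context)
            smtp.ehlo()  # re-read the extension list over the TLS session
            return True, "STARTTLS ok, AUTH offered: %s" % smtp.has_extn("auth")
    except (smtplib.SMTPException, OSError) as exc:
        return False, str(exc)


def audit(host):
    """Check every service on one host; returns {service: (ok, detail)}."""
    results = {name: verify_tls_endpoint(host, port)
               for name, port in SERVICE_PORTS.items()}
    results["SMTP"] = verify_submission_port(host)
    return results


if __name__ == "__main__":
    # Placeholder host; point this at your reverse proxy or at the servers directly.
    for name, (ok, detail) in audit("mail.example.com").items():
        print(f"{name:8}{'OK  ' if ok else 'FAIL'} {detail}")
```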

Common ports

• IMAP/SSL: 993
• SMTP/SSL: 587
• LDAP/SSL: 636
• CalDAV/SSL: 8443, 443
• CardDAV/SSL: 8843, 443

IMAP or POP-enabled mail solutions

iOS supports industry-standard IMAP4- and POP3-enabled mail servers on a range of server platforms, including Windows, UNIX, Linux, and Mac OS X.

CalDAV and CardDAV standards

iOS supports the CalDAV calendaring and CardDAV contacts protocols. Both protocols have been standardized by the IETF. More information can be found through the CalConnect consortium at http://caldav.calconnect.org/ and http://carddav.calconnect.org/.


Deployment Scenario

This example shows how iPhone and iPad connect to a typical IMAP, LDAP, CalDAV, and CardDAV deployment.


1. iPhone and iPad request access to network services over the designated ports.

2. Depending on the service, users must authenticate either with the reverse proxy or directly with the server to obtain access to corporate data. In all cases, connections are relayed by the reverse proxy, which functions as a secure gateway, typically behind the company's Internet firewall. Once authenticated, users can access their corporate data on the back-end servers.

3. iPhone and iPad provide lookup services on LDAP directories, giving users the ability to search for contacts and other address book information on the LDAP server.

4. For CalDAV calendars, users can access and update calendars.

5. CardDAV contacts are stored on the server and can also be accessed locally on iPhone and iPad. Changes to fields in CardDAV contacts are synced back to the CardDAV server.

6. For IMAP mail services, existing and new messages can be read on iPhone and iPad through the proxy connection with the mail server. Outgoing mail is sent to the SMTP server, with copies placed in the user's Sent folder.

[Figure: standards-based services deployment diagram. Components: Internet, Firewall, Reverse Proxy Server, Mail Server (993 IMAP, 587 SMTP), LDAP Directory Server (636 LDAP), CalDAV Server (8443 CalDAV), CardDAV Server (8843 CardDAV). Labels 1 to 6 correspond to the numbered steps above.]


Deploying iPhone and iPad: Virtual Private Networks

Secure access to private corporate networks is available on iPhone and iPad using established industry-standard virtual private network (VPN) protocols. Users can easily connect to enterprise systems via the built-in VPN client in iOS or through third-party applications from Juniper Networks, Cisco, SonicWALL, Check Point, Aruba Networks, and F5 Networks.

Out of the box, iOS supports Cisco IPSec, L2TP over IPSec, and PPTP. If your organization supports one of these protocols, no additional network configuration or third-party applications are required to connect iPhone and iPad to your VPN.

Additionally, iOS supports SSL VPN, enabling access to Juniper Networks, Cisco, SonicWALL, Check Point, Aruba Networks, and F5 Networks SSL VPN servers. Users simply download a VPN client application developed by one of these companies from the App Store to get started. Like other VPN protocols supported in iOS, SSL VPN can be configured manually on the device or via Configuration Profile.

iOS supports industry-standard technologies such as IPv6, proxy servers, and split-tunneling, providing a rich VPN experience when connecting to corporate networks. And iOS works with a variety of authentication methods including password, two-factor token, and digital certificates. To streamline the connection in environments where certificate-based authentication is used, iOS features VPN On Demand, which dynamically initiates a VPN session when connecting to specified domains.

Supported Protocols and Authentication Methods

SSL VPN
Supports user authentication by password, two-factor token, and certificates.

Cisco IPSec
Supports user authentication by password, two-factor token, and machine authentication by shared secret and certificates.

L2TP over IPSec
Supports user authentication by MS-CHAPv2 Password, two-factor token, and machine authentication by shared secret.

PPTP
Supports user authentication by MS-CHAPv2 Password and two-factor token.


VPN On Demand

For configurations using certificate-based authentication, iOS supports VPN On Demand. VPN On Demand will establish a connection automatically when accessing predefined domains, providing a seamless VPN connectivity experience for users.

This is a feature of iOS that does not require additional server configuration. The configuration of VPN On Demand takes place via a Configuration Profile or can be configured manually on the device.

The VPN On Demand options are:

Always
Initiates a VPN connection for any address that matches the specified domain.

Never
Does not initiate a VPN connection for addresses that match the specified domain, but if VPN is already active, it may be used.

Establish if needed
Initiates a VPN connection for addresses that match the specified domain only after a DNS look-up has failed.

VPN Setup

• iOS integrates with many existing VPN networks, with minimal configuration necessary. The best way to prepare for deployment is to check whether iOS supports your company's existing VPN protocols and authentication methods.

• It's recommended that you review the authentication path to your authentication server to make sure standards supported by iOS are enabled within your implementation.

• If you plan to use certificate-based authentication, ensure you have your public key infrastructure configured to support device- and user-based certificates with the corresponding key distribution process.

• If you want to configure URL-specific proxy settings, place a PAC file on a web server that is accessible with the basic VPN settings and ensure that it is hosted with the application/x-ns-proxy-autoconfig MIME type.

Proxy Setup

For all configurations, you can also specify a VPN proxy. To configure a single proxy for all connections, use the Manual setting and provide the address, port, and authentication if necessary. To provide the device with an auto-proxy configuration file using PAC or WPAD, use the Auto setting. For PACS, specify the URL of the PACS file. For WPAD, iPhone and iPad will query DHCP and DNS for the appropriate settings.
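As an added example (not Apple's code), this Python builds the On Demand part of a VPN payload from a domain-to-option map using the legacy OnDemandMatchDomains* keys from Apple's Configuration Profile Reference, simulates which of the three options above fires for a given host, and checks the Content-Type a web server returns for the PAC file described in the setup steps. Domain names are constructed, and longest-match precedence between overlapping rules is this example's assumption.

```python
# Legacy VPN payload keys behind the three On Demand options (key names from
# Apple's Config Profile Reference; the domain names used below are constructed).
ON_DEMAND_KEYS = {
    "always": "OnDemandMatchDomainsAlways",
    "never": "OnDemandMatchDomainsNever",
    "establish_if_needed": "OnDemandMatchDomainsOnRetry",
}
PAC_MIME_TYPE = "application/x-ns-proxy-autoconfig"  # required by the page


def on_demand_payload(rules):
    """Build the On Demand part of a com.apple.vpn.managed payload from a
    {domain: option} map. Server, VPN type and credential keys are left out."""
    payload = {"OnDemandEnabled": 1}
    for domain, option in rules.items():
        if option not in ON_DEMAND_KEYS:
            raise ValueError(f"{domain}: unknown option {option!r}")
        payload.setdefault(ON_DEMAND_KEYS[option], []).append(domain.lower())
    return payload


def _matches(domain, host):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def decide(rules, host, vpn_active=False, dns_failed=False):
    """Simulate the device's choice for host under the page's three options:
    'always' connects, 'never' does not (an already active tunnel may still be
    used), 'establish_if_needed' connects only after a DNS lookup has failed.
    Returns 'connect', 'use_existing' or 'no_vpn'. When several rules match,
    the longest domain wins (this example's assumption, not stated on the page)."""
    matches = [(len(d), opt) for d, opt in rules.items() if _matches(d, host)]
    if vpn_active:
        return "use_existing"
    if not matches:
        return "no_vpn"
    option = max(matches)[1]
    if option == "always":
        return "connect"
    if option == "establish_if_needed" and dns_failed:
        return "connect"
    return "no_vpn"


def pac_content_type_ok(content_type_header):
    """Check the Content-Type header a web server returns for the PAC file;
    parameters such as charset are ignored."""
    return content_type_header.split(";")[0].strip().lower() == PAC_MIME_TYPE


if __name__ == "__main__":
    rules = {"corp.example.com": "always",
             "public.example.com": "never",
             "lab.example.com": "establish_if_needed"}
    print(on_demand_payload(rules))
    for host, dns_failed in (("wiki.corp.example.com", False),
                             ("www.public.example.com", False),
                             ("host.lab.example.com", False),
                             ("host.lab.example.com", True)):
        print(host, "(dns failed)" if dns_failed else "", "->",
              decide(rules, host, dns_failed=dns_failed))
```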


[Figure: VPN deployment diagram. Components: Public Internet, Firewall, VPN Server/Concentrator, VPN Authentication Server (Token Generation or Certificate Authentication), Directory Service, Proxy Server, Private Network; the device holds an Authentication Certificate or Token. Figure labels: 1, 2, 3a, 3b, 4, 5.]


Deployment Scenario

The example depicts a typical deployment with a VPN server/concentrator as well as an authentication server controlling access to enterprise network services.

1. iPhone and iPad request access to network services.

2. The VPN server/concentrator receives the request and then passes it to the authentication server.

3. In a two-factor token environment, the authentication server would then manage a time-synchronized token key generation with the key server. If a certificate authentication method is deployed, an identity certificate needs to be distributed prior to authentication. If a password method is deployed, the authentication process proceeds with user validation.

4. Once a user is authenticated, the authentication server validates user and group policies.

5. After user and group policies are validated, the VPN server provides tunneled and encrypted access to network services.

6. If a proxy server is in use, iPhone and iPad connect through the proxy server for access to information outside the firewall.


Deploying iPhone and iPad: Wi-Fi

Wireless security protocols

• WEP
• WPA Personal
• WPA Enterprise
• WPA2 Personal
• WPA2 Enterprise

802.1X authentication methods

• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-SIM
• PEAPv0 (EAP-MS-CHAPv2)
• PEAPv1 (EAP-GTC)
• LEAP

Out of the box, iPhone and iPad can securely connect to corporate or guest Wi-Fi networks, making it quick and simple to join available wireless networks whether you're on campus or on the road.

iOS supports industry-standard wireless network protocols, including WPA2 Enterprise, ensuring corporate wireless networks can be configured quickly and accessed securely. WPA2 Enterprise uses 128-bit AES encryption, a proven, block-based encryption method, providing users with the highest level of assurance that their data will remain protected.

With support for 802.1X, iOS can be integrated into a broad range of RADIUS authentication environments. 802.1X wireless authentication methods supported on iPhone and iPad include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.

Users can set iPhone and iPad to join available Wi-Fi networks automatically. Wi-Fi networks that require login credentials or other information can be quickly accessed without opening a separate browser session, from Wi-Fi settings or within applications such as Mail. And low-power, persistent Wi-Fi connectivity allows applications to use Wi-Fi networks to deliver push notifications.

For roaming on large enterprise Wi-Fi networks, iPhone and iPad support 802.11k and 802.11r.* 802.11k helps iPhone and iPad transition between base stations by utilizing the reports from the base station, while 802.11r streamlines 802.1X authentication as a device moves from one access point to another.

For quick setup and deployment, wireless network, security, proxy, and authentication settings can be configured using Configuration Profiles.

WPA2 Enterprise Setup

• Verify network appliances for compatibility and select an authentication type (EAP type) supported by iOS.

• Check that 802.1X is enabled on the authentication server and, if necessary, install a server certificate and assign network access permissions to users and groups.

• Configure wireless access points for 802.1X authentication and enter the corresponding RADIUS server information.

• If you plan to use certificate-based authentication, configure your public key infrastructure to support device- and user-based certificates with the corresponding key distribution process.

• Verify certificate format and authentication server compatibility. iOS supports PKCS#1 (.cer, .crt, .der) and PKCS#12.

• For additional documentation regarding wireless networking standards and Wi-Fi Protected Access (WPA), visit www.wi-fi.org.
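As an added example (not Apple's code), the following Python assembles a com.apple.wifi.managed payload for the setup above, mapping the page's EAP method names to the numbers the AcceptEAPTypes key expects, and pins the RADIUS server certificate to an anchor certificate payload and a server-name list so that the device refuses to authenticate to an access point that merely broadcasts the same SSID. Key names come from Apple's Configuration Profile Reference; the SSID, server names, UUIDs and the com.example.mdm prefix are placeholders.

```python
import fnmatch
import uuid

# IANA EAP method numbers for the 802.1X methods the page lists; the Wi-Fi
# payload's AcceptEAPTypes key carries these numbers, not the names.
EAP_TYPES = {"EAP-TLS": 13, "LEAP": 17, "EAP-SIM": 18, "EAP-TTLS": 21,
             "PEAP": 25, "EAP-FAST": 43}
ORG = "com.example.mdm"  # assumed PayloadIdentifier prefix


def wpa2_enterprise_payload(ssid, eap_methods, trusted_server_names,
                            anchor_cert_uuid, identity_cert_uuid=None,
                            outer_identity="anonymous"):
    """com.apple.wifi.managed payload for an 802.1X network. The RADIUS
    server's certificate must chain to the anchor certificate payload and
    carry one of trusted_server_names; otherwise the device abandons the
    handshake instead of sending credentials to whatever answers on the SSID."""
    unknown = [m for m in eap_methods if m not in EAP_TYPES]
    if unknown:
        raise ValueError(f"EAP method(s) not supported by iOS: {unknown}")
    if not trusted_server_names:
        raise ValueError("name the RADIUS server: an empty list disables the check")
    if "EAP-TLS" in eap_methods and not identity_cert_uuid:
        raise ValueError("EAP-TLS needs an identity (PKCS#12) payload UUID")
    uid = str(uuid.uuid4()).upper()
    eap = {"AcceptEAPTypes": [EAP_TYPES[m] for m in eap_methods],
           "TLSTrustedServerNames": list(trusted_server_names),
           "PayloadCertificateAnchorUUID": [anchor_cert_uuid],
           "TLSAllowTrusted": False,  # no user trust exception on a mismatch
           "OuterIdentity": outer_identity}  # keeps the real user name out of the clear-text outer EAP identity
    payload = {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
               "PayloadUUID": uid, "PayloadIdentifier": f"{ORG}.wifi.{uid}",
               "PayloadDisplayName": f"Wi-Fi {ssid}",
               "SSID_STR": ssid, "HIDDEN_NETWORK": False, "AutoJoin": True,
               "EncryptionType": "WPA2", "EAPClientConfiguration": eap}
    if identity_cert_uuid:
        payload["PayloadCertificateUUID"] = identity_cert_uuid
    return payload


def server_name_trusted(payload, server_cn):
    """Apply the TLSTrustedServerNames list the way the reference describes it:
    exact names or wildcard patterns such as radius*.example.com."""
    patterns = payload["EAPClientConfiguration"]["TLSTrustedServerNames"]
    return any(fnmatch.fnmatchcase(server_cn.lower(), p.lower()) for p in patterns)


if __name__ == "__main__":
    wifi = wpa2_enterprise_payload(
        "CorpNet", ["EAP-TLS", "PEAP"],
        ["radius1.example.com", "radius*.corp.example.com"],
        anchor_cert_uuid="ANCHOR-CERT-PAYLOAD-UUID",      # constructed
        identity_cert_uuid="USER-IDENTITY-PAYLOAD-UUID")  # constructed
    print(wifi["EAPClientConfiguration"]["AcceptEAPTypes"])       # [13, 25]
    print(server_name_trusted(wifi, "radius2.corp.example.com"))  # True
```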


WPA2 Enterprise/802.1X Deployment Scenario

This example depicts a typical secure wireless deployment that takes advantage of RADIUS-based authentication.

1. iPhone and iPad request access to the network. The connection is initiated in response to a user selecting an available wireless network, or is automatically initiated after a previously configured network is detected.

2. After the request is received by the access point, the request is passed to the RADIUS server for authentication.

3. The RADIUS server validates the user account utilizing the directory service.

4. Once the user is authenticated, the access point provides network access with policies and permissions as instructed by the RADIUS server.

* iPhone 4S, iPhone 5, new iPad, and 5th-generation iPod touch support 802.11k and 802.11r.


[Figure: WPA2 Enterprise/802.1X deployment diagram. Components: Wireless Access Point with 802.1X Support, Authentication Server with 802.1X Support (RADIUS), Directory Services, Network Services, Firewall; the device authenticates with a Certificate or Password Based on EAP Type. Labels 1 to 4 correspond to the numbered steps above.]


Deploying iPhone and iPad: Digital Certificates

iOS supports digital certificates, giving business users secure, streamlined access to corporate services. A digital certificate is composed of a public key, information about the user, and the certificate authority that issued the certificate. Digital certificates are a form of identification that enables streamlined authentication, data integrity, and encryption.

On iPhone and iPad, certificates can be used in a variety of ways. Signing data with a digital certificate helps to ensure that information cannot be altered. Certificates can also be used to guarantee the identity of the author or signer. Additionally, they can be used to encrypt Configuration Profiles and network communications to further protect confidential or private information.

Using Certificates in iOS

Digital certificates

Digital certificates can be used to securely authenticate users to corporate services without the need for usernames, passwords, or soft tokens. In iOS, certificate-based authentication is supported for access to Microsoft Exchange ActiveSync, VPN, and Wi-Fi networks.

[Figure: an Authentication Request from the device goes to Enterprise Services (Intranet, Email, VPN, Wi-Fi), which consult the Certificate Authority and the Directory Service.]

Server certificates

Digital certificates can also be used to validate and encrypt network communications. This provides secure communication to both internal and external websites. The Safari browser can check the validity of an X.509 digital certificate and set up a secure session with up to 256-bit AES encryption. This verifies that the site's identity is legitimate and that communication with the website is protected to help prevent interception of personal or confidential data.

[Figure: an HTTPS Request from the device to Network Services, validated against the Certificate Authority.]

Supported certificate and identity formats

iOS supports X.509 certificates with RSA keys. The file extensions .cer, .crt, .der, .p12, and .pfx are recognized.

Root certificates

Out of the box, iOS includes a number of preinstalled root certificates. To view a list of the preinstalled system roots, see the Apple Support article at http://support.apple.com/kb/HT4415. If you are using a root certificate that is not preinstalled, such as a self-signed root certificate created by your company, you can distribute it using one of the methods listed in the Distributing and Installing Certificates section of this document.


Distributing and Installing Certificates

Distributing certificates to iPhone and iPad is simple. When a certificate is received, users simply tap to review the contents, then tap to add the certificate to their device. When an identity certificate is installed, users are prompted for the passphrase that protects it. If a certificate's authenticity cannot be verified, users will be presented with a warning before it is added to their device.

Installing certificates via Configuration Profiles

If Configuration Profiles are being used to distribute settings for corporate services such as Exchange, VPN, or Wi-Fi, certificates can be added to the profile to streamline deployment.

Installing certificates via Mail or Safari

If a certificate is sent in an email, it will appear as an attachment. Safari can be used to download certificates from a web page. You can host a certificate on a secured website and provide users with the URL where they can download the certificate onto their devices.

Installation via the Simple Certificate Enrollment Protocol (SCEP)

SCEP is designed to provide a simplified process to handle certificate distribution for large-scale deployments. This enables Over-the-Air Enrollment of digital certificates on iPhone and iPad that can then be used for authentication to corporate services, as well as enrollment with a Mobile Device Management server.

For more information on SCEP and Over-the-Air Enrollment, visit www.apple.com/iphone/business/resources.

Certificate removal and revocation

To manually remove a certificate that has been installed, choose Settings > General > Profiles. If you remove a certificate that is required for accessing an account or network, the device will no longer be able to connect to those services.

To remove certificates over the air, a Mobile Device Management server can be used. This server can view all certificates on a device and remove ones it has installed.

Additionally, the Online Certificate Status Protocol (OCSP) is supported to check the status of certificates. When an OCSP-enabled certificate is used, iOS validates it to make sure that it has not been revoked before completing the requested task.



Deploying iPhone and iPad: Security Overview

iOS, the operating system at the core of iPhone and iPad, is built upon layers of security. This enables iPhone and iPad to securely access corporate services and protect important data. iOS provides strong encryption for data in transmission, proven authentication methods for access to corporate services, and hardware encryption for all data at rest. iOS also provides secure protection through the use of passcode policies that can be delivered and enforced over the air. And if the device falls into the wrong hands, users and IT administrators can initiate a remote wipe command to erase private information.

When considering the security of iOS for enterprise use, it's helpful to understand the following:

• Device security: Methods that prevent unauthorized use of the device
• Data security: Protecting data at rest, even when a device is lost or stolen
• Network security: Networking protocols and the encryption of data in transmission
• App security: The secure platform foundation of iOS

These capabilities work in concert to provide a secure mobile computing platform.

Device Security

Establishing strong policies for access to iPhone and iPad is critical to protecting corporate information. Device passcodes are the front line of defense against unauthorized access and can be configured and enforced over the air. iOS devices use the unique passcode established by each user to generate a strong encryption key to further protect mail and sensitive application data on the device. Additionally, iOS provides secure methods to configure the device in an enterprise environment, where specific settings, policies, and restrictions must be in place. These methods provide flexible options for establishing a standard level of protection for authorized users.

Passcode policies

A device passcode prevents unauthorized users from accessing data or otherwise gaining access to the device. iOS allows you to select from an extensive set of passcode requirements to meet your security needs, including timeout periods, passcode strength, and how often the passcode must be changed.

The following passcode policies are supported:

• Require passcode on device
• Allow simple value
• Require alphanumeric value
• Minimum passcode length
• Minimum number of complex characters
• Maximum passcode age
• Time before auto-lock
• Passcode history
• Grace period for device lock
• Maximum number of failed attempts

Device security

• Strong passcodes
• Passcode expiration
• Passcode reuse history
• Maximum failed attempts
• Over-the-air passcode enforcement
• Progressive passcode timeout
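The passcode policies listed above correspond one-to-one to keys of the com.apple.mobiledevice.passwordpolicy payload. As an added example (not from Apple's document), the following Python builds that payload and evaluates a candidate passcode against the same policy, using Apple's definition of a simple value (repeated or sequential characters) and of complex characters (non-alphanumeric). Key names come from Apple's Configuration Profile Reference; the policy values and the com.example.mdm prefix are constructed.

```python
import uuid

# Policy names from the list above -> keys of the
# com.apple.mobiledevice.passwordpolicy payload (Apple's Configuration Profile Reference).
POLICY_KEYS = {
    "require_passcode": "forcePIN",
    "allow_simple": "allowSimple",
    "require_alphanumeric": "requireAlphanumeric",
    "min_length": "minLength",
    "min_complex_chars": "minComplexChars",
    "max_age_days": "maxPINAgeInDays",
    "auto_lock_minutes": "maxInactivity",
    "history": "pinHistory",
    "grace_period_minutes": "maxGracePeriod",
    "max_failed_attempts": "maxFailedAttempts",
}
ORG = "com.example.mdm"  # assumed PayloadIdentifier prefix


def passcode_payload(**policy):
    """Translate a policy expressed with the names above into the payload."""
    unknown = set(policy) - set(POLICY_KEYS)
    if unknown:
        raise ValueError(f"unknown policy item(s): {sorted(unknown)}")
    uid = str(uuid.uuid4()).upper()
    payload = {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
               "PayloadVersion": 1, "PayloadUUID": uid,
               "PayloadIdentifier": f"{ORG}.passcode.{uid}",
               "PayloadDisplayName": "Passcode policy"}
    for name, value in policy.items():
        payload[POLICY_KEYS[name]] = value
    return payload


def is_simple(candidate):
    """Apple's definition of a simple value: repeated characters, or a run of
    ascending or descending characters (1111, 1234, dcba)."""
    if len(candidate) < 2 or len(set(candidate)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(candidate, candidate[1:])}
    return steps == {1} or steps == {-1}


def passcode_satisfies(policy, candidate):
    """Check a candidate against a policy given in the names above; returns the
    list of requirements it fails (empty means the device would accept it)."""
    failures = []
    if policy.get("min_length", 0) > len(candidate):
        failures.append("shorter than %d" % policy["min_length"])
    if policy.get("require_alphanumeric") and not (
            any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        failures.append("needs both letters and digits")
    complex_chars = sum(1 for c in candidate if not c.isalnum())  # Apple: non-alphanumeric
    if complex_chars < policy.get("min_complex_chars", 0):
        failures.append("fewer than %d complex characters" % policy["min_complex_chars"])
    if policy.get("allow_simple") is False and is_simple(candidate):
        failures.append("simple value")
    return failures


if __name__ == "__main__":
    # Constructed policy; the numbers are illustrative, not recommendations from the page.
    policy = dict(require_passcode=True, allow_simple=False, require_alphanumeric=True,
                  min_length=8, min_complex_chars=1, max_age_days=90,
                  auto_lock_minutes=5, history=5, grace_period_minutes=1,
                  max_failed_attempts=10)
    print(passcode_payload(**policy))
    for pin in ("1234", "abcdefg1", "Zq7#w2Lp"):
        print(pin, passcode_satisfies(policy, pin) or "accepted")
```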


    Policy enforcement

    ThepoliciesdescribedpreviouslycanbesetoniPhoneandiPadinanumberofways.

    PoliciescanbedistributedaspartofaCongurationProleforuserstoinstall.Aprole

    canbedenedsothatdeletingtheproleisonlypossiblewithanadministrative

    password,oryoucandenetheprolesothatitislockedtothedeviceandcannot

    beremovedwithoutcompletelyerasingallofthedevicecontents.Additionally,passcodesettingscanbeconguredremotelyusingMobileDeviceManagement

    (MDM)solutionsthatcanpushpoliciesdirectlytothedevice.Thisenablespolicies

    tobeenforcedandupdatedwithoutanyactionbytheuser.

    Alternatively,ifthedeviceisconguredtoaccessaMicrosoftExchangeaccount,

    ExchangeActiveSyncpoliciesarepushedtothedeviceovertheair.Keepinmind

    thattheavailablesetofpolicieswillvarydependingontheversionofExchange

    (2003,2007,or2010).RefertoExchange ActiveSync and iOS Devicesforabreakdown

    ofwhichpoliciesaresupportedforyourspecicconguration.

    Secure device conguration

    CongurationProlesareXMLlesthatcontaindevicesecuritypoliciesandrestrictions,

    VPNcongurationinformation,Wi-Fisettings,emailandcalendaraccounts,and

    authenticationcredentialsthatpermitiPhoneandiPadtoworkwithyourenterprise

    systems.Theabilitytoestablishpasscodepoliciesalongwithdevicesettingsina

    CongurationProleensuresthatdeviceswithinyourenterprisearecongured

    correctlyandaccordingtosecuritystandardssetbyyourorganization.And,because

    CongurationProlescanbeencryptedandlocked,thesettingscannotberemoved,

    altered,orsharedwithothers.

    CongurationProlescanbebothsignedandencrypted.SigningaConguration

    Proleensuresthatthesettingsitenforcescannotbealteredinanyway.Encrypting

    aCongurationProleprotectstheprolescontentsandpermitsinstallationonly

    onthedeviceforwhichitwascreated.CongurationProlesareencryptedusing

    CMS(CryptographicMessageSyntax,RFC3852),supporting3DESandAES128.

    ThersttimeyoudistributeanencryptedCongurationProle,youcaninstallit

    viaUSBusingtheCongurationUtilityorwirelesslyviaOver-the-AirEnrollment.In

    additiontothesemethods,subsequentencryptedCongurationProlescanbe

    deliveredviaemailattachment,hostedonawebsiteaccessibletoyourusers,or

    pushedtothedeviceusingMDMsolutions.

Device restrictions

Device restrictions determine which features your users can access on the device. Typically, these involve network-enabled applications such as Safari, YouTube, or the iTunes Store, but restrictions can also control device functionality such as application installation or use of the camera. Restrictions let you configure the device to meet your requirements, while permitting users to utilize the device in ways that are consistent with your business practices. Restrictions can be manually configured on each device, enforced using a Configuration Profile, or established remotely with MDM solutions. Additionally, like passcode policies, camera or web-browsing restrictions can be enforced over the air via Microsoft Exchange Server 2007 and 2010.

In addition to setting restrictions and policies on the device, the iTunes desktop application can be configured and controlled by IT. This includes disabling access to explicit content, defining which network services users can access within iTunes, and determining whether new software updates are available for users to install. For more information, refer to Deploying iTunes for iOS Devices.

Supported configurable policies and restrictions:

Device functionality
Allow installing apps
Allow Siri
Allow Siri while locked
Allow Passbook notifications while locked
Allow use of camera
Allow FaceTime
Allow screen capture
Allow automatic syncing while roaming
Allow syncing of Mail recents
Allow voice dialing
Allow In-App Purchase
Require store password for all purchases
Allow multiplayer gaming
Allow adding Game Center friends
Set allowed content ratings

Applications
Allow use of YouTube
Allow use of iTunes Store
Allow use of Safari
Set Safari security preferences

iCloud
Allow backup
Allow document sync and key-value sync
Allow Photo Stream
Allow shared Photo Stream

Security and privacy
Allow diagnostic data to be sent to Apple
Allow user to accept untrusted certificates
Force encrypted backups

Supervised only restrictions
Allow iMessage
Allow Game Center
Allow removal of apps
Allow iBookstore
Allow erotica from iBookstore
Enable Siri Profanity Filter
Allow manual install of Configuration Profiles


Data Security

Protecting data stored on iPhone and iPad is important for any environment with sensitive corporate or customer information. In addition to encrypting data in transmission, iPhone and iPad provide hardware encryption for all data stored on the device, and additional encryption of email and application data with enhanced data protection.

If a device is lost or stolen, it's important to deactivate and erase the device. It's also a good idea to have a policy in place that will wipe the device after a defined number of failed passcode attempts, a key deterrent against attempts to gain unauthorized access to the device.

Encryption

iPhone and iPad offer hardware-based encryption. Hardware encryption uses 256-bit AES to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.

Additionally, data backed up in iTunes to a user's computer can be encrypted. This can be enabled by the user, or enforced by using device restriction settings in Configuration Profiles.

iOS supports S/MIME in Mail, enabling iPhone and iPad to view and send encrypted email messages. Restrictions can also be used to prevent mail messages from being moved between accounts, or messages received in one account from being forwarded from another.

Data protection

Building on the hardware encryption capabilities of iPhone and iPad, email messages and attachments stored on the device can be further secured by using data protection features built into iOS. Data protection leverages each user's unique device passcode in concert with the hardware encryption on iPhone and iPad to generate a strong encryption key. This key prevents data from being accessed when the device is locked, ensuring that critical information is secured even if the device is compromised.

To turn on the data protection feature, simply establish a passcode on the device. The effectiveness of data protection depends on the strength of the passcode, so it is important to require and enforce a passcode stronger than four digits when establishing your corporate passcode policies. Users can verify that data protection is enabled on their device by looking at the passcode settings screen ("Data protection is enabled"). Mobile Device Management solutions are able to query the device for this information as well.

These data protection APIs are also available to developers, and can be used to secure enterprise in-house or commercial application data.
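As an added worked example (not from this guide), the script below quantifies the point about four-digit passcodes. It assumes the figure Apple published in its iOS Security guide of the period: because the passcode-derived key is entangled with a key fused into the device hardware, each guess must be run on the device itself and costs roughly 80 milliseconds. With that assumption it computes the worst-case time to exhaust a passcode space for several policies, and how little of the space an attacker can try at the lock screen before the 10-attempt local wipe fires.

```python
"""Estimate the cost of guessing an iOS passcode on the device.

Added example, not Apple's code. The 80 ms per-guess figure is the one Apple
gave in its iOS Security guide for this era and is an assumption here; the
policies compared are illustrative.
"""
from math import log2

MS_PER_GUESS = 80   # assumed on-device cost of one passcode guess
WIPE_AFTER = 10     # default local-wipe threshold (failed attempts)

ALPHABETS = {
    "digits": 10,
    "lower+digits": 36,
    "alnum": 62,
    "alnum+symbols": 94,   # printable ASCII
}


def keyspace(length, alphabet="digits"):
    """Number of possible passcodes of the given length and alphabet."""
    return ALPHABETS[alphabet] ** length


def seconds_to_exhaust(length, alphabet="digits", ms_per_guess=MS_PER_GUESS):
    """Worst case: every passcode tried once, no lockout in the way."""
    return keyspace(length, alphabet) * ms_per_guess / 1000


def human(seconds):
    """Render a duration with one decimal in the largest fitting unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def online_guess_fraction(length, alphabet="digits", wipe_after=WIPE_AFTER):
    """Share of the keyspace an attacker can test at the lock screen before
    the device erases itself (local wipe enabled; the last attempt wipes)."""
    return (wipe_after - 1) / keyspace(length, alphabet)


def compare(policies):
    """policies: iterable of (label, length, alphabet).
    Returns (label, keyspace in bits, worst-case time) rows."""
    rows = []
    for label, length, alphabet in policies:
        bits = round(log2(keyspace(length, alphabet)), 1)
        rows.append((label, bits, human(seconds_to_exhaust(length, alphabet))))
    return rows


if __name__ == "__main__":
    for row in compare([("4-digit PIN", 4, "digits"),
                        ("6-digit PIN", 6, "digits"),
                        ("8-char alphanumeric", 8, "alnum")]):
        print(row)
    print("lock-screen coverage of a 4-digit PIN before wipe:",
          f"{online_guess_fraction(4):.4%}")
```

The comparison shows why the guide's advice matters: at 80 ms per guess a four-digit PIN falls in about a quarter of an hour to anyone who can bypass the lock-screen counter, while an eight-character alphanumeric passcode pushes the same attack past the lifetime of the device; local wipe, by contrast, only limits guesses made through the lock screen.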

Remote wipe

iOS supports remote wipe. If a device is lost or stolen, the administrator or device owner can issue a remote wipe command that removes all data and deactivates the device. If the device is configured with an Exchange account, the administrator can initiate a remote wipe command using the Exchange Management Console (Exchange Server 2007) or the Exchange ActiveSync Mobile Administration Web Tool (Exchange Server 2003 or 2007). Users of Exchange Server 2007 can also initiate remote wipe commands directly using Outlook Web Access. Remote wipe commands can also be initiated by MDM solutions even if Exchange corporate services are not in use.

Progressive passcode timeout

iPhone and iPad can be configured to automatically initiate a wipe after several failed passcode attempts. If a user repeatedly enters the wrong passcode, iOS will be disabled for increasingly longer intervals. After too many unsuccessful attempts, all data and settings on the device will be erased.

Data security
Hardware encryption
Data protection
Remote wipe
Local wipe
Encrypted Configuration Profiles
Encrypted iTunes backups

Content ratings
Allow explicit music and podcasts
Set ratings region
Set allowed content ratings


Local wipe

Devices can also be configured to automatically initiate a local wipe after several failed passcode attempts. This protects against brute-force attempts to gain access to the device. When a passcode is established, users have the ability to enable local wipe directly within Settings. By default, iOS will automatically wipe the device after 10 failed passcode attempts. As with other passcode policies, the maximum number of failed attempts can be established via a Configuration Profile, set by an MDM server, or enforced over the air via Microsoft Exchange ActiveSync policies.

iCloud

iCloud stores music, photos, apps, calendars, documents, and more, and automatically pushes them to all of a user's devices. iCloud also backs up information, including device settings, app data, and text and MMS messages, daily over Wi-Fi. iCloud secures your content by encrypting it when sent over the Internet, storing it in an encrypted format, and using secure tokens for authentication. Additionally, iCloud features, including Photo Stream, Document Sync, and Backup, can be disabled via a Configuration Profile. For more information on iCloud security and privacy, visit http://support.apple.com/kb/HT4865.

Network Security

Mobile users must be able to access corporate information networks from anywhere in the world, yet it's also important to ensure that users are authorized and that their data is protected during transmission. iOS provides proven technologies to accomplish these security objectives for both Wi-Fi and cellular data network connections.

In addition to your existing infrastructure, each FaceTime session and iMessage conversation is encrypted end to end. iOS creates a unique ID for each user, ensuring communications are encrypted, routed, and connected properly.

VPN

Many enterprise environments have some form of virtual private network (VPN) established. These secure network services are already deployed and typically require minimal setup and configuration to work with iPhone and iPad.

Out of the box, iOS integrates with a broad range of commonly used VPN technologies through support for Cisco IPSec, L2TP, and PPTP. iOS supports SSL VPN through applications from Juniper Networks, Cisco, SonicWALL, Check Point, Aruba Networks, and F5 Networks. Of these, Cisco IPSec, L2TP/IPSec, and SSL VPN provide strong IP-based encryption for transmission of sensitive information. PPTP relies on MS-CHAPv2 password authentication, which has known weaknesses, so prefer the IPSec or SSL VPN options, ideally with certificate-based authentication, for sensitive traffic.

In addition to enabling secure access to existing VPN environments, iOS offers proven methods for user authentication. Authentication via standard X.509 digital certificates provides users with streamlined access to company resources and a viable alternative to using hardware-based tokens. Additionally, certificate authentication enables iOS to take advantage of VPN On Demand, making the VPN authentication process transparent while still providing strong, credentialed access to network services. For enterprise environments in which a two-factor token is a requirement, iOS integrates with RSA SecurID and CRYPTOCard.

iOS supports network proxy configuration as well as split IP tunneling so that traffic to public or private network domains is relayed according to your specific company policies.

Network security
Built-in Cisco IPSec, L2TP, PPTP VPN
SSL VPN via App Store apps
SSL/TLS with X.509 certificates
WPA/WPA2 Enterprise with 802.1X
Certificate-based authentication
RSA SecurID, CRYPTOCard

VPN protocols
Cisco IPSec
L2TP/IPSec
PPTP
SSL VPN

Authentication methods
Password (MS-CHAPv2)
RSA SecurID
CRYPTOCard
X.509 digital certificates
Shared secret

802.1X authentication protocols
EAP-TLS
EAP-TTLS
EAP-FAST
EAP-SIM
PEAP v0, v1
LEAP

Supported certificate formats
iOS supports X.509 certificates with RSA keys. The file extensions .cer, .crt, and .der are recognized.


SSL/TLS

iOS supports SSLv3 as well as Transport Layer Security (TLS v1.0, 1.1, and 1.2), the next-generation security standard for the Internet. Safari, Calendar, Mail, and other Internet applications automatically start these mechanisms to enable an encrypted communication channel between iOS and corporate services. SSLv3 has since been deprecated (RFC 7568) and should be disabled on your servers; configure them to negotiate TLS, preferably TLS 1.2, with iOS clients.

WPA/WPA2

iOS supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection. And with support for 802.1X, iPhone and iPad can be integrated into a broad range of RADIUS authentication environments.
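The following added example (not Apple's code) generates the managed Wi-Fi payload that a Configuration Profile would carry for a WPA2 Enterprise network and checks it for the two mistakes that undo 802.1X: accepting LEAP, whose MS-CHAP-derived exchange can be cracked offline, and not pinning the RADIUS server's certificate (trust anchors and trusted server names), which lets a rogue access point with any certificate harvest credentials. Key names follow Apple's Configuration Profile Reference for the com.apple.wifi.managed payload and EAP type numbers are IANA's registered values; the SSIDs, identifier prefix and certificate UUIDs are constructed for the example.

```python
"""Generate and check a managed Wi-Fi payload for WPA2 Enterprise (802.1X).

Added example, not Apple's code. Key names follow the com.apple.wifi.managed
payload in Apple's Configuration Profile Reference (assumed current for iOS 6).
EAP type numbers are IANA's: 13 = EAP-TLS, 17 = LEAP, 18 = EAP-SIM,
21 = EAP-TTLS, 25 = PEAP, 43 = EAP-FAST.
"""
import uuid

EAP_NAMES = {13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
             25: "PEAP", 43: "EAP-FAST"}
WEAK_EAP = {17}  # LEAP: challenge/response is crackable offline from a capture


def wifi_payload(ssid, eap_types, trusted_server_names, anchor_uuids):
    """Build a com.apple.wifi.managed payload for an enterprise SSID."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": f"com.example.wifi.{ssid}",  # assumed prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA",  # WPA/WPA2; Enterprise because EAP config is present
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            # Server-side pinning: names the RADIUS certificate must carry and
            # the UUIDs of certificate payloads that anchor its chain.
            "TLSTrustedServerNames": list(trusted_server_names),
            "PayloadCertificateAnchorUUID": list(anchor_uuids),
            "TLSAllowTrustExceptions": False,  # no "trust anyway" prompt
        },
    }


def lint_wifi(payload):
    """Findings for an enterprise Wi-Fi payload; an empty list is acceptable."""
    findings = []
    eap = payload.get("EAPClientConfiguration")
    if not eap:
        findings.append("no EAPClientConfiguration: not WPA2 Enterprise")
        return findings
    for t in eap.get("AcceptEAPTypes", []):
        if t in WEAK_EAP:
            findings.append(f"weak EAP method accepted: {EAP_NAMES.get(t, t)}")
    if not eap.get("TLSTrustedServerNames") and not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("RADIUS server certificate not pinned: rogue AP can harvest credentials")
    if eap.get("TLSAllowTrustExceptions", True):
        findings.append("user may accept an untrusted RADIUS certificate")
    if payload.get("EncryptionType") in ("WEP", "None"):
        findings.append("encryption type is not WPA/WPA2")
    return findings


if __name__ == "__main__":
    good = wifi_payload("CorpNet", [13], ["radius.example.com"],
                        ["0F2A6C1E-EXAMPLE-ANCHOR-UUID"])
    bad = wifi_payload("LegacyNet", [17, 25], [], [])
    print("CorpNet:", lint_wifi(good) or "ok")
    print("LegacyNet:", lint_wifi(bad))
```

Use the payload inside the PayloadContent array of a profile together with the certificate payload whose UUID is listed in PayloadCertificateAnchorUUID; without that anchor and a trusted server name, the device has nothing to check the RADIUS server against and will ask the user to trust whatever certificate is presented.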

App Security

iOS is designed with security at its core. It includes a sandboxed approach to application runtime protection and requires application signing to ensure that applications cannot be tampered with. iOS also has a secure framework that facilitates secure storage of application and network service credentials in an encrypted keychain. For developers, it offers a Common Crypto architecture that can be used to encrypt application data stores.

Runtime protection

Applications on the device are sandboxed so they cannot access data stored by other applications. In addition, system files, resources, and the kernel are shielded from the user's application space. If an application needs to access data from another application, it can only do so using the APIs and services provided by iOS. Code generation is also prevented.

Mandatory code signing

All iOS applications must be signed. The applications provided with the device are signed by Apple. Third-party applications are signed by the developer using an Apple-issued certificate. This ensures that applications haven't been tampered with or altered. Additionally, runtime checks are made to ensure that an application hasn't become untrusted since it was last used.

The use of custom or in-house applications can be controlled with a provisioning profile. Users must have the provisioning profile installed to execute the application. Provisioning profiles can be installed or revoked over the air using MDM solutions. Administrators can also restrict the use of an application to specific devices.

Secure authentication framework

iOS provides a secure, encrypted keychain for storing digital identities, user names, and passwords. Keychain data is partitioned so that credentials stored by third-party applications cannot be accessed by applications with a different identity. This provides the mechanism for securing authentication credentials on iPhone and iPad across a range of applications and services within the enterprise.

Common Crypto architecture

Application developers have access to encryption APIs that they can use to further protect their application data. Data can be symmetrically encrypted using AES, RC4, or 3DES; of these, only AES should be chosen for new designs, since RC4 and 3DES are now deprecated. In addition, iPhone and iPad provide hardware acceleration for AES encryption and SHA-1 hashing, maximizing application performance.

App security
Runtime protection
Mandatory code signing
Keychain services
Common Crypto APIs
Application data protection
Managed apps


© 2012 Apple Inc. All rights reserved. Apple, the Apple logo, FaceTime, iPad, iPhone, iTunes, Passbook, Safari, and Siri are trademarks of Apple Inc., registered in the U.S. and other countries. iMessage is a trademark of Apple Inc. iCloud and iTunes Store are service marks of Apple Inc., registered in the U.S. and other countries. App Store and iBookstore are service marks of Apple, Inc. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. September 2012

Application data protection

Applications can also take advantage of the built-in hardware encryption on iPhone and iPad to further protect sensitive application data. Developers can designate specific files for data protection, instructing the system to make the contents of the file cryptographically inaccessible to both the application and any potential intruders when the device is locked.

Managed apps

An MDM server can manage third-party apps from the App Store, as well as enterprise in-house applications. Designating an app as managed enables the server to specify whether the app and its data can be removed from the device by the MDM server. Additionally, the server can prevent managed app data from being backed up to iTunes and iCloud. This allows IT to manage apps that may contain sensitive business information with more control than apps downloaded directly by the user.

In order to install a managed app, the MDM server sends an installation command to the device. Managed apps require a user's acceptance before they are installed. For more information about managed apps, view the Mobile Device Management Overview at www.apple.com/business/mdm.

Revolutionary Devices, Security Throughout

iPhone and iPad provide encrypted protection of data in transit, at rest, and when backed up to iCloud or iTunes. Whether a user is accessing corporate email, visiting a private website, or authenticating to the corporate network, iOS provides assurance that only authorized users can access sensitive corporate information. And, with its support for enterprise-grade networking and comprehensive methods to prevent data loss, you can deploy iOS devices with confidence that you are implementing proven mobile device security and data protection.


Deploying iPhone and iPad: Mobile Device Management

iOS supports Mobile Device Management (MDM), giving businesses the ability to manage scaled deployments of iPhone and iPad across their organizations. These MDM capabilities are built upon existing iOS technologies like Configuration Profiles, Over-the-Air Enrollment, and the Apple Push Notification service, and can be integrated with in-house or third-party server solutions. This gives IT departments the ability to securely enroll iPhone and iPad in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed devices.

Managing iPhone and iPad

Management of iOS devices takes place via a connection to a Mobile Device Management server. This server can be built in-house by IT or purchased from a third-party solution provider. The device communicates with the server to see if there are tasks pending and responds with the appropriate actions. These tasks can include updating policies, providing requested device or network information, or removing settings and data.

Most management functions are completed behind the scenes with no user interaction required. For example, if an IT department updates its VPN infrastructure, the MDM server can configure iPhone and iPad with new account information over the air. The next time VPN is used by the employee, the appropriate configuration is already in place, so the employee doesn't need to call the help desk or manually modify settings.

[Diagram: Third-Party MDM Server behind the corporate Firewall, communicating with the Apple Push Notification Service and with the managed device.]


MDM and the Apple Push Notification Service

When an MDM server wants to communicate with iPhone or iPad, a silent notification is sent to the device via the Apple Push Notification service, prompting it to check in with the server. The process of notifying the device does not send any proprietary information to or from the Apple Push Notification service. The only task performed by the push notification is to wake the device so it checks in with the MDM server.

All configuration information, settings, and queries are sent directly from the server to the iOS device over an encrypted SSL/TLS connection between the device and the MDM server. iOS handles all MDM requests and actions in the background to limit the impact on the user experience, including battery life, performance, and reliability.

In order for the push notification server to recognize commands from the MDM server, a certificate must first be installed on the server. This certificate must be requested and downloaded from the Apple Push Certificates Portal. Once the Apple Push Notification certificate is uploaded into the MDM server, devices can begin to be enrolled. For more information on requesting an Apple Push Notification certificate for MDM, visit www.apple.com/business/mdm.

Apple Push Notification network setup

When MDM servers and iOS devices are behind a firewall, some network configuration may need to take place in order for the MDM service to function properly. To send notifications from an MDM server to the Apple Push Notification service, TCP port 2195 needs to be open. To reach the feedback service, TCP port 2196 will need to be open as well. For devices connecting to the push service over Wi-Fi, TCP port 5223 should be open. (Apple has since retired this binary provider interface on ports 2195 and 2196 in favor of the HTTP/2-based APNs API on port 443 or 2197; check your MDM vendor's current requirements.)

The IP address range for the push service is subject to change; the expectation is that an MDM server will connect by hostname rather than by IP address. The push service uses a load-balancing scheme that yields a different IP address for the same hostname. This hostname is gateway.push.apple.com (and gateway.sandbox.push.apple.com for the development push notification environment). Additionally, the entire 17.0.0.0/8 address block is assigned to Apple, so firewall rules can be established to specify that range.

For more information, consult your MDM vendor or view Developer Technical Note TN2265 in the iOS Developer Library at http://developer.apple.com/library/ios/#technotes/tn2265/_index.html.
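An added example (not from Apple or any MDM vendor): a small Python detector that reads egress firewall logs and reports denied TCP connections from internal hosts to Apple's 17.0.0.0/8 block on the three ports above, attributing each to its role (MDM server to the APNs gateway or feedback service, or a device reaching APNs over Wi-Fi), and derives the allow-rules that would unblock them. The log lines are constructed in a generic key=value syslog style; adjust the regular expression to your firewall's format.

```python
"""Spot Apple Push Notification traffic being dropped at the egress firewall.

Added example (not from Apple or an MDM vendor). The log format below is a
constructed, generic firewall syslog line; adapt LINE_RE to your product.
Ports and the 17.0.0.0/8 block are the ones given in the text above.
"""
import ipaddress
import re
from collections import defaultdict

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
APNS_PORTS = {
    2195: "MDM server -> APNs gateway (binary provider interface)",
    2196: "MDM server -> APNs feedback service",
    5223: "iOS device on Wi-Fi -> APNs",
}

# Constructed sample lines, not real traffic. Note the 5223 denial to a
# non-Apple address and the allowed 443 flow: neither is an APNs problem.
SAMPLE_LOG = """\
2012-09-14T08:00:01Z fw01 action=deny proto=tcp src=10.1.20.5 dst=17.172.233.10 dport=2195
2012-09-14T08:00:02Z fw01 action=allow proto=tcp src=10.1.20.5 dst=17.172.233.10 dport=443
2012-09-14T08:00:07Z fw01 action=deny proto=tcp src=10.1.20.5 dst=17.149.34.62 dport=2196
2012-09-14T08:01:15Z fw01 action=deny proto=tcp src=10.8.44.19 dst=17.110.227.12 dport=5223
2012-09-14T08:01:16Z fw01 action=deny proto=tcp src=10.8.44.19 dst=93.184.216.34 dport=5223
2012-09-14T08:02:00Z fw01 action=allow proto=tcp src=10.8.44.20 dst=17.110.227.12 dport=5223
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def blocked_apns(log_text):
    """Return {src: [(ts, dst, dport, role), ...]} for denied TCP connections
    to Apple's 17/8 block on an APNs port."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "deny" or rec["proto"] != "tcp":
            continue
        if rec["dport"] not in APNS_PORTS:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue
        if dst not in APPLE_NET:
            continue  # same port, but not Apple: not APNs
        hits[rec["src"]].append(
            (rec["ts"], rec["dst"], rec["dport"], APNS_PORTS[rec["dport"]]))
    return dict(hits)


def suggested_rules(hits):
    """Egress allow-rules covering what was blocked. Apple prefers rules by
    hostname because APNs addresses change; 17/8 is the stated fallback."""
    rules = set()
    for events in hits.values():
        for _ts, _dst, dport, _role in events:
            rules.add(f"allow tcp from internal to 17.0.0.0/8 port {dport}")
    return sorted(rules)


if __name__ == "__main__":
    found = blocked_apns(SAMPLE_LOG)
    for src, events in found.items():
        for ts, dst, dport, role in events:
            print(f"{ts} {src} -> {dst}:{dport} denied  [{role}]")
    print(*suggested_rules(found), sep="\n")
```

In the constructed sample the MDM server 10.1.20.5 cannot reach either the gateway or the feedback service, and one Wi-Fi client cannot reach APNs on 5223; the denied 5223 connection to a non-Apple address is deliberately left out of the report.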

Enrollment

Once the Mobile Device Management server and network are configured, the first step in managing an iPhone or iPad is to enroll it with an MDM server. This creates a relationship between the device and the server, allowing it to be managed on demand without further user interaction.

This can be done by connecting iPhone or iPad to a computer via USB, but most solutions deliver the enrollment profile wirelessly. Some MDM vendors use an app to kick-start this process; others initiate enrollment by directing users to a web portal. Each method has its benefits, and both are used to trigger the Over-the-Air Enrollment process via Safari.

iOS and SCEP

iOS supports the Simple Certificate Enrollment Protocol (SCEP). At the time of writing SCEP was an Internet Draft in the IETF (it was later published as RFC 8894); it is designed to provide a simplified way of handling certificate distribution for large-scale deployments. This enables over-the-air enrollment of identity certificates to iPhone and iPad that can be used for authentication to corporate services.


Enrollment process overview

The process of Over-the-Air Enrollment involves phases that are combined in an automated workflow to provide the most scalable way to securely enroll devices in an enterprise environment. These phases include:

1. User authentication
User authentication ensures that incoming enrollment requests are from authorized users and that the user's device information is captured prior to proceeding with certificate enrollment. Administrators can prompt the user to begin the process of enrollment via a web portal, email, SMS message, or even an app.

2. Certificate enrollment
After the user is authenticated, iOS generates a certificate enrollment request using the Simple Certificate Enrollment Protocol (SCEP). This enrollment request communicates directly to the enterprise Certificate Authority (CA), and enables iPhone and iPad to receive the identity certificate from the CA in response.

3. Device configuration
Once an identity certificate is installed, the device can receive encrypted configuration information over the air. This information can only be installed on the device it is intended for and contains the settings needed to connect to the MDM server.

At the end of the enrollment process, the user will be presented with an installation screen that describes what access rights the MDM server will have on the device. By agreeing to the profile installation, the user's device is automatically enrolled without further interaction.

Once iPhone and iPad are enrolled as managed devices, they can be dynamically configured with settings, queried for information, or remotely wiped by the MDM server.

Management

With Mobile Device Management, there are a number of functions an MDM server can perform on iOS devices. These tasks include installing and removing Configuration and Provisioning Profiles, managing apps, ending the MDM relationship, and remotely wiping a device.

Managed configurations

During the initial process of configuring a device, an MDM server pushes Configuration Profiles to iPhone and iPad that are installed behind the scenes. Over time, the settings and policies put in place at the time of enrollment may need to be updated or changed. To make these changes, an MDM server can install new Configuration Profiles and modify or remove existing profiles at any time.

Additionally, context-specific configurations may need to be installed on iOS devices, depending on a user's location or role in the organization. As an example, if a user is traveling internationally, an MDM server can require that mail accounts sync manually instead of automatically. An MDM server can even remotely disable voice or data services in order to prevent a user from incurring roaming fees from a wireless provider.


Managed apps

An MDM server can manage third-party apps from the App Store, as well as enterprise in-house applications. The server can remove managed apps and their associated data on demand, or specify whether the apps are removed when the MDM profile is removed. Additionally, the MDM server can prevent managed app data from being backed up to iTunes and iCloud.

To install a managed app, the MDM server sends an installation command to the user's device. Managed apps require a user's acceptance before they are installed. When an MDM server requests the installation of a managed app from the App Store, the app will be redeemed with the iTunes account that is used at the time the app is installed. Paid apps will require the MDM server to send a Volume Purchasing Program (VPP) redemption code. For more information on VPP, visit www.apple.com/business/vpp.

Apps from the App Store cannot be installed on a user's device if the App Store has been disabled.

Managing supervised devices with MDM

Devices that are activated using Apple Configurator can be supervised, enabling additional settings and restrictions to be installed. Once a device is supervised with Apple Configurator, all available settings and restrictions can be installed over the air via MDM as well. For more information on configuring and managing devices using both Apple Configurator and MDM, refer to Deploying iPhone and iPad: Apple Configurator.

Removing or wiping devices

If a device is found to be out of policy, lost, or stolen, or if an employee leaves the company, an MDM server can take action to protect corporate information in a number of ways.

An IT administrator can end the MDM relationship with a device by removing the Configuration Profile that contains the MDM server information. In doing so, all the accounts, settings, and apps it was responsible for installing are removed. Alternatively, IT can keep the MDM Configuration Profile in place and use MDM only to remove the specific Configuration Profiles, Provisioning Profiles, and managed apps they want to delete. This approach keeps the device managed by MDM and eliminates the need to re-enroll once it is back within policy.

Both methods give IT the ability to ensure information is only available to compliant users and devices, and ensure corporate data is removed without interfering with a user's personal data such as music, photos, or personal apps.

To permanently delete all media and data on the device and restore it to factory settings, MDM can remotely wipe iPhone and iPad. If a user is still looking for the device, IT can also choose to send a remote lock command to the device. This locks the screen and requires the user's passcode to unlock it.

If a user has simply forgotten the passcode, an MDM server can remove it from the device and prompt the user to create a new one within 60 minutes.


Supported management commands

Managed configuration
Install Configuration Profile
Remove Configuration Profile
Data roaming
Voice roaming (not available on all carriers)

Managed apps
Install managed app
Remove managed app
List all managed apps
Install Provisioning Profile
Remove Provisioning Profile

Security commands
Remote wipe
Remote lock
Clear passcode

Configuration

To configure a device with accounts, policies, and restrictions, the MDM server sends files known as Configuration Profiles to the device that are installed automatically. Configuration Profiles are XML files that contain settings that permit the device to work with your enterprise systems, including account information, passcode policies, restrictions, and other device settings. When combined with the previously discussed process of enrollment, device configuration provides IT with assurance that only trusted users are accessing corporate services, and that their devices are properly configured with established policies.

And because Configuration Profiles can be signed and encrypted, the settings cannot be altered or shared with others.


Supported configurable items

Accounts
Exchange ActiveSync
IMAP/POP Email
Wi-Fi
VPN
LDAP
CardDAV
CalDAV
Subscribed calendars

Passcode policies
Require passcode on device
Allow simple value
Require alphanumeric value
Minimum passcode length
Minimum number of complex characters
Maximum passcode age
Time before auto-lock
Passcode history
Grace period for device lock
Maximum number of failed attempts

Security and privacy
Allow diagnostic data to be sent to Apple
Allow user to accept untrusted certificates
Force encrypted backups

Supervised only restrictions
Allow iMessage
Allow Game Center
Allow removal of apps
Allow iBookstore
Allow erotica from iBookstore
Enable Siri Profanity Filter
Allow manual install of Configuration Profiles

Other settings
Credentials
Web clips
SCEP settings
APN settings
Global HTTP Proxy (Supervised only)
Single App Mode (Supervised only)

Device functionality
Allow installing apps
Allow Siri
Allow Siri while locked
Allow Passbook notifications while locked
Allow use of camera
Allow FaceTime
Allow screen capture
Allow automatic syncing while roaming
Allow syncing of Mail recents
Allow voice dialing
Allow In-App Purchase
Require store password for all purchases
Allow multiplayer gaming
Allow adding Game Center friends

Applications
Allow use of YouTube
Allow use of iTunes Store
Allow use of Safari
Set Safari security preferences

iCloud
Allow backup
Allow document sync and key-value sync
Allow Photo Stream
Allow shared Photo Stream

Content ratings
Allow explicit music and podcasts
Set ratings region
Set allowed content ratings


Querying Devices

In addition to configuration, an MDM server has the ability to query devices for a variety of information. This information can be used to ensure that devices continue to comply with required policies.

Supported queries

Device information
Unique Device Identifier (UDID)
Device name
iOS and build version
Model name and number
Serial number
Capacity and space available
IMEI
Modem firmware
Battery level
Supervision status

Network information
ICCID
Bluetooth and Wi-Fi MAC addresses
Current carrier network
Subscriber carrier network
Carrier settings version
Phone number
Data roaming setting (on/off)

Compliance and security information
Configuration Profiles installed
Certificates installed with expiry dates
List all restrictions enforced
Hardware encryption capability
Passcode present

Applications
Applications installed (app ID, name, version, size, and app data size)
Provisioning Profiles installed with expiry dates
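Putting the management commands and the device queries together, the following Python simulation is an added example, not Apple's or any vendor's implementation. It models the loop this section describes: the device checks in after a push, the server returns one queued command per round trip, the device acknowledges it, and the server evaluates the DeviceInformation answers against a compliance baseline before queuing a DeviceLock for a device that fails. The message shapes (plist dictionaries carrying Status, UDID, CommandUUID and a Command dictionary with a RequestType) follow Apple's MDM protocol; the UDID, tokens, device data and compliance thresholds are constructed for the example, and the transport (push notification, HTTPS) is replaced by direct function calls.

```python
"""Simulate the MDM command loop: check-in, one command per round trip,
acknowledgement, and a compliance decision driven by query results.

Added example, not Apple's or a vendor's code. Message shapes follow Apple's
MDM protocol (plists with Status, UDID, CommandUUID, Command.RequestType);
tokens, UDIDs, device data and the compliance baseline are constructed.
"""
import plistlib
import uuid
from collections import deque


class MDMServer:
    def __init__(self):
        self.queues = {}   # UDID -> deque of pending command plists
        self.tokens = {}   # UDID -> (push token, unlock token) from TokenUpdate
        self.results = {}  # UDID -> most recent QueryResponses

    def checkin(self, msg):
        """Enrollment check-in (device PUT /checkin). Authenticate registers
        the device; TokenUpdate delivers the push token and UnlockToken."""
        if msg["MessageType"] == "Authenticate":
            self.queues.setdefault(msg["UDID"], deque())
        elif msg["MessageType"] == "TokenUpdate":
            # UnlockToken is what ClearPasscode needs later: protect it at rest.
            self.tokens[msg["UDID"]] = (msg["Token"], msg.get("UnlockToken"))

    def enqueue(self, udid, request_type, **extra):
        cmd = {"CommandUUID": str(uuid.uuid4()).upper(),
               "Command": {"RequestType": request_type, **extra}}
        self.queues[udid].append(cmd)
        return cmd["CommandUUID"]

    def connect(self, body):
        """Command channel (device PUT /connect over TLS). Stores any query
        results, then hands back the next pending command or nothing."""
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        if udid not in self.queues:
            raise PermissionError("unknown device; not enrolled")
        if msg["Status"] == "Acknowledged" and "QueryResponses" in msg:
            self.results[udid] = msg["QueryResponses"]
        queue = self.queues[udid]
        return plistlib.dumps(queue.popleft()) if queue else b""


def device_round_trip(server, udid, device_state):
    """One check-in: report Idle, execute the returned command, acknowledge.
    Returns the RequestType handled, or None if nothing was pending."""
    reply = server.connect(plistlib.dumps({"Status": "Idle", "UDID": udid}))
    if not reply:
        return None
    cmd = plistlib.loads(reply)
    req = cmd["Command"]["RequestType"]
    ack = {"Status": "Acknowledged", "CommandUUID": cmd["CommandUUID"], "UDID": udid}
    if req == "DeviceInformation":
        ack["QueryResponses"] = {q: device_state[q]
                                 for q in cmd["Command"]["Queries"] if q in device_state}
    elif req == "DeviceLock":
        device_state["Locked"] = True
    server.connect(plistlib.dumps(ack))  # a further command may come back; ignored here
    return req


def compliance_findings(info, min_os="6.0"):
    """Evaluate DeviceInformation answers against a constructed baseline."""
    findings = []
    if not info.get("PasscodePresent", False):
        findings.append("no passcode set")
    # HardwareEncryptionCaps bitmask: 1 = block-level, 2 = file-level (data protection)
    if info.get("HardwareEncryptionCaps", 0) & 2 == 0:
        findings.append("file-level data protection not available")
    version = tuple(int(x) for x in info.get("OSVersion", "0").split("."))
    if version < tuple(int(x) for x in min_os.split(".")):
        findings.append(f"OS older than {min_os}")
    return findings


def enroll_and_audit(device_state, udid="CONSTRUCTED-UDID-0001"):
    """Enroll, query, evaluate, and lock a non-compliant device."""
    server = MDMServer()
    server.checkin({"MessageType": "Authenticate", "UDID": udid,
                    "Topic": "com.apple.mgmt.example"})
    server.checkin({"MessageType": "TokenUpdate", "UDID": udid, "Token": b"\x01" * 32,
                    "PushMagic": "EXAMPLE-MAGIC", "UnlockToken": b"\x02" * 16})
    server.enqueue(udid, "DeviceInformation",
                   Queries=["OSVersion", "PasscodePresent", "HardwareEncryptionCaps"])
    device_round_trip(server, udid, device_state)  # the push would trigger this
    findings = compliance_findings(server.results[udid])
    if findings:
        server.enqueue(udid, "DeviceLock")
        device_round_trip(server, udid, device_state)
    return findings


if __name__ == "__main__":
    state = {"OSVersion": "6.0", "PasscodePresent": False, "HardwareEncryptionCaps": 3}
    print(enroll_and_audit(state), "locked:", state.get("Locked", False))
```

Two details carry over to a real deployment: the server never acts on a device it has not seen Authenticate from, and the UnlockToken delivered at TokenUpdate is the credential that later powers Clear passcode, so it deserves the same storage protection as the push certificate's private key.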


[Diagram: Third-Party MDM Server behind the corporate Firewall, the Apple Push Notification Service, and the managed device, with callouts 1 to 5 corresponding to the steps in the Process Overview below.]


Process Overview

This example depicts a basic deployment of a Mobile Device Management server.

1. A Configuration Profile containing Mobile Device Management server information is sent to the device. The user is presented with information about what will be managed and/or queried by the server.
2. The user installs the profile to opt in to the device being managed.
3. Device enrollment takes place as the profile is installed. The server validates the device and allows access.
4. The server sends a push notification prompting the device to check in for tasks or queries.
5. The device connects directly to the server over HTTPS. The server sends commands or requests information.

For more information on Mobile Device Management, visit www.apple.com/business/mdm.


Deploying iPhone and iPad: Apple Configurator

iOS devices can be configured for enterprise deployment using a wide variety of tools and methods. End users can set up devices manually with a few simple instructions from IT, or device setup can be automated using Configuration Profiles or a third-party Mobile Device Management (MDM) server.

In some deployments, an IT department may want to mass configure a set of devices with the same settings and apps before the devices are placed in the hands of end users. This is often the case when the same device will be used by different people throughout the day. But other deployments require that the devices be tightly managed and reset to a specific configuration on a regular basis.

Apple Configurator makes it easy to mass configure and deploy iPhone and iPad in situations like these by enabling three simple options:

Prepare devices. You can Prepare a set of new iOS devices with a single central configuration, and then deploy them to users. Update devices to the latest version of iOS, install Configuration Profiles and apps, enroll them with your organization's MDM server, and then hand them out. Preparing devices is a great deployment option when your organization wants to provide iOS devices to employees for their day-to-day use.

Supervise devices. Another option is to Supervise a set of iOS devices that remain in your direct control and can be configured on an ongoing basis. Apply a configuration to each device, then reapply it automatically after each use just by reconnecting the device to Apple Configurator. Supervision is ideal for deploying devices for dedicated tasks (for example, retail, field service, medical), sharing devices among students in a classroom or a lab, or temporarily loaning iOS devices to customers (for example, hotels, restaurants, hospitals).

Assign devices. Lastly, you can Assign supervised devices to specific users in your organization. Check out a device to a specific user and restore that user's backup (including all of their data) to the device. When the device is checked back in, back up the user's data for later use, even on a different device. This option works well when users need to work with the same data and documents over a prolonged period, regardless of which device they are given.

System requirements
Mac computer
OS X Lion v10.7.5
iTunes 10.7 to manage devices running iOS 6

Apple Configurator works with devices running iOS 4.3 or later, and can supervise devices running iOS 5.0 or later.


Configuring Settings and Apps

Whether you choose to Prepare, Supervise, or Assign your iOS devices before deploying them, Apple Configurator makes it easy to configure a full range of settings and install both App Store and in-house apps.

Settings

Like iTunes, Apple Configurator lets you name devices and install iOS updates. Additionally, Apple Configurator can configure preferences like Home screen layout, and other settings that can be manually configured on a device and backed up to Apple Configurator.

Apple Configurator makes it easy to configure many devices with the same settings. Simply configure one device with the settings and preferences that you want on all the devices, then back up using Apple Configurator. Apple Configurator simultaneously restores the backup to the other devices as well, up to 30 USB-connected devices at the same time.

Like iPhone Configuration Utility, Profile Manager, and third-party Mobile Device Management solutions, Apple Configurator can create and install Configuration Profiles for the following settings:

Exchange ActiveSync accounts
VPN and Wi-Fi settings
Passcode length, complexity, and local wipe settings
MDM enrollment settings
Device restrictions
Certificates
Web clips

Configuration Profiles created using other tools can be easily imported into Apple Configurator. For a full list of configuration profile settings that are available in Apple Configurator, visit http://help.apple.com/configurator/mac/1.0.

If you want to connect devices to a Mobile Device Management server, use Apple Configurator to install MDM settings before handing the device over to an end user. Once a device is enrolled in your organization's MDM server, you can configure settings remotely, monitor for compliance with corporate policies, and wipe or lock the device. For more information on the capabilities of Mobile Device Management in iOS, visit www.apple.com/business/mdm.
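A Configuration Profile is an XML property list (a .mobileconfig file), so the passcode and restriction settings listed above can be generated and checked outside of Apple Configurator before being imported. The following is an added example, not code from the Apple document or from Apple Configurator: it builds a profile with a passcode payload (length, complexity, local wipe, auto-lock) and an encrypted-backup restriction using Python's standard plistlib, then audits the serialised profile against a small baseline. The payload type strings are the ones Apple documents for these payloads; the identifier prefix com.example.mdm and the audit thresholds are constructed placeholders for this example.

```python
"""Build a passcode/restrictions Configuration Profile as .mobileconfig
plist bytes and audit its passcode payload before pushing it to devices."""
import plistlib
import uuid

# Payload types as documented in Apple's Configuration Profile Reference.
# "com.example.mdm" is a constructed placeholder for your reverse-DNS prefix.
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"


def _payload_header(payload_type, identifier, display_name):
    """Keys every payload dictionary inside a profile must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def build_profile(min_length=6, max_failed=10, max_inactivity=5,
                  allow_simple=False, prefix="com.example.mdm"):
    """Return a top-level Configuration profile (as a dict) containing a
    passcode policy payload and a small restrictions payload."""
    passcode = _payload_header(PASSCODE_PAYLOAD_TYPE,
                               f"{prefix}.passcode", "Passcode Policy")
    passcode.update({
        "forcePIN": True,                 # user must set a passcode
        "allowSimple": allow_simple,      # False = no 1111 / 1234 style codes
        "minLength": min_length,          # passcode length
        "maxFailedAttempts": max_failed,  # local wipe after this many failures
        "maxInactivity": max_inactivity,  # minutes of inactivity before lock
    })
    restrictions = _payload_header(RESTRICTIONS_PAYLOAD_TYPE,
                                   f"{prefix}.restrictions", "Restrictions")
    restrictions.update({"forceEncryptedBackup": True})
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Baseline",
        "PayloadContent": [passcode, restrictions],
    }


def to_mobileconfig(profile):
    """Serialise the profile to the XML plist bytes a .mobileconfig holds."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(data):
    """Parse .mobileconfig bytes and return a list of policy findings.
    The thresholds are constructed for this example, not Apple's values."""
    profile = plistlib.loads(data)
    findings = []
    passcode_payloads = [p for p in profile.get("PayloadContent", [])
                         if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not passcode_payloads:
        return ["no passcode payload: devices are not forced to set a passcode"]
    for p in passcode_payloads:
        if not p.get("forcePIN"):
            findings.append("forcePIN is not set")
        if p.get("allowSimple", True):
            findings.append("allowSimple permits repeating/sequential passcodes")
        if p.get("minLength", 0) < 6:
            findings.append("minLength below 6")
        if "maxFailedAttempts" not in p:
            findings.append("maxFailedAttempts unset: no local wipe on brute force")
        if p.get("maxInactivity", 99) > 5:
            findings.append("maxInactivity longer than 5 minutes")
    return findings


if __name__ == "__main__":
    baseline = to_mobileconfig(build_profile())
    print(baseline.decode())
    print("findings:", audit_profile(baseline))
```

The audit step is the part worth keeping in a deployment pipeline: profiles built by hand or imported from another tool are easy to weaken by accident (a missing maxFailedAttempts silently drops the local-wipe protection), and checking the parsed plist catches that before 30 devices are restored from it.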

Activating devices

To prepare devices so you (or end users) don't need to complete iOS Setup Assistant, restore the devices with the backup from a device that already has iOS Setup Assistant completed.

Important detail: If new pages are added to the iOS Setup Assistant, e.g. Siri with iOS 5, you will need to make a new backup after completing the new assistant in order to bypass the assistant entirely. Otherwise, the user will be presented with those new pages.


Apps

To install an App Store app on your devices, purchase and download the app in iTunes, add it to Apple Configurator, and then install the app during device configuration. To install paid App Store apps using Apple Configurator, you must participate in the Volume Purchase Program (VPP). Apple Configurator automatically redeems codes provided by your VPP Program Facilitator or authorized volume purchaser to install apps.

The apps list in Apple Configurator shows which apps are free and how many redemption codes remain for paid apps. Each time you install an app on a device, one redemption code is used from the VPP spreadsheet that was imported into Apple Configurator. Redemption codes can't be reused. When you run out, you need to import more to install the app on more devices. If a paid app is uninstalled from a supervised or assigned device, it can be installed later on another device. The VPP code is not reactivated, so future installation needs to take place using Apple Configurator on the Mac that originally installed the app.

Paid apps from the App Store can only be installed using redemption codes acquired through the Volume Purchase Program for Business or Education. The Volume Purchase Program is not available in all regions. For more information, visit www.apple.com/business/vpp or www.apple.com/education/volume-purchase-program.

You can also install in-house apps that were developed and distributed within your organization, rather than purchased from the iTunes Store. Add your app (which includes the distribution provisioning profile) to Apple Configurator and then install it during device configuration.

Important: Apps installed using Apple Configurator are tied to the device they were installed on, not to a specific Apple ID. To update apps deployed using Apple Configurator, you must reconnect to the same Mac from which the apps were installed. Additionally, you can't redownload these apps via iTunes in the Cloud.

Using Apple Configurator with MDM

Apple Configurator and Mobile Device Management (MDM) each have their own unique capabilities. Apple Configurator has features like device supervision, mass configuration, and automatic refresh, while MDM has managed apps, device queries, and remote wipe. In some deployments, you'll want to use both tools to take advantage of the different features. For example, in a retail environment, you may want to supervise devices with Apple Configurator in order to take advantage of single app mode, then add the security benefit of remote wipe via MDM.

In deployments where both tools will be used, it's important to understand which features they share and which they don't. Apple Configurator and MDM servers can both install Configuration Profiles and apps, so you'll need to decide which tool to use for each task based on how often the device will be connecting to Apple Configurator to be refreshed. When using MDM to install Configuration Profiles or apps on a device that has been supervised by Apple Configurator, there are two helpful settings that enable more streamlined management. By default, Apple Configurator automatically refreshes devices as soon as they are connected and removes Configuration Profiles and apps that it didn't install. In a deployment where MDM is involved, you can disable these settings in the Apple Configurator Preferences, so changes made by an MDM server are left intact.

View or export device info

Apple Configurator includes an inspector that displays device info such as iOS version, serial number, hardware IDs and addresses, and available capacity for supervised devices. You can also export most of this information to a comma-separated spreadsheet file. Or export it to a file formatted specifically for the iOS developer provisioning portal, for access by your organization's software developers in order to create provisioning profiles for internal enterprise iOS apps.
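The comma-separated export described above is the natural input for an inventory check before devices go out or before UDIDs are handed to developers. The following is an added example, not code from the Apple document or from Apple Configurator: it reads a constructed CSV export (the column names are assumed, not Apple's), validates each UDID as 40 hexadecimal characters, flags devices below a minimum iOS version using numeric rather than string comparison, and writes the surviving devices as a tab-separated "Device ID / Device Name" list, which is assumed here to be the layout the developer provisioning portal accepted for UDID uploads.

```python
"""Audit a constructed Apple Configurator-style CSV device export: validate
UDIDs, flag devices below a minimum iOS version, and emit the UDID list in
the tab-separated form assumed for the developer provisioning portal."""
import csv
import io
import re

# Constructed sample export. Column names are assumptions for this example;
# map them to the real export's headers when adapting it.
SAMPLE_EXPORT = """Name,Serial Number,UDID,iOS Version,Capacity (GB)
Retail iPad 01,DMPABC123XYZ,0123456789abcdef0123456789abcdef01234567,6.0,16
Retail iPad 02,DMPDEF456XYZ,89abcdef0123456789abcdef0123456789abcdef,5.1.1,16
Loaner iPhone 07,C8QGHI789XYZ,not-a-udid,6.0,32
"""

# UDIDs of devices from this era are 40 hexadecimal characters.
UDID_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_version(text):
    """'5.1.1' -> (5, 1, 1) so versions compare numerically, not as strings
    (string comparison would rank '10.0' below '6.0')."""
    return tuple(int(part) for part in text.strip().split("."))


def audit_export(csv_text, minimum_ios="6.0"):
    """Return (ok_rows, problems). A row is ok when its UDID is well-formed
    and its iOS version is at or above minimum_ios."""
    minimum = parse_version(minimum_ios)
    ok, problems = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Name"]
        udid = row["UDID"].strip().lower()
        if not UDID_RE.match(udid):
            problems.append(f"{name}: malformed UDID {row['UDID']!r}")
            continue
        if parse_version(row["iOS Version"]) < minimum:
            problems.append(f"{name}: iOS {row['iOS Version']} is below {minimum_ios}")
            continue
        ok.append({"name": name, "udid": udid})
    return ok, problems


def to_portal_upload(rows):
    """Tab-separated 'Device ID<TAB>Device Name' list (assumed portal layout)."""
    lines = ["Device ID\tDevice Name"]
    lines += [f"{r['udid']}\t{r['name']}" for r in rows]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good, bad = audit_export(SAMPLE_EXPORT)
    for problem in bad:
        print("PROBLEM:", problem)
    print(to_portal_upload(good))
```

Devices that fail the check are kept out of the upload list rather than silently passed through, so a typo in a UDID or a device that missed the iOS update is found by the administrator, not by a developer whose provisioning profile fails to install.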


Deployment Examples

The scenarios below illustrate how you can use Apple Configurator to quickly deploy customized devices.

Preparing new devices for personal use

With the Prepare option, configure devices with settings before deploying them to users for personal business use. This may include an update to the latest version of iOS, an internal network configuration, or enrollment information for your company's MDM server.

Once you Prepare a device using Apple Configurator, it can be reconfigured as the end user sees fit. It will not be recognized by Apple Configurator if it is later reconnected. For example, users can connect their unsupervised devices to their copies of iTunes and sync any content they want. IT administrators who want to give users more freedom to personalize devices should use Apple Configurator to Prepare and deploy an unsupervised device, and then use MDM to remotely manage each device's settings, accounts, and apps.

Configuration of an unsupervised device is typically a one-time event; thereafter, the user is responsible for the device. Apple Configurator forgets about unsupervised devices as soon as they are disconnected; if an unsupervised device is returned, Apple Configurator treats it as a new device.

Supervising devices for deployment to unspecified users

During preparation, you can choose to Supervise devices that need to be controlled and configured by Apple Configurator on an ongoing basis. This may be a collection of devices that all need an identical configuration and are not tied to a specific user. A supervised device is erased every time it's reconnected to Apple Configurator, removing the previous user's data, and reconfigured. Additionally, supervised devices can't be synced with iTunes or with Apple Configurator on a different Mac.

Deploying supervised devices typically involves distributing the devices, retrieving them, reapplying their initial configuration, and distributing them again. Supervised devices can be organized into groups, making it easy to automatically apply common configurations.

Important: When a device is initially supervised during the Prepare process, all content and settings are purposely wiped. This prevents a personal device from being supervised without a user's knowledge.


Assigning supervised devices to specific users

Once you set up a supervised device, you can also Assign it to a designated user. When you check out the device to a particular user, Apple Configurator returns the device to the state it was in the last time that person used it. All the user's settings and app data are restored.

When you check the device back in, Apple Configurator backs up the user's settings and app data for the next time, including any new user-created data, and then erases any information that was left on the device by the previous user. By checking devices in and out, you can give each user the experience of a personal device, yet retain the ability to assign the same group of devices to many groups of users. Users can be added manually or imported from Open Directory or Active Directory and organized into custom groups.

If you're installing apps that support iTunes File Sharing, like Keynote or Pages, you can also install documents so they're ready when your users get their checked-out devices. And when a device is checked back in, a backup of the user's data and settings is created and the user's synced documents can be accessed directly from Apple Configurator.
