iOS 6 Business Sep12
7/30/2019 iOS 6 Business Sep12
1/32
iPhone and iPad in Business
Deployment Scenarios, September 2012
Learn how iPhone and iPad integrate seamlessly into enterprise environments with these deployment scenarios.
Microsoft Exchange ActiveSync
Standards-Based Services
Virtual Private Networks
Wi-Fi
Digital Certificates
Security Overview
Mobile Device Management
Apple Configurator
Deploying iPhone and iPad
Exchange ActiveSync
iPhone and iPad can communicate directly with your Microsoft Exchange Server via Microsoft Exchange ActiveSync (EAS), enabling push email, calendar, contacts, and tasks. Exchange ActiveSync also provides users with access to the Global Address List (GAL), and provides administrators with passcode policy enforcement and remote wipe capabilities. iOS supports both basic and certificate-based authentication for Exchange ActiveSync. If your company currently enables Exchange ActiveSync, you have the necessary services in place to support iPhone and iPad; no additional configuration is required. If you have Exchange Server 2003, 2007, or 2010 but your company is new to Exchange ActiveSync, review the following steps.
Exchange ActiveSync Setup
Network configuration overview
Check to ensure port 443 is open on the firewall. If your company allows Outlook Web Access, port 443 is most likely already open.
On the Front-End Server, verify that a server certificate is installed and enable SSL for the Exchange ActiveSync virtual directory in IIS.
If you're using a Microsoft Internet Security and Acceleration (ISA) Server, verify that a server certificate is installed and update the public DNS to resolve incoming connections.
Make sure the DNS for your network returns a single, externally routable address to the Exchange ActiveSync server for both intranet and Internet clients. This is required so the device can use the same IP address for communicating with the server when both types of connections are active.
If you're using a Microsoft ISA Server, create a web listener as well as an Exchange web client access publishing rule. See Microsoft's documentation for details.
For all firewalls and network appliances, set the Idle Session Timeout to 30 minutes. For information about heartbeat and timeout intervals, refer to the Microsoft Exchange documentation at http://technet.microsoft.com/en-us/library/cc182270.aspx.
Configure mobile features, policies, and device security settings using the Exchange System Manager. For Exchange Server 2007 and 2010, this is done in the Exchange Management Console.
Download and install the Microsoft Exchange ActiveSync Mobile Administration Web Tool, which is necessary to initiate a remote wipe. For Exchange Server 2007 and 2010, remote wipe can also be initiated using Outlook Web Access or the Exchange Management Console.
Supported Exchange ActiveSync security policies
Remote wipe
Enforce password on device
Minimum password length
Maximum failed password attempts (before local wipe)
Require both numbers and letters
Inactivity time in minutes (1 to 60 minutes)
Additional Exchange ActiveSync policies (for Exchange 2007 and 2010 only)
Allow or prohibit simple password
Password expiration
Password history
Policy refresh interval
Minimum number of complex characters in password
Require manual syncing while roaming
Allow camera
Allow web browsing
Basic authentication (username and password)
Enable Exchange ActiveSync for specific users or groups using the Active Directory service. These are enabled by default for all mobile devices at the organizational level in Exchange Server 2003, 2007, and 2010. For Exchange Server 2007 and 2010, see Recipient Configuration in the Exchange Management Console.
By default, Exchange ActiveSync is configured for basic user authentication. It's recommended that you enable SSL for basic authentication to ensure credentials are encrypted during authentication.
Certificate-based authentication
Install enterprise certificate services on a member server or domain controller in your domain (this will be your certificate authority server).
Configure IIS on your Exchange front-end server or Client Access Server to accept certificate-based authentication for the Exchange ActiveSync virtual directory.
To allow or require certificates for all users, turn off Basic authentication and select either Accept client certificates or Require client certificates.
Generate client certificates using your certificate authority server. Export the public key and configure IIS to use this key. Export the private key and use a Configuration Profile to deliver this key to iPhone and iPad. Certificate-based authentication can only be configured using a Configuration Profile.
For more information on certificate services, please refer to resources available from Microsoft.
Other Exchange ActiveSync services
Global Address List lookup
Accept and create calendar invitations
Sync tasks
Flag email messages
Sync Reply and Forward flags with Exchange Server 2010
Mail search on Exchange Server 2007 and 2010
Support for multiple Exchange ActiveSync accounts
Certificate-based authentication
Email push to selected folders
Autodiscover
Exchange ActiveSync Deployment Scenario
This example shows how iPhone and iPad connect to a typical Microsoft Exchange Server 2003, 2007, or 2010 deployment.
1. iPhone and iPad request access to Exchange ActiveSync services over port 443 (HTTPS). (This is the same port used for Outlook Web Access and other secure web services, so in many deployments this port is already open and configured to allow SSL encrypted HTTPS traffic.)
2. ISA provides access to the Exchange Front-End or Client Access Server. ISA is configured as a proxy, or in many cases a reverse proxy, to route traffic to the Exchange Server.
3. Exchange Server authenticates the incoming user via the Active Directory service and the certificate server (if using certificate-based authentication).
4. If the user provides the proper credentials and has access to Exchange ActiveSync services, the Front-End Server establishes a connection to the appropriate mailbox on the Back-End Server (via the Active Directory Global Catalog).
5. The Exchange ActiveSync connection is established. Updates/changes are pushed over the air, and any changes made on iPhone and iPad are reflected on the Exchange Server.
6. Sent mail items are also synchronized with the Exchange Server via Exchange ActiveSync (step 5). To route outbound email to external recipients, mail is typically sent through a Bridgehead (or Hub Transport) Server to an external Mail Gateway (or Edge Transport Server) via SMTP. Depending on your network configuration, the external Mail Gateway or Edge Transport Server could reside within the perimeter network or outside the firewall.
[Diagram: Internet, Firewall, Proxy Server (port 443), Firewall, Exchange Front-End or Client Access Server, Certificate Server (public key and private key certificates delivered via Configuration Profile), Active Directory, Exchange Mailbox or Back-End Server(s), Bridgehead or Hub Transport Server, Mail Gateway or Edge Transport Server*. *Depending on your network configuration, the Mail Gateway or Edge Transport Server may reside within the perimeter network (DMZ).]
© 2012 Apple Inc. All rights reserved. Apple, the Apple logo, iPhone, iPad, and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. September 2012
Deploying iPhone and iPad
Standards-Based Services
With support for the IMAP mail protocol, LDAP directory services, and CalDAV calendaring and CardDAV contacts protocols, iOS can integrate with just about any standards-based mail, calendar, and contacts environment. And if your network environment is configured to require user authentication and SSL, iPhone and iPad provide a secure approach to accessing standards-based corporate email, calendar, tasks, and contacts.
In a typical deployment, iPhone and iPad establish direct access to IMAP and SMTP mail servers to receive and send email over the air, and can also wirelessly sync notes with IMAP-based servers. iOS devices can connect to your company's LDAPv3 corporate directories, giving users access to corporate contacts in the Mail, Contacts, and Messages applications. Synchronization with your CalDAV server allows users to wirelessly create and accept calendar invitations, receive calendar updates, and sync tasks with the Reminders app. And CardDAV support allows your users to maintain a set of contacts synced with your CardDAV server using the vCard format. All network servers can be located within a DMZ subnetwork, behind a corporate firewall, or both. With SSL, iOS supports 128-bit encryption and X.509 root certificates issued by the major certificate authorities.
Network Setup
Your IT or network administrator will need to complete these key steps to enable access from iPhone and iPad to IMAP, LDAP, CalDAV, and CardDAV services:
Open the appropriate ports on the firewall. Common ports include 993 for IMAP mail, 587 for SMTP mail, 636 for LDAP directory services, 8443 for CalDAV calendaring, and 8843 for CardDAV contacts. It's also recommended that communication between your proxy server and your back-end IMAP, LDAP, CalDAV, and CardDAV servers be set to use SSL and that digital certificates on your network servers be signed by a trusted certificate authority (CA) such as VeriSign. This important step ensures that iPhone and iPad recognize your proxy server as a trusted entity within your corporate infrastructure.
For outbound SMTP email, port 587, 465, or 25 must be opened to allow email to be sent. iOS automatically checks for port 587, then 465, and then 25. Port 587 is the most reliable, secure port because it requires user authentication. Port 25 does not require authentication, and some ISPs block this port by default to prevent spam.
Common ports
IMAP/SSL: 993
SMTP/SSL: 587
LDAP/SSL: 636
CalDAV/SSL: 8443, 443
CardDAV/SSL: 8843, 443
IMAP or POP-enabled mail solutions
iOS supports industry-standard IMAP4- and POP3-enabled mail servers on a range of server platforms, including Windows, UNIX, Linux, and Mac OS X.
CalDAV and CardDAV standards
iOS supports the CalDAV calendaring and CardDAV contacts protocols. Both protocols have been standardized by the IETF. More information can be found through the CalConnect consortium at http://caldav.calconnect.org/ and http://carddav.calconnect.org/.
Deployment Scenario
This example shows how iPhone and iPad connect to a typical IMAP, LDAP, CalDAV, and CardDAV deployment.
1. iPhone and iPad request access to network services over the designated ports.
2. Depending on the service, users must authenticate either with the reverse proxy or directly with the server to obtain access to corporate data. In all cases, connections are relayed by the reverse proxy, which functions as a secure gateway, typically behind the company's Internet firewall. Once authenticated, users can access their corporate data on the back-end servers.
3. iPhone and iPad provide lookup services on LDAP directories, giving users the ability to search for contacts and other address book information on the LDAP server.
4. For CalDAV calendars, users can access and update calendars.
5. CardDAV contacts are stored on the server and can also be accessed locally on iPhone and iPad. Changes to fields in CardDAV contacts are synced back to the CardDAV server.
6. For IMAP mail services, existing and new messages can be read on iPhone and iPad through the proxy connection with the mail server. Outgoing mail is sent to the SMTP server, with copies placed in the user's Sent folder.
[Diagram: Internet, Firewall, Reverse Proxy Server, Firewall; behind it the Mail Server (993 IMAP, 587 SMTP), LDAP Directory Server (636), CalDAV Server (8443), and CardDAV Server (8843).]
Deploying iPhone and iPad
Virtual Private Networks
Secure access to private corporate networks is available on iPhone and iPad using established industry-standard virtual private network (VPN) protocols. Users can easily connect to enterprise systems via the built-in VPN client in iOS or through third-party applications from Juniper Networks, Cisco, SonicWALL, Check Point, Aruba Networks, and F5 Networks.
Out of the box, iOS supports Cisco IPSec, L2TP over IPSec, and PPTP. If your organization supports one of these protocols, no additional network configuration or third-party applications are required to connect iPhone and iPad to your VPN.
Additionally, iOS supports SSL VPN, enabling access to Juniper Networks, Cisco, SonicWALL, Check Point, Aruba Networks, and F5 Networks SSL VPN servers. Users simply download a VPN client application developed by one of these companies from the App Store to get started. Like other VPN protocols supported in iOS, SSL VPN can be configured manually on the device or via Configuration Profile.
iOS supports industry-standard technologies such as IPv6, proxy servers, and split-tunneling, providing a rich VPN experience when connecting to corporate networks. And iOS works with a variety of authentication methods including password, two-factor token, and digital certificates. To streamline the connection in environments where certificate-based authentication is used, iOS features VPN On Demand, which dynamically initiates a VPN session when connecting to specified domains.
Supported Protocols and Authentication Methods
SSL VPN
Supports user authentication by password, two-factor token, and certificates.
Cisco IPSec
Supports user authentication by password, two-factor token, and machine authentication by shared secret and certificates.
L2TP over IPSec
Supports user authentication by MS-CHAPv2 Password, two-factor token, and machine authentication by shared secret.
PPTP
Supports user authentication by MS-CHAPv2 Password and two-factor token.
VPN On Demand
For configurations using certificate-based authentication, iOS supports VPN On Demand. VPN On Demand will establish a connection automatically when accessing predefined domains, providing a seamless VPN connectivity experience for users.
This is a feature of iOS that does not require additional server configuration. The configuration of VPN On Demand takes place via a Configuration Profile or can be configured manually on the device.
The VPN On Demand options are:
Always
Initiates a VPN connection for any address that matches the specified domain.
Never
Does not initiate a VPN connection for addresses that match the specified domain, but if VPN is already active, it may be used.
Establish if needed
Initiates a VPN connection for addresses that match the specified domain only after a DNS look-up has failed.
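The three options above, worked through as decision logic in an added Python example (not Apple's code and not from the document): a constructed domain-to-action table is matched by longest domain suffix, the decision depends on whether a tunnel is already up and whether the normal DNS look-up failed, and the same table is translated into the VPN payload's On Demand keys. The key names OnDemandMatchDomainsAlways, OnDemandMatchDomainsNever and OnDemandMatchDomainsOnRetry are my recollection of Apple's Configuration Profile Reference and are an assumption.

```python
from enum import Enum


class Action(Enum):
    """The three VPN On Demand actions listed in the text."""
    ALWAYS = "Always"
    NEVER = "Never"
    IF_NEEDED = "Establish if needed"


# Constructed rule set (not from the document): domain -> action.
# A rule applies to the domain itself and to every host beneath it.
RULES = {
    "intranet.example.com": Action.ALWAYS,
    "public.example.com": Action.NEVER,
    "example.com": Action.IF_NEEDED,
}


def matching_action(host, rules):
    """Return the action of the most specific (longest) matching domain, or None."""
    host = host.lower().rstrip(".")
    best_domain, best_action = None, None
    for domain, action in rules.items():
        if host == domain or host.endswith("." + domain):
            if best_domain is None or len(domain) > len(best_domain):
                best_domain, best_action = domain, action
    return best_action


def decide(host, rules, vpn_active=False, dns_failed=False):
    """Decide how a connection to host is made.

    Returns "tunnel" (an already active VPN is used), "start" (VPN On Demand
    brings the tunnel up first) or "direct" (no VPN involved). dns_failed
    models the device's normal DNS look-up of host having failed, which is
    the only trigger for "Establish if needed".
    """
    action = matching_action(host, rules)
    if vpn_active:
        # Never only suppresses initiating a tunnel; an active one may be used.
        return "tunnel"
    if action is Action.ALWAYS:
        return "start"
    if action is Action.IF_NEEDED and dns_failed:
        return "start"
    return "direct"


# Assumed VPN payload keys (my recollection of Apple's Configuration Profile
# Reference; they are not stated on this page).
PAYLOAD_KEY = {
    Action.ALWAYS: "OnDemandMatchDomainsAlways",
    Action.NEVER: "OnDemandMatchDomainsNever",
    Action.IF_NEEDED: "OnDemandMatchDomainsOnRetry",
}


def to_payload(rules):
    """Express the rule table as the On Demand part of a VPN payload dictionary."""
    payload = {"OnDemandEnabled": 1}
    for key in PAYLOAD_KEY.values():
        payload[key] = []
    for domain, action in rules.items():
        payload[PAYLOAD_KEY[action]].append(domain)
    return payload


if __name__ == "__main__":
    for host, active, failed in [("wiki.intranet.example.com", False, False),
                                 ("www.public.example.com", False, True),
                                 ("mail.example.com", False, False),
                                 ("mail.example.com", False, True)]:
        print(host, "->", decide(host, RULES, active, failed))
    print(to_payload(RULES))
```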
VPN Setup
iOS integrates with many existing VPN networks, with minimal configuration necessary. The best way to prepare for deployment is to check whether iOS supports your company's existing VPN protocols and authentication methods.
It's recommended that you review the authentication path to your authentication server to make sure standards supported by iOS are enabled within your implementation.
If you plan to use certificate-based authentication, ensure you have your public key infrastructure configured to support device- and user-based certificates with the corresponding key distribution process.
If you want to configure URL-specific proxy settings, place a PAC file on a web server that is accessible with the basic VPN settings and ensure that it is hosted with the application/x-ns-proxy-autoconfig MIME type.
Proxy Setup
For all configurations, you can also specify a VPN proxy. To configure a single proxy for all connections, use the Manual setting and provide the address, port, and authentication if necessary. To provide the device with an auto-proxy configuration file using PAC or WPAD, use the Auto setting. For PAC, specify the URL of the PAC file. For WPAD, iPhone and iPad will query DHCP and DNS for the appropriate settings.
[Diagram: Public Internet, Firewall, VPN Server/Concentrator, Firewall, Private Network; VPN Authentication Server (token generation or certificate authentication), Directory Service, Proxy Server; the device authenticates with a certificate or token. Numbered steps 1 to 5 (3a/3b) correspond to the deployment scenario that follows.]
Deployment Scenario
The example depicts a typical deployment with a VPN server/concentrator as well as an authentication server controlling access to enterprise network services.
1. iPhone and iPad request access to network services.
2. The VPN server/concentrator receives the request and then passes it to the authentication server.
3. In a two-factor token environment, the authentication server would then manage a time-synchronized token key generation with the key server. If a certificate authentication method is deployed, an identity certificate needs to be distributed prior to authentication. If a password method is deployed, the authentication process proceeds with user validation.
4. Once a user is authenticated, the authentication server validates user and group policies.
5. After user and group policies are validated, the VPN server provides tunneled and encrypted access to network services.
If a proxy server is in use, iPhone and iPad connect through the proxy server for access to information outside the firewall.
Deploying iPhone and iPad
Wi-Fi
Wireless security protocols
WEP
WPA Personal
WPA Enterprise
WPA2 Personal
WPA2 Enterprise
802.1X authentication methods
EAP-TLS
EAP-TTLS
EAP-FAST
EAP-SIM
PEAPv0 (EAP-MS-CHAPv2)
PEAPv1 (EAP-GTC)
LEAP
Out of the box, iPhone and iPad can securely connect to corporate or guest Wi-Fi networks, making it quick and simple to join available wireless networks whether you're on campus or on the road.
iOS supports industry-standard wireless network protocols, including WPA2 Enterprise, ensuring corporate wireless networks can be configured quickly and accessed securely. WPA2 Enterprise uses 128-bit AES encryption, a proven, block-based encryption method, providing users with the highest level of assurance that their data will remain protected.
With support for 802.1X, iOS can be integrated into a broad range of RADIUS authentication environments. 802.1X wireless authentication methods supported on iPhone and iPad include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.
Users can set iPhone and iPad to join available Wi-Fi networks automatically. Wi-Fi networks that require login credentials or other information can be quickly accessed without opening a separate browser session, from Wi-Fi settings or within applications such as Mail. And low-power, persistent Wi-Fi connectivity allows applications to use Wi-Fi networks to deliver push notifications.
For roaming on large enterprise Wi-Fi networks, iPhone and iPad support 802.11k and 802.11r.* 802.11k helps iPhone and iPad transition between base stations by utilizing the reports from the base station, while 802.11r streamlines 802.1X authentication as a device moves from one access point to another.
For quick setup and deployment, wireless network, security, proxy, and authentication settings can be configured using Configuration Profiles.
WPA2 Enterprise Setup
Verify network appliances for compatibility and select an authentication type (EAP type) supported by iOS.
Check that 802.1X is enabled on the authentication server and, if necessary, install a server certificate and assign network access permissions to users and groups.
Configure wireless access points for 802.1X authentication and enter the corresponding RADIUS server information.
If you plan to use certificate-based authentication, configure your public key infrastructure to support device- and user-based certificates with the corresponding key distribution process.
Verify certificate format and authentication server compatibility. iOS supports PKCS#1 (.cer, .crt, .der) and PKCS#12.
For additional documentation regarding wireless networking standards and Wi-Fi Protected Access (WPA), visit www.wi-fi.org.
WPA2 Enterprise/802.1X Deployment Scenario
This example depicts a typical secure wireless deployment that takes advantage of RADIUS-based authentication.
1. iPhone and iPad request access to the network. The connection is initiated in response to a user selecting an available wireless network, or is automatically initiated after a previously configured network is detected.
2. After the request is received by the access point, the request is passed to the RADIUS server for authentication.
3. The RADIUS server validates the user account utilizing the directory service.
4. Once the user is authenticated, the access point provides network access with policies and permissions as instructed by the RADIUS server.
*iPhone 4S, iPhone 5, new iPad, and 5th-generation iPod touch support 802.11k and 802.11r.
[Diagram: Wireless Access Point with 802.1X Support, Authentication Server with 802.1X Support (RADIUS), Directory Services, Network Services, Firewall; the device presents a certificate or password based on the EAP type. Numbered steps 1 to 4 correspond to the deployment scenario above.]
Deploying iPhone and iPad
Digital Certificates
iOS supports digital certificates, giving business users secure, streamlined access to corporate services. A digital certificate is composed of a public key, information about the user, and the certificate authority that issued the certificate. Digital certificates are a form of identification that enables streamlined authentication, data integrity, and encryption.
On iPhone and iPad, certificates can be used in a variety of ways. Signing data with a digital certificate helps to ensure that information cannot be altered. Certificates can also be used to guarantee the identity of the author or signer. Additionally, they can be used to encrypt Configuration Profiles and network communications to further protect confidential or private information.
Using Certificates in iOS
Digital certificates
Digital certificates can be used to securely authenticate users to corporate services without the need for usernames, passwords, or soft tokens. In iOS, certificate-based authentication is supported for access to Microsoft Exchange ActiveSync, VPN, and Wi-Fi networks.
[Diagram: authentication request from the device to Enterprise Services (Intranet, Email, VPN, Wi-Fi), validated against the Certificate Authority and Directory Service.]
Server certificates
Digital certificates can also be used to validate and encrypt network communications. This provides secure communication to both internal and external websites. The Safari browser can check the validity of an X.509 digital certificate and set up a secure session with up to 256-bit AES encryption. This verifies that the site's identity is legitimate and that communication with the website is protected to help prevent interception of personal or confidential data.
[Diagram: HTTPS request from the device to Network Services, validated against the Certificate Authority.]
Supported certificate and identity formats:
iOS supports X.509 certificates with RSA keys.
The file extensions .cer, .crt, .der, .p12, and .pfx are recognized.
Root certificates
Out of the box, iOS includes a number of preinstalled root certificates. To view a list of the preinstalled system roots, see the Apple Support article at http://support.apple.com/kb/HT4415. If you are using a root certificate that is not preinstalled, such as a self-signed root certificate created by your company, you can distribute it using one of the methods listed in the Distributing and Installing Certificates section of this document.
Distributing and Installing Certificates
Distributing certificates to iPhone and iPad is simple. When a certificate is received, users simply tap to review the contents, then tap to add the certificate to their device. When an identity certificate is installed, users are prompted for the passphrase that protects it. If a certificate's authenticity cannot be verified, users will be presented with a warning before it is added to their device.
Installing certificates via Configuration Profiles
If Configuration Profiles are being used to distribute settings for corporate services such as Exchange, VPN, or Wi-Fi, certificates can be added to the profile to streamline deployment.
Installing certificates via Mail or Safari
If a certificate is sent in an email, it will appear as an attachment. Safari can be used to download certificates from a web page. You can host a certificate on a secured website and provide users with the URL where they can download the certificate onto their devices.
Installation via the Simple Certificate Enrollment Protocol (SCEP)
SCEP is designed to provide a simplified process to handle certificate distribution for large-scale deployments. This enables Over-the-Air Enrollment of digital certificates on iPhone and iPad that can then be used for authentication to corporate services, as well as enrollment with a Mobile Device Management server.
For more information on SCEP and Over-the-Air Enrollment, visit www.apple.com/iphone/business/resources.
Certificate removal and revocation
To manually remove a certificate that has been installed, choose Settings > General > Profiles. If you remove a certificate that is required for accessing an account or network, the device will no longer be able to connect to those services.
To remove certificates over the air, a Mobile Device Management server can be used. This server can view all certificates on a device and remove ones it has installed.
Additionally, the Online Certificate Status Protocol (OCSP) is supported to check the status of certificates. When an OCSP-enabled certificate is used, iOS validates it to make sure that it has not been revoked before completing the requested task.
Deploying iPhone and iPad
Security Overview
iOS, the operating system at the core of iPhone and iPad, is built upon layers of security. This enables iPhone and iPad to securely access corporate services and protect important data. iOS provides strong encryption for data in transmission, proven authentication methods for access to corporate services, and hardware encryption for all data at rest. iOS also provides secure protection through the use of passcode policies that can be delivered and enforced over the air. And if the device falls into the wrong hands, users and IT administrators can initiate a remote wipe command to erase private information.
When considering the security of iOS for enterprise use, it's helpful to understand the following:
Device security: Methods that prevent unauthorized use of the device
Data security: Protecting data at rest, even when a device is lost or stolen
Network security: Networking protocols and the encryption of data in transmission
App security: The secure platform foundation of iOS
These capabilities work in concert to provide a secure mobile computing platform.
Device Security
Establishing strong policies for access to iPhone and iPad is critical to protecting corporate information. Device passcodes are the front line of defense against unauthorized access and can be configured and enforced over the air. iOS devices use the unique passcode established by each user to generate a strong encryption key to further protect mail and sensitive application data on the device. Additionally, iOS provides secure methods to configure the device in an enterprise environment, where specific settings, policies, and restrictions must be in place. These methods provide flexible options for establishing a standard level of protection for authorized users.
Passcode policies
A device passcode prevents unauthorized users from accessing data or otherwise gaining access to the device. iOS allows you to select from an extensive set of passcode requirements to meet your security needs, including timeout periods, passcode strength, and how often the passcode must be changed.
The following passcode policies are supported:
Require passcode on device
Allow simple value
Require alphanumeric value
Minimum passcode length
Minimum number of complex characters
Maximum passcode age
Time before auto-lock
Passcode history
Grace period for device lock
Maximum number of failed attempts
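The passcode policies listed above, expressed as a Configuration Profile passcode payload and as a checker that reports which rules a candidate passcode breaks; this is an added Python example, not Apple's code or content from the document. The payload type com.apple.mobiledevice.passwordpolicy and the key names (minLength, allowSimple, pinHistory and so on) are my recollection of Apple's Configuration Profile Reference and are an assumption; the policy values and sample passcodes are constructed.

```python
import plistlib
import uuid

# Constructed policy values (not from the document). The dictionary keys are the
# passcode-policy payload keys as I recall them from Apple's Configuration Profile
# Reference (an assumption), matched one-to-one to the policies listed above.
POLICY = {
    "forcePIN": True,             # Require passcode on device
    "allowSimple": False,         # Allow simple value (repeated or sequential characters)
    "requireAlphanumeric": True,  # Require alphanumeric value
    "minLength": 8,               # Minimum passcode length
    "minComplexChars": 1,         # Minimum number of complex (non-alphanumeric) characters
    "maxPINAgeInDays": 90,        # Maximum passcode age
    "maxInactivity": 5,           # Time before auto-lock, in minutes
    "pinHistory": 5,              # Passcode history
    "maxGracePeriod": 1,          # Grace period for device lock, in minutes
    "maxFailedAttempts": 10,      # Maximum number of failed attempts (then local wipe)
}

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"  # assumed identifier


def build_profile(policy, identifier="com.example.passcode"):
    """Wrap a passcode policy in an unsigned, unencrypted .mobileconfig plist."""
    payload = dict(policy)
    payload.update({
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
    })
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def read_policy(profile_bytes):
    """Parse a .mobileconfig and return its passcode-policy payload."""
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload.get("PayloadType") == PASSCODE_PAYLOAD_TYPE:
            return payload
    raise ValueError("profile carries no passcode policy payload")


def is_simple(pin):
    """A 'simple' value: every character identical, or a straight run such as 1234 or dcba."""
    if len(pin) > 1 and len(set(pin)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def check_passcode(pin, policy, history=()):
    """Return the policy keys a candidate passcode violates; an empty list means acceptable.

    history: previously used passcodes, most recent first (for the pinHistory rule).
    """
    problems = []
    if policy.get("forcePIN") and not pin:
        return ["passcode required"]
    if len(pin) < policy.get("minLength", 0):
        problems.append("minLength")
    if policy.get("requireAlphanumeric") and not (
        any(c.isalpha() for c in pin) and any(c.isdigit() for c in pin)
    ):
        problems.append("requireAlphanumeric")
    if sum(1 for c in pin if not c.isalnum()) < policy.get("minComplexChars", 0):
        problems.append("minComplexChars")
    if not policy.get("allowSimple", True) and is_simple(pin):
        problems.append("allowSimple")
    if pin in list(history)[: policy.get("pinHistory", 0)]:
        problems.append("pinHistory")
    return problems


if __name__ == "__main__":
    # Constructed sample passcodes; "1234" fails four rules, the second passes.
    for candidate in ("1234", "Summer2012!"):
        print(candidate, "->", check_passcode(candidate, POLICY) or "ok")
    print(build_profile(POLICY).decode())
```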
Device security
Strong passcodes
Passcode expiration
Passcode reuse history
Maximum failed attempts
Over-the-air passcode enforcement
Progressive passcode timeout
Policy enforcement
The policies described previously can be set on iPhone and iPad in a number of ways. Policies can be distributed as part of a Configuration Profile for users to install. A profile can be defined so that deleting the profile is only possible with an administrative password, or you can define the profile so that it is locked to the device and cannot be removed without completely erasing all of the device contents. Additionally, passcode settings can be configured remotely using Mobile Device Management (MDM) solutions that can push policies directly to the device. This enables policies to be enforced and updated without any action by the user.
Alternatively, if the device is configured to access a Microsoft Exchange account, Exchange ActiveSync policies are pushed to the device over the air. Keep in mind that the available set of policies will vary depending on the version of Exchange (2003, 2007, or 2010). Refer to Exchange ActiveSync and iOS Devices for a breakdown of which policies are supported for your specific configuration.
Secure device configuration
Configuration Profiles are XML files that contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone and iPad to work with your enterprise systems. The ability to establish passcode policies along with device settings in a Configuration Profile ensures that devices within your enterprise are configured correctly and according to security standards set by your organization. And, because Configuration Profiles can be encrypted and locked, the settings cannot be removed, altered, or shared with others.
Configuration Profiles can be both signed and encrypted. Signing a Configuration Profile ensures that the settings it enforces cannot be altered in any way. Encrypting a Configuration Profile protects the profile's contents and permits installation only on the device for which it was created. Configuration Profiles are encrypted using CMS (Cryptographic Message Syntax, RFC 3852), supporting 3DES and AES 128.
The first time you distribute an encrypted Configuration Profile, you can install it via USB using the Configuration Utility or wirelessly via Over-the-Air Enrollment. In addition to these methods, subsequent encrypted Configuration Profiles can be delivered via email attachment, hosted on a website accessible to your users, or pushed to the device using MDM solutions.
Device restrictions
Device restrictions determine which features your users can access on the device. Typically, these involve network-enabled applications such as Safari, YouTube, or the iTunes Store, but restrictions can also control device functionality such as application installation or use of camera. Restrictions let you configure the device to meet your requirements, while permitting users to utilize the device in ways that are consistent with your business practices. Restrictions can be manually configured on each device, enforced using a Configuration Profile, or established remotely with MDM solutions. Additionally, like passcode policies, camera or web-browsing restrictions can be enforced over the air via Microsoft Exchange Server 2007 and 2010.
In addition to setting restrictions and policies on the device, the iTunes desktop application can be configured and controlled by IT. This includes disabling access to explicit content, defining which network services users can access within iTunes, and determining whether new software updates are available for users to install. For more information, refer to Deploying iTunes for iOS Devices.
Supported configurable policies and restrictions:
Device functionality
Allow installing apps
Allow Siri
Allow Siri while locked
Allow Passbook notifications while locked
Allow use of camera
Allow FaceTime
Allow screen capture
Allow automatic syncing while roaming
Allow syncing of Mail recents
Allow voice dialing
Allow In-App Purchase
Require store password for all purchases
Allow multiplayer gaming
Allow adding Game Center friends
Set allowed content ratings
Applications
Allow use of YouTube
Allow use of iTunes Store
Allow use of Safari
Set Safari security preferences
iCloud
Allow backup
Allow document sync and key-value sync
Allow Photo Stream
Allow shared Photo Stream
Security and privacy
Allow diagnostic data to be sent to Apple
Allow user to accept untrusted certificates
Force encrypted backups
Supervised only restrictions
Allow iMessage
Allow Game Center
Allow removal of apps
Allow iBookstore
Allow erotica from iBookstore
Enable Siri Profanity Filter
Allow manual install of Configuration Profiles
Data Security

Protecting data stored on iPhone and iPad is important for any environment with sensitive corporate or customer information. In addition to encrypting data in transmission, iPhone and iPad provide hardware encryption for all data stored on the device, and additional encryption of email and application data with enhanced data protection.

If a device is lost or stolen, it's important to deactivate and erase the device. It's also a good idea to have a policy in place that will wipe the device after a defined number of failed passcode attempts, a key deterrent against attempts to gain unauthorized access to the device.

Encryption

iPhone and iPad offer hardware-based encryption. Hardware encryption uses 256-bit AES to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.

Additionally, data backed up in iTunes to a user's computer can be encrypted. This can be enabled by the user, or enforced by using device restriction settings in Configuration Profiles.

iOS supports S/MIME in mail, enabling iPhone and iPad to view and send encrypted email messages. Restrictions can also be used to prevent mail messages from being moved between accounts or messages received in one account being forwarded from another.

Data protection

Building on the hardware encryption capabilities of iPhone and iPad, email messages and attachments stored on the device can be further secured by using data protection features built into iOS. Data protection leverages each user's unique device passcode in concert with the hardware encryption on iPhone and iPad to generate a strong encryption key. This key prevents data from being accessed when the device is locked, ensuring that critical information is secured even if the device is compromised.

To turn on the data protection feature, simply establish a passcode on the device. The effectiveness of data protection is dependent on a strong passcode, so it is important to require and enforce a passcode stronger than four digits when establishing your corporate passcode policies. Users can verify that data protection is enabled on their device by looking at the passcode settings screen. Mobile Device Management solutions are able to query the device for this information as well.

These data protection APIs are also available to developers, and can be used to secure enterprise in-house or commercial application data.

Remote wipe

iOS supports remote wipe. If a device is lost or stolen, the administrator or device owner can issue a remote wipe command that removes all data and deactivates the device. If the device is configured with an Exchange account, the administrator can initiate a remote wipe command using the Exchange Management Console (Exchange Server 2007) or Exchange ActiveSync Mobile Administration Web Tool (Exchange Server 2003 or 2007). Users of Exchange Server 2007 can also initiate remote wipe commands directly using Outlook Web Access. Remote wipe commands can also be initiated by MDM solutions even if Exchange corporate services are not in use.

Progressive passcode timeout

iPhone and iPad can be configured to automatically initiate a wipe after several failed passcode attempts. If a user repeatedly enters the wrong passcode, iOS will be disabled for increasingly longer intervals. After too many unsuccessful attempts, all data and settings on the device will be erased.
Data security
Hardware encryption
Data protection
Remote wipe
Local wipe
Encrypted Configuration Profiles
Encrypted iTunes backups

Content ratings
Allow explicit music and podcasts
Set ratings region
Set allowed content ratings
Local wipe

Devices can also be configured to automatically initiate a local wipe after several failed passcode attempts. This protects against brute force attempts to gain access to the device. When a passcode is established, users have the ability to enable local wipe directly within the settings. By default, iOS will automatically wipe the device after 10 failed passcode attempts. As with other passcode policies, the maximum number of failed attempts can be established via a Configuration Profile, set by an MDM server, or enforced over the air via Microsoft Exchange ActiveSync policies.

iCloud

iCloud stores music, photos, apps, calendars, documents, and more, and automatically pushes them to all of a user's devices. iCloud also backs up information, including device settings, app data, and text and MMS messages, daily over Wi-Fi. iCloud secures your content by encrypting it when sent over the Internet, storing it in an encrypted format, and using secure tokens for authentication. Additionally, iCloud features, including Photo Stream, Document Sync, and Backup, can be disabled via a Configuration Profile. For more information on iCloud security and privacy, visit http://support.apple.com/kb/HT4865.
Network Security

Mobile users must be able to access corporate information networks from anywhere in the world, yet it's also important to ensure that users are authorized and that their data is protected during transmission. iOS provides proven technologies to accomplish these security objectives for both Wi-Fi and cellular data network connections.

In addition to your existing infrastructure, each FaceTime session and iMessage conversation is encrypted end to end. iOS creates a unique ID for each user, ensuring communications are encrypted, routed, and connected properly.

VPN

Many enterprise environments have some form of virtual private network (VPN) established. These secure network services are already deployed and typically require minimal setup and configuration to work with iPhone and iPad.

Out of the box, iOS integrates with a broad range of commonly used VPN technologies through support for Cisco IPSec, L2TP, and PPTP. iOS supports SSL VPN through applications from Juniper Networks, Cisco, SonicWALL, Check Point, Aruba Networks, and F5 Networks. Support for these protocols ensures the highest level of IP-based encryption for transmission of sensitive information.

In addition to enabling secure access to existing VPN environments, iOS offers proven methods for user authentication. Authentication via standard X.509 digital certificates provides users with streamlined access to company resources and a viable alternative to using hardware-based tokens. Additionally, certificate authentication enables iOS to take advantage of VPN On Demand, making the VPN authentication process transparent while still providing strong, credentialed access to network services. For enterprise environments in which a two-factor token is a requirement, iOS integrates with RSA SecurID and CRYPTOCard.

iOS supports network proxy configuration as well as split IP tunneling so that traffic to public or private network domains is relayed according to your specific company policies.
Network security
Built-in Cisco IPSec, L2TP, PPTP VPN
SSL VPN via App Store apps
SSL/TLS with X.509 certificates
WPA/WPA2 Enterprise with 802.1X
Certificate-based authentication
RSA SecurID, CRYPTOCard

VPN protocols
Cisco IPSec
L2TP/IPSec
PPTP
SSL VPN

Authentication methods
Password (MSCHAPv2)
RSA SecurID
CRYPTOCard
X.509 digital certificates
Shared secret

802.1X authentication protocols
EAP-TLS
EAP-TTLS
EAP-FAST
EAP-SIM
PEAPv0, v1
LEAP

Supported certificate formats
iOS supports X.509 certificates with RSA keys. The file extensions .cer, .crt, and .der are recognized.
SSL/TLS

iOS supports SSLv3 as well as Transport Layer Security (TLS v1.0, 1.1, and 1.2), the next-generation security standard for the Internet. Safari, Calendar, Mail, and other Internet applications automatically start these mechanisms to enable an encrypted communication channel between iOS and corporate services.

WPA/WPA2

iOS supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection. And with support for 802.1X, iPhone and iPad can be integrated into a broad range of RADIUS authentication environments.

App Security

iOS is designed with security at its core. It includes a sandboxed approach to application runtime protection and requires application signing to ensure that applications cannot be tampered with. iOS also has a secure framework that facilitates secure storage of application and network service credentials in an encrypted keychain. For developers, it offers a Common Crypto architecture that can be used to encrypt application data stores.

Runtime protection

Applications on the device are sandboxed so they cannot access data stored by other applications. In addition, system files, resources, and the kernel are shielded from the user's application space. If an application needs to access data from another application, it can only do so using the APIs and services provided by iOS. Code generation is also prevented.

Mandatory code signing

All iOS applications must be signed. The applications provided with the device are signed by Apple. Third-party applications are signed by the developer using an Apple-issued certificate. This ensures that applications haven't been tampered with or altered. Additionally, runtime checks are made to ensure that an application hasn't become untrusted since it was last used.

The use of custom or in-house applications can be controlled with a provisioning profile. Users must have the provisioning profile installed to execute the application. Provisioning profiles can be installed or revoked over the air using MDM solutions. Administrators can also restrict the use of an application to specific devices.

Secure authentication framework

iOS provides a secure, encrypted keychain for storing digital identities, user names, and passwords. Keychain data is partitioned so that credentials stored by third-party applications cannot be accessed by applications with a different identity. This provides the mechanism for securing authentication credentials on iPhone and iPad across a range of applications and services within the enterprise.

Common Crypto architecture

Application developers have access to encryption APIs that they can use to further protect their application data. Data can be symmetrically encrypted using proven methods such as AES, RC4, or 3DES. In addition, iPhone and iPad provide hardware acceleration for AES encryption and SHA1 hashing, maximizing application performance.
App security
Runtime protection
Mandatory code signing
Keychain services
Common Crypto APIs
Application data protection
Managed apps
© 2012 Apple Inc. All rights reserved. Apple, the Apple logo, FaceTime, iPad, iPhone, iTunes, Passbook, Safari, and Siri are trademarks of Apple Inc., registered in the U.S. and other countries. iMessage is a trademark of Apple Inc. iCloud and iTunes Store are service marks of Apple Inc., registered in the U.S. and other countries. App Store and iBookstore are service marks of Apple, Inc. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. September 2012
Application data protection

Applications can also take advantage of the built-in hardware encryption on iPhone and iPad to further protect sensitive application data. Developers can designate specific files for data protection, instructing the system to make the contents of the file cryptographically inaccessible to both the application and any potential intruders when the device is locked.

Managed apps

An MDM server can manage third-party apps from the App Store, as well as enterprise in-house applications. Designating an app as managed enables the server to specify whether the app and its data can be removed from the device by the MDM server. Additionally, the server can prevent managed app data from being backed up to iTunes and iCloud. This allows IT to manage apps that may contain sensitive business information with more control than apps downloaded directly by the user.

In order to install a managed app, the MDM server sends an installation command to the device. Managed apps require a user's acceptance before they are installed. For more information about managed apps, view the Mobile Device Management Overview at www.apple.com/business/mdm.

Revolutionary Devices, Security Throughout

iPhone and iPad provide encrypted protection of data in transit, at rest, and when backed up to iCloud or iTunes. Whether a user is accessing corporate email, visiting a private website, or authenticating to the corporate network, iOS provides assurance that only authorized users can access sensitive corporate information. And, with its support for enterprise-grade networking and comprehensive methods to prevent data loss, you can deploy iOS devices with confidence that you are implementing proven mobile device security and data protection.
Deploying iPhone and iPad: Mobile Device Management

iOS supports Mobile Device Management (MDM), giving businesses the ability to manage scaled deployments of iPhone and iPad across their organizations. These MDM capabilities are built upon existing iOS technologies like Configuration Profiles, Over-the-Air Enrollment, and the Apple Push Notification service, and can be integrated with in-house or third-party server solutions. This gives IT departments the ability to securely enroll iPhone and iPad in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed devices.

Managing iPhone and iPad

Management of iOS devices takes place via a connection to a Mobile Device Management server. This server can be built in-house by IT or purchased from a third-party solution provider. The device communicates with the server to see if there are tasks pending and responds with the appropriate actions. These tasks can include updating policies, providing requested device or network information, or removing settings and data.

Most management functions are completed behind the scenes with no user interaction required. For example, if an IT department updates its VPN infrastructure, the MDM server can configure iPhone and iPad with new account information over the air. The next time VPN is used by the employee, the appropriate configuration is already in place, so the employee doesn't need to call the help desk or manually modify settings.
[Figure: Firewall, Third-Party MDM Server, Apple Push Notification Service]
MDM and the Apple Push Notification Service

When an MDM server wants to communicate with iPhone or iPad, a silent notification is sent to the device via the Apple Push Notification service, prompting it to check in with the server. The process of notifying the device does not send any proprietary information to or from the Apple Push Notification service. The only task performed by the push notification is to wake the device so it checks in with the MDM server.

All configuration information, settings, and queries are sent directly from the server to the iOS device over an encrypted SSL/TLS connection between the device and the MDM server. iOS handles all MDM requests and actions in the background to limit the impact on the user experience, including battery life, performance, and reliability.

In order for the push notification server to recognize commands from the MDM server, a certificate must first be installed on the server. This certificate must be requested and downloaded from the Apple Push Certificates Portal. Once the Apple Push Notification certificate is uploaded into the MDM server, devices can begin to be enrolled. For more information on requesting an Apple Push Notification certificate for MDM, visit www.apple.com/business/mdm.

Apple Push Notification network setup

When MDM servers and iOS devices are behind a firewall, some network configuration may need to take place in order for the MDM service to function properly. To send notifications from an MDM server to the Apple Push Notification service, TCP port 2195 needs to be open. To reach the feedback service, TCP port 2196 will need to be open as well. For devices connecting to the push service over Wi-Fi, TCP port 5223 should be open.

The IP address range for the push service is subject to change; the expectation is that an MDM server will connect by hostname rather than by IP address. The push service uses a load-balancing scheme that yields a different IP address for the same hostname. This hostname is gateway.push.apple.com (and gateway.sandbox.push.apple.com for the development push notification environment). Additionally, the entire 17.0.0.0/8 address block is assigned to Apple, so firewall rules can be established to specify that range.

For more information, consult your MDM vendor or view Developer Technical Note TN2265 in the iOS Developer Library at http://developer.apple.com/library/ios/#technotes/tn2265/_index.html.
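The network-setup paragraphs above describe three egress requirements (TCP 2195 and 2196 from the MDM server, TCP 5223 from Wi-Fi clients) and warn that push-service addresses change, so rules should cover the whole 17.0.0.0/8 block. The following is an added example, not Apple's or any firewall vendor's code, that audits a rule set against exactly those requirements; the rule representation and the sample rules are constructed for illustration.

```python
"""Audit firewall egress rules against the push-service requirements above.

Added example, not Apple's or any firewall vendor's code. The TCP ports
(2195, 2196, 5223) and the 17.0.0.0/8 block come from the text; the rule
representation and the sample rule set are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

APPLE_PUSH_BLOCK = ipaddress.ip_network("17.0.0.0/8")
MDM_SERVER_PORTS = (2195, 2196)   # gateway and feedback service, from the MDM server
DEVICE_PORT = 5223                # devices reaching the push service over Wi-Fi


@dataclass(frozen=True)
class EgressRule:
    """One allow rule: hosts in src may open TCP connections to dst on port."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int


def rule(src, dst, port):
    return EgressRule(ipaddress.ip_network(src), ipaddress.ip_network(dst), port)


def covers(r, src_net, port):
    """True if r lets every host in src_net reach all of 17.0.0.0/8 on port."""
    return (r.port == port
            and src_net.subnet_of(r.src)
            and APPLE_PUSH_BLOCK.subnet_of(r.dst))


def audit_push_egress(rules, mdm_server_net, wifi_client_net):
    """Return findings; an empty list means the rule set meets the requirements."""
    mdm_net = ipaddress.ip_network(mdm_server_net)
    wifi_net = ipaddress.ip_network(wifi_client_net)
    findings = []
    for port in MDM_SERVER_PORTS:
        if not any(covers(r, mdm_net, port) for r in rules):
            findings.append(f"MDM server {mdm_net} cannot reach 17.0.0.0/8 on TCP/{port}")
    if not any(covers(r, wifi_net, DEVICE_PORT) for r in rules):
        findings.append(f"Wi-Fi clients {wifi_net} cannot reach 17.0.0.0/8 on TCP/{DEVICE_PORT}")
    # The push service hands back different addresses for the same hostname,
    # so a rule narrower than the whole block will break without warning.
    for r in rules:
        if r.dst.subnet_of(APPLE_PUSH_BLOCK) and r.dst.prefixlen > APPLE_PUSH_BLOCK.prefixlen:
            findings.append(f"rule to {r.dst} on TCP/{r.port} is narrower than 17.0.0.0/8")
    return findings


# Constructed sample: the feedback-service rule was pinned to a single /16
# instead of the whole block, which the audit flags twice (missing coverage
# and an over-narrow destination).
SAMPLE_RULES = [
    rule("10.0.5.10/32", "17.0.0.0/8", 2195),
    rule("10.0.5.10/32", "17.172.0.0/16", 2196),
    rule("10.20.0.0/16", "17.0.0.0/8", 5223),
]

if __name__ == "__main__":
    for finding in audit_push_egress(SAMPLE_RULES, "10.0.5.10/32", "10.20.0.0/16"):
        print(finding)
```

The audit deliberately tests destination coverage with `subnet_of` rather than a single-address lookup: a rule that happened to match today's resolved address of gateway.push.apple.com would pass an address lookup and still fail the next time the load balancer returns a different host in 17.0.0.0/8.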
Enrollment

Once the Mobile Device Management server and network are configured, the first step in managing an iPhone or iPad is to enroll it with an MDM server. This creates a relationship between the device and the server, allowing it to be managed on demand without further user interaction.

This can be done by connecting iPhone or iPad to a computer via USB, but most solutions deliver the enrollment profile wirelessly. Some MDM vendors use an app to kickstart this process, others initiate enrollment by directing users to a web portal. Each method has its benefits, and both are used to trigger the Over-the-Air Enrollment process via Safari.
iOS and SCEP
iOS supports the Simple Certificate Enrollment Protocol (SCEP). SCEP is an Internet draft in the IETF, and is designed to provide a simplified way of handling certificate distribution for large-scale deployments. This enables over-the-air enrollment of identity certificates to iPhone and iPad that can be used for authentication to corporate services.
Enrollment process overview

The process of Over-the-Air Enrollment involves phases that are combined in an automated workflow to provide the most scalable way to securely enroll devices in an enterprise environment. These phases include:

1. User authentication
User authentication ensures that incoming enrollment requests are from authorized users and that the user's device information is captured prior to proceeding with certificate enrollment. Administrators can prompt the user to begin the process of enrollment via a web portal, email, SMS message, or even an app.

2. Certificate enrollment
After the user is authenticated, iOS generates a certificate enrollment request using the Simple Certificate Enrollment Protocol (SCEP). This enrollment request communicates directly to the enterprise Certificate Authority (CA), and enables iPhone and iPad to receive the identity certificate from the CA in response.

3. Device configuration
Once an identity certificate is installed, the device can receive encrypted configuration information over the air. This information can only be installed on the device it is intended for and contains the settings needed to connect to the MDM server.

At the end of the enrollment process, the user will be presented with an installation screen that describes what access rights the MDM server will have on the device. By agreeing to the profile installation, the user's device is automatically enrolled without further interaction.

Once iPhone and iPad are enrolled as managed devices, they can be dynamically configured with settings, queried for information, or remotely wiped by the MDM server.

Management

With Mobile Device Management, there are a number of functions an MDM server can perform on iOS devices. These tasks include installing and removing Configuration and Provisioning Profiles, managing apps, ending the MDM relationship, and remotely wiping a device.

Managed configurations

During the initial process of configuring a device, an MDM server pushes Configuration Profiles to iPhone and iPad that are installed behind the scenes. Over time, the settings and policies put in place at the time of enrollment may need to be updated or changed. To make these changes, an MDM server can install new Configuration Profiles and modify or remove existing profiles at any time.

Additionally, context-specific configurations may need to be installed on iOS devices, depending on a user's location or role in the organization. As an example, if a user is traveling internationally, an MDM server can require that mail accounts sync manually instead of automatically. An MDM server can even remotely disable voice or data services in order to prevent a user from incurring roaming fees from a wireless provider.
Managed apps

An MDM server can manage third-party apps from the App Store, as well as enterprise in-house applications. The server can remove managed apps and their associated data on demand or specify whether the apps are removed when the MDM profile is removed. Additionally, the MDM server can prevent managed app data from being backed up to iTunes and iCloud.

To install a managed app, the MDM server sends an installation command to the user's device. Managed apps require a user's acceptance before they are installed. When an MDM server requests the installation of a managed app from the App Store, the app will be redeemed with the iTunes account that is used at the time the app is installed. Paid apps will require the MDM server to send a Volume Purchasing Program (VPP) redemption code. For more information on VPP, visit www.apple.com/business/vpp. Apps from the App Store cannot be installed on a user's device if the App Store has been disabled.

Managing supervised devices with MDM

Devices that are activated using Apple Configurator can be supervised, enabling additional settings and restrictions to be installed. Once a device is supervised with Apple Configurator, all available settings and restrictions can be installed over the air via MDM as well. For more information on configuring and managing devices using both Apple Configurator and MDM, refer to Deploying iPhone and iPad: Apple Configurator.

Removing or wiping devices

If a device is found to be out of policy, lost, or stolen, or if an employee leaves the company, an MDM server can take action to protect corporate information in a number of ways.

An IT administrator can end the MDM relationship with a device by removing the Configuration Profile that contains the MDM server information. In doing so, all the accounts, settings, and apps it was responsible for installing are removed. Alternatively, IT can keep the MDM Configuration Profile in place and use MDM only to remove the specific Configuration Profiles, Provisioning Profiles, and managed apps they want to delete. This approach keeps the device managed by MDM and eliminates the need to re-enroll once it is back within policy.

Both methods give IT the ability to ensure information is only available to compliant users and devices, and ensure corporate data is removed without interfering with a user's personal data such as music, photos, or personal apps.

To permanently delete all media and data on the device and restore it to factory settings, MDM can remotely wipe iPhone and iPad. If a user is still looking for the device, IT can also choose to send a remote lock command to the device. This locks the screen and requires the user's passcode to unlock it.

If a user has simply forgotten the passcode, an MDM server can remove it from the device and prompt the user to create a new one within 60 minutes.
Supported management commands

Managed configuration
Install Configuration Profile
Remove Configuration Profile
Data roaming
Voice roaming (not available on all carriers)

Managed apps
Install managed app
Remove managed app
List all managed apps
Install Provisioning Profile
Remove Provisioning Profile

Security commands
Remote wipe
Remote lock
Clear passcode

Configuration

To configure a device with accounts, policies, and restrictions, the MDM server sends files known as Configuration Profiles to the device that are installed automatically. Configuration Profiles are XML files that contain settings that permit the device to work with your enterprise systems, including account information, passcode policies, restrictions, and other device settings. When combined with the previously discussed process of enrollment, device configuration provides IT with assurance that only trusted users are accessing corporate services, and that their devices are properly configured with established policies.

And because Configuration Profiles can be signed and encrypted, the settings cannot be altered or shared with others.
Supported configurable items

Accounts
Exchange ActiveSync
IMAP/POP Email
Wi-Fi
VPN
LDAP
CardDAV
CalDAV
Subscribed calendars

Passcode policies
Require passcode on device
Allow simple value
Require alphanumeric value
Minimum passcode length
Minimum number of complex characters
Maximum passcode age
Time before auto-lock
Passcode history
Grace period for device lock
Maximum number of failed attempts

Security and privacy
Allow diagnostic data to be sent to Apple
Allow user to accept untrusted certificates
Force encrypted backups

Supervised only restrictions
Allow iMessage
Allow Game Center
Allow removal of apps
Allow iBookstore
Allow erotica from iBookstore
Enable Siri Profanity Filter
Allow manual install of Configuration Profiles

Other settings
Credentials
Web clips
SCEP settings
APN settings
Global HTTP Proxy (Supervised only)
Single App Mode (Supervised only)

Device functionality
Allow installing apps
Allow Siri
Allow Siri while locked
Allow Passbook notifications while locked
Allow use of camera
Allow FaceTime
Allow screen capture
Allow automatic syncing while roaming
Allow syncing of Mail recents
Allow voice dialing
Allow In-App Purchase
Require store password for all purchases
Allow multiplayer gaming
Allow adding Game Center friends

Applications
Allow use of YouTube
Allow use of iTunes Store
Allow use of Safari
Set Safari security preferences

iCloud
Allow backup
Allow document sync and key-value sync
Allow Photo Stream
Allow shared Photo Stream

Content ratings
Allow explicit music and podcasts
Set ratings region
Set allowed content ratings
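The Data protection and Local wipe sections, the Configuration section and the Passcode policies list above all turn on the same artifact: a Configuration Profile carrying a passcode-policy payload that requires a passcode stronger than four digits and sets the local-wipe threshold. The following is an added example, not Apple's code or a fragment of the document, that generates that XML plist and audits it against the guidance in the text. The payload keys are those of the com.apple.mobiledevice.passwordpolicy payload in Apple's Configuration Profile Reference, matched in the comments to the Passcode policies items above; the organization name, identifiers and chosen values are constructed for illustration.

```python
"""Generate a Configuration Profile that enforces a passcode policy.

Added example, not Apple's code. The payload keys follow Apple's
Configuration Profile Reference for the passcode-policy payload; the
organization, identifiers and values are constructed for illustration.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# A policy in line with the text: require a passcode, disallow simple values,
# longer than four digits, auto-lock, and local wipe after 10 failed attempts.
CORPORATE_PASSCODE_POLICY = {
    "forcePIN": True,             # Require passcode on device
    "allowSimple": False,         # Allow simple value (1111, 1234, ...)
    "requireAlphanumeric": True,  # Require alphanumeric value
    "minLength": 6,               # Minimum passcode length
    "minComplexChars": 1,         # Minimum number of complex characters
    "maxPINAgeInDays": 90,        # Maximum passcode age
    "maxInactivity": 5,           # Time before auto-lock (minutes)
    "pinHistory": 4,              # Passcode history
    "maxGracePeriod": 0,          # Grace period for device lock (minutes)
    "maxFailedAttempts": 10,      # Maximum number of failed attempts before wipe
}


def new_uuid():
    return str(uuid.uuid4()).upper()


def build_passcode_profile(policy, organization="Example Corp",
                           identifier="com.example.profile.passcode"):
    """Return the profile as a dict; to_mobileconfig() gives the XML form."""
    payload = dict(policy)
    payload.update({
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".policy",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Passcode Policy",
    })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": f"{organization} Passcode Policy",
        "PayloadOrganization": organization,
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM server or Apple Configurator installs."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    return plistlib.loads(data)


def policy_weaknesses(profile):
    """Findings where a passcode payload is weaker than the guidance in the text."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PASSCODE_PAYLOAD_TYPE:
            continue
        if not payload.get("forcePIN"):
            findings.append("passcode not required, so data protection may be off")
        if payload.get("minLength", 0) <= 4:
            findings.append("passcodes of four characters or fewer still allowed")
        if payload.get("allowSimple", True):
            findings.append("simple values such as 1111 or 1234 allowed")
        if "maxFailedAttempts" not in payload:
            findings.append("no local wipe threshold (maxFailedAttempts) set")
        if "maxInactivity" not in payload:
            findings.append("no auto-lock timeout (maxInactivity) set")
    return findings


if __name__ == "__main__":
    profile = build_passcode_profile(CORPORATE_PASSCODE_POLICY)
    print(to_mobileconfig(profile).decode())
    print("weaknesses:", policy_weaknesses(profile))
```

The resulting .mobileconfig is what the text calls a Configuration Profile; an MDM server would sign it (and may encrypt it for the enrolled device's identity certificate) before delivery, which is the property the Configuration section relies on when it says the settings cannot be altered or shared.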
Querying Devices

In addition to configuration, an MDM server has the ability to query devices for a variety of information. This information can be used to ensure that devices continue to comply with required policies.

Supported queries

Device information
Unique Device Identifier (UDID)
Device name
iOS and build version
Model name and number
Serial number
Capacity and space available
IMEI
Modem firmware
Battery level
Supervision status

Network information
ICCID
Bluetooth and Wi-Fi MAC addresses
Current carrier network
Subscriber carrier network
Carrier settings version
Phone number
Data roaming setting (on/off)

Compliance and security information
Configuration Profiles installed
Certificates installed with expiry dates
List all restrictions enforced
Hardware encryption capability
Passcode present

Applications
Applications installed (app ID, name, version, size, and app data size)
Provisioning Profiles installed with expiry dates
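The Querying Devices section says the answers "can be used to ensure that devices continue to comply with required policies" without showing what that evaluation looks like. The following is an added example, not Apple's or any MDM vendor's code, that builds the two query commands an MDM server sends after the push-triggered check-in and then scores a device's report against a compliance policy covering the Compliance and security information items above. The command shape (a CommandUUID plus a Command dictionary with a RequestType) and the DeviceInformation and SecurityInfo key names follow the iOS MDM protocol as the author understands it; the sample report, the policy thresholds, the meaning assigned to HardwareEncryptionCaps values and the NotAfter field on certificate entries are constructed assumptions.

```python
"""Query a managed device and evaluate its answers against a compliance policy.

Added example, not Apple's or any MDM vendor's code. Command shape and key
names follow the iOS MDM protocol as understood by the author; the sample
report, thresholds and the NotAfter certificate field are constructed.
"""
import plistlib
import uuid
from datetime import datetime, timedelta, timezone

DEVICE_QUERIES = ["UDID", "DeviceName", "OSVersion", "BuildVersion", "ModelName",
                  "SerialNumber", "IsSupervised", "BatteryLevel"]


def device_information_command(queries=tuple(DEVICE_QUERIES)):
    """Command plist the server sends once the push notification wakes the device."""
    return {"CommandUUID": str(uuid.uuid4()).upper(),
            "Command": {"RequestType": "DeviceInformation", "Queries": list(queries)}}


def security_info_command():
    """Asks for passcode presence and hardware encryption capability."""
    return {"CommandUUID": str(uuid.uuid4()).upper(),
            "Command": {"RequestType": "SecurityInfo"}}


def serialize(command):
    return plistlib.dumps(command)


def parse_plist(data):
    return plistlib.loads(data)


# Fixed clock so the sample evaluates the same way every run.
NOW = datetime(2012, 9, 15, tzinfo=timezone.utc)

# Constructed report: what one device might answer across several queries.
SAMPLE_REPORT = {
    "UDID": "0000000000000000000000000000000000000000",   # placeholder UDID
    "OSVersion": "6.0",
    "IsSupervised": False,
    "SecurityInfo": {
        "HardwareEncryptionCaps": 3,   # assumed: 1 block-level, 2 file-level, 3 both
        "PasscodePresent": True,
        "PasscodeCompliantWithProfiles": True,
    },
    "ProfileList": [{"PayloadIdentifier": "com.example.mdm"},
                    {"PayloadIdentifier": "com.example.wifi"}],
    "CertificateList": [{"CommonName": "user@example.com",       # constructed
                         "NotAfter": NOW + timedelta(days=12)}],  # field name assumed
}

# Hypothetical policy: minimum iOS, profiles that must stay installed, and
# how far ahead of expiry an identity certificate should be renewed.
POLICY = {
    "min_os": (6, 0),
    "required_profiles": {"com.example.mdm", "com.example.passcode"},
    "cert_warning_days": 30,
}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def evaluate_compliance(report, policy=POLICY, now=NOW):
    """Return a list of findings; an empty list means the device is in policy."""
    findings = []
    if parse_version(report["OSVersion"]) < policy["min_os"]:
        findings.append(f"iOS {report['OSVersion']} is below the required version")
    sec = report.get("SecurityInfo", {})
    if not sec.get("PasscodePresent"):
        findings.append("no passcode set: data protection is not active")
    elif not sec.get("PasscodeCompliantWithProfiles"):
        findings.append("passcode does not satisfy the installed passcode policy")
    if not sec.get("HardwareEncryptionCaps"):
        findings.append("device reports no hardware encryption capability")
    installed = {p["PayloadIdentifier"] for p in report.get("ProfileList", [])}
    for missing in sorted(policy["required_profiles"] - installed):
        findings.append(f"required Configuration Profile missing: {missing}")
    for cert in report.get("CertificateList", []):
        days_left = (cert["NotAfter"] - now).days
        if days_left < 0:
            findings.append(f"certificate {cert['CommonName']} has expired")
        elif days_left < policy["cert_warning_days"]:
            findings.append(f"certificate {cert['CommonName']} expires in {days_left} days")
    return findings


if __name__ == "__main__":
    print(serialize(device_information_command()).decode())
    for finding in evaluate_compliance(SAMPLE_REPORT):
        print(finding)
```

A server would feed findings like these into the Removing or wiping devices workflow: a missing passcode or a removed MDM profile is grounds for withholding corporate data, whereas a certificate nearing expiry is a trigger to re-run SCEP enrollment before authentication to corporate services starts failing.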
[Figure: Firewall, Third-Party MDM Server, Apple Push Notification Service; callouts 1 to 5 correspond to the Process Overview steps]
Process Overview

This example depicts a basic deployment of a Mobile Device Management server.

1. A Configuration Profile containing Mobile Device Management server information is sent to the device. The user is presented with information about what will be managed and/or queried by the server.
2. The user installs the profile to opt in to the device being managed.
3. Device enrollment takes place as the profile is installed. The server validates the device and allows access.
4. The server sends a push notification prompting the device to check in for tasks or queries.
5. The device connects directly to the server over HTTPS. The server sends commands or requests information.

For more information on Mobile Device Management, visit www.apple.com/business/mdm.
Deploying iPhone and iPad: Apple Configurator

iOS devices can be configured for enterprise deployment using a wide variety of tools and methods. End users can set up devices manually with a few simple instructions from IT, or device setup can be automated using Configuration Profiles or a third-party Mobile Device Management (MDM) server.

In some deployments, an IT department may want to mass configure a set of devices with the same settings and apps before the devices are placed in the hands of end users. This is often the case when the same device will be used by different people throughout the day. But other deployments require that the devices be tightly managed and reset to a specific configuration on a regular basis.

Apple Configurator makes it easy to mass configure and deploy iPhone and iPad in situations like these by enabling three simple options:

Prepare devices. You can Prepare a set of new iOS devices with a single central configuration, and then deploy them to users. Update devices to the latest version of iOS, install Configuration Profiles and apps, enroll them with your organization's MDM server, and then hand them out. Preparing devices is a great deployment option when your organization wants to provide iOS devices to employees for their day-to-day use.

Supervise devices. Another option is to Supervise a set of iOS devices that remain in your direct control and can be configured on an ongoing basis. Apply a configuration to each device, then reapply it automatically after each use just by reconnecting the device to Apple Configurator. Supervision is ideal for deploying devices for dedicated tasks (for example, retail, field service, medical), sharing devices among students in a classroom or a lab, or temporarily loaning iOS devices to customers (for example, hotels, restaurants, hospitals).

Assign devices. Lastly, you can Assign supervised devices to specific users in your organization. Check out a device to a specific user and restore that user's backup (including all of their data) to the device. When the device is checked back in, back up the user's data for later use, even on a different device. This option works well when users need to work with the same data and documents over a prolonged period, regardless of which device they are given.
System requirements
Mac computer
OS X Lion v10.7.5
iTunes 10.7 to manage devices running iOS 6
Apple Configurator works with devices running iOS 4.3 or later, and can supervise devices running iOS 5.0 or later.
Configuring Settings and Apps

Whether you choose to Prepare, Supervise, or Assign your iOS devices before deploying them, Apple Configurator makes it easy to configure a full range of settings and install both App Store and in-house apps.

Settings

Like iTunes, Apple Configurator lets you name devices and install iOS updates. Additionally, Apple Configurator can configure preferences like Home screen layout, and other settings that can be manually configured on a device and backed up to Apple Configurator.

Apple Configurator makes it easy to configure many devices with the same settings. Simply configure one device with the settings and preferences that you want on all the devices, then back up using Apple Configurator. Apple Configurator simultaneously restores the backup to the other devices as well, up to 30 USB-connected devices at the same time.

Like iPhone Configuration Utility, Profile Manager, and third-party Mobile Device Management solutions, Apple Configurator can create and install Configuration Profiles for the following settings:
Exchange ActiveSync accounts
VPN and Wi-Fi settings
Passcode length, complexity, and local wipe settings
MDM enrollment settings
Device restrictions
Certificates
Web clips

Configuration Profiles created using other tools can be easily imported into Apple Configurator. For a full list of configuration profile settings that are available in Apple Configurator, visit http://help.apple.com/configurator/mac/1.0.

If you want to connect devices to a Mobile Device Management server, use Apple Configurator to install MDM settings before handing the device over to an end user. Once a device is enrolled in your organization's MDM server, you can configure settings remotely, monitor for compliance with corporate policies, and wipe or lock the device. For more information on the capabilities of Mobile Device Management in iOS, visit www.apple.com/business/mdm.

Activating devices
To prepare devices so you (or end users) don't need to complete iOS Setup Assistant, restore the devices with the backup from a device that already has iOS Setup Assistant completed.
Important detail: If new pages are added to the iOS Setup Assistant, e.g. Siri with iOS 5, you will need to make a new backup after completing the new assistant in order to bypass the assistant entirely. Otherwise, the user will be presented with those new pages.
Apps

To install an App Store app on your devices, purchase and download the app in iTunes, add it to Apple Configurator, and then install the app during device configuration.

To install paid App Store apps using Apple Configurator, you must participate in the Volume Purchase Program (VPP). Apple Configurator automatically redeems codes provided by your VPP Program Facilitator or authorized volume purchaser to install apps.

The apps list in Apple Configurator shows which apps are free and how many redemption codes remain for paid apps. Each time you install an app on a device, one redemption code is used from the VPP spreadsheet that was imported into Apple Configurator. Redemption codes can't be reused. When you run out, you need to import more to install the app on more devices. If a paid app is uninstalled from a supervised or assigned device, it can be installed later on another device. The VPP code is not reactivated, so future installation needs to take place using Apple Configurator on the Mac that originally installed the app.

Paid apps from the App Store can only be installed using redemption codes acquired through the Volume Purchase Program for Business or Education. The Volume Purchase Program is not available in all regions. For more information, visit www.apple.com/business/vpp or www.apple.com/education/volume-purchase-program.

You can also install in-house apps that were developed and distributed within your organization, rather than purchased from the iTunes Store. Add your app (which includes the distribution provisioning profile) to Apple Configurator and then install it during device configuration.

Important: Apps installed using Apple Configurator are tied to the device they were installed on, not to a specific Apple ID. To update apps deployed using Apple Configurator, you must reconnect to the same Mac from which the apps were installed. Additionally, you can't redownload these apps via iTunes in the Cloud.

Using Apple Configurator with MDM

Apple Configurator and Mobile Device Management (MDM) each have their own unique capabilities. Apple Configurator has features like device supervision, mass configuration, and automatic refresh, while MDM has managed apps, device queries, and remote wipe. In some deployments, you'll want to use both tools to take advantage of the different features. For example, in a retail environment, you may want to supervise devices with Apple Configurator in order to take advantage of single app mode, then add the security benefit of remote wipe via MDM.

In deployments where both tools will be used, it's important to understand which features they share and which they don't. Apple Configurator and MDM servers can both install Configuration Profiles and apps, so you'll need to decide which tool to use for each task based on how often the device will be connecting to Apple Configurator to be refreshed. When using MDM to install Configuration Profiles or apps on a device that has been supervised by Apple Configurator, there are two helpful settings that enable more streamlined management. By default, Apple Configurator automatically refreshes devices as soon as they are connected and removes Configuration Profiles and apps that it didn't install. In a deployment where MDM is involved, you can disable these settings in the Apple Configurator Preferences, so changes made by an MDM server are left intact.

View or export device info
Apple Configurator includes an inspector that displays device info such as iOS version, serial number, hardware IDs and addresses, and available capacity for supervised devices. You can also export most of this information to a comma-separated spreadsheet file. Or export it to a file formatted specifically for the iOS developer provisioning portal, for access by your organization's software developers in order to create provisioning profiles for internal enterprise iOS apps.
Deployment Examples

The scenarios below illustrate how you can use Apple Configurator to quickly deploy customized devices.

Preparing new devices for personal use

With the Prepare option, configure devices with settings before deploying them to users for personal business use. This may include an update to the latest version of iOS, an internal network configuration, or enrollment information for your company's MDM server.

Once you Prepare a device using Apple Configurator, it can be reconfigured as the end user sees fit. It will not be recognized by Apple Configurator if it is later reconnected. For example, users can connect their unsupervised devices to their copies of iTunes and sync any content they want. IT administrators who want to give users more freedom to personalize devices should use Apple Configurator to Prepare and deploy an unsupervised device, and then use MDM to remotely manage each device's settings, accounts, and apps.

Configuration of an unsupervised device is typically a one-time event; thereafter, the user is responsible for the device. Apple Configurator forgets about unsupervised devices as soon as they are disconnected; if an unsupervised device is returned, Apple Configurator treats it as a new device.

Supervising devices for deployment to unspecified users

During preparation, you can choose to Supervise devices that need to be controlled and configured by Apple Configurator on an ongoing basis. This may be a collection of devices that all need an identical configuration and are not tied to a specific user. A supervised device is erased every time it's reconnected to Apple Configurator, removing the previous user's data, and reconfigured. Additionally, supervised devices can't be synced with iTunes or with Apple Configurator on a different Mac.

Deploying supervised devices typically involves distributing the devices, retrieving them, reapplying their initial configuration, and distributing them again. Supervised devices can be organized into groups, making it easy to automatically apply common configurations.

Important: When a device is initially supervised during the Prepare process, all content and settings are purposely wiped. This prevents a personal device from being supervised without a user's knowledge.
Assigning supervised devices to specific users

Once you set up a supervised device, you can also Assign it to a designated user. When you check out the device to a particular user, Apple Configurator returns the device to the state it was in the last time that person used it. All the user's settings and app data are restored.

When you check the device back in, Apple Configurator backs up the user's settings and app data for the next time, including any new user-created data, and then erases any information that was left on the device by the previous user. By checking devices in and out, you can give each user the experience of a personal device, yet retain the ability to assign the same group of devices to many groups of users. Users can be added manually or imported from Open Directory or Active Directory and organized into custom groups.

If you're installing apps that support iTunes File Sharing, like Keynote or Pages, you can also install documents so they're ready when your users get their checked-out devices. And when a device is checked back in, a backup of the user's data and settings is created and the user's synced documents can be accessed directly from Apple Configurator.