Managing ios Devices. Andrew Wellington Division of Information The Australian National University XW11

Similar documents
iphone in Business Mobile Device Management

ipad in Business Mobile Device Management

Deploying iphone and ipad Mobile Device Management

LabTech Mobile Device Management Overview

PMDP is simple to set up, start using, and maintain

Absolute Manage MDM. John Wu Systems Engineer

SYNCSHIELD FEATURES. Preset a certain task to be executed. specific time.

Managing OS X with Configuration Profiles

Deploying iphone and ipad Security Overview

Strategies for ios Deployment, Integration, and Control. Enterprise iphone and ipad Administrator s Guide. Charles Edge

Building a BYOD Program Using the Casper Suite. Technical Paper Casper Suite v9.4 or Later 17 September 2014

ManageEngine Desktop Central. Mobile Device Management User Guide

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

ipad in Business Security

Guidance End User Devices Security Guidance: Apple ios 7

APPLE & BUSINESS. ios ENTERPRISE SECURITY ENTERPRISE NEEDS CONFIGURATION PROFILES

Introduction to AirWatch and Configurator

Mobile Device Management ios Policies

Vodafone Secure Device Manager Administration User Guide

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment

End User Devices Security Guidance: Apple ios 8

ENTERPRISE SECURITY. ios Security Lecture 5 COMPSCI 702

ios Enterprise Deployment Overview

Telstra Mobile Device Management (T MDM) Getting Started Guide

Apple Client Management with JAMF. Andrew D Huston Client Infrastructure Group Informa8on Services Kent State University

Sophos Mobile Control Startup guide. Product version: 3

Deploying iphone and ipad Apple Configurator

Sophos Mobile Control Technical Guide. Product version: 3

Building Apps for iphone and ipad. Presented by Ryan Hope, Sumeet Singh

1. Introduction Activation of Mobile Device Management How Endpoint Protector MDM Works... 5

Sophos Mobile Control Startup guide. Product version: 3.5

QuickStart Guide for Mobile Device Management

McAfee Enterprise Mobility Management

QuickStart Guide for Mobile Device Management. Version 8.6

iphone in Business Security Overview

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Feature Matrix MOZO CLOUDBASED MOBILE DEVICE MANAGEMENT

iphone in Business How-To Setup Guide for Users

User Guide. Version R9. English

User Manual for Version Mobile Device Management (MDM) User Manual

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect

Configuration Profiles Reference Guide

Sophos Mobile Control Technical Guide. Product version: 3.5

Mobile Device Management and Security Glossary

Symantec Mobile Management 7.2 SP3 MR1 Release Notes

Bell Mobile Device Management (MDM)

Managing Mobility. 10 top tips for Enterprise Mobility Management

Casper Suite. Security Overview

Kaseya 2. User Guide. Version 1.0

Mobile Device Management Solution Hexnode MDM

User Guide. Version R92. English

GO!Enterprise Mobile Device Management ios Release Notes

Sophos Mobile Control SaaS startup guide. Product version: 6

System Configuration and Deployment Guide

Thanks for joining We ll start at 10am

The Centrify Vision: Unified Access Management

FINAL DRAFT. APPLE ios 9 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) CONFIGURATION TABLE. Version 1, Release 0.1.

Kaspersky Lab Mobile Device Management Deployment Guide

DEVICE MANAGEMENT EXTENSIONS

Copyright 2013, 3CX Ltd.

Networking & Internet: Enterprise Deployment

company policies are adhered to and all parties (traders,

Introduction to the ios Platform Guide

Systems Manager Cloud Based Mobile Device Management

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Contents. Installation and Licensing Configuring TARMAC Assigning profiles to user groups Setting Compliance Rules 24

802.1X Authentication

Windows Phone 8.1 Mobile Device Management Overview

Mobile Device Management Version 8. Last updated:

How to Enforce Security on a Mobile Phone With an Emergency

AirWatch for Android Devices

QuickStart Guide for Managing Mobile Devices. Version 9.2

Cloud Services MDM. Telecom Management Admin Guide

ios Security and Mobile Device Management Whitepaper

Mobile Configuration Profiles for ios Devices Technical Note

Sophos Mobile Control Technical guide

Cloud Services MDM. ios User Guide

itunes: About ios backups

iphone and ipad in Business Deployment Scenarios

Copyright 2013, 3CX Ltd.

ONE Mail Direct for Mobile Devices

Feature List for Kaspersky Security for Mobile

Systems Manager Cloud-Based Enterprise Mobility Management

Ensuring the security of your mobile business intelligence

Mobile Iron User Guide

Data Security on the Move. Mark Bloemsma, Sr. Sales Engineer Websense

Zenprise Device Manager 6.1.5

Sophos Mobile Control Technical Guide. Product version: 3.6

Dell World Software User Forum 2013

How To Use An Android Phone With A Microsoft Powerbook 2.5 (Ios) And A Microsatellite (Xen Mobile) Device (For A Free Download) For A Business

Deploying iphone and ipad Apple Configurator

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

Introduction to the Windows Phone 8 Guide

IOS MDM PROTOCOL SIMPLE COMMAND REFERENCE

Auditing the Security and Management of Smart Devices. ISACA Dallas Meeting February 13, 2014

Mobile Devices Using Without Losing

ipad Deployment Guide

Transcription:

Managing ios Devices Andrew Wellington Division of Information The Australian National University

About Me Mac OS X Systems Administrator Division of Information (Central IT) Mostly manage servers (about 50 servers) File services Lab management Lecture recording Collaboration (Wiki) Miscellaneous other services

Overview What is the problem What can we do about it What should we do about it What tools can help us solve the problem

State of Mobile Devices Many universities have previously been managing Blackberry or Windows Mobile style devices Most have explosive growth in ios devices for both staff and students Significant numbers of ios devices are personally owned Want to be able to manage some aspects of device without onerous restrictions on user

What are we concerned about Data Security ios sandboxes data between apps Potentially sensitive data can still be shared in various ways Screenshot of application Saving information to photo roll, address book or other ios services App supports saving to external services (eg, Dropbox) itunes device backups can be encrypted

What are we concerned about Network Security ios devices can be connected to a variety of network environments Trusted WiFi (University, secured home network) Untrusted WiFi (hotels, McDonald s, etc) Carrier 3G, EDGE or GPRS network Virtual Private Networks (VPN) Can move between networks while operation is in progress Each service may have different requirements for security

What are we concerned about Device Loss or Theft Highly portable devices lead to significantly increased risk of theft or loss Possible countermeasures: Encrypt contents of device Require passcode for access to device Able to perform remote wipe Backups of the data on the device

Management Methods A number of methods can be used for ios management End-User Self Managed Enterprise Configuration Profile Administered Mobile Device Management (MDM) Administered

Management Methods End-User Self-Managed The user or support staff manually configure the device Advantages End user choice and customisation Opt-in use of each service Limited IT overheads for initial deployment Well suited to personally owned devices with few services Disadvantages No way to enforce security policies Complex configuration for some services Variation in end-user skills and knowledge Increased support complexity through variations in configuration

Management Methods Enterprise Configuration Profile Managed Configured once with a Configuration Profile Advantages Automatic device configuration Security and device policy enforcement Extra settings and policies not in the GUI Tighter security and policy compliance Less effort for initial configuration of each device Ability to remote wipe device with Exchange ActiveSync if you auto-configure an Exchange account Disadvantages Requires manual installation on each device Password based accounts still require password entry on first use Difficult to change configuration after initial deployment

Management Methods Mobile Device Management (MDM) Administered Once enrolled a server can push configuration profile changes to the device Server can also query device for configuration information Advantages Everything a configuration profile can do Ability to reconfigure device over the air Ability to remotely reset and clear device passcodes Ability to remotely wipe device without Exchange accounts MDM service available in Mac OS X Lion Disadvantages Requires an MDM server configured and running Requires Apple ios Enterprise account Password based accounts still require password entry on initial use Some MDM vendors charge high fees

Existing Self Sufficient Users Many users will have configured at least some services themselves We still want to apply some restrictions Many users own their own devices How do we get these users to join our managed setup

Managing Personal Devices Tambako the Jaguar

Configuration Profiles XML plist format <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http:// www.apple.com/dtds/propertylist-1.0.dtd"> <plist version="1.0"> <dict> <key>payloadcontent</key> <array> <dict> <key>payloaddescription</key> <string>configures your iphone for Xworld services</string> <key>payloaddisplayname</key> <string>configuration Profile</string> <key>payloadidentifier</key> <string>com.example.profile</string> <key>payloadorganization</key> <string>x World</string> [...]

Configuration Profiles XML plist format Contains one or more payloads Mail, Exchange, CalDAV, CardDAV accounts etc Certificates, VPN settings, etc Passcode requirements Security restrictions Created with a variety of tools iphone Configuration Utility Lion Profile Server Custom server Commercial management solution

Demo iphone Configuration Utility

Supported Management Properties Accounts and Settings Restrictions Policies Exchange ActiveSync IMAP / POP Email VPN WiFi LDAP CalDAV Subscribed Calendars Certificates and Identities Web Clips APN Settings Access to itunes Music Store Access to explicit media in itunes Store Use of Safari and security preferences Use of YouTube Use of App Store and in-app purchase Installing Apps Ability to screen capture Automatic sync while roaming Use of voice dialing Enforce encrypted itunes backup Use of the camera Require passcode Allow simple passcode value Require alphanumeric passcode value Passcode length Number of complex characters in passcode Maximum passcode age Time before auto-lock Number of unique passcodes before reuse Grace period for device lock Number of failed attempted before wipe Allow Configuration Profile removal by user Configuration Profile removal passcode

Over the Air Enrolment User logs in to a web portal Deliver a configuration profile for device SCEP creates a certificate for the device

Over the Air Enrolment How it works

Over the Air Enrolment How it works 1 Enter URL in Safari

Over the Air Enrolment How it works 1 Enter URL in Safari 2 Log in Profile service

Over the Air Enrolment How it works 1 Enter URL in Safari 2 3 Log in Authenticate device Profile service

Over the Air Enrolment How it works 1 Enter URL in Safari 2 Log in 4 Enrol device (SCEP) 3 Authenticate device Profile service Certificate authority

Over the Air Enrolment How it works 1 Enter URL in Safari 2 Log in 4 Enrol device (SCEP) 3 Authenticate device Profile service Certificate authority 5 Make encrypted device profile

Over the Air Enrolment How it works 1 Enter URL in Safari 2 Log in 4 Enrol device (SCEP) 3 Authenticate device Profile service Certificate authority 5 Make encrypted device profile 6 Install profile

Over the Air Enrolment How it works 1 Enter URL in Safari 2 Log in 4 Enrol device (SCEP) 3 Authenticate device Profile service Certificate authority 5 Make encrypted device profile 6 Install profile 7 Confirm installation

Mobile Device Management Manage ios devices transparently over the air Send configuration changes on demand Works with any network connection (WiFi, 3G, etc) Connection must allow HTTPS and APNS connections Ensure you have a real SSL certificate

Mobile Device Management Remote Commands Install or remove configuration profiles Install or remove provisioning profiles Lock device Remove passcode Remote wipe

MDM Capabilities Device Information Unique device identifier (UDID) Device name ios build and version Model name and number Serial number Capacity and space available IMEI Modem firmware Network Information ICCID (SIM) Bluetooth MAC address Wi-Fi MAC address Current carrier network Carrier settings version Phone number Data roaming setting Compliance Applications Management Configuration profiles available Certificates installed and expiry dates List of all restrictions enforced Hardware encryption capability Passcode present Applications installed App ID, name, version, size, App data size Provisioning profiles installed (with expiry dates) Remote wipe Remote lock Clear passcode Update configuration Update provisioning profiles

Mobile Device Management How it works 1 OTA Enrolment MDM Service

Mobile Device Management How it works 1 2 OTA Enrolment Create MDM Profile MDM Service

Mobile Device Management How it works 3 Install MDM Profile 1 2 OTA Enrolment Create MDM Profile MDM Service

Mobile Device Management How it works 3 Install MDM Profile 1 OTA Enrolment 4 Bind to MDM Server 2 Create MDM Profile MDM Service

Mobile Device Management How it works 3 Install MDM Profile 1 OTA Enrolment 4 Bind to MDM Server 2 Create MDM Profile MDM Service Apple Push Notification Service 5 Send Push Notification

Mobile Device Management How it works 3 Install MDM Profile 1 OTA Enrolment 4 Bind to MDM Server 2 Create MDM Profile MDM Service Apple Push Notification Service 5 Send Push Notification 6 Connect to MDM Server (HTTPS)

Mobile Device Management How it works 3 Install MDM Profile 1 OTA Enrolment 4 Bind to MDM Server 2 Create MDM Profile 7 Run commands MDM Service Apple Push Notification Service 5 Send Push Notification 6 Connect to MDM Server (HTTPS)

Demo Mobile Device Management

Mobile Device Management How Profiles Work The top level MDM profile is the parent of child profiles The top level profile can be removed by user at any time, but removes all child profiles MDM Managed Profiles

Mobile Device Management How Profiles Work MDM server can query information about all profiles Can only remove or replace profiles that are children of the MDM root profile Individual child profiles can be locked to disallow user removal without removing the parent profile

Internal App Distribution You will need an Enterprise ios Developer account Use a configuration profile to install a web clip linking to a website that provides your own app catalogue Install a provisioning profile allowing your app to run Package applications using Xcode into an IPA with manifest User can install applications from the app catalogue Not available for App Store apps

Potential Solutions Mac OS X Lion Profile Server Provides a web interface to push configuration profiles to devices using the Apple Push Notification Service (APNS) Self service interface for users to lock, reset passcode and wipe devices they registered Can apply settings to devices based on user, group user is a member of, device or device groups Low cost, high functionality option

Potential Solutions Casper Can integrate with Macs, PCs and ios Android coming soon Provides built in support for app distribution Supports invitations via SMS and email Cost can be variable depending on modules purchased

Potential Solutions AirWatch Supports management of ios, Android, Blackberry, Windows Mobile, Symbian Can be deployed locally or via software as a service Provides its own API to integrate your own custom software Could be a bit expensive Can transfer from software as a service to locally hosted

Potential Solutions Equinix Tarmac All the usual MDM support Designed for ios specifically Licensing on a per-device basis Deploys on Mac or Windows based server

Potential Solutions Lots more There s a lot of 3rd party software available: http://www.apple.com/iphone/business/integration/mdm/

What approach to use iphone Configuration Utility Small workgroup Up to about 20 devices Little change in services offered Manual handling of each device is OK

What approach to use Configuration Profiles Simple setup Support many devices Little change in services or configuration offered No support for querying device information Store your configuration profiles on a webserver of your choice Potentially write custom web app to select correct config profile

What approach to use MDM Service Flexible setup Support many devices Future changes to services supported Query devices and know their current status MDM Service

Q&A Andrew Wellington Mac OS X Systems Administrator Systems and Desktop Services Division of Information The Australian National University E: andrew.wellington@anu.edu.au XW10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information