How IT Departments Can Approach Bring Your Own Device Environments

No votes yet

Bring Your Own Device (BYOD) is an acknowledgement that the tools you could give your users aren't any better than the ones they already have. If your users already have iPhones, they won't want to use an Android phone. Plus, your users will hate you for forcing them to carry two devices that perform the same functions.

John Welch, Director of IT at a 200-person creative firm (Zimmerman Agency), spoke at the Mac IT Conference in San Francisco on the benefits of Bring Your Own Device and how he supports it. John stood out among IT Directors at the conference by stating that his job is to say "yes" whenever possible. IT departments of the past have been about control and locking down devices whereas he comes from the perspective of enabling people to do their jobs however they wish. He is also the author of iOS in the Enterprise.

The Benefits of Bring Your Own Device (BYOD)

  • Saves your budget on buying devices. You'll need to buy the MDM solution either way but you can save some serious money on devices.
  • Makes your users happier because they don't have to carry two devices that do the same thing. Happier users are more likely to work cooperatively with you.
  • Saves your time on training users on how to use devices they don't already own. You'll have fewer support calls to answer.

The Disadvantages of BYOD

  • You can't really lock down someone's personal device.
  • If they decide to upgrade the device or change carriers, you don't have control over that.
  • Less device consistently, which means you may have to support Windows Phone, etc.

When Does BYOD Not Work

  • Sarbanes-Oxley and HIPPA environments may not allow for BYOD.
  • High-security areas, such as work places where you are not allowed to use a phone with a camera.
  • School environments may not work because your end-users may not be mature enough to mange their own devices.

The Compromise To Support Any Device

  • At the Zimmerman Agency, employees can bring in any device that supports IMAP & SMTP for email.
  • In exchange the user has to register their iOS device with the MDM solution. They also are asked to use Exchange ActiveSync instead of IMAP.
  • Devices are setup to allow remote wipes in case of loss. Users are educated that they don't have to freak out if their device goes missing because they can text or call IT to have it wiped.
  • Some users went from using 1-2 IP addresses on the corporate network to up to 5. You may have reconfigure your DHCP server, especially for wireless access points.

Many companies specify a limited range of devices for BYOD so that it's easier to deploy mobile device management solutions and support. What challenges and advantages have you seen with Bring Your Own Device environments?

Photograph by Miki Yoshihito.

Lessons Learned from Large-Scale iPad Deployments in Education

No votes yet

How does a Windows-centric schools district deploy over a 1,000 iPads to elementary students not old enough to legally have an Apple ID? How do you get high school students to come to IT voluntarily if they jail break their device? How do you prevent iPad damage in schools? All these questions and more were answered by Cecile Lelievre from Brandeis Hillel Day School Maribel Guizar-Maita from Alum Rock Union Elementary School District in Santa Clara. Both deployed over a 1,000 iPads in their schools and shared lessons learned during a panel moderated by JAMF software at Mac IT Conference 2012.

Apple ID Strategies for Large iPad Deployments
Cecile used a combination of personal Apple IDs and JAMF's Casper Suite to offer high school students a blend of choice. Each student had an Apple ID tied to their parent's credit card so they could buy content they wanted. Apps that the school district required the student to own were available via JAMF's self-service center. Once the App is gifted to the individual's Apple ID you can't get it back so they had to expense it similarly to buying paper for students that isn't returned.

Maribel's school creates Apple IDs per grade level. Only approved applications can be downloaded and all applications are pushed via JAMF. When working in a grade school environment you must keep in mind that students under 13 can not legally have an Apple ID. This is was an additional reason why they manage all the Apple IDs.

Backup Strategies for iPad Deployments
Maribel's school gives each classroom a Bretford iPad cart with a MacBook. The iPads are backed up to that MacBook when plugged in each night. Cecile ran into problems with students taking their iPad home and syncing it with their home computer, which blew away the institutional image. She prefers Apps that sync their data online because if students accidentally sync their device at home and erase it, they don't lose the data on the device.

Who Chooses Which Apps Are Used
The school chose an assortment of Apps that covered many areas. Then the teachers can suggest Apps for their classes that they can ask IT to push out to students. If the App is free and has some educational value, it is always approved.

Loss & Damage of iPads in Schools
Brandeis Hillel Day School offered a third-party insurance program to families for an additional $50 that would cover damage and loss, they also bundle in the cost of AppleCare. They keep a whole bunch of spares. If a student drops their device twice, they get downgraded to an iPad 1. Finally, they include a ballistic case with all iPads which prevents a lot of damage.

Alum Rock Union Elementary School District hasn't had as many problems with damage because the students love these devices and are very careful with them. They actually see more breakage from teachers who are less careful with the device. They include a clear case, protective film, and also tag each device with big ugly serial numbers.

Catching Jail Breakers
In the high school environment, Cecile would run a report using JAMF that would show the last time each device had been on-site. If the device hadn't registered lately, she would disable it from connecting to the network by blocking their MAC address. The student then comes to IT on their own because they can't connect to the network and then she "educates" them on why.

Pushing Non-App Content
Cecile used Dropbox or Box.net to allow teachers to push and sync content on the devices. She is now investigating a hybrid cloud using WebDav to provide a more secure place to store shared content for staff.

Maribel's school distributes content by syncing each iPad to the cart with a Macbook each night. They also configure email accounts for each student so that they can use Apps that require email addresses. Email accounts for the younger students are only allowed to email addresses within the school's domain.

You Have A Great Network But Do You Have Enough IP Addresses?
If you're considering an iOS device roll-out you need to examine your network infrastructure first. For example, Maribel's school had plenty of access points but ran out DHCP addresses during deployment.

Using Apple's Profile Manager for Mobile Device Management Overview & Best Practices

No votes yet
How does a school manage a few hundred iOS devices for only a few hundred dollars? During MacIT Conference, Derick Okihara demonstrated the pros and cons of using Apple's Profile Manager from his experience managing the Mid-Pacific Institute school. You can download the presentation slides here.

 

Why Use Apple's Profile Manager
  1. It's dirt cheap. Profile Manger is included in Lion Server which is $50-$80 flat. Contrasted with other MDM providers that charge an annual fee.
  2. It does MOST of what you want in an MDM solution.
  3. It's a First Party solution. You can call Apple for support.
Why NOT Use Apple's Profile Manager
  1. Large installs of devices - thousands of devices will require a more robust MDM solution.
  2. A required MDM element isn't available - see below and the complete comparison of MDM solutions.
How does Appleā€™s Profile Manager Measure Up?
  • App installs - You can push free Apps (getting conflicting reports on this) or in-house developed Apps to users. You can NOT push paid or volume purchased Apps to users.
  • Policy setting - Yes.
  • Security - Restrictions, VPN profiles, remote wipes.
  • Asset Tracking - Lion server will track the device.
  • Remote Control - Nope.
  • Backup - Nope. The only Apple way of doing backup is through iTunes right now.
  • Firmware / OS updates Control - Nope.
What Do You Need to Run Apple's Profile Manager?
  • Lion Server running on a Mac with Core 2 Duo or later, 2GB+ of RAM. A Mac mini for less than 1,000 devices is a very affordable solution.
  • Internet connection with certain ports open. You may need to troubleshoot push notifications.
  • Working DNS - Not just an IP address.
  • Open Directory Master - Server that holds user accounts.
  • Certificates - You'll need the following certificates: SSL/TLS Certificate (purchased from a registrar, StartCom offers the only free certificate for iOS devices), Apple Push Notification Service Certificate (free from Apple with an Apple ID), Code Signing Certificate (you can use the Lion server but a best practice is to purchase one from one of these authorities for around $300)
Lion Server Profile Manager Setup Tips and Best Practices
  • Change your Administrator account name to something besides the default of "diradmin" because someone could guess it.
  • Don't use a comma in your organization name, it'll cause the install to fail.
  • Don't use your personal Apple ID because your certificate will be tied to it. Create a new one for the institution. If the person whose Apple ID leaves you won't be able to manage it anymore.
  • If you use disable the App store your users won't be able to sync Apps via iTunes either.
  • If you use content restrictions, all Apps that allow web browsing are rated 17+.
  • You can run Profile Manager on an iPad because it's a web app.
Resources

Link itunes apps in in-house apps catalog

mcbinome's picture
No votes yet

Hello everyone,

I would like to create an in house catalog with a native app for my enterprise with the app enterprise program. My main issue is to know if it is possible to link itunes apps directly in this store with the possibility to use redeem code without to have to go in the App store application.

The main idea is to ease installation of recommended apps (free or with redeem code). I saw that it was possible with the casper suite to do push-like installation but I wonder if it is possible to do something close directly from an in-house app catalog ?

In the same way if the first part is possible, I wonder if it is possible to update apps the same way without to have to go to the app store and put a password. Should it be possible to use the same redeem code to update the app ?

Thank you very much in any case.

Mc.

BTW this website is really great

Muddying the Consumerization of IT

Aaron Freimark's picture
No votes yet

This week CIO.com published an interview with me on muddying the consumerization of IT. The story includes the following quote:

Interestingly, a lot of IT guys are rooting for Android. The reason, I think, is that there's some unexpressed hope that they can lock down the Android OS. They can put on what they want. They can do the monitoring. They can do the auditing. They can reconfigure and redeploy with their own image.

Of course, that's missing the point. It's no longer consumerization of IT, but goes back to the traditional models where IT has control all over again. If you think you have trouble supporting Android with its fragmentation now, just wait until businesses start getting a hold of the source code and recompiling it.

My point is to celebrate and embrace the tremendous innovations we've seen in the consumer space. Attempts by business to control these technologies only slow down innovation and make emoyees much less productive.

What do you think? Does this reflect the situation in your company? Please comment below.

Presenting iPad apps in web conferences with the Epiphan VGA2USB-LR adapter

No votes yet

If you work in the mobile Apps space, I'll bet that you often need to present iPad Apps & slideshows from your iPad in web conferences such as Citrix Go To Meeting and WebEx. Let me share my recommendation as to how to accomplish these presentations with high quality and low hassle.

As the president of a GroupLogic, a software firm not associated with any of the products I will recommend here, my colleagues and I have had great success with the Epiphan VGA2USB-LR adapter. When combined with video capture software (I use Evocam), the VGA2USB makes web conferences and recording easy and consistently delivers high quality.

Until my colleagues found the Epiphan, we struggled with a document camera from Ipevo and were always fooling with the adjustable arm and sitting in the dark to reduce the glare from office lights. Even in the best lighting (we purchased a photo stand that shielded the lights) the Ipevo left a lot to be desired for sharing the iPad screen.

You will need to spend the extra money for the 30 fps "LR" version which at $799 is worth the extra money over the $299 basic version that does 10 fps. The slower 10 fps frame rate makes scrolling visibly very unappealing to your viewing audience so I strongly advise that you buy the LR.

Here are the links to these products:

Epiphan VGA2USB-LR adapter http://www.epiphan.com/products/frame-grabbers/vga2usb-lr

EvoCam 4.0.1 http://www.evological.com/evocam.html

Apple Releases Over-The-Air iOS 5.0.1 Update

No votes yet

Apple today released a minor update to iOS 5. This update applies to all devices running iOS 5: iPad and iPad 2, iPhone 3GS, iPhone 4 and 4S, and iPod touch 3rd and 4th Generation. Security information can be found on Apple's support site.

This update is notable as it is Apple's first delivered over-the-air. Reports indicate no issues so far. You must be connected to a wifi network (not cell) to download. Also, you need at least 50% battery life (or be plugged in) to update.

For enterprise environments, you can't prevent or force this update on your managed devices. However, you can use MDM queries to check the versions of your devices, and set policies accordingly.

Any experiences yet?

iOS Calendar Issues

icanseeclearlynow's picture
No votes yet

I am new to this forum so I apologize if this is a repeat...

We have recorded multiple incidents of meetings dropping off of iOS calendars, but still appearing on the Outlook client. We have traced it to users with delegates that manage their calendar (some even manage their own) and more often than not, the meeting event is a recurring one that has been edited or moved in some way. We have instances of a single occurrence of a recurring meeting dropping off and the entire series. We have not been able to reproduce this issue with users that do not have delegates, that is unless the meeting invite they received comes from someone who does have a delegate.

Note: Exchange 2007 environment.

We have heard that one resolution could be disabling Cached Exchange Mode for the troubled users, but the loss of functionality has been determined to be unacceptable.

This is a sensitive issue because users that have delegates are often... senior management. Any help or direction would be greatly appreciated.

Thank you.

Android Orphans: Examining Smartphone Obsolescence

No votes yet

Blogger Michael DeGusta compiled the release and upgrade history of every Android phone released through mid-2010. It is impressive, and not in a good way.

(via Daring Fireball)

Hosted Certificate Authorities / PKI

Aaron Freimark's picture
No votes yet

Hi folks.

To unlock some of the most interesting iOS features for enterprise, you need to use a Certificate Authority (CA) to create, manage, and distribute identity certificates to your devices. (Actually, the deployment is typically done through [[MDM]). With this infrastructure in place, you can teach your servers to recognize valid certificates, allowing secure VPN, email, WIFi and intranet access without password authentication. However, many businesses do not have this infrastructure, known as PKI, in place.

I'm curious about experiences with hosted PKI. It would have to be simple to use -- that's the point.

Any of you have experience you'd like to share? Any successful hosted PKI/MDM integrations?

Head-to-head: AirWatch vs. Maas360

Tippet5x's picture
No votes yet

Hello

I was looking for some real world feedback, that could help with a decision.
Price between the two are close. Airwatch does offer multi language interface and the option to route 443 to their environment and the back. No software installed in my environment.

I don't think maas360 has that option but I heard their up port is better

Thank you

APNS Certificates Without a Developer Membership?

No votes yet

Hi All,

To play with Mobile Device Management, you need an Apple Push Notification Service certificate. And to get one of those, you've always needed a paid membership in the iOS Developer Program. Until now, it seems.

Check this out: https://identity.apple.com/pushcert/

If this is true, it would be great news!

(It seems you can also manage the APNS certs that you got when using Apple Profile Manager).

Cheers,
Oliver

Apple's iOS 5 Changes to .mobileconfig Enhance Security and Add Features (updated)

No votes yet

(Update: AirWatch sent a useful summary of the changes. I've added them below.)

With the release of iOS 5, Apple has added some new features to its .mobileconfig specification. This is the fundamental specification for how Mobile Device Management services interface with the iPhone and iPad. This is the reason why so many MDM providers offer similar features. MDM providers are limited to providing new features until Apple updates this spec. So when Apple adds keys here, expect MDM providers to follow -- and the best to follow quickly.

Email

The most significant changes are with email payloads. A set of new keys allow for enhanced security.

PreventMove, if set to true, forces this email account into a fence. That is, messages received by this account cannot be moved into another account. This also prevents forwarding or replying from a different account than the original account.

PreventAppSheet, if set to true, prevents this account from being used in third-party applications.

SMIMEEnabled, and its companions SMIMESigningCertificateUUID and SMIMEEncryptionCertificateUUID, allow for signed and encrypted mail. SCEP-based credentials managed by the MDM system may be used here.

iCloud

There are a number of new keys for allows control over iCloud.

allowCloudBackup permits or disables iCloud device backup.

allowCloudDocumentSync will disable document syncing, while allowCloudKeyValueSync will disable key-value syncing, for apps that use that iCloud technology (not every app is document-based). Finally, allowPhotoStream can be used to disable iCloud storage of device photos.

Restrictions

forceITunesStorePasswordEntry prevents iTunes from saving your backup password. So you'll need to add it every time.

allowUntrustedTLSPrompt enhances SSL security by rejecting invalid certificates. The default behavior is to prompt the user, who may not think before tapping.

Here's a biggie: You can now disable voice and/or data roaming.

Wi-Fi

Wi-Fi payloads gain an AutoJoin keyword. It also more specifically describes known Wi-Fi networks by allowing specification of the EncryptionType and ProxyType.

Query

Battery Life can now be queried.

Carrots and Sticks

No votes yet

"Carrots and Sticks" is a methodology of balancing the "stick" of security-enhancing restrictions with the "carrot" of user access to otherwise restricted data.

By design, users may opt-out of Mobile Device Management at any time. Settings > General > Profiles > Global MDM Profile > Remove. Individual configuration profiles may be password protected, but the root MDM certificate is always removable without anything more than the device passcode. And once that is removed, all child profiles are also removed. There is no programmatic way to prevent this.

One solution is to make MDM more attractive for the users. These are the "carrots." Here are some ways to do that.

  • Deploy managed apps (new to iOS 5) using MDM. Managed apps are sent over the air as art of the MDM package. If MDM is removed, these apps can be set to disappear as well.
  • Develop in-house apps using Apple's iOS Developer Program, and distribute the deployment certificate only by MDM.
  • Use a Public Key Infrastructure to grant access to VPN, Exchange, Wi-Fi, etc. Deploy user credentials through MDM only.
  • Slightly different than using PKI to grant access to corporate resources, more MDMs are offering DMZ based components to their solution which are in-line proxies prior to their Exchange, Domino, Office365, Google Apps services. These proxies/filters check with the MDM to ensure compliancy prior to allowing the device through. By using this, users are blocked & required to enroll in MDM to get to the corporate email resources.

Got more carrots, Doc? Edit this wiki page and add them here.

Demonstrating Over-the-Air App Deployment in iOS 5

No votes yet

Perhaps the biggest enterprise feature yet uncovered in iOS 5 is Over-the-Air app deployment. It's not quite "push"; but I'll call it "push-like".

Here's how it working, using JAMF's Casper Suite. JAMF updated their software today to support the latest iOS 5 technologies.

First, log into the MDM console.

Under Management, click "Mobile Device App Catalog".

Click "Add App".

About This Site

  • Enterprise iOS is a community for administrators of the iPad, iPhone, and related devices. All content is available to browse. We encourage you to create an account to submit stories, edit wiki pages, and post to our forum.

Comparison of MDM Providers

Recent Activity

Who's New