Zenprise expands our Comparison of Mobile Device Management Providers

No votes yet

I'm very happy to announce that Zenprise has added their data to our Comparison of MDM Providers. We are now at 800 boxes with / ticks.

As this feature has grown, we've seeing some areas where we can improve the chart. Please visit MDM Comparison 2.0 Beta to see where we are going, and contribute your suggestions.

In-house App Deployment

Your rating: None (3 votes)

Has your company built a great app? But you don't want it on the app store? In-house App Deployment is for you. There are two ways to go:

Outsource It

Several companies make a living building private app catalogs for businesses (like this mobile application development company). These sites typically require an enterprise subscription to Apple's iOS Developer Program.

Do It Yourself

(I haven't done all these steps myself. Hopefully some of you can fill in whatever gaps exist.)

Once you have established your iOS Developer Enterprise Program, everything you need to know is listed under the Provisioning Portal.

The rough steps for in-house app distribution are:

  1. Identify internal development resources
  2. Establish a cross-functional team to establish security, design & look and feel guidelines
  3. Download Xcode from AppStore or via free iOS Developer Program
  4. Build an app in Xcode
  5. Sign up for the iOS Enterprise Developer Program (not the standard program)

iOS Developer Enterprise Program
Requires DUNS number
Enrolling employee must have binding authority to enter into contracts
This employee becomes the Team Agent
Legal contact at your company to verify enrolling employee & their binding authority
Budget 10 - 15 business days for enrollment

From Apple's iOS Provisioning Portal

  1. Create App ID (performed by Team Agent)
  2. Register development devices (Team Agent)
  3. Create Development Provisioning Profile (Team Agent)
  4. Create Developer code signing Certificate
  5. Add Provisioning Profile & Developer Certificate in Xcode

To add the app to your device, you must also add the provisioning profile. This may be done with either the iPhone Configuration Utility or with most Mobile Device Management systems.

Note that with iOS 4, provisioning profiles are read only at boot. So here is what will happen: MDM will install both profile and app, but then the app will seem to disappear. The system is simply hiding the app because it is not aware of the provisioning profile. Just reboot the device to have the app function.

McAfee EMM added to our Mobile Device Management Comparison

No votes yet

Our member andrer9999 was kind enough to fill in the blanks for our enormous Comparison of MDM Providers. Thank you!

Open Source iOS Device Management

No votes yet

EoIS member Haruhiko Nishi has released a prototype system for managing iOS devices as Open Source. The code works through an ActiveSync connection to your device, which can manage some restrictions and policies. There's a bit of discussion in our forum about this already.

The demo is quite interesting. See our forums for the URL. Thanks, Hanishi!

Thank You!

No votes yet

A huge THANK YOU to mobilEcho and all the attendees at last night's meetup shindig. The entire industry was represented: education, enterprise, developers, MDM, MAM, MFM, and your MOM. And as you can see from the photo above, even the bartender got into the spirit.

Let's do this again next year, shall we?

(Photo by Arek Dreyer. Thanks Arek!)

iOS 5 Questions

Aaron Freimark's picture
No votes yet

Yesterday's announcements bring up several questions regarding enterprise use of iOS 5.

  1. Can enterprises pre-load configurations and certificates to allow "PC Free" deployments?
  2. Do Over-The-Air software updates depend on iCloud for data backup and restore?
  3. User cy2k asks: What, if any, changes are there to MDM and mobileconfig.
  4. Can iCloud be disabled or restricted using MDM?
  5. Who holds the private keys to the iCloud?
  6. Can there be "private" iClouds for sensitive information?
  7. Is there the ability to record an iMessage conversation?

Add your thoughts and further questions below.

(A reminder about this site's policy: We aim to bring together all players in this community and therefore will not publish information covered by non-disclosure agreements. But we'll try to compile the best information available publicly.)

Enterprise iOS Meetup on Wednesday

No votes yet


No votes yet

iCloud is Apple's announced cloud service.

In addition to Address Book, calendar, mail, iBooks, music, and photos, iCloud supports a number of innovative features.

Document Storage

Just looking at the WWDC Keynote, iCloud appears to be the file system that's been missing from iOS since the beginning. Files are sync'd wirelessly and in the background to all devices. (Sounds like Dropbox.)

IT appears Apps needs to be updated to work with iCloud, using iCloud storage APIs. Works on all iOS devices, and Macs and PCs too.

No word on security yet, or on enterprise sharing features. (Likely this is consumer-only at the beginning.)


5 GB base storage for mail and documents (does not count purchased music, apps, or books). More storage is probably available at an additional fee.

iCloud is in Beta now, shipping with iOS 5 this fall.

iOS 5 Announcements

Aaron Freimark's picture
No votes yet

I'm here at WWDC, where there are several fantastic announcements for the enterprise community.

  • No iTunes activation required ("PC Free")
  • Over the Air OS Updates
  • Delta updates will be much smaller
  • S/MIME encrypted mail
  • Improved Mail offline support
  • BBM-like messaging: "iMessage" to all iOS devices. Includes delivery & read receipts.
  • iPad 2 AirPlay integration displays fullscreen wireless to Apple TV, etc.
  • Daily backups to iCloud over WiFi

Coming this fall. will support all iOS Devices which are currently supported.
More information coming (at least, the information not under NDA).

What is your favorite feature?

Toward Complete Mobile Device Management

No votes yet

Any iOS administrator with a real deployment in operation can tell you this: Today's MDM solutions are only a fraction of the puzzle. In the real world, a complete solution is much more complicated.

Physical Device Management, specifically imaging and deployment, is the biggest pain point today. For iOS it is all manual work: iTunes, cables, mouse clicks, etc. Alternatives are desperately needed if today's pilots will scale.

Policy Management is a relatively mature space, as these things go. There are quite a few vendors, such as MobileIron, AirWatch, and Casper Suite. Although these vendors often bleed into other domains, they focus on policy management.

Application Management is a pretty sparse field. Companies such as Apperian and AppCentral allow for hosted enterprise app catalogs, but these are disconnected from other management services. MDM providers can offer private app catalogs as well, but these don't offer update services.

File Management, to manage the distribution and policies on centralized files, is relatively new. There are a few nascent tools such as mobilEcho and SilverSync in this space.

The big players today want to own the entire space, one-size-fits-all. They are thinking of what RIM did with BES. But this strategy ends up with a mobile environment without many options for the user. And like it or not, user choice is one of the foundations of the iOS platform. (Think of the App Store with nearly 400,000 apps.)

Instead, I believe we would be better off with a small set of standards that encourage independence and interoperability. Let each company make its choice for file or app or policy management. Encourage innovation and differentiation.

And how does this look?

Automatic Provisioning: I think many of us share the same dream: A newly provisioned device should automatically install certificates, policies, apps, configurations and documents appropriate for that user. Wouldn't that be nice? I don't think it would even be difficult, technically. Apple would need to integrate MDM enrollment into device registration. (Easy for me to say, right?)

Pluggable App Policies: MDM systems are pretty good today for setting up device restrictions, imagine if they were able to reach into application configurations. This is already done for SSL VPNs, where a configuration profile can pass policies to Cisco, Juniper and F5 iOS VPN clients. mobilEcho has a similar model for centralized configuration through their own server. The only way to extend this to the huge number of apps is to create a standard way of plugging into MDM consoles. App developers could, if they wanted to be included, develop their own console plug-in to this spec. Their app would then query the OS for installed MDM profiles and then request an config from the MDM server.

Policy-based Access Controls: File management on iOS is today just way too leaky. Any app can implement "Open In..." with a single line of Objective-C. But "Open In" simply makes another copy somewhere else. This is a policy and version control nightmare. So how many copies of that P&L statement do you want around? Imagine if a consortium of app developers agreed on a standard for policy-based file management. A push is already on for such a standard. I look forward to hearing more about it.

Next week will be a big one for us: How will iOS 5, iCloud, and Lion change this landscape? Stay tuned.

What to expect from WWDC

No votes yet

Ryan Faas has an in Computerworld on what to expect from WWDC 2011.

He doesn't mention one thing to expect... drinks Wednesday night!. Join us at 7:30 PM on, at the Tunnel Top Bar, 601 Bush Street. This is sponsored by Group Logic (buying the drinks) and Tekserve (my employer) for the EiOS community.

I hope to see you there.

mobilEcho — Mobile File Management

Your rating: None (1 vote)

The Concept

  • Access file servers from iPad as easily as from your Windows or Mac laptop
  • Secure (encrypt) the data at rest and data in motion
  • Manage over the air (OTA) the configuration of mobilEcho

The mobilEcho Solution

  • Server – software that runs on Windows to proxy the file access of the iPad apps based on existing Access Control Lists (ACLs)
  • Protocol – designed specifically for mobile users with limited bandwidth, high performance expectations and to encrypt traffic at all times
  • App – that provides Windows Explorer / Mac Finder like navigation of file servers, preview and open in encryption of all files and configuration data and
  • Management – governs mobilEcho app behavior with configuration templates for each Active Directory (AD) User or Group

Set Up

  • Download and install the mobilEcho server software available from Group Logic
  • Define configuration "Profiles" for AD Users and/or Groups that need file access

  • Download to the iPad the mobilEcho app which is free from the App Store
  • Configure mobilEcho over the air based on your Active Directory Group Membership


  • Browse files and folders on the server
  • Preview files and open in other apps for editing
  • Save files created or edited on the iPad to the server
  • Store files locally for offline use


  • Enhance mobile user productivity
  • Access existing files (content) on storage your organization controls and manages
  • Avoid paying for redundant cloud storage
  • Maintain security and governance of your organization's information
  • Empower remote management of files on mobile devices

Enterprise iOS T-Shirts Coming to WWDC

No votes yet

You can't have an Internet community without T-Shirts, and our shirts are on their way. They will make their debut on Wednesday, June 8, at our WWDC Meetup. These are courtesy my employer, Tekserve.

If you shoot me an E-mail I'll make sure to save one in your size.

See you there.

The Remote Access Choice: VPN or APN?

Your rating: None (2 votes)

(This article originally appeared in the blog iOS4Business, by Mathieu Bernier.)

When you’re working on an iPhone/iPad deployment project you will always come to the point where your customer or yourself asks, "How can I secure remote access to my company?"

The first answer that comes to mind is "Configure a VPN tunnel." But an underestimated way to secure the access to your internal assets is through the use of Access Point Names, or APNs.

What is an APN?

APNs are gateways typically hosted by your mobile phone carrier, allowing your mobile to browse Internet using the mobile network. In general, APNs are shared between users and you don’t even know that your phone uses this gateway to access Internet. But if you’re a big company and you prefer to have your own private APN hosted by your carrier, you can rent one for all your devices.


The big advantage is that when you use a private APN, the VPN tunnel is configured between the APN gateway and your VPN gateway. That takes away the battery problem you can encounter with traditionnal VPN deployments.

That’s the basic configuration offered by your provider. Usualy you can deploy more secured and scalable architecture, with redundancy, MPLS links if you have one etc… These APNs are usualy RADIUS compatible so you can, on your side, restrict access to your network only to devices registered in your fleet.


There are three main disadvantages using APN :

  1. First, the price. The rent is starting around 900 euros/month in France for a no-failover, simple configuration.
  2. You need to rent an APN in each country where you want to deploy your fleet.
  3. All your 3G data traffic is going to be redirected on your own network, in and out, so you need to make sure that your infrastructure can support this traffic growth.


APNs can be set using the iPhone Configuration Utility or using most Mobile Device Management software.

On-Demand VPN Explained

No votes yet

(This article originally appeared in the blog iOS4Business, by Mathieu Bernier.)

VPN On-Demand is the Holy Grail, for Apple. When you ask an Apple representative for a VPN solution, what you get in return is: VPN On-Demand. So, let’s discover what’s behind that door with a short procedure using iPhone Configuration Utility.

(I won’t cover the configuration of the VPN gateway in this article. You need to make sure that your VPN gateway is properly configured to accept Certificates authenticated connections.)

I. The Concept

The first thing you need to know about VPN On-Demand (VPoD) is : it’s a very simple concept.

  1. It allows administrators to define a Hosts Domain realm behind which all hosts must be accessed via a VPN connection.
  2. Whenever an application try to access one of the server behind that realm, the iOS device automaticaly starts the VPN tunnel.

That’s VPN "On-Demand".

II. Requirements

In order to make VPN On-Demand work properly, you need :

  • A compatible VPN gateway (Cisco, or any Cisco IPSec compatible third-party gateway, F5 SSL, JunOS Pulse etc …)
  • An enterprise Certificate Authority
  • The Authority CA Certificate
  • A personnal certificate delivered by the Certificates Authority

III. Certificates

The first thing you need to do is to import the CA Certificate and your personal Certificate in the iOS configuration profile.
It’s fairly easy to do that.

  1. Open the iPhone Configuration Utility on your desktop

  2. Go to "Certificates"

  3. Click on "Configure"

  4. You need to get your personal Certificate and (if you use a company-wide Certificate Authority) the CA Certificate of your authority. First, import your personal certificate. Enter the password of your choice (remember it !) and click OK.
  5. Do the same for the CA Certificate. It should not ask you for a password this time.
  6. Now you have imported both certificates in your profile.

IV. "On-Demand" Configuration

A few settings are required to configure the VPN On-Demand in the profile.

  1. Go to VPN

  2. Enter the VPN gateway and authentication settings values.

  3. Choose _Certificate_ as the authentication method for the device. Then select your personal certificate you imported earlier.

  4. Enable _VPN On-Demand_ option and add a new realm in the list

    Screen shot 2011-05-23 at 6.31.06 AM.png

In this example we created a realm "*.intranet.mycompany.com" with an action set to "Always establish". So now, any application trying to access a server behind "intranet.mycompany.com" will automaticaly setup a VPN tunnel to access it.

Upload the profile to your device, and then you are ready.

Simple as it looks like.

About This Site

  • Enterprise iOS is a community for administrators of the iPad, iPhone, and related devices. All content is available to browse. We encourage you to create an account to submit stories, edit wiki pages, and post to our forum.

Comparison of MDM Providers

Recent Activity

Who's New