About a week ago, security researcher Jonathan Zdziarski revealed what apparently is a number of "backdoors" to iOS. These allow access to data on even encrypted devices, as long as a pairing record is available from a trusted source (not trivial). Although Jonathan took pains to qualify the announcement, several reports have seemed to exaggerate the issue.
In response, Jonathan has compiled a list of more reputable tech articles on the topic. I've reprinted the list below.
- iOS Lockdown “Backdoors” (TL;DR), by Dino Dai Zovi, co-author of “iOS Hacker’s Handbook”
- Surveillance Mechanisms in iOS Devices – Don’t Panic but… Do Read This, by Elissa Shevinsky, CEO of Glimpse
- Apple iPhones allow extraction of deep personal data, researcher finds, by Joseph Menn, Reuters
- Is Apple’s iOS Backdoor Not a Backdoor, by Nathaniel Arnold, Wall Street Cheat Sheet
- iOS slurp ware brouhaha: It’s for diagnostics, honest, says Apple, by Iain Thomson, The Register
All, I have an oddity that hopefully someone has some ideas about.
My infrastructure does not support traditional IP structures.
When we set up Apple Server to do Caching, it instantly disables and errors out that we are using a public network. Which we are not; we just (as I said) don't use the traditional 10.*.* approach.
We need to upgrade multiple devices in multiple locations and don't / can't tie up the bandwidth needed to do them all over the air.
Here is an example:
One location may have 300 iPads.
iOS 8 is going to come in ~1.7 gb.
You don't have to be a network genius to see that 510gb of data is going to drop traffic to a crawl!
Especially when other traffic gets the majority of the bandwidth and these devices scavenge for what they get.
Has anyone tackled this? If so... please elaborate.
Are there other offerings? Casper or SCCM come to mind in my quandary.
Any and all assistance is a boon at this point.
I have updated the script to work with versions 11.2.2 and 11.3
You can find the updated version here: https://github.com/brandonusher/Apple-ID-AppleScript
I have tested the creation process with the updated version while creating ~3,000 IDs and I only ran into one issue I couldn't fix, which is as follows:
- Sometimes AppleScript won't be able to find the iTunes window, so it breaks. To fix this, just edit the spreadsheet to remove the IDs it has already created and run the script again.
If you have any questions, feel free to ask and I can try to help you out
It seems Apple has made the prerelease Configuration Profile Key Reference available to the public. This is the technical documentation for much of the iOS and Mac enterprise management capabilities Apple makes available via MDM vendors, Configurator, etc. (The other main document, the MDM Protocol Reference, remains behind the developer site authentication wall.)
I've done a diff against the documentation for iOS 7, and here are the highlights. Remember, this is prerelease and may change before release.
- SMIMEEnablePerMessageSwitch (Email Payload): Optional. If set to true, enable the per-message signing and encryption switch. Defaults to false.
- allowManagedAppsCloudSync (Restrictions Payload): Optional. If set to false, prevents managed applications from using cloud sync.
- allowEraseContentAndSettings (Restrictions Payload): Supervised only. If set to false, disables the “Erase All Content And Settings” option in the Reset UI.
- allowSpotlightInternetResults (Restrictions Payload): Supervised only. If set to false, Spotlight will not return Internet search results.
- allowEnablingRestrictions (Restrictions Payload): Supervised only. If set to false, disables the "Enable Restrictions" option in the Restrictions UI in Settings.
- allowActivityContinuation (Restrictions Payload): If set to false, Activity Continuation will be disabled. Defaults to true.
- allowEnterpriseBookBackup (Restrictions Payload): If set to false, Enterprise books will not be backed up. Defaults to true.
- allowEnterpriseBookMetadataSync (Restrictions Payload): If set to false, Enterprise books notes and highlights will not be synced. Defaults to true.
- EAPFASTUsePAC (WiFi Payload): Clearer fallback rules
- AlwaysOn VPN
- IKEv2 VPN
- Web Content Filter Plugins
- Managed Domains: New Email domains and Web domains. This payload defines web domains that are under an enterprise’s management.
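To show how the new Restrictions keys above end up in an actual profile, here is an added example (not code from the post or from Apple's reference) that builds a Restrictions payload with Python's standard `plistlib`, refuses to set a supervised-only key on an unsupervised device (where it would silently be ignored), and reads a profile back to report the effective value of every new key. The payload type `com.apple.applicationaccess` is assumed from the existing reference rather than from this post, and where the post states no default, `true` (allowed) is assumed.

```python
import plistlib
import uuid

# The new Restrictions payload keys from the post's diff.
# Value: (supervised_only, default). Defaults follow the post where it
# states one; for the remaining keys "allowed" (True) is assumed here.
NEW_RESTRICTION_KEYS = {
    "allowManagedAppsCloudSync": (False, True),
    "allowEraseContentAndSettings": (True, True),
    "allowSpotlightInternetResults": (True, True),
    "allowEnablingRestrictions": (True, True),
    "allowActivityContinuation": (False, True),
    "allowEnterpriseBookBackup": (False, True),
    "allowEnterpriseBookMetadataSync": (False, True),
}

# PayloadType of the Restrictions payload; assumed from the existing
# Configuration Profile Key Reference, not from this post.
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"


def build_restrictions_profile(overrides, supervised, identifier="com.example.restrictions"):
    """Return the XML .mobileconfig bytes for a profile carrying one Restrictions payload.

    overrides: {key: bool} for keys in NEW_RESTRICTION_KEYS.
    supervised: whether the target device is supervised; supervised-only
    keys are rejected otherwise, because an unsupervised device ignores them
    and an admin would wrongly believe the restriction is in force.
    """
    payload = {}
    for key, value in overrides.items():
        if key not in NEW_RESTRICTION_KEYS:
            raise KeyError(f"unknown restriction key: {key}")
        if not isinstance(value, bool):
            raise TypeError(f"{key} must be a boolean")
        supervised_only, _ = NEW_RESTRICTION_KEYS[key]
        if supervised_only and not supervised:
            raise ValueError(f"{key} is supervised-only; it has no effect on an unsupervised device")
        payload[key] = value

    payload.update({
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
    })
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example Restrictions (constructed)",
        "PayloadRemovalDisallowed": True,   # keep users from removing the profile
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def effective_restrictions(profile_bytes):
    """Parse a profile and return each new key's effective value.

    A key absent from every Restrictions payload takes the default from
    NEW_RESTRICTION_KEYS, which is what the device does with an unset key.
    """
    profile = plistlib.loads(profile_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD_TYPE:
            found.update({k: v for k, v in payload.items() if k in NEW_RESTRICTION_KEYS})
    return {key: found.get(key, default) for key, (_, default) in NEW_RESTRICTION_KEYS.items()}


if __name__ == "__main__":
    data = build_restrictions_profile(
        {"allowEraseContentAndSettings": False, "allowManagedAppsCloudSync": False},
        supervised=True,
    )
    for key, value in effective_restrictions(data).items():
        print(f"{key}: {value}")
```

The point of the supervised check is the usual one with Restrictions: several of the new keys do nothing on a device that is not supervised, so a profile that "sets" them on a BYOD device produces a false sense of control. Reading the profile back with `effective_restrictions` is also a cheap way to review what a vendor-generated profile actually contains before pushing it.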
Is anyone here using the new Apple Device Enrollment Program (DEP) for iPhones? I can see it being used for iPads since you can normally buy these direct from Apple however iPhones are a bit more challenging because I would think most enterprises buy the phones from their wireless provider. Can anyone please provide any insight they may have regarding DEP and iPhones? Thanks!
This has been said and heard many times, but I thought it would be good to reiterate, since many enterprises will dive into creating their first mobile App and my goal is for them to avoid these pitfalls.
1) Taking over 6 months from start to deploying the mobile App's first version: Everyone is very comfortable with the traditional waterfall implementation approach, where you take 2 to 3 months to gather requirements and then go into design and build phases. You even extend the timeline to accommodate all the requirements. However, this model is lethal for several reasons. First, mobile is a fast-growing space where the OS sees a major version upgrade and 3 to 4 minor upgrades every year. Second, you have a plethora of new devices and accessories coming in every day, and the current model becomes obsolete in less than 2 years. So if your App is somewhat dependent on a particular device type, then the device may become obsolete even before you deploy the first version. At times, device compatibility becomes an issue if your App relies on accessories to work.
Solution: Take the traditional development approach and reverse it. Identify 1 to 2 must-have requirements and reverse engineer the timeline. Identify and develop foundational elements such as login, navigation and UI design items, and create a template so that new view controllers and additional pages can be easily developed later. Deploy that 1 piece of functionality to the end users and get their feedback. The 1st deployment should be within 10-12 weeks, and after the first deployment go into a 3-4 week update cycle where incremental functionality is introduced.
2) Connecting the mobile App to existing backend systems sitting inside the corporate data center: I have seen this scenario many times. The requirement goes like this... You have a desktop application that is connected to your on-premise backend system such as SAP or Oracle or even a mainframe. Now the requirement is to develop a mobile App that uses the integration web services to send and receive data directly to the backend system. The App is developed in Xcode by calling the web service directly to send and receive data. In theory everything should work great, because users can use either the mobile App or the desktop to access the backend system data and update it at the same time. However, it ruins the user experience, because the integration to the web service is not optimized for mobile traffic.
There are huge differences between how a desktop application sends data and how a mobile device sends data. In a desktop application:
○ Bandwidth is not an issue, so the payload size (actual data size) is always big.
○ They are mostly request/reply interfaces, where the data is sent and the client waits for confirmation before a "Success/failure" status is returned and the connection is closed.
○ There are a minimum of 2 to 3 hops before the data is handed off (it may hit a gateway, an application server and then the database).
For a mobile App it is the opposite: a mobile App requires small payloads, multi-threading, reduced connection time, and the fewest possible hops.
When the user opens the App, it takes at least 30 sec to get to the main screen, because it is fetching all the data in a single thread. During updates the user sees the loading spinner for more than 30 sec, because the App is waiting for the backend system to provide confirmation before it can let the user go. Imagine a user trying to use the App not on Wi-Fi but on their wireless carrier's network. That might be the last time the user ever uses the App...
Solution: Do not connect your mobile App directly to your backend system; instead introduce a staging area where the data can be stored and retrieved by the App. The staging area can even be housed with a cloud provider outside the corporate network, as long as there is VPN connectivity to the corporate network. This provides a great user experience: when the user opens the App, within seconds all the data is already loaded. Use Background App Refresh to preload the data where applicable. When saving a record, the data update goes into this staging area, and then the sync occurs between staging and the backend system. The App will be really fast and the end users will love it.
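The staging pattern described in this section, as an added example that is not code from the post: the App reads from and writes to a `StagingStore` and gets an immediate answer, while a separate `sync` pass pushes queued writes to the slow backend and keeps anything that failed queued for the next attempt. The `SlowBackend` class is a constructed stand-in for the on-premise system (SAP, Oracle or a mainframe in the post's terms); the latency and failure counts are constructed sample values.

```python
from collections import deque


class SlowBackend:
    """Constructed stand-in for the on-premise backend behind the VPN.

    fail_first: number of initial write calls that raise, to model the
    backend being unreachable for a while.
    """

    def __init__(self, fail_first=0):
        self.records = {}
        self.fail_first = fail_first
        self.write_calls = 0

    def write(self, key, value):
        self.write_calls += 1
        if self.write_calls <= self.fail_first:
            raise ConnectionError("backend unavailable")
        self.records[key] = value

    def read_all(self):
        return dict(self.records)


class StagingStore:
    """Write-behind staging area between the mobile App and the backend.

    Reads are served from the local copy filled by preload() (what the post
    calls Background App Refresh); writes are acknowledged immediately and
    queued, and sync() later replays the queue against the backend.
    """

    def __init__(self, backend):
        self.backend = backend
        self.cache = {}
        self.pending = deque()   # (key, value) pairs not yet confirmed by the backend

    def preload(self):
        """Refresh the local copy from the backend (run in the background, not on open)."""
        self.cache.update(self.backend.read_all())
        return len(self.cache)

    def read(self, key):
        return self.cache.get(key)

    def write(self, key, value):
        """Record the update locally and queue it; the App never waits on the backend."""
        self.cache[key] = value
        self.pending.append((key, value))
        return len(self.pending)

    def sync(self, max_attempts=3):
        """Replay queued writes in order. Returns the number confirmed by the backend.

        A write that still fails after max_attempts stays at the head of the
        queue, so ordering is preserved and nothing is silently dropped.
        """
        confirmed = 0
        while self.pending:
            key, value = self.pending[0]
            for _ in range(max_attempts):
                try:
                    self.backend.write(key, value)
                    break
                except ConnectionError:
                    continue
            else:
                return confirmed          # give up for now; item remains queued
            self.pending.popleft()
            confirmed += 1
        return confirmed


def demo():
    """Constructed scenario: two saves while the backend is down, then recovery."""
    backend = SlowBackend(fail_first=4)   # first four write attempts fail
    staging = StagingStore(backend)
    staging.write("order-1", {"qty": 2})
    staging.write("order-2", {"qty": 5})
    first = staging.sync(max_attempts=3)  # 3 failures: nothing confirmed, both still queued
    second = staging.sync(max_attempts=3) # 1 more failure, then both succeed
    return first, second, len(staging.pending), backend.read_all()


if __name__ == "__main__":
    print(demo())
```

One consequence worth noting when the staging area lives with a cloud provider, as the post allows: it now holds a copy of corporate records outside the data center, so it needs the same access control and encryption at rest as the backend it fronts, and the VPN link protects only the sync path, not the store itself.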
3) Using the existing business process with the mobile App rather than creating a new one: it is hard to manage change and expensive to change an existing, tried and tested business process. When creating a mobile App, the same business process is extended rather than changed or replaced with a new one. This is totally wrong if the goal is merely to create a mini-me version of the desktop so that users can use a mobile device.
Solution: Take advantage of new assets on the mobile device such as the camera, GPS and Bluetooth, and change time-consuming business processes. In the article "American Airlines CIO talks consumerization", the CIO talks about how baggage mishandling was reduced by 65% by scanning the bags.
Overall, I think there is a lot of disruption to be made with enterprise mobility if the right solution is developed and implemented the way the employees can use them effectively. As always feel free to correct me and add your comments.
WWDC has always been the one time each year when Apple peels back the curtain of secrecy and previews what is to come. That is if you were one of the lucky ones to score a ticket. But in 2014, in what I think is an unprecedented display of openness, Apple has released every video of every WWDC session online and to the public. Last year, you needed to be at least a member of the developer program to view these. This year everyone can see.
Here are the three most directly focused on Enterprise. I hope you take the time to watch and comment. They really are worth your time.
Learn about the latest developments in managing Apple devices in an enterprise environment. Learn how MDM can be used to wirelessly configure settings, monitor compliance with policies, install apps, and remotely wipe devices, and how these capabilities can be integrated with in-house or third-party server solutions.
Learn about data security, enterprise authentication, integration with back-end systems, app configuration methods, and the latest technologies for interacting with documents, accessories, and more. Get helpful tips for constructing your apps to meet the needs of schools and educators, as well as key requirements from IT. Perfect for everyone looking to get their apps in the hands of business professionals, educators, and students worldwide.
Learn how to provision and deploy apps across your enterprise. Leverage key Apple programs such as the Volume Purchase Program and the iOS Developer Enterprise Program to get the right apps in the hands of your employees, contractors, and partners. Learn how to manage certificates and provisioning profiles to deploy your apps, and take advantage of mobile device management (MDM) tools to provide a seamless experience for your users. Gain insight into the complete app management lifecycle; from signing your in-house apps in Xcode, to distributing, managing, and revoking apps across your workforce.
Our annual WWDC meeting was a big success, cramming over 50 people into a space designed for quite a few less. Even so, it was a great meeting of the minds, or at least a clinking of the glasses. Our sponsors MobileIron, Acronis and Tekserve deserve a very special shout-out for lubricating the whole shebang.
What do you think about repeating this next year, in a slightly larger space?
Photos after the break.
Apple, Inc. quotes “The iPhone is being used in 97% of Fortune 500, and the iPad is used in 98% of Fortune 500 and 93% of the Global 500 companies”.
What do these numbers really mean? They mean that either employees bought their own devices (iPads, iPod Touches, iPhones) to connect to the corporate network for checking email, or employees got their iPhone through a corporate mobility program, or a few brave companies deployed iPads for a specific use case.
What is their potential use? Mainly corporate email, phone calls, iMessages and other personal stuff.
While the devices are perfectly capable of handling many complex corporate applications that are in use as intranet applications or Windows applications, they have until now been held back for several reasons. Even intranet sites are not mobile-optimized to be viewed on an iPhone or iPad. If you ask why, here are some obvious answers…
• We can’t manage iOS devices similar to how we manage windows laptops
• User experience is bad when they need to login through each App individually
• Data is not secured or encrypted on the device
• Secure connectivity to corporate network cannot be easily configured or managed
• App distribution is not easy – Users need to manually download the app and upgrade them
• Cost is high to develop enterprise Apps due to limited developers with Objective-C experience
At WWDC, Apple had a clear response and answers for all these questions. With the introduction of the new programming language “Swift”, the opening up of Touch ID and the keychain to 3rd party Apps, App extensions, and B2B Apps, they have made enterprise adoption easy and quick. There were several sessions focused on enterprise app development and deployment, and dedicated resources to provide additional information. This will accelerate the migration of boring, non-intuitive Windows applications and intranet sites to iOS Apps which will be secured, silently installed and managed by corporate programs.
Here are the details if you still think the questions are not answered…
Within the next few years this will change: new applications, functionality and use cases will be developed specifically for iOS devices once the ROI (Return On Investment) can be justified through an increase in employee productivity.
Stay tuned for more updates and feel free to add your comments…!
I've been going to Apple's Worldwide Developer Conference for many years, and this is one to remember. Not only are there a ton of new features for Mac and iOS, but this was perhaps the first WWDC with a section dedicated to Enterprise. ENTERPRISE! On Apple's biggest stage of the year. Excuse me while I take a moment.
OK, so in no particular order, here are some of my favorite enterprise features in iOS 8. It isn't the only list — see Apple's own list and Ryan Faas's too, among others. And there may or may not be additional features hiding within the Apple Developer Pre-Release Library.
- Continuity — silently create an Automatic HotSpot among Macs, iPads and iPhones, and stuff just flows between them. What stuff? iMessages already did this trick but now SMS messages do too. Web pages. Draft emails. Notes. Oh, and phone calls! You can now make calls from your Mac or iPad that quietly route through your iPhone to the carrier. I'm sure there is more here. This is a big feature. The Mac is now an accessory to your iPhone.
- Plugins for Shared Storage — this has the potential to be huge. Effectively connects any app to your enterprise document store for opening and saving.
- Interactive Notifications — Now you can respond to SMS messages & calendar appointments without leaving the Notification Center. More exciting, developers can create their own notification center plugins called Widgets. Lots of possibilities here.
- Improvements to Mail — New gestures, multiple windows (well, almost), VIP lists, per-message S/MIME controls, out-of-office controls
- QuickType — Not only predictive spelling, but predictive words and phrases too. Will pump new life into Damn You Autocorrect.
- Pluggable Keyboards — This one has me excited. For starters, I want to see this 2012 keyboard concept see the light of day.
- Exchange Calendar improvements — free/busy (yay!)
- Group Messaging improvements — Big improvements here, and this may replace similar systems for small-team communication. iMessage has proven to be quite secure.
- Expanded Data Protection — In addition to Mail, more of Apple apps are now encrypted (when you use a passcode): Calendar, Contacts, Reminders, Notes, and Messages.
- Managed Books and PDFs — automatically push these documents to managed devices
- New MDM Tools — Set device name, check last iCloud backup time, certificate-based SSO
- Use TouchID in Apps — Use your fingerprint instead of your password. Note this isn't necessarily more secure, but it's quicker.
iOS 8 Beta is available today from the Apple Developer Site. It is scheduled to be publicly released this Fall (Northern hemisphere, we assume). It will run on all devices down to the iPhone 4S (not the 4) and the three-year-old iPad 2.
What did I miss? Comment below. And if you are in San Fran tomorrow, join us at our annual WWDC meetup!
I have a dilemma. My boss wants me to signup for the Enterprise Developer Program but I don't have the legal authority to act on behalf of my company. This is the third time he has asked me to complete this task and I have explained I don't have the authority to complete the registration. I'm not sure what to do and want some advice to complete it or tell him what to do.
Can someone help me, or has someone experienced the same problem with their boss, and how did they solve it?
We also want to sign up for the Apple Deployment Program but it is the same problem with sign up.
I'll be live-tweeting the WWDC keynote tomorrow, focusing on Apple's announcements to enterprise users. Tune into @EnterpriseiOS beginning at 10 am PDT to follow along!
What's in store? iOS 8 is a safe bet. For the enterprise? No idea. But each year Apple seems to add more and more enterprise-focused features. I look forward to updating this chart.
Can you push install apps over-the-air with MDM on supervised devices (if you have activated supervision via Apple Configurator, not using Device Enrollment Program)?
Meraki Whitepaper (Deploying Apple iOS in Education - https://meraki.cisco.com/lib/pdf/meraki_whitepaper_ios.pdf - chapter 10) says that on “[s]upervised devices [you] must be re-connected to Apple Configurator for app updates and [...] to remove any unsanctioned apps on the device.”
Does this mean MDM (and specifically Meraki) can't deploy apps over the air? And if so, is it just a limitation to them, or can MDM in general not do this unless they are using Device Enrollment Program?
Once each year Apple parts the blackout curtains and lets us peek at the future. The event is the Apple Worldwide Developer Conference, and this year both the keynote and the "Platform State of the Union" are being streamed live.
Date and Time:
Monday, June 2, 10 AM PDT / 1 PM EDT
Live streaming video requires Safari 4 or later on OS X v10.6 or later; Safari on iOS 4.2 or later. Streaming via Apple TV requires second- or third-generation Apple TV with software 5.0.2 or later.
It's the next best thing to being there. (And if you ARE going to be there, be sure to join us at our meeting in San Fran Tuesday night!)