apple, innovation

whole new iOS13 with more privacy in enterprise

tim cook recently spoke about user data and privacy, while criticizing technology companies like google or facebook

iOS is the enterprise’s first choice for mobile activity; egnyte‘s enterprise insight showed a clear weighting, and content is getting more and more mobile

the biggest change since iOS 5 introduced supervised devices and open-in management debuted in iOS 7

iOS 13 will be available in fall 2019 – since google is pushing hard with android enterprise to fit business needs, with its built-in containerization based on samsung’s KNOX – iOS 13 provides more granular security and better privacy restrictions

enrollment methods

thousands of iOS devices have already been rolled out, either by manually installing an mdm profile (uamdm) or centrally with the device enrollment program (dep), to get the device under control of a unified endpoint management (uem) – additionally you can enable your iOS device as supervised, either while dep enrolled or via apple configurator connected to a mac

newly added – user enrollment – previously an administrator of a managed device was able to retrieve the installed apps, remove the passcode or wipe the entire device – at least the privacy controls of the registered uem could prohibit these features for individuals – with user enrollment there are huge improvements to the user’s privacy

  • user needs to log in with a managed apple id
  • uem is unable to retrieve device information like IMEI, serial or mac address
  • private apps aren’t reported to the uem
  • no control over the device passcode and no way to wipe the entire device
  • configuration of wifi, vpn or exchange accounts will still be available
  • other existing restrictions are reserved for supervised devices, see listing below

restriction changes

  • allowSafari, available since iOS 4, requires a supervised device as of iOS 13
  • allowVideoConferencing, available since iOS 4, requires a supervised device as of iOS 13
  • allowWiFiPowerModification, available for supervised iOS 13 devices
  • safariAllowAutoFill, available since iOS 4, requires a supervised device as of iOS 13
  • allowAddingGameCenterFriends, available since iOS 4.2.1, requires a supervised device as of iOS 13
  • allowAppInstallation, available since iOS 4, requires a supervised device as of iOS 13
  • allowCamera, available since iOS 4, requires a supervised device as of iOS 13
  • allowCloudBackup, available since iOS 5, requires a supervised device as of iOS 13
  • allowCloudDocumentSync, available since iOS 5, requires a supervised device as of iOS 13
  • allowCloudKeychainSync, available since iOS 7, requires a supervised device as of iOS 13
  • allowContinuousPathKeyboard, available for supervised iOS 13 devices
  • allowExplicitContent, available since iOS 4, requires a supervised device as of iOS 13
  • allowFindMyDevice, available for supervised iOS 13 devices
  • allowFindMyFriends, available for supervised iOS 13 devices
  • allowiTunes, available since iOS 4, requires a supervised device as of iOS 13
  • allowMultiplayerGaming, available since iOS 4.1, requires a supervised device as of iOS 13

read a full list of apple’s device management restrictions here
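a small audit script for the list above, added here as an example and not part of the original post or of apple’s tooling: it parses a constructed .mobileconfig with plistlib and reports every key in the restrictions payload that requires supervision as of iOS 13, so a profile meant for user-enrolled or unsupervised devices can be checked before deployment (the allowScreenShot key is a real restriction used only as a contrast case)

```python
"""Audit an iOS restrictions profile for keys that need a supervised device."""
import plistlib

# Keys listed in the post that require a supervised device as of iOS 13.
SUPERVISED_ONLY_IOS13 = {
    "allowSafari", "allowVideoConferencing", "allowWiFiPowerModification",
    "safariAllowAutoFill", "allowAddingGameCenterFriends",
    "allowAppInstallation", "allowCamera", "allowCloudBackup",
    "allowCloudDocumentSync", "allowCloudKeychainSync",
    "allowContinuousPathKeyboard", "allowExplicitContent",
    "allowFindMyDevice", "allowFindMyFriends", "allowiTunes",
    "allowMultiplayerGaming",
}

# Constructed sample profile: one restrictions payload mixing a key that
# still works unsupervised (allowScreenShot) with two supervised-only ones.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.restrictions</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>PayloadIdentifier</key><string>example.restrictions.1</string>
    <key>allowCamera</key><false/>
    <key>allowCloudBackup</key><false/>
    <key>allowScreenShot</key><false/>
  </dict></array>
</dict></plist>"""


def supervised_only_keys(profile_bytes):
    """Return the sorted restriction keys that silently require supervision."""
    profile = plistlib.loads(profile_bytes)
    found = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the restrictions payload carries these keys
        found.update(k for k in payload if k in SUPERVISED_ONLY_IOS13)
    return sorted(found)


if __name__ == "__main__":
    for key in supervised_only_keys(SAMPLE_PROFILE):
        print(f"{key}: requires a supervised device as of iOS 13")
```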

Sign in with Apple vs. managed Apple ID

while sign in with apple is the approach to compete with google or facebook as an identity provider (idp) for external services, managed Apple IDs were so far used on the business side to manage functions of Apple Business Manager; since WWDC 2019 a managed Apple ID is necessary to register with user enrollment: the enterprise creates an additional account for the byod user to add to their device, which keeps data completely separated between both accounts, hopefully better than now.

iPadOS

along with iOS 13 apple separates the paths of iPhone and iPad with a standalone OS; finally iPadOS can provide more features to the tablet, and a classic desktop replacement could be possible – view the demo below

stay tuned for the final release around mid-september, likely together with the new 2019 iPhone


innovation, technology

… not in june

everyone is promising what to wait for, but not in this article – we’re ahead of big upcoming technology – it’s may 2019, but as mentioned in the title, not in june

Samsung Fold

Samsung already presented one of the first foldable phones, but seems to struggle with the folding mechanics @androidauthority


Huawei OS

Since the ban of Huawei devices, they’re pushing “plan b”, which is necessary for their announced but not released devices Mate X and Honor 20 (Pro) @techradar


iOS13

At WWDC Apple will demonstrate iOS 13 with its features, like dark mode, but the release will probably be in late summer @macrumors


Blackberry Messenger

the messaging service is about to shut down and will not be available until june @slashgear

apple, google, innovation, microsoft, technology

windows 10 is (still) mobile

by the end of this year microsoft will end support for windows 10 mobile, on december 10 2019; the october release 1709 was the last update, back in 2017

since microsoft wasn’t able to get a notable footprint in the mobile business, windows phone failed and was relaunched as windows 10 mobile .. there are still ways to combine windows 10 and mobile

launcher 10 – android launcher

i was a huge fan of windows 10 mobile and its live tile design, but missing enterprise features and apps forced me to look for other opportunities

launcher 10 offers the beloved windows phone design for android smartphones as a separate launcher; sort and resize your tiles, including live tiles as a paid feature

live tiles are deprecated by microsoft, and microsoft missed removing all references, so a subdomain takeover is possible; the service is still online http://www.buildmypinnedsite.com/

your phone app companion

every windows 10 embeds a feature to connect your ios or android phone, to remotely use features like sending messages, access media from your device or synchronize file changes between devices

with the current windows 10 insider preview build 18885 (20H1) microsoft added notifications for android devices – stop reaching for your phone to check it, with features like

  • see incoming phone notifications in real-time
  • view all of your phone notifications in one place
  • customize which notifications you want to receive
  • clear notifications individually or all at once

read more about productivity with a second screen

3rd party services

other apps like airdroid, pushbullet, mightytext and others also offer the ability to compose and receive messages from the desktop, transfer files without a wired connection and of course receive push notifications directly from the device – additionally this is possible within your browser, independent from your platform, os or even device, when using a web service

apple

if you’re using an apple device you probably own a mac and should use features like universal clipboard, making calls with your mac, sending and receiving messages or handoff, to continue immediately between devices where you stopped before, everything connected via icloud

use continuity to connect your mac, iphone, ipad, ipod touch, and apple watch

innovation, technology

virtual smart card

… for desktops/laptops a physical smartcard inserted in the device provides additional security; the user just needs to unlock the smartcard with a pin, without the need to know their password – in times of mobile devices it is possible to attach those smartcards with adapters, but with a bad user experience

derived credentials ensure compliance with HSPD12 / FIPS 201 personal identity verification (piv) requirements


derived credentials providers, e.g. entrust, provide an overview of the integration into the infrastructure and the enrollment of trusted certificates with a modern emm system


citrix provides an easy way to securely authenticate at workspace app for emm-trusted devices: better usability and higher security

download the second draft version of NIST cybersecurity practice guide SP 1800-12, derived piv credentials, released by NCCoE and attached below.

innovation, technology

progressive web apps

progressive web apps (pwa) are getting more popular due to their ability to send push notifications, provide offline content and be added to the homescreen – no need to install a pwa; they improve functionality beyond plain browsers at lower cost compared to apps, load faster than the web, enhance conversion and scroll at 60 frames per second

@google developers training

test your browser online; the feature set differs a lot between mobile platforms and browsers – compatibility estimated by appswithlove.com

https://whatwebcando.today

in 2015 a chrome developer coined the term progressive web app; it was adopted by apple, and even windows 10 joined as well


Some good examples of what pwas can do and who is already using them:

how to deal with accelerated mobile pages (amp) in times of pwa, how to choose between faster loading or offline functionality – it’s possible to combine both, like the washington post does

read more: accelerated mobile pages


from an enterprise perspective it is about how to deploy applications; with mdm it is quite easy to push an app to a device, and even silent installation is possible with android enterprise or apple vpp…

…but pwas aren’t apps in that sense anymore, and there is no api to remotely set a homescreen icon

apple, google, innovation, technology

qr code & share wifi

in business it is quite common to use qr codes to optimize processes – in private this feature is rarely adopted, but …

read more: enterprise features of android pie

qr code

often used to link webpages, promote sales offers or share contacts – different styles, colors or even logos are possible …


… but it gets complicated if you don’t know how to scan the code; first you need to download a qr code reader app – since ios11 apple has added the native function to scan qr codes with the camera app – some android devices have a qr code reader pre-installed, others need to download one from the app store

wifi qr code

enterprises face other challenges to securely authenticate and trust devices

read more: wifi security today and attack vectors

friends often ask to join your private wifi – tell them the password? no – let them type your 12diget&complex$pezialC4ract3r password? maybe not

create a qr code of your wifi including the password, with services like qifi, and your friends “simply” need to scan the code

tested: for ios since ios11 it works pretty easily; android devices with a pre-installed qr code reader need to find the right app, but even my huawei ai powered camera is unable to recognize the qr code

update: since ios12 it is possible to add the qr code scanner to control center to access it from the lock screen, and qr codes are highlighted in the camera while scanning
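what services like qifi actually put into the code is a plain string of the form WIFI:T:&lt;auth&gt;;S:&lt;ssid&gt;;P:&lt;password&gt;;; – the example below is added here and is not code from the original post or from qifi: it builds that string with the backslash escaping a complex password needs and parses it back, which also makes clear that the password travels in clear text inside the code

```python
"""Build and parse the WIFI: payload carried by wifi qr codes."""

# Characters that must be backslash-escaped inside ssid and password.
SPECIAL = '\\;,":'


def escape(value):
    return "".join("\\" + c if c in SPECIAL else c for c in value)


def build_wifi_payload(ssid, password, auth="WPA", hidden=False):
    """Return the WIFI: string; auth is WPA, WEP or nopass."""
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("auth must be WPA, WEP or nopass")
    fields = [("T", auth), ("S", escape(ssid))]
    if auth != "nopass":
        fields.append(("P", escape(password)))
    if hidden:
        fields.append(("H", "true"))
    return "WIFI:" + "".join(f"{k}:{v};" for k, v in fields) + ";"


def parse_wifi_payload(payload):
    """Parse a WIFI: string into a dict of its fields, undoing the escaping."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a wifi payload")
    result, key, value, i = {}, None, [], len("WIFI:")
    while i < len(payload):
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):   # escaped character, keep next as-is
            value.append(payload[i + 1])
            i += 2
            continue
        if key is None:
            if c == ";":                         # second ';' of the ';;' terminator
                break
            key = c                              # field letter, then skip its ':'
            i += 2
            continue
        if c == ";":                             # end of this field's value
            result[key] = "".join(value)
            key, value = None, []
        else:
            value.append(c)
        i += 1
    return result


if __name__ == "__main__":
    # Constructed sample credentials, not a real network.
    code = build_wifi_payload("home;net", 'p@ss:word,"x"')
    print(code)
    print(parse_wifi_payload(code))
```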


ios share wifi

ever since ios11 apple has included a feature to share the wifi password between two ios devices; if you have an ios device, there are some requirements to be met

  • both ios devices need ios11 or newer installed
  • both ios devices need wifi and bluetooth enabled
  • your ios device must be actively connected to the wifi that the other device wants to join
  • both ios devices need physical proximity to each other
  • you must have each other in your contacts list

be aware

  1. trusted devices inside your network may access your private services (sonos) or unsecured storage (nas) – better set up a separate guest wifi with access to the internet only
  2. shared passwords are synced to google backup or icloud backup

apple, google, innovation, microsoft, technology

unified endpoint management

today’s employees use at least two devices for their daily work, on various os’s at different versions – it is time for a new class of tools – unified endpoint management (uem) combines the management of multiple endpoint types in a single console

evolution

from pc configuration lifecycle management (pcclm) via client management tools (cmt) to unified endpoint management (uem) – companies listed in the client management tools magic quadrant have already transformed, others were overruled

content

emm

while enterprise mobility management (emm) is highly competitive and rapidly transforming – for instance, good technology, which was in gartner’s magic quadrant in 2015, was acquired by blackberry, and airwatch was acquired by vmware in 2014 – emm consists of:

  • mobile device management (mdm)
  • mobile application management (mam)
  • mobile identity (mi)
  • mobile content management (mcm)

uem combines cmt + emm + iot

benefit

  1. reduce it management cost – a single tool
  2. improved security – get the best of both
  3. better insights – reporting
  4. prepared – enterprise of things

gartner

the magic quadrant reports the ability to execute and completeness of vision for vendors – read the full report here

Magic Quadrant for Unified Endpoint Management Tools

tco

according to gartner research, the annual tco of a fully managed smartphone using emm is almost 80% lower than the annual tco of a fully managed desktop using cmt

@mobileiron

apple, innovation, technology

defer ios updates

ios12 was announced and demonstrated at wwdc; the beta started on june 19th and the public beta followed on june 25th

since ios 11.3 it is possible to suppress ios updates on managed devices – because you want to test new releases in your infrastructure and ensure that all of your productivity apps run fine with the new version

it is mandatory that those devices are supervised, set up with the apple device enrollment program or enabled with apple configurator

with current emm vendors it is possible to simply enable/disable this value – otherwise configure a profile in apple configurator and either send it via mail or upload it to the enterprise mobility management suite and deploy it remotely


if your device is running an ios version below 11.3, you are able to configure a global http proxy – with a *.pac file you can redirect the apple update url

mobile devices fit enterprise needs

innovation, technology

multi-factor authentication

the most used passwords are still “12345” and “password” – keep your private data as safe as enterprises do

secure authentication needs to be smart

short message service is the most convenient second factor, but sms is insecure and can be intercepted – major us carriers are working together on a next-gen ‘mobile authentication platform’ to replace the weak sms system

mobile id

is a more secure service, based on certificates and secured with a separate pin – a special sim needs to be provided by the carrier @mobileid

id card

the electronic id function of the german passport lets you securely authenticate at public services, insurances or banks – registered to you and secured with a pin – you need a card reader or an app @personalausweisportal

oath

is an open standard that allows strong authentication of all users on all devices – no code needs to be sent, nor can it be intercepted with a man in the middle (mitm) attack; the code is calculated in an app – get the code right on your smartwatch or back up your accounts with andotp

update: since ios12 and macos 10.14 it is possible to configure oauth in the exchange payload via emm; read the details at: apple’s configuration profile reference
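the “code is calculated in an app” part above is hotp/totp (rfc 4226 / rfc 6238); the example below is added here and is not code from the original post or from any of the apps mentioned: it derives the code from the shared secret and a counter or timestamp with plain hmac, and verifies a code with a small drift window and a constant-time comparison – the secret is the rfc test secret, not a real one

```python
"""HOTP/TOTP one-time codes as used by oath authenticator apps."""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"  # test vector secret from RFC 4226 / RFC 6238


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                          # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret, at=None, step=30, digits=6):
    """Time-based variant: the counter is the number of steps since the unix epoch."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify(secret, code, at, step=30, window=1):
    """Accept the code for the current step and +-window steps to tolerate clock drift.
    Comparison is constant-time so response timing does not leak matching digits."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                  # 755224, per RFC 4226
    print(totp(RFC_SECRET, at=59, digits=8))    # 94287082, per RFC 6238
```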

pointsharp

provides secure login with multi-factor authentication to enterprise alliances or cloud services – use the pointsharp password for mobile services instead of windows accounts – log in with scratch cards, hardware tokens, smartwatch, biometrics or one-time pin

fido

review here

an alliance to provide a passwordless experience and a secure second factor – a hardware device ensures the trust in the identity @fidoalliance.org

microsoft announced “password-less sign-in to windows 10 & azure ad using fido2” @blog.microsoft

cloud

casb (cloud access security broker) checks access based on a security policy in front of a cloud service

iam (identity and access management) manages user identities centrally and provides role-based access

emm alone can’t prevent users from accessing cloud services via unmanaged apps or browsers. neither iam nor casb have the visibility or ability to allow or deny access to a cloud service based on the state of the mobile device or application. @mobileiron

be safe – review here for a list of websites and whether or not they support 2fa

no excuses anymore

google, innovation

enterprise features of android p

only a few days ahead of google i/o – google’s annual developer conference – may 8-10 – where they will present android p, gmail, android wear 3.0, vr with daydream, google home and maybe more

here are the main features to be provided to the enterprise – rock solid progression of android enterprise – modifications from other os’s found as well – some cool admin gadgets

work profile user interface

  • Switch apps across profiles

  • Programmatically turn work profiles on or off

lock down any app to a device

  • whitelist and control certain system ui features

support multiple users on dedicated devices

  • multiple users can share a single device, dedicated for a specific purpose, managed via emm

clear package data and remove accounts

new user restrictions and increased control over settings

  • Configure APNs

  • Configure time and timezone

  • Enforce user restrictions on important settings

  • Metered data

migrate dpc

  • hand over a device between different emm vendors

postpone over-the-air (ota) updates

  • also possible on ios devices since ios 11.3

restrict sharing into a work profile

hardware-secured keys and machine certificates

  • generated keys never leave the secure hardware and can be used from the android keychain

password blacklist

streamlined qr-code enrollment

  • wifi profile supported, like with nfc enrollment

@google