general

unmanaged but secured – how mobile application management support your enterprise

while ios and android offer more and more deep api to securely managed a mobile device and integrate into enterprise – apple utilize restrictions to natively separate managed from unmanaged content – android buildin work container on every device to secure enterprise data – both offer enrollment program to easiely intergrate the devices to management system

but there a argument to not rely on device management api – ios lack unfinished restriction of unmanaged/managed data, it is possible to bypass limitation under certain conditions – android depricated existing device admin feature in favor of android enterprise technology, but new container ui/ux isn’t consitant between different os releases and lack of some existing features, e.g. private/business calender overlay

privacy is a main point to offer a byod solution for your employees, ios managed devices could report your installed app and fully wipe even your private data (until user-enrollment was released), android enterprise addressed this from the very first, apple introduced user-erollment to address privacy concerns for byod deployments

usablity is the other big point to address for your users – while apple provide the ability to use business data within ios native applications, android lack of a consistant look and feel between os releases and different management api, batch icons differ at different releases and espesially samsung devices – to ease support provide the same email app across both mobile os

2019-06-09 07_00_15-MobileIron Email+ - Apps on Google Play

2019-06-09 07_00_05-‎MobileIron Email+ on the App Store

mobile application management also named non-MDM managed your data within an app or a entire framework, the app is’t capable to control your device, e.g. to enforce device pin or encryption – major mdm vendor like airwatch, mobileiron, blackberry formerly good and citrix provide a framework to secure your data over serveral productivity apps, without the need to rely on device api

blackberry_uem-logos

microsoft offer with it’s office 365 apps the capability to secure business data with app protection policies without the need to enroll your device to a unified endpoint management, 3rd party mdm could optinally integrate these features with graph api

Conceptual image that shows company data being protected by policies

when it comes to enterpise integration with full device vpn support, certificate authentication or kiosk (single use) devices there is no way around a uem solution

don’t be a fool, select your prefered solution, based on the requirement for each usecase

apple, innovation

whole new iOS13 with more privacy in enterprise

tim cook recently spoke about user data and privacy, while criticizing technology companies, like google or facebook

iOS is enterprise’s first choice for mobile activity, egnyte‘s enterprise insight showed a clear weighting and content is getting more more mobile

How-Businesses-Work-in_employees-840x1087

the biggest change since iOS5 introduced supervised devices and open-in management debuted in iOS7

iOS 13 will available in fall 2019 – since google is pushing hard with android enterprise to fit business needs, with it’s buildin containerization based on samsung’s KNOX – iOS 13 provide more granular security and better privacy restriction

enrollment methods

there are already rolled out thousands of iOS devices with either manually installing a mdm profile (uamdm) or centralized with device enrollment program (dep) to get the device under control of a unified endpoint management (uem) – additionally you can enable your iOS device as supervised either while dep enrolled or via apple configurator connected to a mac

newly added – user enrollment – previously an administrator of a managed device was able to retrieve the installed apps, remove the passcode or wipe the entire device – at least the privacy controls of the registered uem prohibit this features to individuals – with user enrollment there are huge improvements to the users privacy

  • user needs to login with managed apple id
  • uem unable to retrieve device information like IMEI, serial or mac address
  • private apps aren’t reported to uem
  • no control about device passcode or to wipe the entire device
  • still the configuration of wifi, vpn or exchange accounts will available
  • other existing restrictions reserved for supervised devices, see listing below

restriction changes

  • allowSafari, available since iOS 4, require supervised device as of iOS 13
  • allowVideoConferencing, available since iOS 4, require supervised device as of iOS 13
  • allowWiFiPowerModification, available for supervised iOS 13 devices
  • safariAllowAutoFill, available since iOS 4, require supervised device as of iOS 13
  • allowAddingGameCenterFriends, available since iOS 4.2.1, require supervised device as of iOS 13
  • allowAppInstallation, available since iOS 4, require supervised device as of iOS 13
  • allowCamera, available since iOS 4, require supervised device as of iOS 13
  • allowCloudBackup, available since iOS 5, require supervised device as of iOS 13
  • allowCloudDocumentSync, available since iOS 5, require supervised device as of iOS 13
  • allowCloudKeychainSync, available since iOS 7, require supervised device as of iOS 13
  • allowContinuousPathKeyboard, available for supervised iOS 13 devices
  • allowExplicitContent, available since iOS 4, require supervised device as of iOS 13
  • allowFindMyDevice, available for supervised iOS 13 devices
  • allowFindMyFriends, available for supervised iOS 13 devices
  • allowiTunes, available since iOS 4, require supervised device as of iOS 13
  • allowMultiplayerGaming, available since iOS 4.1, require supervised device as of iOS 13

read a full list of apple’s device management restrictions here

Sign in with Apple vs. managed Apple ID

while sign in with apple is the approach to to compete with google or facebook as a identity provider (idp) for external services, for business on the other hand managed Apple IDs were so far to manage functions of Apple Business Manager, since WWDC 2019 it’s necessary to register with user  enrollment, enterprise create additional account’s for byod user to add to their device, keeps data completely separated between both accounts, hopefully compared to now:

iPadOS

along with iOS13 apple separate to path between iPhone and iPad with a standalone OS, finally iPadOS can provide more feature to the tablet, a classic desktop replacement could possible – view the demo below

stay tuned for final release around mid-september with likely new 2019 iPhone


apple

apple adds more barriers to increase security

as far fas know from this ios 12.2 beta, there are several improvement/changes, at least in regards to the users security

enroll here: beta.apple.com


ssl security

not just since edward snowden, chelsea manning and other leaked infromation – your data matters – apple adds the noticable change in safari when browsing at webages that a not secure

@ios.gadgethacks.com
This image has an empty alt attribute; its file name is arrow-e1536485014760.jpg

read more about ssl strip @wifi security today and attack vectors


profile installation

profile at ios devices mean everything in enterprise, to enroll a private users device in emm system it is nessccary to manually install the ios mdm profile – before ios 12.2 the profile popped up to install – beginning with the new release, after successfully authenticated with emm the ios profile is download, user needs to manually navigate to settings and select to install profile

motion data

the new motion & orientation access stetting is toggled off by default, a webpage is unable to get accelerometer and gyroscope data from the iPhone – test at what web can to today website with iOS 12.2 beta

ios13 should be available in about 4 months

innovation, technology

progressive web apps

progressive web apps (pwa) getting more popular due to their ability to send push notifications – provide offline content and add to homescreen – no need to install pwa, improve functionallity above browsers with less costs compared to apps – load faster than web – enhanced conversion – scroll 60 frames per second

@google developers training

test your browser online, the featureset differs a lot between mobile platform and browser-  compatibility estimated by appswithlove.com

https://whatwebcando.today

2015 a chrome developer coined progressive web app, adopted by apple and even windows 10 joined as well


Some good examples what pwa’s can do and how already using it:

how to deal with acceleated mobile pages (amp) in times of pwa, how to choose between faster loading or offline functionality, it’s possible to combine both like washington post

read more: acceleated mobile pages


in an enterprise perspective it is about how to deploy applications, with mdm it is quite easy to push an app to a device, even silent installation is possible with android enterprise or apple vpp…

…but pwa’s aren’t that apps anymore and there is no api to remote set homescreen icon 

apple, google, innovation, microsoft, technology

unified endpoint management

today’s employees use at least two or more devices to do daily work on various os at different versions – it is time for a new class of tools – unified endpoint management (uem) combine the management of multiple endpoint types in a single console

evolution

from pc configuration lifecycle management (pcclm) via client management tools (cmt) to unified endpoint management (uem) – companies listed in the client management tools magic quadrant already transformed, other a overruled

content

emm

while enterprise mobility management (emm) is highly competitive and rapidly transforming — for instance, good technology, which was in gartner’s magic quadrant in 2015, was acquired by blackberry, airwatch was acquired by vmware in 2014 – emm contains of:

  • mobile device management (mdm)
  • mobile application management (mam)
  • mobile identity (mi)
  • mobile content management (mcm)

uem combine cmt + emm + iot

benefit

  1. reduce it management cost – a single tool
  2. improved security – get the best of both
  3. better insights – reporting
  4. prepared – enterprise of things

gartner

magic quadrant reports the ability to execute and completeness of vision for vendors – read full report here

Magic Quadrant for Unified Endpoint Management Tools

tco

according to gartner research, the annual tco of a fully managed smartphone using emm is almost
80% lower than the annual tco of a fully managed desktop using cmt

@mobileiron