A big step forward for enterprise security
In most ways, iOS is no more "secure by design" than most other operating systems, and yet, as a practical matter, security problems have been slight in the real world. Apple has gotten away with doing far less than they might have, in no small part because third-party security vendors filled in the gaps.
The deficiencies in Apple's security management spawned the Mobile Device Management (MDM) and Mobile Application Management (MAM) industries. It is in these areas, which allow IT to manage and control the usage of mobile devices, where iOS 7's strongest improvements lie.
There are features with broader appeal, such as Touch ID, the first usable biometrics in a phone, and remote lock, which protects lost and stolen phones. And there are other important improvements that are even more obscure than MDM improvements.
In the pages that follow I describe seven improvements that make iOS 7 a much more secure operating system in an enterprise setting than iOS 6.
Find My iPhone, now with remote lock
If your phone is lost or stolen, Find My iPhone allows you to locate or wipe it. iOS 7 improves the feature greatly by letting the user provide a message to display on the phone and prevent all other use. Even if the phone is wiped, iOS 7 will still prevent all use until the registered owner logs in to the proper iCloud account.
This is one of the ones that everyone knows about. For the most part, the same rationale for this feature applies to both business and consumer use. Nobody wants their phone to get lost or stolen. If it's lost they want to make it easy for someone to return it. If it's stolen they want the data protected from access and the phone to be useless to the thieves.
It's because of this feature and similar ones from Microsoft and Google that I think the incentive for phone theft will diminish a great deal in the next few years.
If IT wants to, they can manage the Find My iPhone setting through the new MDM interfaces (more about that just ahead), including putting the device in "lost" mode. But in order to make it manageable, the phone's user (specifically, someone with the phone's iCloud credentials) will first need to disable the setting.
Remote wipe still works on remotely-locked systems, but then a user would still need to enter the phone's iCloud credentials when booting out of the wipe.
MDM, MAM, EMM - Apple catches up some
Mobile Device Management (MDM) was invented by BlackBerry, but the MDM business was created by Apple when they ripped off the BlackBerry API and opened it up to outside management systems. Now there are scores of companies selling mobile management and some, like MobileIron, AirWatch and Good Technology, are quite large.
But Apple's MDM API was quite limited (until just recently). Third parties came in and devised new techniques to manage applications and costs and to provide more precise device management. These techniques have come to be known as Mobile Application Management (MAM) and Enterprise Mobility Management (EMM).
Now, in iOS 7, Apple has vastly expanded the management capabilities of iOS. Some examples: IT can prevent an iOS user from making changes to or removing accounts on the device. IT can control which devices a managed iOS 7 device can pair with over Bluetooth. IT can control user changes to device settings like wallpaper, can disable a personal hotspot, can query the device to see if various settings are made, and can limit ad tracking. An enterprise can even specify MDM enrollment at the time of purchase. Some other capabilities deserve specific treatment, which I provide in the pages to come.
It's not clear that the established MDM companies are seriously threatened by Apple bundling these features. Few large customers are going to mandate iOS clients and the independent companies can also support Android and Windows Phone, and many of the companies can claim far better features. But strong baseline security is always a good thing for overall security of the installed base.