7 enterprise security improvements in iOS 7

7 enterprise security improvements in iOS 7

Summary: iOS 7 is a major step forward in enterprise mobile security. Apple has institutionalized security techniques for which, until now, enterprises had to go to an independent MDM/MAM vendor.

SHARE:

 |  Image 3 of 8

  • Thumbnail 1
  • Thumbnail 2
  • Thumbnail 3
  • Thumbnail 4
  • Thumbnail 5
  • Thumbnail 6
  • Thumbnail 7
  • Thumbnail 8
  • Find My iPhone, now with remote lock

    If your phone is lost or stolen, Find My iPhone allows you to locate or wipe it. iOS 7 improves the feature greatly by letting the user provide a message to display on the phone and prevent all other use. Even if the phone is wiped, iOS 7 will still prevent all use until the registered owner logs in to the proper iCloud account.

    This is the one the ones that everyone knows about. For the most part, the same rationale for this feature apply both to business and consumer use. Nobody wants their phone to get lost or stolen. If it's lost they want to make it easy for someone to return it. If it's stolen they want the data protected from access and the phone to be useless to the thieves.

    It's because of this feature and similar ones from Microsoft and Google that I think the incentive for phone theft will diminish a great deal in the next few years.

    If IT wants to, they can manage the Find My iPhone setting through the new MDM interfaces (more about that just ahead), including putting the device in "lost" mode. But in order to make it manageable, the phone's user (specifically, someone with the phone's iCloud credentials) will first need to disable the setting.

    Remote wipe still works on remotely-locked systems, but then a user would still need to enter the phone's iCloud credentials when booting out of the wipe.

    Image: Apple

  • MDM, MAM, EMM - Apple catches up some

    Mobile Device Management (MDM) was invented by BlackBerry, but the MDM business was created by Apple when they ripped off the BlackBerry API and opened it up to outside management systems. Now there are scores of companies selling mobile management and some, like MobileIron, AirWatch and Good Technology, are quite large.

    But Apple's MDM API was quite limited (until just recently). These 3rd parties came in and devised new techniques to manage applications and costs and to provide more precise device management. These techniques have come to be known as Mobile Application Management (MAM) and Enterprise Mobility Management (EMM).

    Now, in iOS 7, Apple has vastly expanded the management capabilities of iOS. Some examples: IT can prevent an iOS user from making changes to or removing accounts on the device. IT can control which devices a managed iOS 7 device can pair with over Bluetooth. IT can control user changes to device settings like wallpaper, can disable a personal hotspot, can query the device to see if various settings are made, and can limit ad tracking. An enterprise can even specify MDM enrollment at the time of purchase. Some other capabilities deserve specific treatment, which I provide in the pages to come.

    It's not clear that the established MDM companies are seriously threatened by Apple bundling these features. Few large customers are going to mandate iOS clients and the independent companies can also support Android and Windows Phone, and many of the companies can claim far better features. But strong baseline security is always a good thing for overall security of the installed base.

    Image: Apple

  • iOS 7 patches scores of vulnerabilities in iOS 6

    Every new version of iOS fixes security problems in the previous one, but iOS 7 does more of this than usual. As I wrote about separately, iOS 7 patches 80 vulnerabilities in iOS 6. This alone puts heavy pressure on users and IT to upgrade, as Apple is not going to patch iOS 6.

    Every new iOS device also usually casts some old one into the "unsupported" bin. The iPhone 3GS and iPad (first generation) can't upgrade to iOS 7 and therefore will remain vulnerable.

    Two specific vulnerabilities demonstrate the severity of the situation: CVE-2013-1025 is a buffer overflow in iOS CoreGraphics, allowing an attacker to take control of the process with a malicious PDF, but only in the context of the sandboxed browser. CVE-2013-3953 is a privilege escalation vulnerability which allows a malicious program to break out of the sandbox. Combined, CVE-2013-1025 and CVE-2013-3953 can lead to full control just by viewing a web site. This, incidentally is exactly what the famous JailbreakMe did: combining code execution and privilege escalation vulnerabilities to create a complete compromise via simple web browsing.

    Yes, both the CVE-2013-1025 and CVE-2013-3953 are now patched patched, but it shows that these things happen on iOS. 

Topics: Security, Apple, iPhone, iPad, Mobile OS, Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

Talkback

41 comments
Log in or register to join the discussion
  • And One Enterprise Security Failure in iOS 7

    iOS 7 and 7.0.2 have broken our prior ability to open attachments contained within S/MIME encrypted messages.

    http://snnyc.com/2013/09/ios7-smime-fail/
    Snnyc
    • was this reported in beta?

      With so many enterprises testing it and so many of them using Outlook you'd think a bug like this would stand out
      Larry Seltzer
    • Do you have any other links?

      I checked yours and the links in the tweet gadget to the right - all of those links go back to your page. Or could you possibly post a screenshot?
      athynz
      • a screen shot of the pulsating attachment?

        It's in the post. Here's the direct image URL: http://snnyc.com/wp-content/uploads/2013/09/pulsating.gif
        Larry Seltzer
        • Exactly!

          I personally do not use S/MIME encrypted messages so I can't say for sure if this is an actual error or not. A pulsating GIF on a website that the OP runs - at least that is my assumption based on his pseudonym's similarity to the website - does not constitute proof that this exists. I would think if this was an actual issue there would be a lot more press on it. That's why I was asking if he had any more proof such as a screenshot for the iOS device.
          athynz
          • Followup...

            Athynz - A healthy skepticism is appropriate on the Internet, but this S/MIME attachment handling issue in iOS 7 - 7.0.2 is a real problem. If there were anyone at Apple or a high-profile customer who needed proof, I could certainly demonstrate it via a WebEx session using Reflector to mirror an iPad's live screen, or just send them a device configured with test e-mail accounts and certificates.
            Snnyc
  • Improvements? Yes. or not....

    Work announced we can now have the 5S.
    Installed work apps and certs.
    - restricted iCloud (no change from 5)
    - restricted Siri (no change from 5)
    - turn off fingerprint use on Lockscreen (can use for other things)
    - some exchange features having issues (some graphics and attachments)
    rhonin
    • Biometrics

      Fingerprint device login was shut off. It fails corporate security requirements regarding biometric login. Seeing as this is predominately hardware, is it an iOS7 improvement.
      rhonin
  • "Find My iPhone, now with remote lock"

    Windows Phone had this long before Apple. Who is follwiong who?
    pfdsotm
    • I do mention that...

      ... in the article I link to on that page: http://www.zdnet.com/apple-google-microsoft-make-progress-against-phone-theft-7000021171/
      Larry Seltzer
    • Couple of features

      doesn't mean anyone is following. Why does someone always feel the need to keep track of these things? Who cares?!
      new gawker
      • Enterprises

        That is who cares. Or maybe, if your company hasn't been thinking about what a lost cell phone can cost the company, it won't matter to you. We offer employees $35/month to use their own cell phones instead of enterprise phones. Very few takers. They don't want their phone wiped if they misplace it (really should not be a big deal if people back up theuir phones). And they don't want their phones locked by policy. people are way to lazy about corporate security even with a lost laptop garnering over $1.25 million in fines these days (HIPAA for a large government organization).
        hforman9
    • Questionable isn't it.

      It's not the first biometric device either, by a long shot.

      Also MDM is painful if the device isn't work-only. Other platforms have adopted a separate scope for work and personal, or are looking to app launchers or apps like Sencha space for mobile app containers.
      dawesi
  • Apple really should continue patching iOS 6

    iOS 6 is slightly older than a year and support is already being discontinued?
    ye
    • Loyalty

      Just goes to show you how much Apple really cares about it's consumers. I'm sure there's a few million 3S owners out there that are perfectly happy with their phone. Now they're being kicked to the curb............
      svfiat
      • ????

        One does not have to upgrade either their phone or their OS and apps. It's not like Apple is holding a gun to anyone's head. I'm still running iOS 6 on my 4S and it works fine. What exactly is your issue?
        athynz
        • Not Quite Right

          Already starting to see app updates that contain bug fixes and new features. iOS7 is required.
          rhonin
          • security is the other issue

            There are 80 unpatched vulnerabilities in 6.
            Larry Seltzer
        • The issue is there are known vulnerabilities.

          And the only way to patch them is to upgrade to iOS 7. Something I am unable to do as I have business applications which do not work on iOS 7.
          ye
        • Security

          Most of the iPhone users I know have extremely confidential email and contacts on their phones. This is a discussion of "enterprise" issues and not who will care about a photo of my GF.
          hforman9