MDM, MAM, EMM - Apple catches up some
Mobile Device Management (MDM) was invented by BlackBerry, but the MDM business was created by Apple when they ripped off the BlackBerry API and opened it up to outside management systems. Now there are scores of companies selling mobile management and some, like MobileIron, AirWatch and Good Technology, are quite large.
But Apple's MDM API was quite limited (until just recently). These third parties came in and devised new techniques to manage applications and costs and to provide more precise device management. These techniques have come to be known as Mobile Application Management (MAM) and Enterprise Mobility Management (EMM).
Now, in iOS 7, Apple has vastly expanded the management capabilities of iOS. Some examples: IT can prevent an iOS user from making changes to or removing accounts on the device. IT can control which devices a managed iOS 7 device can pair with over Bluetooth. IT can control user changes to device settings like wallpaper, can disable a personal hotspot, can query the device to see if various settings are made, and can limit ad tracking. An enterprise can even specify MDM enrollment at the time of purchase. Some other capabilities deserve specific treatment, which I provide in the pages to come.
It's not clear that the established MDM companies are seriously threatened by Apple bundling these features. Few large customers are going to mandate iOS clients and the independent companies can also support Android and Windows Phone, and many of the companies can claim far better features. But strong baseline security is always a good thing for overall security of the installed base.
iOS 7 patches scores of vulnerabilities in iOS 6
Every new version of iOS fixes security problems in the previous one, but iOS 7 does more of this than usual. As I wrote about separately, iOS 7 patches 80 vulnerabilities in iOS 6. This alone puts heavy pressure on users and IT to upgrade, as Apple is not going to patch iOS 6.
Every new iOS device also usually casts some old one into the "unsupported" bin. The iPhone 3GS and iPad (first generation) can't upgrade to iOS 7 and therefore will remain vulnerable.
Two specific vulnerabilities demonstrate the severity of the situation: CVE-2013-1025 is a buffer overflow in iOS CoreGraphics, allowing an attacker to take control of the process with a malicious PDF, but only in the context of the sandboxed browser. CVE-2013-3953 is a privilege escalation vulnerability which allows a malicious program to break out of the sandbox. Combined, CVE-2013-1025 and CVE-2013-3953 can lead to full control just by viewing a web site. This, incidentally, is exactly what the famous JailbreakMe did: combining code execution and privilege escalation vulnerabilities to create a complete compromise via simple web browsing.
Yes, both CVE-2013-1025 and CVE-2013-3953 are now patched, but it shows that these things happen on iOS.
When a user taps "Share" to choose an app in which a document should open, he creates several potential security problems: "Open In" makes a copy of the document, and the receiving application may not be considered secure.
In iOS 7, through the MDM interfaces, IT can specify which apps are allowed to handle specific content types, potentially limiting that access to managed apps. They call this "Managed Open-In."