6 of 8Image
When a user clicks "Share" to specify an app in which a document should open, he creates many potential software problems: Open in makes a copy of the document and the application may not be considered secure.
In iOS 7, through the MDM interfaces, IT can specify which apps are allowed to handle specific content types, potentially limiting that access to managed apps. They call this "Managed Open-In."
System-wide VPNs on mobiles are considered undesirable, partly as a security measure and partly because the company doesn't necessarily want to run all a user's personal traffic through their VPN.
For some time, MDM vendors have been allowing IT to specify per-app VPNs: each instance of each managed app gets its own VPN tunnel. Now iOS 7 allows these per-app VPNs through the MDM interfaces.
The VPN is managed entirely by IT. When the app is launched it opens up a VPN tunnel and when it terminates it closes that tunnel. The user launches and uses the app as they normally would, and should see no difference from it running through the VPN.
At the company end, the VPN could be any of dozens of VPN products from F5, Cisco, Juniper or anyone else, but the VPN products may need to be updated to support this feature.
Image: Wikimedia Commons
Enterprise Single Sign-On
Nobody likes entering passwords, and it's all that much worse typing them on glass on a tiny phone. With Enterprise single sign-on, IT can allow users to enter one set of enterprise credentials and be authenticated for any app.
Previous versions of iOS allowed this for all apps by the same vendor, but in iOS 7 any app by any vendor can be included.
IT can also specify a set of URL prefixes to be included for single sign-on. If the user visits any site that starts with the prefix (e.g. http://www.zdnet.com/topic-apple/), iOS will send the credentials to the server.