7 enterprise security improvements in iOS 7

  • A big step forward for enterprise security

    In most ways, iOS is no more "secure by design" than most other operating systems, and yet, as a practical matter, security problems have been slight in the real world. Apple has gotten away with doing far less than they might have, in no small part because third party security vendors filled in the gaps.

    The deficiencies in Apple's security management spawned the Mobile Device Management (MDM) and Mobile Application Management (MAM) industries. It is in these areas, which allow IT to manage and control the usage of mobile devices, where iOS 7's strongest improvements lie.

    There are features with broader appeal, such as Touch ID, the first usable biometrics in a phone, and remote lock, which protects lost and stolen phones. And there are other important improvements that are even more obscure than MDM improvements.

    In the pages that follow I describe seven improvements that make iOS 7 a much more secure operating system in an enterprise setting than iOS 6.

    Published: September 30, 2013 -- 11:57 GMT (04:57 PDT)

    Photo by: Apple

    Caption by: Larry Seltzer

  • Find My iPhone, now with remote lock

    If your phone is lost or stolen, Find My iPhone allows you to locate or wipe it. iOS 7 improves the feature greatly by letting the user provide a message to display on the phone and prevent all other use. Even if the phone is wiped, iOS 7 will still prevent all use until the registered owner logs in to the proper iCloud account.

    This is the one that everyone knows about. For the most part, the same rationale for this feature applies to both business and consumer use. Nobody wants their phone to get lost or stolen. If it's lost, they want to make it easy for someone to return it. If it's stolen, they want the data protected from access and the phone to be useless to the thieves.

    It's because of this feature and similar ones from Microsoft and Google that I think the incentive for phone theft will diminish a great deal in the next few years.

    If IT wants to, they can manage the Find My iPhone setting through the new MDM interfaces (more about that just ahead), including putting the device in "lost" mode. But in order to make it manageable, the phone's user (specifically, someone with the phone's iCloud credentials) will first need to disable the setting.

    Remote wipe still works on remotely-locked systems, but then a user would still need to enter the phone's iCloud credentials when booting out of the wipe.

  • MDM, MAM, EMM - Apple catches up some

    Mobile Device Management (MDM) was invented by BlackBerry, but the MDM business was created by Apple when they ripped off the BlackBerry API and opened it up to outside management systems. Now there are scores of companies selling mobile management and some, like MobileIron, AirWatch and Good Technology, are quite large.

    But Apple's MDM API was quite limited (until just recently). These 3rd parties came in and devised new techniques to manage applications and costs and to provide more precise device management. These techniques have come to be known as Mobile Application Management (MAM) and Enterprise Mobility Management (EMM).

    Now, in iOS 7, Apple has vastly expanded the management capabilities of iOS. Some examples: IT can prevent an iOS user from making changes to or removing accounts on the device. IT can control which devices a managed iOS 7 device can pair with over Bluetooth. IT can control user changes to device settings like wallpaper, can disable a personal hotspot, can query the device to see if various settings are made, and can limit ad tracking. An enterprise can even specify MDM enrollment at the time of purchase. Some other capabilities deserve specific treatment, which I provide in the pages to come.

    It's not clear that the established MDM companies are seriously threatened by Apple bundling these features. Few large customers are going to mandate iOS clients and the independent companies can also support Android and Windows Phone, and many of the companies can claim far better features. But strong baseline security is always a good thing for overall security of the installed base.

  • iOS 7 patches scores of vulnerabilities in iOS 6

    Every new version of iOS fixes security problems in the previous one, but iOS 7 does more of this than usual. As I wrote about separately, iOS 7 patches 80 vulnerabilities in iOS 6. This alone puts heavy pressure on users and IT to upgrade, as Apple is not going to patch iOS 6.

    Every new iOS device also usually casts some old one into the "unsupported" bin. The iPhone 3GS and iPad (first generation) can't upgrade to iOS 7 and therefore will remain vulnerable.

    Two specific vulnerabilities demonstrate the severity of the situation: CVE-2013-1025 is a buffer overflow in iOS CoreGraphics, allowing an attacker to take control of the process with a malicious PDF, but only in the context of the sandboxed browser. CVE-2013-3953 is a privilege escalation vulnerability which allows a malicious program to break out of the sandbox. Combined, CVE-2013-1025 and CVE-2013-3953 can lead to full control just by viewing a web site. This, incidentally, is exactly what the famous JailbreakMe did: combining code execution and privilege escalation vulnerabilities to create a complete compromise via simple web browsing.

    Yes, both CVE-2013-1025 and CVE-2013-3953 are now patched, but it shows that these things happen on iOS.

  • Managed Open-In

    When a user clicks "Share" to specify an app in which a document should open, he creates many potential software problems: Open In makes a copy of the document, and the application may not be considered secure.

    In iOS 7, through the MDM interfaces, IT can specify which apps are allowed to handle specific content types, potentially limiting that access to managed apps. They call this "Managed Open-In."

  • Per-app VPNs

    System-wide VPNs on mobiles are considered undesirable, partly as a security measure and partly because the company doesn't necessarily want to run all a user's personal traffic through their VPN.

    For some time, MDM vendors have been allowing IT to specify per-app VPNs: each instance of each managed app gets its own VPN tunnel. Now iOS 7 allows these per-app VPNs through the MDM interfaces.

    The VPN is managed entirely by IT. When the app is launched it opens up a VPN tunnel and when it terminates it closes that tunnel. The user launches and uses the app as they normally would, and should see no difference from it running through the VPN.

    At the company end, the VPN could be any of dozens of VPN products from F5, Cisco, Juniper or anyone else, but the VPN products may need to be updated to support this feature.

    Photo by: Wikimedia Commons

  • Enterprise Single Sign-On

    Nobody likes entering passwords, and it's all that much worse typing them on glass on a tiny phone. With Enterprise single sign-on, IT can allow users to enter one set of enterprise credentials and be authenticated for any app.

    Previous versions of iOS allowed this for all apps by the same vendor, but in iOS 7 any app by any vendor can be included.

    IT can also specify a set of URL prefixes to be included for single sign-on. If the user visits any site that starts with the prefix (e.g. http://www.zdnet.com/topic-apple/), iOS will send the credentials to the server.
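
An added example, not from the article or from Apple: a small Python audit of a configuration profile for the Managed Open-In restriction and the single sign-on URL prefixes described above. The sample profile is constructed, and the check on prefixes without a trailing slash assumes plain string-prefix matching, as the article describes it.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample profile (not from the article). Payload types and keys
# follow Apple's configuration-profile format; all values are made up.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "allowOpenFromManagedToUnmanaged": True},
        {"PayloadType": "com.apple.sso",
         "Kerberos": {"Realm": "EXAMPLE.TEST",
                      "URLPrefixMatches": ["http://www.example.test/apps/",
                                           "https://intranet.example.test",
                                           "https://sso.example.test/"]}},
    ],
})

def audit_profile(raw: bytes) -> list[str]:
    """Return findings for Managed Open-In and SSO URL-prefix settings."""
    findings = []
    profile = plistlib.loads(raw)
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.applicationaccess":
            # Key absent or True: managed documents may open in unmanaged apps.
            if payload.get("allowOpenFromManagedToUnmanaged", True):
                findings.append("open-in: managed documents can be opened in unmanaged apps")
        elif ptype == "com.apple.sso":
            for prefix in payload.get("Kerberos", {}).get("URLPrefixMatches", []):
                parts = urlsplit(prefix)
                if parts.scheme != "https":
                    findings.append(f"sso: non-HTTPS prefix {prefix}")
                elif parts.path == "":
                    # Assuming plain string-prefix matching, this would also
                    # match a longer hostname that begins with the same text.
                    findings.append(f"sso: prefix has no '/' after the host: {prefix}")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```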

  • Biometrics - Touch ID

    There have been attempts at biometrics in mobile devices before, but they were never easy to use, reliable and mass-market. It figured that Apple would be the first to do this.

    Touch ID is a fingerprint sensor, so far only on the iPhone 5S, built into the Home button. It handles biometric authentication and authorization and returns a simple yes or no to iOS 7.

    There's definitely some question as to how secure Touch ID can be. It may not be secure enough for an enterprise. It's also important to note that Touch ID is not two-factor authentication (2FA). You can use a passcode or the fingerprint, but you can't require both. The goal of 2FA, from one perspective, is to make it harder to log in, and Apple isn't interested in that.

    But it's more complicated than that. Touch ID users have to have a passcode as a backup, and if the device is rebooted or hasn't been unlocked in 48 hours the passcode is required. This may make it practical for IT to require very secure passcodes, perhaps 7 or more characters, while still making it easy to access the device on a regular basis.


By Larry Seltzer for Zero Day | September 30, 2013 -- 11:57 GMT (04:57 PDT) | Topic: Security

iOS 7 is a major step forward in enterprise mobile security. Apple has institutionalized security techniques for which, until now, enterprises had to go to an independent MDM/MAM vendor.
