Apple's iOS devices meet many enterprise security needs

Yet Blackberry's security is still light years ahead

Apple's iOS, in the newer iPhones and the iPad, is now secure enough for many enterprise to deploy, according to a report from Forrester Research. But even the most recent version of iOS, in the iPhone 4, falls well short of the high security offered by Research in Motion's BlackBerry platform.

Nine real iPad alternatives

Forrester recommends implementing a basic set of iOS-based security features on both company- and employee-owned iPhones, and then layering on additional capabilities and policies to meet more stringent enterprise requirements. But the Apple devices still lack a range of features that high-security organizations may need.

Nearly one in three companies in North America and Europe currently support the iPhone, according to Forrester. That's an unprecedented number given that Apple offers almost nothing in terms of the management and security infrastructure that are hallmarks of both RIM and Microsoft.

But the changes Apple has introduced in iOS 3.1 and this summer in iOS 4 have been winning over IT executives. (See "iPhone winning over some corporate security skeptics"). Today, iPhones and iPads now "satisfy the basic security needs of most enterprises," writes Andrew Jaquith, senior analyst with Forrester.

The Apple platform now implements seven key features that cover these basic requirements, he says:

* Encrypting e-mail to and from iOS devices; via Exchange ActiveSync licensed from Microsoft or SSL-enabled IMPA and SMTP over TLS.

* Remotely wiping data from lost or stolen devices, now able to be done in less than one second.

* Passcode lock, via numeric-only PIN, or via an alphanumeric password; both can be set to varying levels of strength.

* After a set period of inactivity, iOS can lock the device to prevent access to information if it's left unattended.

* Devices can erase themselves automatically after a specified number of failed unlock attempts.

* Signed user configuration profiles, which set the security settings for a given user; the signed profile ensures it hasn't been tampered with.

* Automatically refreshing security policy settings, but only via ActiveSync and Microsoft Exchange 2007; (Lotus Notes Traveler eventually plans also to push updated policies to the device).

The minimum-length PIN, preventing guessable passwords and the autowipe feature combine to ensure that "cybercriminals cannot easily guess passwords without forcing the device to erase itself," Jaquith writes. Autolock and remote wipe mean that it's less likely company data can be gleaned from lost of stolen devices.

These basic features need to be complemented by an updated employee acceptable use policy, Forrester recommends. Among them:

* Employees must accept installation of the company's security profiles on the device in order to access company networks and data.

* Notify IT at once if the device is lost or stolen, or the employee no longer needs company access.

* Codify the company's right to wipe the device, even an employee-owned device, if it's lost or stolen, or the employee leaves the company.

* Require users to back up their iOS device via iTunes.

* Reimbursement policies, if any, are clearly stated.

For companies that need higher level of security, IT can require stronger unlock passcodes, mandate the iOS hardware encryption feature be turned on, make use of certificated-based authentication for e-mail, VPN or Wi-Fi access, via Simple Certificate Enrollment Protocol (supported by Apple) and a PKI and SCEP server; application encryption, via new APIs for this purpose in iOS 4 (Jaquith notes that the iPad won't support iOS 4 until some time later in 2010).

Two other options to consider are: the company's right to confiscated even an employee-owned iPhone or iPad in the event of an emergency (a standard practice in the Department of Defense, according to Forrester); and require nonpublic Personally Identifiable Information (PII) and Protected Health Information (PHI) to be removed from the employee's device, a requirement of some federal and state laws.

For company-owned iOS devices, there are yet more restrictive security options, though, "Forrester regards these policy options as excessive for personally owned devices, and we recommend that you implement these policies only sparingly," according to the report.

These additional steps include banning access to Apple's App Store, or the installation of apps, or both; blocking use of the iPhone camera; turning off the iPhone and iPad screen-capture feature (activated by pressing and holding the Home key); and block use of the apps such as the YouTube app, or even the Safari Web browser.

There are still weak points in implementing security for iOS devices, according to Jaquith. Apple's iPhone Configuration Utility, for example, generates the configuration profiles, but lags in automating various installation steps. This slack is being picked up now by third parties such as Sybase and Trust Digital, Jaquith says.

High-end device management tools are only now starting to become available, with new APIs in iOS 4. Several companies, including Sybase and MobileIron are working with the new APIs to eventually deliver centralized platforms for much more robust iOS device management.

Also missing are support for smart card authentication; compliance with FIPS 140-2 (the iPhone crypto software hasn't yet been certified); end-to-end e-mail encryption; SMS logging and archiving; and the ability to segregate work and personal user environments, data and applications.

John Cox covers wireless networking and mobile computing for "Network World."



Blog RSS feed:

Read more about anti-malware in Network World's Anti-malware section.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags consumer electronicsiosNetworkingsecurityMicrosoftwirelesssmartphonesPhonesForrester ResearchApple

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John Cox

Network World
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?