Security Skeptics Invite iPhone into the Enterprise
The German branch of global IT services firm Logica has taken a different approach in rolling out about 1,400 iPhones, all running the 3.0 firmware, strictly for e-mail and PIM access via Outlook Web Access. "With the OWA capability and Exchange, you don't need any additional products to establish a secure connection between the iPhone and the enterprise back-end," says Jan Kokott, head of mobile devices for Logica Germany.
The connection relies on SSL-based authentication, and Exchange administrators can view basic information about the device, the user and activities. They can also remote wipe the iPhones clean of data if they are lost, stolen or jailbroken.
Kokott says Logica considered using a VPN connection but decided that, at this point, it wasn't necessary. A VPN makes the iPhone a core part of the internal network, he says. That was a level of access and complexity that isn't currently needed. In any case, mobile applications need a completely different design approach. "There is no use in…[just] porting an existing [application] workflow to a mobile device," he says.
The updated iPhone Configuration Utility has become a powerful tool for creating iPhone configuration profiles that implement a range of security policies, such as enforcing strong passwords, shutting off the camera, and restricting access to content, for example by disabling the Safari browser, iTunes or YouTube. Each device can make use of multiple profiles for different kinds of access, such as one for Exchange but a different one for VPN or Wi-Fi connections.
But ICU won't push these out to the handsets. You have to e-mail them or provide users with a link to a Web site. "It's very manual," says Dave Field, with Enterprise Mobile. "The fact that there's not over-the-air push deployment under the hood is a non-starter for many enterprises." But the 3.0 firmware did introduce one over-the-air feature: support for Simple Certificate Enrollment Protocol (SCEP), which authenticates a device for automatic distribution of digital certificates. To the user, it is in effect a super-strong, built-in password. "You don't have to enter it every time you connect," Field says. "You auto-connect to the VPN, and then you can access e-mail servers, or other resources, without knowing you're traversing a VPN."
Encrypting data on iPhones is now possible for the 3GS model. But Apple isn't forthcoming about exactly what data is encrypted or how, according to Field. "It would be helpful to know how it works, so that an [enterprise] security guy can say 'yes it meets our requirements,'" he says.
Third-party device security and management vendors are adding support for iPhone, often making use of many of the same recently introduced iPhone capabilities. Boxtone recently extended what had been its BlackBerry-only management software to iPhone. Zenprise did so earlier. Sybase just announced support for features in the recent 3.1 firmware release.