Our last two posts covered iOS data security options on unmanaged devices; now it’s time to discuss partially managed devices.
Our definition is:
Devices that use a configuration profile or Exchange ActiveSync policies to manage certain settings, but the user is otherwise still in control of the device. The device is the user’s, but they agree to some level of corporate management.
The following policies are typically deployed onto partially-managed devices via Exchange ActiveSync:
- Enforce passcode lock.
- Disable simple passcode.
- Enable remote wipe.
This, in turn, enables Data Protection on supporting hardware (including all models currently for sale).
iOS configuration profiles can enforce all the previous policies except remote wiping (which needs a separate remote wipe server tool), and can additionally add the following:
- On-demand VPN for specific domains (not all traffic, but all enterprise traffic).
- Manual VPN for access to corporate resources.
- Digital certificates for access to corporate resources (VPN or SSL).
- Installation of custom enterprise applications.
- Automatic wipe after failed passcode attempts. The number of attempts can be specified, unlike the user-facing setting in the Settings app, which is simply ON/OFF for a wipe after 10 failures.
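The passcode-related policies above are delivered in a configuration profile as a single passcode payload. The following Python is an added example written for this post, not code from the original article or from Apple: it builds a minimal profile (an XML plist) with the documented payload keys forcePIN, allowSimple and maxFailedAttempts, then audits a profile to report which of the baseline policies it actually enforces. Remote wipe is not a profile setting, so the audit deliberately never reports it as satisfied. The payload identifiers, UUIDs and example.com names are constructed placeholders.

```python
"""Build and audit an iOS passcode-policy configuration profile (.mobileconfig).

Added example; the identifiers, UUIDs and example.com names are constructed.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def build_profile(force_pin, allow_simple, max_failed_attempts=None):
    """Return a .mobileconfig (XML plist, bytes) holding one passcode payload."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.partial.passcode",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": force_pin,        # True = a passcode is required at all
        "allowSimple": allow_simple,  # False = disable simple (4-digit) passcodes
    }
    if max_failed_attempts is not None:
        # Wipe after N bad attempts. The user-facing Settings switch is only
        # ON/OFF at 10 failures; the profile lets the admin pick the number.
        payload["maxFailedAttempts"] = max_failed_attempts

    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.partial",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Partially managed device (example)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(mobileconfig):
    """Parse a profile and report which baseline policies it enforces.

    Returns a dict of policy name -> bool. Remote wipe cannot be expressed in
    a configuration profile (it needs ActiveSync or a wipe server), so it is
    always reported False here: the profile alone never proves it.
    """
    profile = plistlib.loads(mobileconfig)
    result = {
        "passcode_required": False,
        "simple_passcode_disabled": False,
        "wipe_on_failed_attempts": False,
        "remote_wipe": False,
    }
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PASSCODE_PAYLOAD_TYPE:
            continue
        result["passcode_required"] = bool(payload.get("forcePIN", False))
        # allowSimple defaults to true when absent, so a missing key means
        # simple passcodes are still allowed.
        result["simple_passcode_disabled"] = payload.get("allowSimple", True) is False
        attempts = payload.get("maxFailedAttempts")
        result["wipe_on_failed_attempts"] = isinstance(attempts, int) and attempts > 0
    return result


def meets_partial_management_baseline(mobileconfig):
    """True when the profile enforces a passcode and disables simple passcodes."""
    r = audit_profile(mobileconfig)
    return r["passcode_required"] and r["simple_passcode_disabled"]


if __name__ == "__main__":
    # Weak profile: passcode optional, simple passcodes allowed, no wipe limit.
    weak = build_profile(force_pin=False, allow_simple=True)
    # Hardened profile matching the three policies listed in the post.
    hardened = build_profile(force_pin=True, allow_simple=False, max_failed_attempts=10)
    for name, blob in (("weak", weak), ("hardened", hardened)):
        print(name, audit_profile(blob), meets_partial_management_baseline(blob))
```

The audit treats a missing allowSimple key as "simple passcodes allowed", because that is the payload's default; a profile that merely omits the key does not disable simple passcodes.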
The key differences between partially and fully managed devices are that a) the user can still install arbitrary applications and change settings, and b) not all traffic is routed through a mandatory full-time VPN.
One key point when administering managed policies on a user-owned device is to obtain the user’s consent and notify them of what will happen. The user should sign a document saying they understand that although they own the device, by accessing corporate resources they are allowing management, which may include remote wiping of a lost or stolen device, and that they are responsible for their own backups of personal data.
Enhanced security for existing options
Most of the previous options we have discussed are significantly enhanced when digital certificate, passcode, and Data Protection policies are enforced. This is especially true of all the sandboxed app options – in fact, many vendors in those categories don’t support use of their tools without a configuration profile that requires at least a passcode.
Managed Exchange ActiveSync (or equivalent)
Microsoft’s ActiveSync protocol, despite its name, is separate from the Exchange mail server and included with alternate products, including some that compete with Exchange. iOS natively supports it, so it is the backbone for managed email on iDevices when a sandboxed messaging app isn’t used.
By setting the policies listed above, all email is encrypted under the user’s passcode using Data Protection. Other content is not protected, but remote wipe is supported.
Custom enterprise sandboxed application
Now that you can install an enterprise digital certificate onto the device and guarantee Data Protection is active, you can also deploy custom enterprise applications that leverage this built-in encryption.
This option allows you to use the built-in iOS document viewer within your application’s sandbox, which enables you to fairly easily deploy a custom application that provides fully sandboxed and encrypted access to enterprise documents. Combine it with an on-demand VPN tied to the domain name of the server or a manual VPN, and you have data encrypted both in transit and in storage.
Today a few vendors provide toolkits to build this sort of application. Some are adding document annotation for PDF files, and based on recent announcements we expect to see full editing capabilities also added for MS Office document formats.
One Reply to “iOS Data Security: Securing Data on Partially-Managed Devices”
Managing devices is not easy. You can’t always detect a jailbreak, and users can (and will) remove policies.
Tools such as this one — https://github.com/joedj/ExchangePolicyCleaner — already exist to do this very thing.
Of course, it is also possible to remove a Windows laptop from a domain and wipe out existing forced group policy without even re-installing the OS. However, instead of gaining SYSTEM access and running a set of strange commands — the future of managed mobile devices means that there will be “an app for that”.