1 What iOS 11 Means to the Enterprise MKT EN-US v1.1 Table of Contents Executive Summary Expanding the foundation for Apple in the enterprise iPad Pro delivers a more productive enterprise user experience iOS 11 supports more powerful and secure app development Apple expands enterprise security and management Conclusion 2 3 5 9 12 14 401 East Middlefield Road Mountain View, CA 94043 [email protected]www.mobileiron.com Tel: +1.877.819.3451 Fax :+1.650.919.8006
Transcript
1
What iOS 11 Means to the Enterprise
MKT EN-US v1.1
Table of Contents
Executive Summary
Expanding the foundation for Apple in the enterprise
iPad Pro delivers a more productive enterprise user experience
iOS 11 supports more powerful and secure app development
Apple expands enterprise security and management
Conclusion
2
3
5
9
12
14
401 East Middlefield RoadMountain View, CA [email protected]: +1.877.819.3451Fax :+1.650.919.8006
The release of iOS 11 highlights Apple’s continued commitment to the enterprise by providing more options for organizations that are in the process of replacing older PCs. As a dominant player in the consumer market, Apple is now pursuing a stronger foothold in the enterprise market with many new features and capabilities released in iOS 11. For example, new multitasking and Multi-Touch capabilities are designed to deliver a more robust, desktop-like experience on the new iPad Pro. In fact, with all the new features, it appears that the iPad Pro is intended to be a desktop replacement or “light laptop” for employees who want a more travel-friendly device without compromising productivity.
In addition to productivity features, iOS 11 has also introduced new development tools and APIs that are clearly designed to help developers grow the ecosystem of more powerful and secure apps for a variety of enterprise use cases.
Although iOS 11 has introduced a vast range of new features, this paper primarily covers those most relevant to the enterprise. It also discusses the role of enterprise mobility management (EMM) solutions in managing and deploying some of these new capabilities. Ultimately, enterprise IT should have a good understanding of how Apple’s latest release may impact their organizations so they can prepare to manage and leverage these new features to securely support their business processes.
3
Global enterprise organizations are rapidly shifting from legacy PC computing to modern operating systems and cloud-based applications to help increase business agility and reduce costs. On top of that, employees have become so dependent on their personal devices that they expect the same intuitive experience in their work lives as well. As organizations start to phase out aging Windows PCs, they are looking to replace them with devices that combine full-featured desktop productivity with increased mobility, cloud computing, and simplified security and management.
The release of iOS 11 and the new iPad Pro is clearly designed to meet this need by providing a compelling option for enterprise organizations as they upgrade their legacy PC architectures. Several years ago, Apple led the market by enabling organizations to securely manage devices with EMM solutions. Microsoft is also heading in this direction with Windows 10, which is significant because it means that more organizations will be adopting EMM as their primary desktop and mobile device management (MDM) platform. As Computerworld noted, “By focusing on EMM as a total management approach, businesses can become even more device agnostic — allowing workers to be more productive on the devices they already have.”1 This is especially good news for enterprise iOS and macOS users, because it will further reduce barriers to using their preferred Apple devices for work.
With all the new productivity features available in iOS 11 and the iPad Pro,
business users will expect their IT organizations to fully support these
upgrades. New multitasking and Multi-Touch capabilities such as drag
and drop, Dock, app switcher, split view, and expanded file management
features like the new Files app will make the iPad — and especially the
iPad Pro — a valid contender for enterprise desktop replacements.
With all the new productivity features available in iOS 11 and the iPad Pro, business users will understandably expect their IT organizations to fully support these upgrades. New multitasking and Multi-Touch capabilities such as drag and drop, Dock, app switcher, split view, and expanded file management features like the new Files app will make the iPad — and especially the iPad Pro — a valid contender for enterprise desktop replacements.2
Expanding the foundation for Apple in the enterprise
4
Other enterprise features include expanded near-field communication (NFC) support for developers, password autofill for apps, and DeviceCheck APIs that generate a temporary token to uniquely identify a device while maintaining user privacy.3 The release of these and other key features in iOS 11 makes the iPad an elegant and powerful tool to bridge any gap between tablets and smart laptops. Other capabilities, such as augmented reality (AR) app support with ARKit and machine learning development tools with Core ML are enhancing the foundation for Apple’s future expansion in the enterprise.
This paper will focus on three key enterprise upgrades introduced in iOS 11:
iPad Pro delivers a more productive enterprise user experience
Together, iOS 11 and the new iPad Pro are increasingly blurring the line between enterprise and consumer experiences. The latest releases don’t just add a few new consumer-oriented features; together they enable a more full-featured enterprise experience and free up workers to be even more productive either inside or out of the office.
The new iPad Pro
With iOS 11, the iPad Pro has evolved into a true content creation device that enables more than just basic web and app usage — its functionality now resembles that of a light laptop. These significant improvements in usability and productivity clearly show that Apple is trying to close the gap between the tablet and laptop user experience. Until now, the iPad was not viewed as a laptop replacement, but with new features such as a 10.5-inch screen, brighter and sharper display, 30% faster CPU, 40% faster GPU, 12-megapixel camera, and 4K video, Apple is trying to deliver a much more robust, laptop-like experience on the iPad.4 In addition to these essential hardware upgrades, Apple is also making the new iPad Pro more customizable and “desktop-like” while keeping the experience predictable across its broad user base. These enhancements include:
FilesFiles is a completely new iOS capability that can find, organize, open, and delete all the files on an iOS 11 device, in iCloud, and from third-party storage services like Box or Google Drive. It supports drag
With iOS 11, the iPad Pro has evolved into a true content creation device that enables more than just basic web and
app usage — its functionality now resembles that of a light laptop.
and drop functions as well as nested folders, tags, and a persistent search bar. The search function does not yet search within the content of the files, but it can find files by name within subfolder structures.
Files offers significant productivity advantages for enterprise users. For example, an employee may work in IT but also need access to marketing documents. However, these departments use completely different storage repositories, such as Box for IT and Google Drive for marketing. With Files, the employee can quickly find the documents in one place on the new iPad Pro.
Professional users will probably find Files very useful for keeping track of content from different sources and physically on the device. However, from a security perspective, corporate IT should consider implementing the iOS managed open-in rules
6
through EMM. They should also evaluate additional protections to ensure that only authorized users can access corporate content within supported apps and containers.
Dock enhancementsThe iPad Pro Dock can now be filled with more apps in much the same way it functions on an iMac. The Dock makes switching between apps much faster, and it enables multitasking features on compatible devices. For instance, opening the Dock while using an app and dragging a Dock icon upwards will open a new window, which can be pulled into a slide-over or split-view multitasking arrangement. The Dock enhancements make it much easier to access apps because the new actions mimic how a Mac desktop works. The result is a more consistent experience across the Apple device ecosystem from desktop to mobile.
New app switcherAccompanying the Dock is a new app switcher that essentially brings the macOS Mission Control experience to the iPad. It shows all of the most recently used apps and offers access to Control Center settings. When activated, the user can see (and switch between) each window and maintain split-view apps. This makes it very easy to seamlessly work with and within multiple apps and
tie in other multitasking features such as drag-and-drop operations during document creation.
Drag and drop with Multi-TouchApple also introduced drag-and-drop functionality throughout iOS 11. This allows the user to drag and drop images, text, links, and more within an app or between apps or documents. That alone is a great productivity enhancement, but Apple also went beyond current PC capabilities. For instance, the new drag-and-drop actions can be superimposed on the iPad to stack multiple items. This Multi-Touch functionality is revolutionary because it is no longer limited to one or two fingers. The iPad’s computing power and screen real estate make it the ideal device for this new functionality because stacking multiple items is far more intuitive on an iPad than an iPhone.
While the iPad with iOS 11 is a more powerful and cost-effective computing device, the new iPad Pro has transformed into a true workhorse. This is especially great news for enterprise organizations looking to support more devices for cloud-based computing. As enterprises increasingly shift apps and data to the cloud, iPads with enhanced enterprise functionality will be critical to enabling anytime, anywhere access to those resources. IT teams can simplify the task of keeping corporate and personal information separate, secure, and private through EMM as these capabilities become more widely adopted on mixed-use devices.
iOS 11 updates go well beyond multitasking
Password autofill for appsWith so many passwords to remember, users often take shortcuts and carelessly store usernames and passwords in personal cloud apps (or other unsecured apps) for the sake of convenience. For instance, if users have to remember and routinely
7
change passwords for enterprise apps like ADP or Concur, they may store them in an unencrypted Evernote account if single sign-on (SSO) is not activated. They may also use the same tactic to store passwords for highly restricted accounts such as personal banking or a confidential corporate account.
Apple is fully aware that end-user convenience is a major factor in improving security, which is why it recently ported the password autofill feature from macOS Safari to iOS 11. Password autofill in Safari 11.0 stores passwords in the iCloud keychain and saves users from having to remember passwords for various consumer apps. Password autofill also provides a consumer-level workaround for sites and apps which previously allowed Facebook, Twitter, or LinkedIn accounts to provide authentication to apps and services like OpenTable. That type of authentication is now being deprecated by Apple.
To ensure password autofill complies with corporate security policies, IT should investigate EMM-integrated SSO and certificate-based authentication methods for corporate sites and content.
Screen recordingA new screen recording feature is now available natively in iOS 11. To record screen actions, a user swipes to the Control Center, records the screen, and the file is saved to Photos. The feature also has its own dedicated button in the revised iOS 11 Control Center. The recording can be shared like any other piece of content, which can be very useful for help-desk troubleshooting or training videos. It can be controlled by IT with EMM via the screenshot restriction.
New lock screen designThe Notification Center and lock screen will also be merged into a single screen under iOS 11. The user now scrolls up or down (instead of sideways) to jump to notifications, but aside from this small adjustment, the new lock screen design simplifies the UI and improves access to utility functions. Users can now perform more tasks, such as answer texts, begin a screen recording, or turn on the camera directly from the lock screen. IT security teams can still enable or disable notifications on supervised devices.
8
Peer-to-peer Apple PayApple Pay is the number one NFC payment service on mobile devices and accounts for nearly 90% of all mobile transactions globally. Apple Pay has gained the strongest momentum in international markets with an average of three out of four Apple Pay transactions occurring outside the U.S.5
To help expand the international mobile payment infrastructure, Apple Pay now
allows money to be sent through iMessage or Siri so users can take advantage of the
credit and debit cards stored in Wallet
To help expand the international mobile payment infrastructure, Apple Pay now allows money to be sent through iMessage or Siri so users can take advantage of the credit and debit cards stored in Wallet. Money received goes into an Apple Pay cash account, which can either be used to make purchases through Apple Pay or sent to a bank account. If organizations plan to use this new feature to transact business with Apple’s savvy e-commerce user base, they will need to ensure their mobile security framework can meet relevant financial compliance and regulatory standards.
Automatic setupThis new setup feature in iOS 11 resembles the workflow Apple previously used to automatically set up an Apple Watch. The updated feature is designed to make it much easier for users to upgrade to a new device by simplifying and accelerating the data transfer process. Rather than relying on iTunes or iCloud backups in the transition process, this setup option can transfer settings directly from an existing iOS 11 device (which needs to be updated first). The two devices, when held in proximity, provide instructions to pair for setup using the camera on the older device to scan an image on the screen of the new device. After the user settings are transferred, the process enables simplified setup for Touch ID and settings like Find My iPhone, location services, and analytics. (Apple Pay and Siri have to be configured separately.) In addition, corporate EMM settings and content require re-enrollment to meet IT security requirements.
Note: Although this feature may ease the transition between BYOD devices, it does not apply to DEP-enabled devices configured to bypass Setup Assistant and enroll in EMM.
5 https://www.apple.com/investor/earnings-call/
9
iOS 11 supports more powerful and secure app development
To help expand the ecosystem of iOS enterprise apps, Apple has introduced platform enhancements to encourage developers to create new productivity tools. iOS 11 has also made changes designed to help apps run faster and deliver a higher quality user experience.
New core NFC framework
With iOS 11, Apple is enabling developers to build more enterprise apps that incorporate NFC. As mentioned previously, Apple Pay accounts for nearly 90% of all NFC transactions, and Apple is looking to expand the ecosystem of NFC-enabled apps. In addition to developer tools, it appears that Apple is opening up the iPhone NFC chip in order to recognize tags, which would allow an iPhone to pick up data from those tags and take relevant action. For example, an iPhone user checking into a hotel could tap on a tag to view the hotel’s Wi-Fi password.6
DeviceCheck API
The new DeviceCheck API is a type of device fingerprinting that helps balance user privacy with fraud prevention. DeviceCheck allows the developer to tag the device with time stamps and other data that persists on the device. For example, a company offering a 30-day software trial can use DeviceCheck to tag the device with the date and time of installation and a couple of unique bytes of data to identify the device. After the trial expires, the user cannot reinstall the same app to try and get a different token and extend the trial. The unique
token is stored securely in the Apple backend and can determine if the device has already completed the trial. Or, if an enterprise employee accidentally deletes an enterprise app, the token can identify the user and device combination and either allow the user to log in or mandate a request for a new PIN. This will depend on company policy and how the enrollment app is configured with DeviceCheck.
iMessage is now open to developers
Apple has opened iMessage to developers so enterprise organizations can build their own custom iMessage app extensions. This offers great potential to extend customer service options through iMessage. At WWDC 2017, Apple demonstrated how iMessage could be extended to other types of apps. For example, airline passengers could use a seat selector app that allows them to tap on their preferred seats for an upcoming flight.
In addition, Apple has added a new iMessage feature called Business Chat, which allows users to start a conversation with a business by tapping Message icons that appear next to business names in Spotlight searches, Siri, Maps, or by scanning a QR code with the camera. Together, Business Chat and iMessage app extensions could greatly simplify customer support by allowing customers to quickly and easily converse with help desk or support teams through their iOS devices.7
Apple shifts to 64-bit apps
To support faster apps with richer experiences, Apple is officially transitioning to 64-bit apps and ending support for 32-bit apps. This means if a user tries to open a 32-bit app when running iOS 11, the
app will not launch. In addition, 32-bit apps will no longer appear in the App Store when viewing it from an iOS 11 device. macOS High Sierra will be the last macOS release to support 32-bit apps. Enterprise organizations should inventory their existing iOS app deployments now to ensure critical software isn’t impacted by the change. Organizations should also note that the iPhone 5 and 5c and the iPad 4 and older will not be supported.
New App Transport Security deadline
Apple introduced App Transport Security (ATS) in iOS 9 and OS X 10.11. The goal of ATS is to improve user security and privacy by requiring apps to use secure network connections over HTTPS. The strength of certificates used for secure connections has also been mandated to a higher level. At WWDC 2016, Apple announced that apps submitted to the App Store would need to support ATS by January 2017. However, that deadline has been extended and developers now have until January 2018 to incorporate ATS in their apps.
App Store
Apple has redesigned the Apple Store to allow for phased app releases and more user-friendly downloads. Organizations can now roll out new releases and updates to specific users and groups, which provides much greater enterprise control and app management flexibility.
TestFlight enhancements
TestFlight is a beta testing program with tools for developers who use the iTunes Connect app submission process for the App Store. The program now includes: Support for multiple buildsTestFlight now lets developers distribute and test multiple builds at the same time so testers can choose from a number of builds to test.
Improvements to testing groupsFor example, developers can now create groups of TestFlight users and each group can test a different build.
Improved testing logisticsTesters can now continue testing a build when it goes live in the App Store. iTunes Connect users can also access all active builds, which allows them to compare different versions. The number of supported testers has also increased from 2,000 to 10,000 and the individual beta release period increased from 60 to 90 days.
macOS 10.13 High Sierra updates
macOS 10.13 High Sierra features many improvements. Enterprise organizations may be particularly interested in Safari updates such as auto-play blocking and intelligent tracking prevention, which will potentially make Safari faster and more energy-efficient than any other browser. macOS 10.13 will also use the new APFS file system to enhance data protection at rest as well as enable faster boot times and significantly improve storage efficiency.
11
Support for WebRTC
Safari 11.0 now includes support for WebRTC.8 This will help open up communications between users of iOS apps as well as other platform apps. For example, a physician who mainly relies on FaceTime to communicate with healthcare providers and patients can now communicate securely across various device and browser platforms.
Overall platform enhancements
While improvements were announced for all Apple OS platforms, WWDC 2017 reinforced macOS as the lead platform to inform design and structure for other members of the Apple OS family including tvOS and watchOS. Apple has also unveiled new development tools for implementing AR and machine learning (ML) in apps.
CoreML and ARKitTo help businesses take advantage of AR and ML capabilities, Apple announced two new offerings: CoreML and ARKit. CoreML is a new API that supports on-device machine learning capabilities designed to assist apps to predict, learn, and grow smarter over time. Apple will also be publishing an ARKit SDK to help developers create sophisticated AR applications. Although these offerings are still in the early stages, they will likely make their way into compelling new enterprise and business applications as they evolve.
tvOSApple is starting to expand Apple TV for small and medium-sized businesses as well as enterprise companies. As part of this effort, they are providing the tools developers need to support business needs for a variety of use cases. The platform also allows organizations to deploy in-house apps and more granular security and settings configurations through MDM. This expanded feature set could enable hotels to use Apple TV as their primary room entertainment device and hospitals could use tvOS for in-room patient engagement.
watchOSAs with tvOS, Apple is encouraging third-party developers to build new business apps for a variety of industries and use cases. Apple Watch is currently an extension of the iPhone it is paired to for management. This could evolve into more MDM controls as enterprise applications continue to expand.
As tvOS and watchOS expand their platform features, enterprises will want to secure these devices under a single enterprise management framework, just as they currently do with iPhone, iPad, and other Apple devices.
Apple continues to improve security and management across all of its platforms. New features were announced which will provide more restrictions and more configuration options. EMM solutions will be able to utilize these new features to expand Apple’s new security and management features in the enterprise.
Enhanced Cisco integrations
• iOS 11 performance data: On iPhone 7 with iOS 11 and higher and with Cisco AireOS 8.5, Apple devices will be able send additional Wi-Fi performance data and Cisco Wi-Fi controllers will display more analytics.
• High Sierra Fast Lane QoS support: Apple extended support for Cisco Fast Lane QoS to macOS 10.13 High Sierra, which will enable more efficient roaming for end users.
• Cisco Security Connector: This feature was announced at Cisco Live for release in the fall of 2017. It will enable iOS 11 integration with Cisco Umbrella and Cisco Clarity. Umbrella, formerly OpenDNS, provides content filtering and protections against phishing attacks by monitoring DNS traffic. Cisco Clarity provides Advanced Malware Protection (AMP) delivered as a service to detect malicious files. This level of network security integration will provide auditing for security incident investigation, protect iOS users from connecting to malicious sites, and safeguard corporate traffic by encrypting Internet (DNS) requests. Security Connector integration will require supervised iOS devices, managed app deployment, and custom configuration profiles management — all of which will also require EMM for streamlined deployment.
OAuth 2.0 for O365 EmailIn the iOS 10.3 beta cycle, Apple tested support for OAuth 2.0 authentication to Microsoft Office 365 when used with Exchange ActiveSync 16.1. Although the feature was rolled back on release, Apple reintroduced it in the iOS 11 beta cycle for enterprise testing. OAuth 2.0 uses a secure authorization token for secure access. If OAuth isn’t deployed, the mail client defaults to the previous domain auto-discovery behavior in which a device attempts to find the correct email server based on the domain configured in an email address. Corporate IT should consider EMM capabilities to ensure that only pre-approved users with authorized apps on authorized mobile devices can use OAuth authentication.
Device Enrollment Program updatesCustomers can now add any device to the Device Enrollment Program (DEP), not just those purchased from an authorized reseller. The user can remove the DEP profile for up to 30 days, but after the provisional period expires only an admin can remove the profile. This change can be especially useful for schools and other organizations that receive donated devices, because now any iOS device can be enrolled in DEP. In addition, iOS device supervision and EMM enrollment will now be automatic and mandatory under DEP.
Single-screen Control CenterApple is putting more effort into streamlining controls for iOS devices in the enterprise. For example, the new Control Center in iOS has been consolidated into a single, customizable screen. Aside from a few permanent buttons, users can completely customize the Control Center to fit their needs. There are now 18 new controls in addition to the standard toggles for Wi-Fi, Bluetooth, airplane mode, media controls, brightness, volume, rotation lock, Do Not Disturb and AirPlay.9 This allows both businesses and users to customize it for either personal or work needs.
Configuration profile updatesIf an admin manually installs a configuration profile with a certificate, iOS 10.3 and later won’t trust it for SSL unless the user manually approves it. Although there is an exception for MDM profiles, the goal is to help reduce malicious profiles installed through social engineering.10
MDM network restrictions MDM can now restrict supervised devices to approved Wi-Fi networks only. (These are networks set up via configuration profiles.)11 In iOS 11, single-purpose devices can be restricted to corporate networks to help reduce threats from mobile malware. For example, confidential healthcare data is far more secure if a patient can only connect his iPad to the hospital’s PHI-protected network instead of an unsecured hotspot. This feature is also critical in retail environments where point-of-service (POS) devices are much easier to certify and defend on specially secured PCI-compliant networks.
Additional management updates
New iOS/macOS restrictions
• AirPrint (on supervised devices): Admins can configure AirPrint payloads with a custom port and also specify whether Transport Layer Security (TLS) is required on a per-app and destination basis. Admins can also can restrict the discovery of AirPrint printers using iBeacons, as well as the storage of AirPrint credentials in Keychain. Admins can also require TLS for all AirPrint connections on a device or disable AirPrint completely on a device if required.
• VPN creation (on supervised devices): A new restriction was added to disable users from creating their own VPN configurations.
• VPN IKEv2 and Wi-Fi: The payloads now support configuring minimum and maximum TLS versions.
• AirPlay security payload: AirPlay security payloads can pre-define which Apple TVs the device can use and eliminates the need for user to enter a passcode to connect. This helps create a seamless experience for users while increasing security for the organization.
Do Not Disturb driving modeOne of the key features announced during WWDC is the new Do Not Disturb mode for drivers. When enabled while driving, Do Not Disturb mutes all incoming notifications and can automatically send a text to let the caller know the person is driving and unable to respond. Do Not Disturb for vehicles will come on automatically when an iPhone connects to a car’s Bluetooth, but it can be disabled. As enterprise workforces become increasingly mobile, employee safety on the road is also becoming a bigger priority. Features like Do Not Disturb will help organizations improve safe driving while potentially reducing the liability of accidents caused by distracted drivers at work.
With iOS 11 and the new iPad Pro, Apple is providing more robust desktop-like functionality that gives enterprises a viable option as they upgrade their older PCs. The iPad has emerged as a full-fledged content creation and productivity tool, which will also make it attractive to business users looking for a lighter laptop option for travel.
In addition to new iPad Pro hardware upgrades, iOS 11 has introduced compelling new productivity features, added more developer tools to expand the iOS app ecosystem, and included more security and management features to make enterprise IT’s job a little easier. As with any new OS release, enterprise organizations should evaluate the new features for themselves to determine how to securely enable (or disable) them for business use.
For More InformationTo learn more about iOS 11 and what it means for the enterprise, please visit
mobileiron.com/ios11.
For questions regarding your iOS implementation, please contact MobileIron at [email protected]
