Intro
Contents
No one should be leaving their organization exposed — MDM is not just a nicety, it’s necessary to protect even a small business or organization. In advance of MacTech InDepth: Mobile Device Management seminar coming up on December 7, 2011 in San Francisco, MacTech Magazine has released its MDM primer. This primer gives a top level view of the issues that you should be concerned about. While the seminar covers these issues and more, it also gives you an opportunity to talk face-to-face to vendors and lay out your game plan.
Mobile Device Management (MDM) Primer
Fall, 2011
Your guide to getting started with managing iOS devices
by Russell Poucher, Creative Resources Technology Group
Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablet computers, ruggedized mobile computers, mobile printers, mobile POS devices, etc. These policies apply to both company-owned and employee-owned devices across the enterprise or mobile devices owned by consumers.
By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can greatly reduce support costs and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime.
With mobile devices becoming ubiquitous and applications flooding the market, mobile monitoring is growing in importance. Numerous vendors help mobile device manufacturers, content portals and developers, test and monitor the delivery of their mobile content, applications and services. This testing of content is done real time by simulating the action of thousands of customers and detecting and correcting bugs in the applications. (www.wikipedia.com)
Figure 1 – Managed Devices
Implementation
Typically, MDM solutions include a server component, which sends out the management commands and controls to the mobile devices, and a client component (called profiles), which runs on the target device and receives and implements the management commands. In most, true, MDM solutions, the client software does not need to be installed. It is part of the profile that the device is to be enrolled in.
With the proliferation of mobile devices reaching the masses, the management of mobile devices is ever evolving over time to meet the needs of the users, with new software and hardware being distributed, rapidly. No longer is it required to have a hard connection to the device or install a SIM in order to make changes and updates; scalability problems may just become a thing of the past.
Central remote management, using commands sent over the air, is here and now. An administrator needs only access to a web portal, from a desktop, laptop or another mobile device, to update or configure any one device, group or groups of devices. This obviously provides scalability benefits particularly useful when the fleet of managed devices is large in size.
Prime functionality of and MDM server often includes the following features:
- Firmware and/or base OS over the air updates
- Remote diagnostics
- Remote configuration and provisioning
- Security, including complex passcode requirements
- Backup/restore functionality, both local and remote
- Network usage and end-user support
- Server deployment, management and configurations
- Mobile asset tracking and management
- Remote lock and wipe
- Local device provisioning
- Software installation, updates and maintenance
- Data provisioning and feeds
- Troubleshooting and diagnostic tools
- Policy application (similar to Group Policy on Active Directory or Managed Clients on Open Directory)
- Logging and reporting
- Remote control and administration
- Location tracking
Figure 2 – Device Configuration
Device Configuration Overview
There are many factors that need to be considered before one can determine how their organizations’ IT staff is going to configure and support the needs of their users.
- Some organizations allow the user to handle the entire configuration. If IT gets involved, at all, it is typically after the fact to add in their email or setup the VPN tunnels.
- A second way that organizations may setup the devices is to build the initial payloads, deploy the image out and allow the users full access to make changes as they see fit. From a security perspective, this “set it and forget it” scenario turns full control back over to the users to maintain, making support much more difficult.
- The third way (which is the target of this article) is to setup the device, from the ground up, and enroll it into one of the many MDM solutions on the market today.
User configured/owned device (The “No Management” option)
When an iOS device is manually configured, the end user enters settings such as account name, password, and various server settings on the device itself. These end users may be responsible for updates to the iOS, backups, security, etc.
Settings that end users can manually configure include:
- Microsoft Exchange ActiveSync accounts (supporting Exchange Server 2003, 2007 and 2010)
- Standards-based email, contacts, and calendars (IMAP, POP, CardDAV and CalDAV)
- VPN security settings (Cisco IPSec, L2TP, PPTP, SSL VPN)
- Wi-Fi networks SSID’s and passwords (any standard 802.11x wireless network)
- Configuration of security settings (requirement of passcode, simple vs. complex passcode)
- Restrictions for certain apps and services (locking down Safari, YouTube, iTunes, installation of apps, deletion of apps, allowed content)
Reasons for Mobile Device Management
Organizations typically opt for a managed approach of devices to ease the job of IT departments. This also provides a consistent experience for end users. In a traditional sense, the managed approach used on desktop and laptop machines is known as Group Policy (GPO) on the Windows/Active Directory side, and Managed Preferences under OS X (MCX) on the Macintosh/Open Directory side.
MDM is a set of capabilities built into iOS 4 and above that allows a managed approach. It delivers a comprehensive set of tools that IT departments can use to wirelessly configure and update settings, monitor compliance with corporate policies, secure devices, guide users, provide consistency and even wipe or lock managed iOS devices.
IT departments can exercise tight controls over the devices, whether owned by the organization or by the individual, all based on the profile delivered to the device.
Figure 3 – Configuration Profiles
Configuration Profiles
Configuration profiles are lists of settings that IT departments use to quickly set up iOS devices. These profiles may be setup to configure end users’ devices to access Microsoft Exchange servers, the corporate VPN tunnel, Wi-Fi networks and corporate resources. Configuration profiles also give IT the ability to lock the settings.
Configuration profiles can be created with the iPhone Configuration Utility (iPCU), a free application for Mac OS X (10.6.x and 10.7.x) and Windows (XP, Vista and 7).
Figure 4 – iPCU Configuration Profiles
What are configuration profiles?
A configuration profile is an XML file that can be used to distribute configuration information to iOS devices. IT administrators will use these configuration profiles to configure specific, single or multiple, settings for iOS devices. Each configuration profile contains one or more “payloads,” which detail out all of the settings that one can possibly set on an iOS device, which include:
- Passcode – requirement of passcode, simple vs. complex passcode
- Restrictions – locking down Safari, YouTube, iTunes, installation of apps, deletion of apps, allowed content
- Wi-Fi – networks SSID’s and passwords (any standard 802.11x wireless network)
- VPN – Cisco IPSec, L2TP, PPTP, SSL VPN
- Email – Standards-based email, contacts, and calendars (IMAP, POP, CardDAV and CalDAV)
- Exchange ActiveSync – supporting Exchange Server 2003, 2007 and 2010
- LDAP – directory service settings
- CalDAV – calendar service settings for shared calendars
- CardDAV – group address book
- Subscribed Calendars – read only access to shared calendars
- Web clips – URL’s to a specific website, shortcut
- Credentials – PKCS1 and PKCS12 certificates to install on the device
- SCEP – Simple Certificate Enrollment Protocol allows the device to obtain certificates from a certificate authority
- Mobile Device Management – configures the device so that its configuration is managed over the air by an MDM server
- Advanced – Cellular network settings (APN)
Best Practices for Protecting Configuration Profiles
Administrators should sign and/or encrypt a configuration profile to prevent it from being altered or viewed. You can also protect a configuration profile by locking it with a passcode so that an end user can’t remove it.
Figure 5 – Setting Security
Signing and encryption
The data on a configuration profile can contain sensitive information such as account information and passwords. iPCU allows three options for exporting out the profiles you have built and protect your data.
A signed profile may only be replaced by another profile with the same Identifier and signed by the same copy of iPCU. iPCU may be used to both encrypt and sign configuration profiles, locking them down to a specific device and preventing others from changing or viewing the settings of the profile.
Security on profiles is available as follows, upon Export:
- None – Creates a plain text .mobileconfig file that can be installed on any device. Data is not encrypted and may be viewed in any text editor. There is no security in place.
- Sign configuration profile (good security) – Creates a signed .mobileconfig file that can be installed on any device, provided the profile hasn’t been altered. After installation, the profile can be updated only by another profile with the same Identifier and signed by the same copy of iPCU. The profile is signed with the public key associated with a device’s identity certificate. This public key can be obtained by connection through USB to a computer running iPCU or using over-the-air enrollment.
- Create and sign encrypted configuration profile for each selected device (best security) – Signs the profile so it cannot be altered, encrypts all the contents so the profile cannot be viewed in a text editor, and can be installed only on specific devices that appear in the Devices list. Separate .mobileconfig files are created for each of the devices you select from the Devices list. In most cases, this is the best option to select and offers the highest amount of security.
Locking Profiles
A profile may also be distributed that’s locked to a device so that after it’s installed, it can be removed only by wiping the device of all data (full reset) or, by entering a passcode. Locking a configuration profile is recommended to prevent end users from deleting it from a device. The following three choices are available for locking:
- Always – The end user may remove the profile at any time.
- With Authorization – Password is set, and needed, for removal of profile.
- Never – Profile may only be updated with a new version, but not be removed.
Installing configuration profiles
Profiles can be installed via one of several methods:
Figure 6 – Hard-wired USB Connections
- USB – for smaller installations, this is a viable way of getting payloads onto your mobile devices. As the quantity goes up, the benefits to this method go down and it becomes much more work. This process is, typically, done by IT directly. The USB method is meant for low-quantity deployments, such as 50 or less devices.
Figure 7 – Wireless Connections - Wirelessly – Profiles can be distributed wirelessly via email, website and over the air. When an end user downloads the profile from the web or opens it as an attachment in Mail, the device recognizes the .mobileconfig extension as a profile and begins installation when the user taps Install. If a passcode has been set on the device, the user will be prompted to enter in their credentials.
- Email – Distribution of profiles via email. The end user receives the email message on the iOS device and then taps on the attachment to install the profile. This process does require the end user to accept and install.
- Website – Distribution of profiles via a corporate website require the user to follow a specific link to download a profile. The end users can navigate to the web page on their device and then download the profile onto it. This process does require the end user to accept and install.
- Over the air – IT can use a secure enrollment and configuration process enabled by the Simple Certificate Enrollment Protocol (SCEP) to distribute encrypted configuration profiles over the air. SCEP does require some infrastructure to be setup, but makes the process much easier for IT departments to manage in the long run.
Mobile Device Management lifecycle
The MDM capabilities build into iOS the functionality for MDM on other platforms. Apple has taken the approach that the device belongs to whomever hands it is currently in. To that extent, there is quite a bit of management we can put into place, as long as the end-user continues to allow this management. By wiping the device, it is now back in full control of the end user.
Overall, MDM has four major categories and core capabilities: enrollment, configuration, querying, and management.
Prior to the setup of any MDM software, you may need to purchase an iOS Enterprise Program account ($299 per year). If you have an iOS Developer Program account ($99 per year), you must create a new account (separate credentials) to complete this process. This, typically, takes about two weeks for the qualification/verification. If using Apple’s Profile Manager, and a few other third-party MDM solutions, an iOS Enterprise account may not be needed. Please check with your MDM provider for their requirements.
[Note: As of this writing, several of the MDM vendors have not updated their software to handle the free APNS and will need to come out with an update. As of today (mid-November 2011), about half of them have a patch already in place or will have one in place by the end of this month. -Ed.]
Figure 8 – Creating an APNS
APNS
The Apple Push Notification Service (APNS) is a notification service, provided by Apple, that provides priority to notifications. It requires an Internet connection and access to Apple’s service. When the MDM server sends out a command, it is routed through APNS, which notifies the MDM server once the message has been received by the device. Commands and query responses are not sent by APNS. Rather, the APNS is telling the mobile device to check in with the MDM server and receive its command/queries.
In terms of security, APNS is only in place to request that the mobile devices “phone home” or check in with their server.
The MDM process continues with enrollment, which is the process of establishing a relationship between the device and MDM server. The MDM server sends a notification to the device, via Apple, telling it to check in with your server. When the device responds, it is provided with a list of actions the MDM administrator has slated for the device. These actions can include:
- Enrollment tasks – this typically only happens once, and is a URL that the user must follow and accept to load the profile.
- Configuration tasks – specific policy being pushed to the device, include password restrictions, base payload, embedded links, mail and security configuration, etc.
- Query tasks – asking the device to report back on the hardware configuration/state and network information
- Management tasks – removing settings, data, apps, etc.
All of these tasks may be set on a repetitive basis, as determined by the IT staff.
Figure 9 – Server Configuration
Enrollment
The first step of managing devices through your MDM is to enroll. This process allows the server and client to speak with each other, establishing a chain of trust. The enrollment process is accomplished via one of the means listed above.
You should, at this point, make the end user aware of the implications of opting into a management solution, especially if this is their personal device. The administrator of the MDM has the capability to wipe any device that is tied into their management console.
Figure 10 – Creating a Cert
Configuration
The next step in the MDM process is configuration of the devices through various settings and policies. Once enrolled in the MDM, the administrator has the ability to make changes to the configuration (profile) and push this out to any and all devices, as applicable. The trust relationship has already been set up, so all devices being controlled by the MDM have extensive access to make changes. Based on these profiles, IT has control over corporate assets and security, ensuring the users have proper access to confidential information.
Remember, IT can control the device and the access it has, but you have no way of knowing who the user is at the other end of the device. Requiring passcodes, of any type, is a necessary part of the process to help control who has access to confidential resources.
MDM device configuration is quite flexible: you can push managed configuration profiles at any time to configure a device for a new end user or to access a new infrastructure. You can also use MDM to remove functionality from a device by revoking a configuration profile that contains configuration settings necessary for access to corporate Wi-Fi or VPN.
Managed profiles use the same configuration settings available with standard configuration profiles (as is available through iPCU); some MDM vendors add minor, additional settings, that push the envelope, but may not, necessarily be approved by Apple.
Figure 11 – Device Query
Device query
The MDM server can also query devices for details about the device itself, network information, installed apps, and compliance and security data. Device queries can be scheduled on a repetitive basis, or pulled on an as-needed basis to ensure that compliance, security and usage policies are being followed. The following is a list of information that may be queried from devices enrolled in your MDM:
Device details
- Unique Device Identifier (UDID)
- Device name
- iOS and build version
- Model name and number
- Serial number
- Capacity and space available
- IMEI
- Modem firmware
Network information
- ICCID
- Bluetooth and Wi-Fi MAC addresses
- Current carrier network
- SIM carrier network
- Carrier settings version
- Phone number
- Data roaming setting (on/off)
Applications
- Applications installed
- Application ID
- Application name
- Application version
- Application and application data size
- Provisioning profiles installed with expiration dates
Compliance and security data
- Configuration profiles installed
- Certificates installed
- List of all restrictions enforced
- Hardware encryption capability
- Data Protection enabled
- Passcode present
Management
With the management component of MDM, you can remove and install settings wirelessly. The management function does not, typically, enable the MDM to remove apps or prevent app installation, however, you would be able query the device for notification that an app has been installed and an end user can be notified to remove a specific app.
Some specific actions that an MDM server can administer include:
- Remote wipe – sets the device back to factory defaults. Once the command is issued, the device immediately starts the process, requiring no other user intervention. All data and settings are lost.
- Remote lock – immediately locks the device, requiring the user to enter the passcode in order to move on.
- Clear passcode – if a user forgets their passcode, you can send the command to remove their prior passcode and enter a new one, enforcing your current passcode policy.
Configuration and provisioning profiles – To configure devices and provision in-house apps, MDM servers can add and remove configuration profiles and app provisioning profiles, as well as their associated data, remotely.
MDM technologies
Before exploring how you can use MDM for device management, let’s look at the technologies that enable MDM on iOS. MDM capabilities are built on existing iOS technologies such as managed configuration profiles, over-the-air enrollment, and the Apple Push Notification Service (APNS). You can leverage these technologies by using third-party MDM solutions.
Managed profiles
Managed profiles are configuration profiles installed on devices by the MDM server. This managed profile is analogous to GPO and MCX for the desktop and laptop management in an organization. These managed profiels can be locked to prevent end users from removing them. Once the managed profile has been delivered via enrollment, the profile is completely managed by the MDM server.
There’s no limit to the number of managed or unmanaged configuration profiles that you can install on a device.
The MDM server is designed to update and removes managed profiles, at the complete control of the IT administrator. Because the primary MDM profile must be unlocked, end users can opt out and delete this profile at any time. The end user always has these options available:
- Opt out of MDM altogether – iOS removes all managed profiles and associated data. The trust relationship with the MDM server is revoked and further push notifications from the MDM server will yield no results.
- Remain under management – the user has complete control to remove one or more of the profiles on their device, yet still allow some (or all) level of management by the MDM.
Over-the-air enrollment
iOS over-the-air (OTA) enrollment and configuration allows you to configure mobile devices securely, without a physical connection to a host computer running iPCU. MDM uses Simple Certificate Enrollment Protocol (SCEP) to leverage the OTA framework for enrollment.
The protocol is designed to make the issuing and revocation of digital certificates as scalable as possible. The idea is that any standard network user should be able to request their digital certificate electronically and as simply as possible.
The process of OTA enrollment involves three parts:
- Authentication – The end users authenticate into the MDM server. This process builds our chain of trust, ensuring that the requests are coming from authenticated users within our network. User authentication can be enforced at the time the end user visits the enrollment URL. OTA authentication can use any web authentication scheme, on any published mechanism
- Certificate enrollment – After the end user is authenticated, the device uses the SCEP to generate a certificate enrollment request. This request communicates directly with the enterprise CA and enables the device to receive an identity certificate from the CA in response.
- Device configuration – The third phase of OTA enrollment is profile delivery and configuration. This is a process that is repeated each time a new configuration profile is sent to the device or group of devices. In this part of the process, the MDM server sends an encrypted configuration profile that’s been built for a specific or group of devices. The user must agree to install this profile, authenticating to the device as necessary, then the MDM server takes over and has control to make changes, as necessary.
Figure 12 – Apple’s Profile Manager
Mobile Device Management Solutions
Users have a wide range of choices for MDM providers, each having strengths and weaknesses. It is important to ask the right questions and assess which of the solutions will fit your organization the best. Apple maintains a list of iOS-friendly MDM providers and also offers their own solution, built right into Lion Server.
For a list of iOS MDM providers, visit http://www.apple.com/iphone/business/integration/mdm/. For more information on Apple’s MDM solution, visit http://www.apple.com/macosx/server/.
Questions to ask MDM providers
- Do you need to support iOS 3 and iOS 4? Many vendors only support the feature set of iOS 4 and above.
- When will support be available for iOS 5? All new iPhone and iPads will come with iOS 5 pre-installed.
- Does the product support over the air enrollment?
- Does the product support remote configuration?
- What are the hardware requirements for this server? Ideally, the MDM host should be on a dedicated system with good bandwidth to the Internet.
- Is the admin interface web-based or does it require a native app?
- Is there any access for non-admins? If so, what features are available to standard users?
- Does the product support other mobile devices? Your organization may need support for Symbian, Android, iOS, etc.
- Is there a free trial period to test out the vendor’s MDM solution?
- Can they provide references for other similar installations?
- What are the licensing costs, per device? Are there yearly costs?
- What are the monthly costs if it’s being hosted for me? This saves a significant amount on initial investment of hardware, software and professional services?
- How does the device enrollment process work?
- How quick does technical support respond? How quick do updates come out?
- Is the MDM solution currently shipping and available today?
- Does the product offer an app portal where end users can download apps?
- Is the product available in all countries?
Figure 13 – Profile Manager Web Interface
Russell Poucher is the President of Creative Resources Technology Group (located in Southern California and Hawaii), a national provider of IT Services, Managed Services and Apple Certified Training Classes. He has been in the IT industry for more than 20 years as a Senior System Engineer and Apple Certified Trainer. You can reach him at russell@creativeresources.net.