Posts Tagged ‘Apple’

Device Encryption on Apple iPhones

Tuesday, July 20th, 2010

Following up from my last post on enforcing security policies on devices such as iPhones, I thought it might be worth clarifying how iPhones deal with encryption.

Essentially iPhones from the 3GS onwards are encrypted by default; this isn’t something the end user or administrator can control.  Earlier devices such as the original iPhone and the iPhone 3G do not support encryption at all, as they’re simply not powerful enough apparently (Apple told me this!).

So if you use Exchange and wish to set the encryption security policies onto iPhones, the ‘Require Encryption on the Device’ policy doesn’t actually do much in and of itself – the device is either already encrypted or just can’t be.

Where it is useful is if you wish to block access to devices that cannot be encrypted.  In this case you simply set the ‘Require Encryption on the Device’ policy and uncheck the ‘Allow Non-Provisional Devices’ policy.  The iPhones will report back their support for encryption and Exchange uses this to evaluate whether they should be allowed or not.  So original iPhones and 3Gs will be blocked.

Further info on iPhone support for Exchange ActiveSync Policies can be found here.

Android and iPhone Exchange Activesync Policies

Monday, July 19th, 2010

Over the past couple of weeks I’ve been doing some work on how best to secure data on the myriad of mobile devices that are used these days to access email and calendar information.

It’s a hot topic at the moment, and so it should be.  Recently here in the UK the Information Commissioner brought in a £500,000 fine for each instance of information data loss.  Of course it would depend on the information lost, but hands up anyone who understands everything that’s on their company’s smartphones and PDAs… with info creeping out in email attachments or iPhone apps that cache your work username and password, it’s a real risk.

If you use MS Exchange, one of the simplest ways to apply a level of security to mobile devices is to use the Exchange ActiveSync Policies that are included out of the box.  These allow you to apply – and more importantly enforce – a range of configuration options on devices and block access to devices that don’t meet a minimum standard you decide on.

At the bottom of this post I’ve attached a spreadsheet I’ve put together that details the policies available and the devices they are compatible with.  To get the information I spoke to MS, Google and Apple (thanks Jason) directly, so it should be accurate.  But I don’t have any contacts at Nokia or Palm so that info was taken from their deployment guides.

Part of the reason I thought I’d post this up is that I noticed a very similar doc was added to Wikipedia, but it doesn’t include some important information about the level of Exchange Client Access Licence (CAL) needed to use some of the policies, nor does it talk about the differences between hardware versions of the iPhone.  If I can bring myself to dive into the wiki mark-up language I’ll amend the article to include the info, but for now I hope this spreadsheet helps some of you.

If you’re not currently implementing any policies in Exchange there are a few things to consider before you do. 

First, think about the types of device currently connecting.  If you’ve been using Exchange EAS for a while the chances are you’ll have a range of kit from Windows Mobile 5 onwards.  This older equipment may not support many of the available policies, so if they’re company owned devices you may want to look at upgrading them rather than cutting the users off entirely.  Unfortunately it’s not just older devices that don’t support all EAS policies correctly.  Modern OSes such as Google’s Android and Palm’s WebOS don’t either.

There are some simple reports that can be run using PowerShell that will list out all the devices that connect in, including device type, versions and usernames.  Unfortunately the iPhone doesn’t report back its hardware version until iOS 4.  I’ll try to follow up this post with the query details.
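As an added example (not the post’s own query, which was to follow later), here is the kind of Exchange Management Shell report described above. It assumes the Exchange 2007 SP1/2010 cmdlets Get-CASMailbox and Get-ActiveSyncDeviceStatistics; which properties are populated (DeviceModel, DeviceOS) depends on the Exchange version and on what the device reports, so DeviceUserAgent is kept alongside as a fallback. The output file name is a placeholder.

```powershell
# Added example: inventory every ActiveSync device partnership with the
# details needed to judge policy support (device type, OS/model, user agent,
# last successful sync). Written for PowerShell 2.0 era Exchange shells.

# Every mailbox that has at least one ActiveSync partnership
$easMailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }

$report = foreach ($mbx in $easMailboxes) {
    # One statistics object per device partnership on this mailbox
    Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity | ForEach-Object {
        New-Object PSObject -Property @{
            User            = $mbx.Identity
            DeviceType      = $_.DeviceType        # e.g. iPhone, Android, PocketPC
            DeviceModel     = $_.DeviceModel       # iPhone hardware model only reported from iOS 4
            DeviceOS        = $_.DeviceOS
            UserAgent       = $_.DeviceUserAgent   # fallback when DeviceModel/DeviceOS are blank
            LastSuccessSync = $_.LastSuccessSync
            DeviceID        = $_.DeviceID
        }
    }
}

# Partnerships that have not synced in 30 days: candidates for removal
# (Remove-ActiveSyncDevice) before tightening policy, so stale devices
# do not skew the picture of what is really connecting.
$stale = $report | Where-Object { $_.LastSuccessSync -lt (Get-Date).AddDays(-30) }

$report | Sort-Object DeviceType, User |
    Format-Table User, DeviceType, DeviceModel, DeviceOS, LastSuccessSync -AutoSize
$report | Export-Csv -Path .\EAS-Devices.csv -NoTypeInformation   # placeholder path

"Stale partnerships (>30 days): $($stale.Count)"
```

Run it in the Exchange Management Shell as an account with the View-Only Organization Management (or equivalent Exchange 2007 view-only) rights; the CSV gives you the device mix to check against the compatibility spreadsheet before un-checking ‘Allow non-provisional devices’.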

Remember that neither Google’s Android, Apple’s original iPhone nor the iPhone 3G support any level of device encryption, which from a business perspective is a little scary considering their popularity.  What’s worse, early versions of the iOS 3 firmware apparently misled the Exchange server into thinking early iPhones were encrypted.  If you have a lot of these things out there but still want to apply a level of security, you can buy yourself some time using the ‘Allow non-provisional devices’ policy.

One option would be to create a basic security policy with all the PIN settings you want to apply and enforce that by un-checking the ‘allow non-provisional devices’ policy.  This will ensure that if a device doesn’t support the policy it can’t connect.  You could then create a separate policy with the encryption settings and the ‘allow non-provisional devices’ policy enabled.  In that case the policy should apply only to those phones that support it.
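The two-policy approach above, together with the stricter ‘require encryption and block non-provisionable devices’ setup from the earlier post on iPhone encryption, expressed as Exchange Management Shell commands. This is an added example rather than anything from the post; it assumes the Exchange 2007 SP1/2010 cmdlets New-ActiveSyncMailboxPolicy and Set-CASMailbox, and the policy names, PIN values and distribution group names are placeholders you would replace with your own.

```powershell
# Added example: the policies discussed in the post, as EMS commands.

# Policy 1: PIN settings every device must honour. Refusing
# non-provisionable devices means a phone that cannot apply the policy
# is blocked rather than let in unprotected.
New-ActiveSyncMailboxPolicy -Name "Corp-Baseline-PIN" `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -AlphanumericDevicePasswordRequired $false `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false

# Policy 2: same PIN settings plus the encryption requirement, but with
# non-provisionable devices allowed, so phones that cannot encrypt
# (original iPhone, 3G, Android) still connect while capable devices
# (3GS onwards) report encryption. RequireDeviceEncryption is one of
# the settings that needs the Enterprise CAL.
New-ActiveSyncMailboxPolicy -Name "Corp-Encryption-Optional" `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $true

# Strict variant from the encryption post: require encryption AND refuse
# non-provisionable devices, which blocks hardware that cannot encrypt.
New-ActiveSyncMailboxPolicy -Name "Corp-Encryption-Required" `
    -DevicePasswordEnabled $true `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# A mailbox holds exactly one ActiveSync policy, so assign per group.
Get-DistributionGroupMember "EAS-Baseline-Users" | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "Corp-Baseline-PIN"
}
Get-DistributionGroupMember "EAS-Encrypted-Users" | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "Corp-Encryption-Optional"
}

# Verify what each ActiveSync mailbox ended up with.
Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true } |
    Select-Object Identity, ActiveSyncMailboxPolicy
```

Because a mailbox can only carry one policy, the ‘basic PIN’ and ‘encryption optional’ policies are alternatives assigned to different groups of users, not layers applied to the same mailbox; a user whose personal Android moves to the encryption-optional policy keeps their PIN requirement because that policy repeats the PIN settings.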

As always, communication out to your end users is going to be key, especially if you have personal devices connecting to Exchange in addition to your company ones.  Whilst having a PIN etc. is probably a fair exchange for the Exchange functionality they’ll receive, suddenly finding that your personal phone has had a PIN enforced and that your SD card of music and photos has been encrypted is likely to annoy…  Something to keep in mind!

Anyway, here’s the spreadsheet: Exchange ActiveSync Policies (June 2010)

Apple’s iPhone 4 Gyroscope

Thursday, July 1st, 2010

Chipworks MEMS gyroscope die

After reading about the iPhone 4’s gyroscope during WWDC, I have to admit I wasn’t sure how such a thing would work.  I’ve only ever really encountered the spinning gyroscopes you get as a kid, and I couldn’t really see something like that fitting in a phone!

Thanks to this Wikipedia entry, and this article on ifixit.com, the mystery is solved – worth a read if you’re feeling geeky.

Windows 8 Details

Tuesday, June 29th, 2010

Over the last few days it seems as if a Microsoft Windows 8 presentation aimed at PC OEMs has leaked out onto the net.  Of course no one has confirmed it’s real, but it looks much like the documents I saw during the Vista and 7 development cycles so I’ve no reason to think it’s not.

I’m not going to republish the slides here, as clearly they should be under NDA, but now that this info is in the public domain I’ll discuss the major points in general and my take on the implications.

So what’s new in there? 

Industry Trends
Whilst this isn’t exactly news, it’s interesting to see what MS sees as the trends that are shaping their development of Win8.  Many of these are focused around the users’ interaction with computers.

They describe a market in 2012 providing a wide range of hardware form factors and offering users ubiquitous internet access.  In a world where connectivity is assumed MS will continue its ‘Software + Services’ push in Windows 8.  With the recent Windows Live Wave 4 releases already providing a pretty strong platform of local applications coupled with Internet services (Hotmail, Office Web Apps, Photo Gallery etc.), they mention that the Wave 5 release of these apps is pencilled in for release at around the same time as Win8.

MS are also keen to point out that people’s personal and business computing experiences are rapidly merging.  This is something that I’ve certainly encountered over the past few years, and it will be interesting to see how MS counter this.  The challenge is in keeping corporate applications and data secure, whilst also providing the flexibility people look for in personal computing from the same device.

Solutions out there in the market currently use a pretty heavy-handed approach, using perhaps a separate OS instance through a VM or using ‘OS on a Stick’ solutions that effectively turn a personal computer into a thin client that then connects to a business desktop.

I suspect that MS could provide a slightly more elegant solution if they choose to build that abstraction into the OS.  Windows 7 already supports booting from a VDI virtual hard disk, and can use XP Mode or MED-V to provide applications that run from a separate local OS.  I wouldn’t be surprised to see both of these technologies advance further to present a single ‘desktop’ to the user that ties back to separate ‘personal’ and ‘business’ VMs.  Presumably this may lead to a Client Hypervisor version of Hyper-V along the lines of Citrix’s XenClient.

Apple Envy
One slide that perhaps shows MS’s overall approach to Windows 8 is actually all about Apple.  MS have looked at Apple’s appeal and described a cycle that flows from Brand Promise > User Experience > User Confidence > Realised Value > High Satisfaction and then back to Brand Promise.  In other words, if it just works, people like it, you look good and they’ll return for more of the same.

I’d have hoped that was all a bit obvious to be honest, but it’s interesting to see that it’s a clear part of their thinking and they even state “This is something people will pay for!”.  Hopefully MS are learning lessons from Apple’s success, and in fairness from their own successful Windows 7 release.

Windows Store
For some time now I’ve been quite critical of MS’s late arrival into the ‘app store’ space.  As far as I know only Windows Phone has an MS operated app delivery mechanism (and to a lesser extent Xbox Live).  To my mind both Windows and Xbox would benefit hugely from an app store and the ecosystem of developers that it would spawn.  Frankly the PC world is still pretty much in the age of having a choice between Freeware, Shareware or full retail software.  Apple style app stores completely change this by providing users with a trusted source of apps, and developers with a permanent market and a method of getting paid for their work.

I’m therefore very happy to see MS outline plans for ‘Windows Store’, an iTunes equivalent.  It seems like I’m not the only one as the slides show feedback suggesting that it “can’t happen soon enough”! 

The concept seems fairly well advanced; the slides include a wireframe storyboard of the app browsing and purchasing experience, which looks quite Zune like – a good thing I reckon.  They also show that a user’s apps and settings will follow them across PCs, presumably tied to a Live ID as with Xbox Live.  The app store will also provide mechanisms for delivering updates or patches to installed apps.

For developers there will be a personalised portal to submit apps, track their progress through the approval process and view analytics around sales and usage.  One of the most interesting items shown in the portal is a tab for Telemetry.  This shows that developers will be able to monitor how their apps are used and receive the crash dumps that faults generate.  As far as I know this is far in advance of any other systems out there and should help ensure that the quality of apps delivered through the system is kept high.

Something that isn’t covered is how the applications themselves will be delivered.  We’ve seen MS dabbling with streaming applications over the Internet with the Office 2010 beta, which I understand was a big success.  Given the current trend towards application virtualisation I could see Windows Store making use of App-V or a similar technology to deliver apps as discrete objects rather than the traditional MSIs.  Given MS’s own desire to replicate Apple’s ‘It Just Works’ view of the world, using virtualised apps would seem to be a good route for Windows Store.  It would help minimise the errors and incompatibilities that can plague large app portfolios.

Personally I think Windows Store is an incredibly exciting development for users and developers.  What I’m curious about is how this might then relate to business use of Windows.  Presumably it wouldn’t be too hard to extend this model out into the Enterprise space.

There are already solutions out there that provide ‘shopping cart’ style interfaces into Microsoft’s Configuration Manager (SCCM) application delivery tools, but this sort of interface would certainly be a welcome addition for businesses.  I guess there would be a couple of approaches that could be adopted.

For one, Windows Store itself could provide a way for companies to allow users to buy software through it.  This would probably need an approval mechanism to ensure that spend was authorised, and also an alternative method for invoicing and payment.  It would also be desirable for companies to be able to white-list or black-list apps.

It’s a challenge for sure, but it’s not too hard to envision it happening.  With MS’s ability to federate its Online services with internal company Active Directories they could potentially access a primitive authorisation matrix through the ‘Manager’ information in AD.  And Group Policy would be a perfect way of switching the Store into a ‘business mode’ that doesn’t bill the users directly.

The second method might be to build a similar interface that can be hosted internally and used with SCCM.  Providing a similar user experience on company machines has obvious benefits to users and IT alike.  Indeed, given the focus on bringing together people’s work and home experiences, the ability to switch between them at will is probably worthwhile.

Identity and Authentication
There are a couple of slides around Win8’s proposed methods of authentication and how it might handle user data.  The obvious flashy thing here is the proposed use of facial recognition for logon, the idea being that a webcam connected to the computer would recognise that you have sat down in front of the computer, determine that it’s you and then log you on.

I’ve played with some tools for this before, and it’s a very nice user experience.  If MS can get it right and fix the false-positive issues that facial recognition systems can have (i.e. holding up a photo of the computer’s owner to log on…) it could be a very nice addition.

The other item of note was how Win8 will handle user profiles.  It seems that Windows user accounts will be ‘connected to the cloud’ so that user settings, and presumably documents, will follow them from PC to PC.  With Microsoft’s Mesh synchronisation technology now mature and forming part of Windows Live Wave 4, I suspect that this will also be the basis of continuously sync’ing user profiles with a Live back-end service.

I’ve wondered whether they’d do this for some time.  Indeed when Mesh was released I wondered whether having the ability to sync both document data and user personalisation info into the cloud might lead MS to presenting actual Windows desktops from its Azure platform.

There are plenty of other bits and pieces in the presentation.  But to my mind those are the main things to consider.

Of the rest, the Fast Startup looks good; it’s a hybrid system boot mechanism that uses the hibernate function to cut out some of the boot process and hugely reduce startup time.  It’s worth noting that this and Sleep will be the default startup and shutdown actions in Windows 8.

So all in all it’s very positive stuff; I suspect that MS will be very unhappy it’s public.  It certainly gives the opposition something to aim at.  I have to say if I was MS, rather than clamping down on the now public info I’d make the most of it – fill in the gaps on what’s already known and start the hype early.

For more info there’s good coverage over on Windows Kitchen.

iPhone 4 in business

Thursday, June 10th, 2010

With the iPhone rapidly becoming an accepted business phone for many companies, I’ve been interested to read about the changes that the forthcoming iPhone 4 and iOS 4 will bring.

To be honest there isn’t a huge amount of info out there, but the info that is available is quite positive.  There’s a page on apple.com with some basic details.  The main areas that Apple seem to be addressing are security and management, both of which have been question marks in the past.  Specifically they talk about:

Data Protection
Security enhancements in iPhone OS 4 protect email messages and attachments stored on iPhone 3GS by using the device passcode as an encryption key. New data protection APIs can be used for custom and commercial apps so that business-critical information is protected even if a device is compromised.

This is good news, but I still think Apple need to be clearer about exactly what sort of encryption is used etc.  The 3GSs are meant to be encrypted, but there are pretty strong indications that this isn’t quite as strong as you would hope [1, 2, 3].  If Apple can get this right it’ll open a lot of doors for them in business, as they’re still some way behind RIM’s BlackBerry and Microsoft’s Windows Phone platforms.  Both of these offer significantly more control over encryption, and in combination with device management tools can both be configured to accredited security levels (up to ‘RESTRICTED’ I believe).

Mobile Device Management
Deploying and managing large iPhone fleets will be even easier with iPhone OS 4. New Mobile Device Management APIs can be integrated with third-party solutions to wirelessly configure and update settings, monitor compliance with corporate policies, and even wipe or lock managed iPhone devices.

To their credit Apple have supported a level of device management for a while through their implementation of Microsoft’s ActiveSync.  This at least allows basic policy enforcement on devices connecting in through Exchange.  By providing more complete APIs into a management interface, however, hopefully iPhones will begin to support a much wider range of management features.  The obvious gaps currently are around password/PIN policies, encryption and granular control of features and functionality.  There are a number of products in the market to manage mobile devices [1, 2, 3], so hopefully we’ll see these begin to support the iPhone as well.

Wireless App Distribution
iPhone OS 4 enables enterprises to securely host and wirelessly distribute in-house apps to employees over Wi-Fi and 3G. Apps can be updated without requiring users to connect to their computers.

This has the potential to unlock the iPhone/iPad to a new group of developers.  Previously it’s been quite tricky to develop in-house Line of Business applications and, critically, to distribute them out to a fleet of devices.  The ability to deploy in-house apps over the air will make this much more attractive to organisations.

SSL VPN Support
SSL VPN support in iPhone OS 4 gives users another way to securely access enterprise resources. These new protocols can even be leveraged to connect seamlessly to a corporate network via VPN on Demand. Forthcoming apps from Juniper and Cisco will support SSL VPN on iPhone.

VPN support is obviously a nice thing to have, but I’d be interested to hear how often this is used.  In a world where you’re developing and using internal applications it’ll be a very useful tool if those aren’t published to the internet, but for basic email etc. generally the existing ActiveSync connection probably offers enough transport security.  I guess web access policies could also influence the use of VPNs if you wanted to force your users through a company proxy server of some sort.

Improved Mail
iPhone OS 4 allows users to set up multiple Exchange ActiveSync accounts and now works with Exchange Server 2010. With the new unified inbox feature, users can see messages from all their email accounts conveniently displayed in a single inbox, or they can quickly switch between inboxes to see messages from any single account. If users receive an attachment that they want to save or edit, Mail now lets you open attachments with compatible apps from the App Store.

Again, I think the mail changes are more ‘nice to haves’ rather than significant improvements to the business features, though the unified inbox is very well implemented when you see it in use.  With the support for multiple ActiveSync accounts, it will be interesting to see how they have implemented the policy management.  If you have two ActiveSync connections, each with different policy enforcement settings, which one wins?  Is it whichever is more secure?  If so, who decides what the more secure value is?  I also wonder if this could potentially allow information to leak from one system to another.  If mail is synced from one company onto the iPhone, could it then potentially be synced back down to a separate mailbox with the iPhone acting as a hub?  I can see how that might be useful for personal contacts, but for potentially sensitive emails etc. it could be a problem.

SharePoint on your iPhone with Moshare

Sunday, May 16th, 2010

It seems that iPhones, and I guess now the iPad, are increasingly being used in business.  While some would probably argue about how appropriate that is, ultimately I think IT organisations should be embracing this change and working out ways to help their businesses use and benefit from these tools securely.

As the company I work for are big users of both iPhones and SharePoint, I always take a look at apps that try to make the two work together.  One such app is Moshare from Moprise.

Moshare allows you to connect the app to specific SharePoint sites and access the lists, documents etc. in the site.  It seems to work pretty well: you can connect to a site easily provided you know the URL, and the app then displays the various lists and libraries within it (see the pictures below).

Within the libraries, documents are listed and can be opened as you’d expect.  I’ve tried it out with the obvious Office documents and PDFs that you’d expect to find and all open fine.  What’s more it provides searching within the site, though I couldn’t find a way to navigate to sub-sites – they have to be added separately.

Something I’d like to see added would be the ability to enter your password at the time of use.  At the moment you can’t add the site without entering your username and password and having the iPhone cache them.  Without details of how those credentials are stored, I can see some IT administrators not liking that at all.

All in all though it’s a nice little app.  As an added bonus at the moment it’s free to celebrate the launch of SharePoint 2010, so head over to the app store and grab a copy.

[Images: Moshare site view, library view and document view]

Email and Office Windows Phone 7

Thursday, April 29th, 2010

A few months ago when Windows Phone 7 was unveiled there wasn’t really much coverage about the parts of the platform aimed at business productivity.  I did see a few clips of the new Inbox, but nothing that really showed how it worked in practice.  With smartphones now an important part of business life for many, and with iPhones becoming an increasingly common business tool, it’s interesting to see what MS has planned.  Especially as it’s an area in which they were pioneers with the early Windows Mobile phones.

Anyway, I just spotted the following videos over on Steve Clayton’s blog.  They show how the new WP7 Office apps and inbox will work in practice.  Personally I think they look pretty good.

iDialog Office Communication Server iPhone Client

Sunday, August 23rd, 2009

A few months ago I wrote a few articles about mobile clients for Office Communications Server, and particularly the options available for iPhone users. 

It’s been a while coming, but it seems like there’s now a proper OCS client available in the App Store from Modality Systems.

iDialog provides presence information on both your personal contacts, and across contacts within the corporate address list (which you can search from the client).  You can then either launch an OCS Instant Messaging conversation, or use the iPhone to call any of the numbers listed in the contact info.

IM conversations can be multi-party, and the client can support many simultaneous conversations.  They are displayed in the familiar threaded text message format from the iPhone.


In addition to IM, the client can make use of VoIP call control to manage voice calls to the user’s OCS VoIP end-point.  Incoming VoIP calls can be forwarded on to either their listed mobile number (presumably the iPhone), voice mail or any other number.  It isn’t, however, a VoIP endpoint in its own right.  Presumably it would not have made it through onto the App Store if it had been.

From a backend perspective it relies on OCS 2007 or 2007 R2, and makes use of the Communicator Web Access server role.  Unlike the solution from Web Messenger it doesn’t rely on separate, additional server infrastructure.

The app is priced at £5.99, which is pricey for both individuals and corporate deployments.  However the web site does mention that corporate licensing options are also available that would – I assume – reduce the per-seat licensing.

Link to App Store

Windows Mobile 6.5 Touch Gestures

Thursday, July 9th, 2009

Although I now have an iPhone, I have to admit I’ve always quite liked Windows Mobile.  It may be a bit clunky compared to Apple’s newer toys, but I’ve had WM phones since the original Orange SPV years ago.

Anyway, I’ve been keeping an eye on how the new version, Windows Mobile 6.5, has been developing.  I managed to have a play with a phone running 6.5 a few months ago and was actually quite impressed.  While you could tell the old WM was underneath, the touch interface was a great improvement on the old home screen, and it felt modern – even next to the iPhone.

I was just going through my RSS feeds and noticed this new post from Marcus Perryman over at Microsoft.  He’s written quite an in-depth article about how 6.5 implements touch and the gestures you use to navigate and do things.  It’s pretty techie (don’t say I didn’t warn you!), but quite interesting if you’re into that stuff.

Marcus also points out that the official touch gesture docs have been published and can be found here: http://msdn.microsoft.com/en-us/library/ee220920.aspx

Augmented Reality on the iPhone

Wednesday, July 8th, 2009

A hat tip to Jason Langridge for finding this demo clip of a new Augmented Reality app for the new iPhone 3GS.  Very cool (in a geeky kinda way).

Using the iPhone’s GPS and compass the app is able to overlay directions and other info onto the view from the camera.  I’m sure this is just the start… there are so many uses for this sort of technology.