iPhone in the Enterprise

Following it’s announcement on Monday I think its fair to say that the 3G iPhone has stirred up quite a bit of interest with people.  And rightly so I believe.

In preparation for the inevitable requests from people out in our business I thought I would do a little digging into what Enterprise support Apple have built in this time round. 

With the original iPhone business users were pretty much ignored.  There was no real support for businesses, even to the point were (in the UK at least) you had to be an individual to buy one – it was available on personal contracts only, there were no businesses tariffs at all.

Here’s a few notes on what I found in case it’s useful:

Exchange Support
Apple have licensed Exchange ActiveSync from Microsoft so can connect directly to exchange for push email, calendars and contacts.  Providing you already have Exchange (2003 or 2007) adding iPhone support should be trivial.  From the device perspective it shouldn’t be any different to setting up a Windows Smartphone.

In addition to messaging support, the iPhone now also supports ActiveSync security policies for:

– Remote wipe
– Password Enforcement
– Forcing password complexity
– Forcing alphanumeric passwords
– Specifying password length
– Defining inactivity times before the phone ‘locks’

These are increasingly important to business, especially with the current media attention on data loss and privacy.

Device Configuration
To help reduce the support overhead of deploying smartphones companies (us included) often make arrangements to have company specific settings applied by some for of automated process.  This is so that end users can be up and running as soon as possible when, and hopefully ensure everything is set up correctly avoiding extra support calls etc.

For the iPhone 2.0 software apple has built in support for remote deployment of configuration using either email or a website.

You use an iPhone Configuration Utility to build up a preferred config, and then export that setup as an XML config file.  That file can then be:

– hosted on a website that users can browse to
– Emailed to the user as an attachment

In both cases the end user will need to open or run the attachment/file.  During the installation they will be prompted for any additional information needed such as passwords.

it would have been nice to have seen some support for over-the-air config like Windows Smartphones, but its a pretty good solution nonetheless.

Within the configuration utility you can configure:

– Exchange settings (server, domain, account etc)
– Wireless settings (network, authentication etc)
– VPN Settings (server, account, passwords, groups, proxies etc)
– Password policy (complexity, attempts, length, age, timeout (etc)
– Email settings (POP, IMAP, servers, accounts etc)
– Certificates (Deploy PKCS1 and PKCS12 certs)
– Policy and Restrictions (Control 3rd party apps, iTunes, content etc)

The device also allows these settings to be signed so that you can be sure they are from your company and not a rouge source.  This might be particularly important.

Virtual Private Networks
iPhone 2.0 now has built in support most of the common VPN protocols:

– PPTP
– L2TP/IPSec
– Cisco IPSec

and authentication methods:

– MS-CHAPv2 (standard passwords)
– RSA SecureID
– CRYPTOCard
– Certificates (PKCS1 and PKCS12)
– Shared Secret

The settings for both can be deployed using the Configuration Utility described above.

Wireless
The iPhone now supports the following wireless security protocols:

– WEP
– WPA Personal
– WPA Enterprise
– WPA2 Personal
– WPA2 Enterprise

It also supports the following 802.1x authentication protocols:

– EAP-TLS
– EAP-TTLS
– EAP-FAST
– PEAPv0 (EAP-MSCHAPv2)
– PEAPv1 (EAP-GTC)
– LEAP

All of these can be setup with an configuration profile and applied using the Configuration utility over email or the web.

IMAP Mail
For organisations not using Exchange the iPhone provides support for IMAP so should be able to access more or less any email system that allows it.  Within this is support for encryption and X.509 root certificates. 

There also appears to be some support for enterprise application distribution, but I’ve not found too much info about that yet so will probably add some more info on this later.

 

Overall I think apple has done a good job here.  It’s hard to say for sure without having an iPhone to test with, but for now it looks like it supports most of the things we currently look to do with our Windows Smartphones.  Perhaps its not quite as much as we’d look to do if implementing something like Mobile Device Manager or B2M’s mProdigy, and I’d like to see support for data encryption, but it’s a great start an should make the lives of Enterprise IT departments quite a bit easier.  They might not become preferred device’ within companies, but there’s certainly no major reasons why they shouldn’t exist happily within the Enterprise any more.

The big question for me at the moment is how O2 will see them to business customers and what costs will be involved – especially for customers with existing contracts and data agreements.