We have now covered the most simplistic methods which many schools are using to manage iOS devices, and frequently these are shared devices we are talking about, not individual devices owned by the user. The issues that this can bring is that as you grow with the number of devices you have or reduce the amount of time you have available to cover support of the devices you have to look at more efficient and practicable solutions.
The next area covered in the workshop was the concept of profiles. Those who have looked into Group Policy Objects (GPOs) in the world of Windows or the use of WorkGroup Manager (WGM) on Mac OS X can see easy parallels and might look to apply the exact same concepts used to lock down machines. Apple were keen to stress that it is not about locking down but more a case of ensuring that certain settings were enabled and that you knew where the responsibility lay for control / changes of the settings.
In a similar way to the nuts and bolts of GPOs just being a method of forcing changes to the registry on a Windows client, and WGM forcing changes of .plist files on a Mac OS X Client, the iPhone Configuration Utility (IPCU) creates a text file which, when loaded onto an iOS device, changes settings.
It covers a number of areas including security, Wi-Fi, VPN, email, calendar, address book and some application restrictions. We covered some of these setting in the previous post when we looked at on-device settings, but a profile can also be used to set up part of the information required and allowing the user to complete the rest. An example would be to put in all the details for the Exchange Server but leaving some fields blank so the user enters the information relevant to themselves. A more details guide on this can be found on the help section of the Apple website
Another important security area is around passcodes where you can set the complexity including whether you allow simple passcodes (ie repeating / ascending / descending sequences), whether you require alphanumeric values (must contain at least one letter), minimum length, age, auto-lock time period, history and, possibly the most important if considering the device would be used by a member of staff, how many failed attempts before the device is wiped (I’ll talk a bit more at a later date about encryption on iOS devices).
We also have to consider whether the profile can be removed by the user. The options include Always, With Authorization and Never … remembering that if you wipe the device (there are a variety of methods) it will take it back to requiring activation and you start again anyway with a clean slate. Also remember that, in the most basic setup, the profile is something a user (or the person setting it up) has to accept to install. When we look at Profile Manager later on we can consider some of the ethos behind putting particular settings into the profile so that the user has to agree to various settings as a method of gaining access to certain areas (eg email) and a common method of control for this is the granting of access to the secure, wireless network.
Profiles can be loaded via USB, can be emailed out to users to install, can be pulled down from websites or pushed out wirelessly via MDM solutions. One important thing to remember when exporting profiles from IPCU is security. These are text files and if you do a simple export can be read and changed via a plain text editor. You can sign the profile so any changes will noticed by the device if you try to install it but this basically changes it to read only mode. What should be considered as the only option is sign and encrypt the file. Just think … this profile could have all the settings needed by a user to join your hidden wireless network, usernames and passwords for mail servers (if using a profile per person or allocating a specific email account per device) and so on … do you really want that in plain text?
It is simple to sort though by just ensuring you export it signed and encrypted.
The next post will look at some of the uses of the new tool on the block, Apple Configurator, and what we were shown about what looks to be the first stage of a good methodology for managing and deploying devices in bulk.