Last week the enterprise mobility management industry got a nice little treat when Apple posted a web page giving more details about the MDM improvements that are coming with iOS 7. Since most of the details about iOS 7 are still only available to registered developers, we can’t be 100% sure what the full effect will be. However, given what we do know publicly, we can see the impact will be significant in certain situations. Let’s take a look at the new details that Apple gave us, and see what we can determine. (The text and features listed in italics are quoted directly from Apple’s iOS 7 and Business webpage.)
New mobile app management features
Some of the most interesting announcements were around iOS 7’s ability to manage apps:
“Managed open in: Protect corporate data by controlling which apps and accounts are used to open documents and attachments. Managed open in gives IT the ability to configure the list of apps available in the sharing panel. This keeps work documents in corporate apps and also prevents personal documents from being opened in managed apps.”
This is probably the single most important change. One of the biggest challenges with MDM is that it doesn’t give any way to keep corporate and personal data separate. The only options have been to either lock down the device and blacklist apps that could potentially leak data, or to keep corporate data in managed corporate apps using mobile app management techniques. That will all change with iOS 7, as it will be possible to control attachments and documents are shared between any apps. This should also ease some of the concerns about where to get apps that are compatible with MAM.
One of the practices that managed open in could replace is email-attachment encryption. There are several vendors that keep corporate data isolated from personal apps by encrypting attachments before email messages are delivered to the built-in iOS email client. Once on the device, the encrypted attachments can only be opened managed corporate apps. Of course “open in” is not the only way for apps to leak data—other ways include the shared calendar and contacts frameworks, cut and paste, and this new feature does nothing to protect against these ways. However, by their current use of the “encrypted attachments” technique, many companies have already indicated that protecting only the attachments—and not those other forms of data—is an acceptable threshold of risk.
Essentially, what now requires specialized apps (and/or a way to encrypt attachments, if you're using that email technique) will be available to any apps on any iOS devices using iOS 7's new MDM features.
“Per app VPN: Apps can now be configured to automatically connect to VPN when they are launched. Per app VPN gives IT granular control over corporate network access. It ensures that data transmitted by managed apps travels through VPN — and that other data, like an employee's personal web browsing activity, does not.”
“Enterprise single sign on: Authenticating into corporate apps is now as simple doing it once. Enterprise single sign on (SSO) means user credentials can be used across apps, including apps from the App Store. Each new app configured with SSO verifies user permissions for enterprise resources, and logs users in without requiring them to re-enter passwords.”
Per app VPNs, single sign on, and managed open in are currently strictly the province of mobile app management-compatible apps. However, when iOS 7 comes out these features will be available to any MDM solution. And there are a lot more vendors that just do iOS MDM because is it’s much simpler than building a third-party MAM solution (with all the SDKs, app wrapping tools, specialized apps, and whatnot) from the ground up. You can almost consider these iOS 7 changes the “democratization” of mobile app management.
So with these changes, does this mean that there’s going to be a big shake-up for third-party vendors that offer MAM? Without out a doubt, there are some MAM use cases that will now be possible with just MDM, but MAM will continue to be important. Here are several reasons:
- There will still be a need to go beyond these basic features. Many MAM products are much more advanced than what iOS 7 will offer, and can really go deep into the functionality of apps.
- If you’re concerned about protecting contacts, cut and paste, calendars, or anything else that’s not a document, it doesn’t look like iOS 7 will help you in that regard.
- It appears that these new MAM features will require apps and the device to be managed with MDM. There are still plenty of cases where people don’t want devices to be managed, or where MDM is overkill.
- Whether you’re using Apple’s MDM protocol or a third-party MAM solution, you still need a management service on the back end. Well-rounded EMM vendors will be fine whichever way you go.
- Vendors will still be competing on how well they implement, scale, and integrate iOS MDM.
- Despite all these improvements, the only data or corporate apps MDM can deliver on its own are email and web apps. To deliver anything else and enable mobile productivity, you still need to figure out things like file syncing, document editing, and and how to mobilize other enterprise applications.
(By the way, all this means that we’re going to have to start making the distinction between types of MAM. So remember, we have MAM features that come as part of the iOS MDM protocol, and MAM features that are built directly into apps using third-party MAM solutions.)
New general MDM features
Besides the big mobile app management stuff, there are several other new features and details mentioned by Apple. They’re just as important, but instead of causing features to be shifted from third-party MAM to iOS MDM, they’re flat-out enabling new use cases and option that were previously non-existent:
“App store license management”
Apple’s Volume Purchase Program (VPP) has been around for a couple of years as a way for companies to buy apps from the Apple App Store in bulk. The only problem is that once apps are installed on users' devices, there's no way to “reclaim” the licenses after users don't need an app anymore. With iOS 7, this will change—it apparently will be possible to retain reclaim corporate app licenses. This is great, but if you consider the fact that most enterprise mobile apps are free front-end clients for services that are paid for outside of the Apple App Store, you realize that the VPP is still not a super big deal.
“New MDM configuration options” The MDM protocol in iOS 7 includes a number of new commands, queries, and configuration options that make third party MDM solutions even more powerful. Wirelessly set up managed apps, install custom fonts, configure accessibility options and AirPrint printers, and whitelist AirPlay destinations.
This is mostly just collectively referring to all of the other features MDM listed, and a strong indication that many of these new features will require MDM to be used.
“Streamlined MDM enrollment”
With older versions of iOS, if you’re deploying a lot of devices, it can be a pain to manually activate them all and manually enrol them in MDM. It appears that this should be a lot easier now. This will be great for schools and companies that are buying lots of corporate devices, but this doesn’t have any impact on companies that are dealing with BYOD or COPE (corporate owned, personally enabled) iPhones and iPads.
The “supervise” feature is probably referring to functions that are currently only available with the Apple Configurator, an iOS management utility from Apple. “Supervised” devices can be locked down to a greater degree than with MDM, but initial configuration has to take place over USB, and the Apple Configurator only runs on OS X. It looks like these functions will be available over the air now.
“Third-party app data protection: Using methods that leverage the user’s passcode to create a strong and unique encryption key, data protection provides IT with peace of mind that corporate data is secured without additional configuration. All third party apps now have data protection enabled automatically, so information stored in App Store apps is protected with the user’s passcode until they first unlock their device after each reboot.”
iOS app developers have always had the option to use the device’s built-in data protection API, so while enabling it by default is a good thing, it’s certainly not an earth-shattering development. Most third-party MAM solutions go beyond the built-in data protection anyway and use more advanced encryption techniques, especially since iOS data protection depends on the user having a passcode.
There’s a new user interface and more might be nice as a user, but for enterprise IT, again this isn’t going to revolutionize our lives. (What we really care about is the managed open in part mentioned above.)
“Caching Server 2 supports iOS 7.”
Great! I hope my office in San Francisco gets this. Our network connection could use the help.
Apple also listed some new features under “iOS 7 and Education” There are some new options for Apple TV (they’ll be manageable with MDM, and you’ll be able to provision Apple TV settings to iPhones and iPads using MDM), and now there will be a mechanism to enable students under age 13 to get parental consent to have Apple IDs.
Remember that until Apple releases iOS 7 to the public, we have to take this all with a grain of salt. It could be that some of these features don’t get implemented quite the way we think they might, or there could be some other catches. There are a lot of blogs out there that are completely disregarding the iOS Developer non-disclosure, and a lot of people think it’s pretty ridiculous to have an NDA. (Since the barrier to entry is simply joining a $99 program, how serious can Apple be about it anyway?) Regardless, we still have to wait until the public release date to really know how it will affect the EMM industry. The vendors have to wait until then to make their big iOS 7 related announcements, too.