Apple’s Worldwide Developer Conference (WWDC) kicked off yesterday, and one of the big announcements was a major update to iOS—the OS that powers iPhones and iPads. While most of the traditional media and fan blogs focused on the new “flat” styling and the faux-3D home screen, there were actually quite a few major enhancements that are relevant for the world of enterprise IT.
The only “catch” is that many of yesterday’s announcements are a bit vague at this point. While the iOS 7 beta has been released to people who have iOS Developer accounts, accessing that beta means you’re bound to a non-disclosure agreement. (The only place you’re allowed to talk about it is in the official Apple Developer forums.) That means that the rest of us can look forward to a couple of months of speculation, rumors, and leaks.
That said, let’s kick off our iOS 7 coverage with some speculation! (Seriously, we did learn a lot yesterday to get us started, and we know already that enterprise IT has a lot to be excited about for iOS 7.)
How do we even know enough to make educated guesses about new iOS features?
So if the iOS 7 beta is protected by an NDA, how’s it possible for us to have an article today talking about the new features? It turns out there are already a lot of public features mentioned if you look close enough. Apple directly mentioned some of them in the keynote, they mentioned others in a press release, and still others are referenced on Apple.com. There were also a few features that were listed on a slide in the keynote but not mentioned anywhere else. (Yay for screenshots!)
Once we have a list of feature names, we have to figure out how they work, which we can do by making educated guesses based on precedents set by existing MDM functionality. So here are some baseline things to consider:
First, remember that most existing iOS MDM functions get applied to the entire device. For example, if you turn off the camera, none of the apps can use it. If you want a long password, you have to use it for the entire device. With the existing versions of iOS, if you want to apply a policy to just a work app but not a personal app, you’re out of luck. That’s part of what makes MDM so frustrating today—there’s just not enough granularity. That’s also one of the reasons why we have MAM (mobile app management).
That said, back in iOS 5 Apple introduced the concept of using MDM to do some app-level tasks with its “Managed App” functionality, where an admin can use an MDM connection to remotely install any app. This works for both in-house apps and apps from public app. (By the way, we also have to be careful not to confuse “MDM-managed apps”—which is what we’re talking about here—with “MAM-compatible apps,” which is what we talk about most of the time.)
There are only a few controls available for MDM-managed apps today: The MDM server can install and remove them (user confirmation is required for installation but not for removal), they can be uninstalled automatically under certain circumstances, and they can be prevented from using iCloud. While this isn’t very much, it does set the precedent for app-specific policies. This would be a great way to implement many of the new iOS 7 management features.
On the other hand, there’s also the possibility that instead of being available for MDM-managed apps, some of the new iOS 7 features might simply be APIs or frameworks that are incorporated into the OS, meaning that an app would have to be specially built to use them.
One final thing to remember is that certain existing MDM features require the Apple Configurator to set up. In order to get these features, the device has to be connected via USB to a Mac OS X computer running the Apple Configurator. If any of the new iOS 7 features require the Apple Configurator, then they will be less appealing, so just consider that another warning to temper your excitement about all the new stuff.
New enterprise features in iOS 7
Now that we’re refreshed with the various ways that Apple has provided previous MDM features, let’s look at the new ones and make educated guesses about how they might work. This will also help us gauge how important these are to the EMM field. Keep in mind that some of the items on this list were only mentioned in passing, and in a lot of cases we have absolutely no details to go on.
With that, let’s go down the list:
Notification Center and Control Center available from the lock screen
Users can now see content in the Notification Center and change settings in the Control Center (a new feature that gives quick access to basic settings like airplane mode, Bluetooth, and WiFi) without even unlocking the device. You can imagine the security issues when email previews and calendar items show up in the Notification Center. Unfortunately iOS MDM has never had the ability to control a user’s notification settings. Hopefully now that there’s even more information that’s readily accessible on locked devices, there will be corresponding MDM features to keep it in control.
Multitasking and app actions based on push notifications
In the past, multitasking (apps running in the background) was limited to a few specific types of activities (such as playing music or tracking the GPS), but now in iOS 7 any app can run in the background. Also related to this is that in iOS 7, push notifications will be able to automatically “wake up” background apps—something that was only possible with manual user intervention before.
These two improvements would have a huge impact in the EMM space because now third party email apps will finally be able to download mail and synchronize calendars in the background. (Many EMM vendors use third-party email apps to keep users’ random personal apps from accessing corporate data, which is easily accessible when corporate email is synced to a device’s built-in email client.)
Quite honestly this has been one of the biggest drawbacks to EMM on iOS and an area where Android has excelled, so this is huge. Just huge!
AirDrop allows users to wirelessly share content from one device to another over an ad hoc local network. iOS MDM has a poor track record of being able to restrict sharing—pretty much MDM products can do is restrict the use of iCloud. We’ll see what happens here, but unless some robust controls are put in place MDM, we’ll still need MAM to make sure that corporate apps can’t use AirDrop to share (i.e. "leak") data with personal apps.
The new iCloud Keychain is integrated with Safari. It stores passwords and credit card info; it can auto fill forms; and it includes a password generator. Saving and syncing passwords in the cloud could be an issue, but like so many of the current iOS frameworks, MAM-compatible apps could just disregard it.
Automatic app updates
This caused a lot of grumbling on Twitter, with everybody hoping it could be disabled either by the user or with MDM. There’s always a chance that a buggy update could really mess things up if an app is vital to your company, so hopefully Apple will allow MDM products to shut it off (or MAM products to restrict automatic updates for managed apps while allowing it for personal apps).
If an iPhone is lost and a remote wipe is performed, in iOS 7 it won’t be possible to reactivate the device without using the previous owner’s Apple ID. The idea is that it makes stealing iPhones less attractive. (So somebody just go tell all the iPhone thieves out there to not bother anymore :) It’s nice to have, though probably won’t have a huge impact in the EMM world.
It is interesting though from the corporate perspective to think about employees who could “lock” corporate-owned iOS device with their own personal Apple accounts. We’ll see how secure this is and if the original owner can unlock a device with proof of purchase somehow, but I could see an employee leaving an “F You!” to their employer on the way out the door by locking their phones with their own personal Apple IDs.
This is a major feature for third-party MAM vendors, and it would be great if IT could apply it to any MDM-managed app. Again, however, we just have to wait and see how it’s actually implemented.
"Better protection of work and personal data"
This is mentioned at the bottom of the iOS 7 features page at Apple.com, but we have no idea what it means. Is Apple implying that iOS 7 will have some sort of dual-persona framework like Samsung KNOX or BlackBerry Balance? It’s always possible, but I’m not placing any bets on it. It could just refer collectively to all of the other new features.
Management of app licenses
The Volume Purchase Program (VPP) has been around for awhile, but the current program does not allow a corporation to reclaim app licenses once they’re used unless the app was installed using the Apple Configurator. So our hope is that "management of app licenses" means that VPP licenses can be reclaimed from normal devices over the air.
Wireless app configuration / managed app configuration
This is a total mystery. My guess (or hope?) is that Apple is referring to MDM-managed app features (like I described above). If this brings a lot of MAM-like controls to any app, this will be huge.
There’s also the possibility that it just means centrally configuring settings that apps already expose to users. (Scroll down to the very bottom section in the Settings app to see what I’m talking about.) While that would still be useful, it's not as big as full MAM-style app control.
Enterprise single sign-on
Again, another mystery. Does this mean you can put passwords around individual managed apps? Is it password management using the Keychain? Does it involve corporate directory services? Who knows?
Default data protection for third-party apps
The iOS data protection API has been around for awhile now, but previously third-party apps had to opt in. With data protection enabled by default, things will be a little bit more secure.
New smart mailboxes / improved Mail search
The OS X desktop Mail app already has a feature called Smart Mailboxes, so we can probably expect something similar here. This probably isn’t some sort of crazy built-in email sandboxing thing.
Streamlined MDM enrollment
This could be cool. I don’t want to sound like a broken record, but what are they talking about? We have no idea here. With most MDM solutions, enrolling a device already only takes a few taps, so I'm not sure how much simpler it could be.
How do these new iOS 7 features affect EMM?
One day after the initial iOS 7 announcement, many people have the same questions:
- Will the iOS 7 improvements be enough to keep work and personal apps and data separated (or enable dual-persona) without using a separate MAM solution?
- Will this mean that we don’t have to use third-party email apps anymore?
There’s nothing from the iOS 7 announcement that conclusively indicate that iOS will be able to fully enable dual-persona without using MAM—there are just too many holes to fill. Sure, there will probably be places where the new features mean that iOS’s built-in MDM is “good enough” where it might not have been in the past. However, there will still be many more situations where mobile app management will be needed to go beyond what’s provided by MDM. The new app-level options mentioned today will be great, but what’s needed is extensive control over inter-app sharing and app access to device-wide frameworks. Nothing I saw today suggests that to me. Or what about all the devices for which we don’t want or need device-level management? We’ll need MAM for those, too. And all the device management in the world can’t do anything around delivering enterprise apps and data to users. We need apps and mobile app management for that.
Some people might be thinking that building better management into the device means there’s less of a need for EMM solutions, but that’s true at all. Whether a feature is enabled by the OS or built into an app, there still needs to be a back-end EMM solution to do it. Also keep in mind that most EMM vendors these days have both MDM and MAM. The point is that a few new features in iOS probably won’t put any companies out of business.
Whether working with device management features or working with apps, the changes announced for iOS 7 will bring a lot of new options. In the meantime, we’ll have to grit our teeth and wait for the public release to really know what the full impact of iOS 7 will be.