iOS 8 is out, so it’s time to talk about how it affects enterprise mobility management. Naturally there are many new enterprise and consumer-oriented features, but despite all that I think it’s somewhat of a mixed bag. For organizations that are able to commit to doing everything the “Apple way,” there’s a lot to like. For the rest of us, though, it’ll be business as usual.
Management the “Apple way”
The previous version of iOS introduced several new mobile app management features like Kerberos-based single sign-on, per-app VPN, and document open-in restrictions, enabling a degree of separation for work and personal apps and email accounts. This started a whole new conversation about the idea of having MAM features built into the operating system instead of built directly into apps themselves. To be clear, this is a big deal. (For more read here and here.)
iOS 8 builds on this by adding the concept of managed domains and managed documents. Managed domains means that files downloaded from specific websites in Safari can only be opened using apps that were pushed to the device using MDM. Combine this with the existing per-domain VPN features, and then you have yourself a good way to deal with internal web apps, intranets, and SharePoint sites. For managed documents, MDM can be used to push eBooks and PDFs to the iBooks app.
iOS 8 also finishes the job of making the Volume Purchase Program, the Device Enrollment Program, and Supervised Mode extremely comprehensive. (There's too much to go into here, but trust me, there's a lot of thought that went into how these programs work these days.)
Altogether, this adds up to an impressive number of things you can do with just iOS itself, Safari, iBooks, and the built-in mail app. For institutions that deploy large numbers of iOS devices, like schools, this is great news—they can go full-on with the “Apple way” and get a lot out of it. (You do have to be sure that your MDM is up to the task of building complex policies, though—this stuff goes way beyond just pushing out a few basic device configurations.)
But as advanced as iOS 8 is, most companies will still need to go beyond it. They’ll need more advanced MAM features like better sharing controls, geofencing, and different types of connectivity. They’ll also need MAM that doesn’t rely on MDM, for situations where they don’t want to manage the device, aren’t allowed to (by law), or have to co-exist with data from other organizations. They’ll want encryption that doesn’t rely on the device. They'll want full-scale enterprise file sync and share. And most important, they’ll need to go beyond the basics and figure out how to handle many other apps.
All this means that even though iOS 8 adds some important tools, overall enterprise mobility management strategies won’t be dramatically changed—there’s still a lot of work to be done.
New email functions
The built-in iOS email app has several new features, too, like per-message S/MIME, the ability to look up the availability of colleagues when scheduling meetings, out-of-office support, an option for notifications on specific threads, and even a new contact import feature. While these will be awesome for users, they could actually turn out to make life harder for IT departments that want to use third-party email clients. (Remember, there are plenty of good reasons to use both techniques.)
How is this? IT might want to use third-party clients for increased management capabilities, encryption that’s not dependent on the device, tighter lockdown, or other security reasons. But generally when it comes to performance, background syncing, and attachment downloads, these haven’t had the best reputation for user experience. One way to make the tradeoff acceptable is to add other user-facing enterprise mail features that the built-in app didn’t have. Now that the built-in app has all these new features, the bar is raised for third-party email apps, and it’ll be harder for IT to convince users to use these apps for security reasons alone.
No upgrade controls
Around this time of year another major complaint is that IT departments have no way to control when users upgrade iOS. Even though Apple does its best to make this a smooth process, there will invariably be problems. Some apps may not be ready for the new version, bugs in new iOS releases are not uncommon, and not all MDM products have immediate support.
It would be possible to create a policy around this—send an email asking users not to update, then use MDM to query the device to see what OS version is in place and take some sort of remediating management action for devices that are not in compliance. This isn’t ideal, but it's a headache we have to deal with no matter what.
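The version check described above, as an added example (not from the original article or any MDM product): it reads the OSVersion value from MDM DeviceInformation query responses and flags devices running something newer than an approved release. The UDIDs, the response plists, and `APPROVED_MAX` are constructed assumptions.

```python
import plistlib

APPROVED_MAX = "7.1.2"  # assumption: newest release IT has validated so far

def make_response(udid, status, os_version=None):
    """Build a constructed DeviceInformation response plist (sample data only)."""
    doc = {"UDID": udid, "Status": status, "CommandUUID": "constructed-" + udid}
    if os_version is not None:
        doc["QueryResponses"] = {"OSVersion": os_version}
    return plistlib.dumps(doc)

# Constructed sample: what an MDM server might receive after queuing the query.
SAMPLE_RESPONSES = [
    make_response("SAMPLE-UDID-0001", "Acknowledged", "7.1.2"),
    make_response("SAMPLE-UDID-0002", "Acknowledged", "8.0"),
    make_response("SAMPLE-UDID-0003", "NotNow"),  # device locked, no answer yet
    make_response("SAMPLE-UDID-0004", "Acknowledged", "7.1"),
]

def parse_version(text):
    """'8.0' -> (8, 0, 0). Compare numerically, never as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(raw, approved_max=APPROVED_MAX):
    """Return (udid, 'compliant' | 'non-compliant' | 'unknown') for one response."""
    doc = plistlib.loads(raw)
    udid = doc.get("UDID", "<missing>")
    version = doc.get("QueryResponses", {}).get("OSVersion")
    # A device that has not answered is unknown, not compliant.
    if doc.get("Status") != "Acknowledged" or version is None:
        return udid, "unknown"
    try:
        reported = parse_version(version)
    except ValueError:
        return udid, "unknown"
    ok = reported <= parse_version(approved_max)
    return udid, "compliant" if ok else "non-compliant"

def compliance_report(responses, approved_max=APPROVED_MAX):
    """Map each UDID to its compliance state."""
    return dict(classify(raw, approved_max) for raw in responses)

if __name__ == "__main__":
    for udid, state in compliance_report(SAMPLE_RESPONSES).items():
        print(udid, state)
```

Devices that land in "unknown" need a re-query before any remediation, since a locked device that defers the command has not reported a version at all.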
And there’s more
There’s more that’s being touted as “enterprise” features. There’s Swift, the new programming language that’s supposed to be easier to use. But building enterprise mobile apps is still a huge undertaking. There’s TouchID for third-party apps. But remember that TouchID isn’t really a 2nd factor for authentication, it’s an alternative factor. (I won’t argue that it’s not convenient, though.) There are the new “extensibility” options that will make multi-app workflows easier. (That'll be pretty awesome, too.) And there are new restrictions around new device features, but those are pretty much to be expected. Many of them are more appropriate or only work for Supervised devices, though. And there's even more... (The general iOS enterprise overview with links to several Apple-produced white papers is here.)
Don’t get me wrong—all of these features are great to have. For institutions that have homogeneous iOS deployments and go full in on doing things the “Apple way,” things are great.
But for most of us, while we’re getting some good new features, enterprise mobility management with iOS 8 will mostly be business as usual.