Enterprise Mobility and Security Blog


Earlier this week Apple released iOS 8 to developers (public release on 9/17), and our Intune service is ready to support your use of it. Over the last several months we have been working closely with Apple to understand their changes and to ensure that we deliver outstanding support for their platforms with the Enterprise Mobility Suite.

Because Intune has Day Zero support for iOS 8, all the existing features in the live Intune service will continue to work seamlessly as users upgrade their devices to iOS 8. We are continuously upgrading our service and will continue to release new features that integrate elements of support for iOS 8.

You may be using one of our competition’s products, and, if that’s the case, it’s likely that sometime very soon you’ll be required to go through an upgrade to support iOS 8. But, because we are a true multi-tenant cloud service, this is not required for Intune users. Our cloud infrastructure is already upgraded and ready for iOS 8 devices. They will just work – right now.

One of the most significant changes that end users will notice is the complete overhaul of the on-device Settings UI for management profiles. Now all the MDM-delivered settings, restrictions, and content applied to a device are aggregated logically into a single consolidated view. This allows the end user to more easily understand (see image below) how corporate management will impact their device.

From the IT administrator’s perspective, the MDM Configuration Profile in iOS 8 introduces a number of new payloads:

  • E-mails can now be encrypted on a per-message basis (using S/MIME encryption).
  • Data leakage can be avoided by preventing apps from accessing iCloud sync features (such as the new iOS 8 “Handoff” feature).
  • Corporate-owned (supervised) devices can now be more fully managed (by preventing the user from wiping the device or enabling restrictions).

Image source: www.apple.com/ios/ios8/enterprise

For an exhaustive list of all the new features and settings, check Apple’s IT/enterprise developer page.

The following 5 features are top of mind for us today. I’ll discuss each of these and talk about how, with Intune, these features provide IT admins with greater control over managed devices (and, of course, how they enable end users to easily access the content they need).

Swift

No discussion of iOS 8 is complete without addressing Apple’s new programming language, Swift. We’re working to ensure that all the app management functionality of our new SDK and the app wrapper work flawlessly with iOS 8 apps – both Objective-C and Swift-built. Of course, to manage Office mobile apps, you don’t need a wrapper or an SDK. The Office mobile apps will ship with native data leakage protection features manageable by Intune. The wrapper and SDK is for instrumenting your internal line of business apps to protect corporate data and interoperate with Office.

Organizations will have the flexibility to choose their preferred development language, and IT admins can continue to manage line of business apps as usual using the SDK or app wrapper.

Managed Domains

One of the more interesting new features in the MDM Configuration Profile is that of Managed Domains. This comes in two flavors: managed email domains and managed web domains.

I’ve previously written about Microsoft’s multi-layered approach to data protection(protecting the device, app, file, and identity), and this new feature provides additional device-level protection for content that originates from enterprise domains. From the IT administrator’s perspective, leveraging this feature is as simple as specifying an array of strings with all the domains that should be considered enterprise domains.

Once configured, iOS will use the knowledge of which domains are managed to help protect corporate information. For example, end users will see a warning indicator if they attempt to use the native mail client to send messages across the Managed Domain boundary (e.g.from a corporate account to a personal email, or vice versa).

What’s really interesting about Managed Domains is that documents downloaded from a Managed Domain using Safari will be automatically tagged and treated as managed documents. This means that these documents can only be opened in managed applications, following the semantics of the Managed Open In functionality. This provides additional native OS-level separation of corporate content. Given the ease of use and immediate utility of this feature, Managed Domains will be one of the first iOS 8 exclusive features available in upcoming updates to the Intune service.
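To make the Managed Domains mechanics concrete, here is an added example (not code from the original post, Apple, or the Intune service) that builds the iOS 8 Domains payload with Python’s plistlib and then applies the same managed/unmanaged classification to outgoing mail and Safari downloads. The payload type com.apple.domains with the EmailDomains and WebDomains string arrays is Apple’s; the sample domains, payload identifiers and the matching rule (case-insensitive exact or subdomain match) are assumptions of this example, not Apple’s exact semantics.

```python
import plistlib
import uuid
from urllib.parse import urlparse

# Constructed sample data: the domains this fictional tenant treats as enterprise.
EMAIL_DOMAINS = ["contoso.com"]
WEB_DOMAINS = ["sharepoint.contoso.com", "files.contoso.com"]


def build_domains_profile(email_domains, web_domains, org="Contoso IT"):
    """Return a configuration profile (as a dict) carrying one Domains payload.

    PayloadType com.apple.domains with the EmailDomains and WebDomains arrays is
    Apple's documented payload; the identifiers and organization are constructed.
    """
    payload = {
        "PayloadType": "com.apple.domains",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.contoso.mdm.domains",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed Domains",
        "EmailDomains": list(email_domains),
        "WebDomains": list(web_domains),
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.contoso.mdm.profile",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Contoso Managed Domains",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }


def serialize_profile(profile):
    """Encode the profile as the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def _host_is_managed(host, managed_domains):
    """Exact or subdomain match against the managed list (simplified matching,
    an assumption of this example rather than Apple's exact rules)."""
    host = host.lower().rstrip(".")
    for domain in managed_domains:
        domain = domain.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def is_managed_address(address, email_domains=EMAIL_DOMAINS):
    """True when the mailbox belongs to a managed e-mail domain."""
    if "@" not in address:
        return False
    return _host_is_managed(address.rsplit("@", 1)[1], email_domains)


def crosses_managed_boundary(sender, recipients, email_domains=EMAIL_DOMAINS):
    """Recipients on the other side of the managed boundary from the sender.

    A non-empty result is the condition under which the native mail client
    shows its warning indicator (corporate -> personal or personal -> corporate).
    """
    sender_managed = is_managed_address(sender, email_domains)
    return [r for r in recipients
            if is_managed_address(r, email_domains) != sender_managed]


def is_managed_download(url, web_domains=WEB_DOMAINS):
    """True when a document fetched from this URL in Safari gets the managed tag."""
    host = urlparse(url).hostname or ""
    return _host_is_managed(host, web_domains)


if __name__ == "__main__":
    print(serialize_profile(build_domains_profile(EMAIL_DOMAINS, WEB_DOMAINS)).decode())
    print(crosses_managed_boundary("alice@contoso.com",
                                   ["bob@contoso.com", "alice@personal.example"]))
    print(is_managed_download("https://files.contoso.com/hr/plan.docx"))
```

The suffix match deliberately requires a dot before the managed domain, so look-alike hosts such as evil-contoso.com or contoso.com.other.example are not treated as enterprise; when you author the real WebDomains list, keep it to hosts you control for the same reason.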

Managed Books

Managed apps have existed on the iOS platform for several iterations, but with iOS 8 we see the introduction of Managed Books. Just like managed apps, an MDM server can direct the device to download a particular book from the iBooks Store and treat it as managed. Books can be retroactively managed, and IT admins can disable iCloud backup and iCloud sync for managed books and user’s notes within those books.

The evolution of the iBooks service to include Managed Books indicates the clear trend toward secure content delivery – a functionality we’re already investigating for Intune. The Managed Books feature has clear value for educational customers, but may not have the necessary level of auditing and management control for enterprises. In the near future, Intune will provide support for Apple’s Volume Purchase Program (VPP) and the Apple Configurator tool for easier device management.

Touch ID


When the iPhone 5S debuted alongside iOS 7 in 2013, a key part of the unveiling was the introduction of Touch ID, a fingerprint recognition technology built into the device hardware. As convenient as it is, Touch ID has, thus far, only been available to select 1st-party apps.

With iOS 8, Touch ID is available to 3rd-party apps through the new Local Authentication framework. We are working to incorporate Touch ID into app-level protection.

In a future release of the Intune app management SDK and app wrapper, users with biometric-enabled devices will be able to use their enrolled fingerprint to easily authenticate to enterprise apps during the at-launch authentication challenge. This feature provides the same integrity of app protection with additional end user convenience. Devices without biometric support will seamlessly fall back to PIN authentication.

Document Extensions

A major emphasis of this latest release is extensibility, and, to support this, iOS 8 introduces the concept of “Extensions.” By using designated Extension Points, 3rd-party apps are able to interact with the OS, the user, and each other in ways that were not previously possible.

Of the six available extensions in iOS 8, we believe the most interesting is the Document Picker Extension. The disruptive nature of this extension comes from its ability to allow apps to obtain (and persist) read/write access to a document that lives within the secure sandbox of another app. Compared to Android, iOS has traditionally had strict sandboxing isolation rules for 3rd-party apps. With Document Picker Extensions, inter-process data sharing is now possible (with user-initiated consent, of course). This introduces interesting opportunities for app-to-app communication, and it also presents a potential security risk as sensitive data may now leak from enterprise apps to unmanaged apps via the extension point. The Android platform provides a similar functionality through the use of Intents, and our Intune app management solution already provides data leakage prevention by managing this inter-app communication on Android.

As part of our thorough iOS 8 compatibility testing, we are working to ensure enterprise apps managed by the Intune SDK and app wrapper adhere to appropriate management policies so that this extension point cannot be exploited on the system. As the Office mobile apps begin to integrate this and other new features of iOS 8, the native Intune management functionality will allow the apps to leverage the platform’s new capabilities while ensuring better isolation of corporate and personal data with improved ability to both share and control the sharing of data between apps.
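The leakage risk described above comes down to a policy decision at the moment a document crosses an app boundary. The following added example (not code from the original post or the Intune SDK) models that decision as a small policy gate with an audit trail: every Document Picker transfer must be user-initiated, a managed document may only be opened by a managed consumer (App A) and may only be saved back into a managed provider (App B), and a document that a managed app has edited is thereafter treated as managed. The app bundle identifiers, document names and the rules themselves are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    OPEN = "open"   # consumer (App A) reads a document from a provider (App B)
    SAVE = "save"   # consumer writes the document back into a provider


@dataclass(frozen=True)
class App:
    bundle_id: str
    managed: bool   # instrumented with a management SDK / wrapper and under policy


@dataclass(frozen=True)
class Document:
    name: str
    managed: bool   # carries the corporate tag (MDM-installed or from a managed domain)


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, action, doc, provider, consumer, allowed, reason):
        verdict = "ALLOW" if allowed else "DENY "
        self.entries.append(
            f"{verdict} {action.value:<4} {doc.name!r} "
            f"{provider.bundle_id} -> {consumer.bundle_id}: {reason}")


def evaluate_transfer(action, doc, provider, consumer, user_initiated, audit):
    """Return True if the transfer may proceed, logging the decision either way.

    Rules (assumed for this example, a simplification of real products): every
    extension transfer must come from the user-facing picker; a managed document
    may be opened only by a managed consumer; a managed document may be saved
    only into a managed provider. Unmanaged data is unrestricted.
    """
    if not user_initiated:
        allowed = False
        reason = "transfer did not originate from the user-facing document picker"
    elif action is Action.OPEN and doc.managed and not consumer.managed:
        allowed = False
        reason = "managed document may not be opened by an unmanaged app"
    elif action is Action.SAVE and doc.managed and not provider.managed:
        allowed = False
        reason = "managed document may not be saved into an unmanaged app"
    else:
        allowed = True
        reason = "within policy"
    audit.record(action, doc, provider, consumer, allowed, reason)
    return allowed


def tag_after_edit(doc, editor):
    """Once a managed app has edited a document, treat the result as managed:
    corporate content may now be mixed into it (an assumption of this example)."""
    return Document(doc.name, doc.managed or editor.managed)


def demo():
    """Run the App A / App B scenario from the post with constructed identifiers."""
    audit = AuditLog()
    onedrive = App("com.example.onedrive", managed=True)      # App B, document provider
    word = App("com.example.word", managed=True)              # App A, managed editor
    notes = App("com.example.personal-notes", managed=False)  # unmanaged personal app
    budget = Document("budget.xlsx", managed=True)
    recipe = Document("recipe.txt", managed=False)

    results = [
        evaluate_transfer(Action.OPEN, budget, onedrive, word, True, audit),   # allowed
        evaluate_transfer(Action.OPEN, budget, onedrive, notes, True, audit),  # denied
        evaluate_transfer(Action.OPEN, budget, onedrive, word, False, audit),  # denied
        evaluate_transfer(Action.OPEN, recipe, notes, word, True, audit),      # allowed
    ]
    # After the managed editor touches the personal recipe it is tagged managed,
    # so it can no longer be saved back into the unmanaged notes app.
    edited = tag_after_edit(recipe, word)
    results.append(evaluate_transfer(Action.SAVE, edited, notes, word, True, audit))  # denied
    return results, audit.entries


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    print("\n".join(log))
```

The audit log is the part worth keeping in a real deployment: a denied save from a managed app into an unmanaged provider is exactly the event an administrator wants to see when reviewing where corporate documents were headed.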

For more details on how inter-app data sharing is made possible through the Document Picker Extension, consult the diagram below. App B represents an app that provides access to a document repository (such as OneDrive), and App A represents an app that consumes and edits those documents (such as Word for iPad).

[Diagram: Intune_iOS8_diagram, the Document Picker Extension flow between App A (document consumer) and App B (document provider)]

The features above are just a sampling of the comprehensive support we’ll be continuously rolling out throughout the year. We are pleased to support Apple’s new operating system today, and look forward to helping you manage all of the devices in your environments.

To learn more about the features discussed above, check out these posts:

If you’re not using Windows Intune yet, sign up for a free 30-day trial today!

Looking ahead to ongoing support from Microsoft: Tomorrow you’ll see a post from me that talks about our new Secure Email workflow. Secure Email makes it incredibly easy for end users to bring their new devices into workplace compliance: The user simply receives a quarantine email with simple instructions and a link to click, and a few minutes later the device is workplace-joined to Azure Active Directory and managed by Windows Intune. Once the device is managed, IT Administrators can report on device inventory, app targeting, and device compliance. iOS 8 devices are, of course, one of the platforms on which Secure Email will be well supported via Intune.