iPad in Business Deployment Scenarios
November 2010
Learn how iPad integrates seamlessly into enterprise environments with these deployment scenarios.
• Microsoft Exchange ActiveSync
• Standards-Based Services
• Virtual Private Networks
• Wi-Fi
• Digital Certificates
• Security
• Mobile Device Management
• iTunes Deployment
iPad in Business: Exchange ActiveSync
iPad communicates directly with your Microsoft Exchange Server via Microsoft Exchange ActiveSync (EAS), enabling push email, calendar, and contacts. Exchange ActiveSync also provides users with access to the Global Address List (GAL), and provides administrators with passcode policy enforcement and remote wipe capabilities. iPad supports both basic and certificate-based authentication for Exchange ActiveSync. If your company currently enables Exchange ActiveSync, you have the necessary services in place to support iPad; no additional configuration is required. If you have Exchange Server 2003, 2007, or 2010 but your company is new to Exchange ActiveSync, review the following steps.
Exchange ActiveSync Setup
Network configuration overview
• Check to ensure port 443 is open on the firewall. If your company allows Outlook Web Access, port 443 is most likely already open.
• On the Front-End Server, verify that a server certificate is installed and enable SSL for the Exchange ActiveSync virtual directory in IIS.
• If you're using a Microsoft Internet Security and Acceleration (ISA) Server, verify that a server certificate is installed and update the public DNS to resolve incoming connections.
• Make sure the DNS for your network returns a single, externally routable address to the Exchange ActiveSync server for both intranet and Internet clients. This is required so the device can use the same IP address for communicating with the server when both types of connections are active.
• If you're using a Microsoft ISA Server, create a web listener as well as an Exchange web client access publishing rule. See Microsoft's documentation for details.
• For all firewalls and network appliances, set the Idle Session Timeout to 30 minutes. For information about heartbeat and timeout intervals, refer to the Microsoft Exchange documentation at http://technet.microsoft.com/en-us/library/cc182270.aspx.
• Configure mobile features, policies, and device security settings using the Exchange System Manager. For Exchange Server 2007 and 2010, this is done in the Exchange Management Console.
• Download and install the Microsoft Exchange ActiveSync Mobile Administration Web Tool, which is necessary to initiate a remote wipe. For Exchange Server 2007 and 2010, remote wipe can also be initiated using Outlook Web Access or the Exchange Management Console.
Supported Exchange ActiveSync security policies
• Remote wipe
• Enforce password on device
• Minimum password length
• Maximum failed password attempts (before local wipe)
• Require both numbers and letters
• Inactivity time in minutes (1 to 60 minutes)
Additional Exchange ActiveSync policies (for Exchange 2007 and 2010 only)
• Allow or prohibit simple password
• Password expiration
• Password history
• Policy refresh interval
• Minimum number of complex characters in password
• Require manual syncing while roaming
• Allow web browsing
Basic authentication (username and password)
• Enable Exchange ActiveSync for specific users or groups using the Active Directory service. These are enabled by default for all mobile devices at the organizational level in Exchange Server 2003, 2007, and 2010. For Exchange Server 2007 and 2010, see Recipient Configuration in the Exchange Management Console.
• By default, Exchange ActiveSync is configured for basic user authentication. Basic authentication sends the username and password in a form that is trivially decoded, so enable SSL for the virtual directory to ensure credentials are encrypted in transit.
Certificate-based authentication
• Install enterprise certificate services on a member server or domain controller in your domain (this will be your certificate authority server).
• Configure IIS on your Exchange Front-End server or Client Access Server to accept certificate-based authentication for the Exchange ActiveSync virtual directory.
• To allow or require certificates for all users, turn off "Basic authentication" and select either "Accept client certificates" or "Require client certificates."
• Generate client certificates using your certificate authority server. Export the public key and configure IIS to use this key. Export the private key and use a Configuration Profile to deliver this key to iPad. Certificate-based authentication can only be configured using a Configuration Profile. Because that profile carries the user's private key, deliver it signed and encrypted (see the Security Overview), or enroll the identity over the air with SCEP so the key is generated on the device and never transits your network.
For more information on certificate services, please refer to resources available from Microsoft.
Other Exchange ActiveSync services
• Global Address List lookup
• Accept and create calendar invitations
• Sync Reply and Forward flags with Exchange Server 2010
• Mail search on Exchange Server 2007 and 2010
• Support for multiple Exchange ActiveSync accounts
• Certificate-based authentication
• Email push to selected folders
• Autodiscover
[Diagram: Exchange ActiveSync deployment. iPad connects over port 443 through the Internet and the outer firewall to a Proxy Server (ISA), which forwards to the Exchange Front-End or Client Access Server. Behind the inner firewall sit Active Directory, the Certificate Server, the Exchange Mailbox or Back-End Server(s), and the Bridgehead or Hub Transport Server, with the Mail Gateway or Edge Transport Server* routing outbound mail. A Configuration Profile carries the private key (certificate) to iPad; the public key (certificate) is held by the server. Steps 1 to 6 are described below.]
* Depending on your network configuration, the Mail Gateway or Edge Transport Server may reside within the perimeter network (DMZ).
1. iPad requests access to Exchange ActiveSync services over port 443 (HTTPS). (This is the same port used for Outlook Web Access and other secure web services, so in many deployments this port is already open and configured to allow SSL-encrypted HTTPS traffic.)
2. ISA provides access to the Exchange Front-End or Client Access Server. ISA is configured as a proxy, or in many cases a reverse proxy, to route traffic to the Exchange Server.
3. Exchange Server authenticates the incoming user via the Active Directory service and the certificate server (if using certificate-based authentication).
4. If the user provides the proper credentials and has access to Exchange ActiveSync services, the Front-End Server establishes a connection to the appropriate mailbox on the Back-End Server (via the Active Directory Global Catalog).
5. The Exchange ActiveSync connection is established. Updates and changes are pushed to iPad over-the-air, and any changes made on iPad are reflected on the Exchange Server.
6. Sent mail items on iPad are also synchronized with the Exchange Server via Exchange ActiveSync (step 5). To route outbound email to external recipients, mail is typically sent through a Bridgehead (or Hub Transport) Server to an external Mail Gateway (or Edge Transport Server) via SMTP. Depending on your network configuration, the external Mail Gateway or Edge Transport Server could reside within the perimeter network or outside the firewall.
© 2010 Apple Inc. All rights reserved. Apple, the Apple logo, and iPad are trademarks of Apple Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. November 2010 L422495A
Exchange ActiveSync Deployment Scenario: This example shows how iPad connects to a typical Microsoft Exchange Server 2003, 2007, or 2010 deployment.
iPad in Business: Standards-Based Services
With support for the IMAP mail protocol, LDAP directory services, and the CalDAV calendaring and CardDAV contacts protocols, iPad can integrate with just about any standards-based mail, calendar, and contacts environment. And if your network environment is configured to require user authentication and SSL, iPad provides a secure approach to accessing standards-based corporate email, calendar, and contacts.
In a typical deployment, iPad establishes direct access to IMAP and SMTP mail servers to receive and send email over-the-air, and can also wirelessly sync notes with IMAP-based servers. iPad can connect to your company's LDAPv3 corporate directories, giving users access to corporate contacts in the Mail and Contacts applications. Synchronization with your CalDAV server allows iPad users to wirelessly create and accept calendar invitations and receive calendar updates. And CardDAV support allows your users to maintain a set of contacts synced with your CardDAV server using the vCard format. All network servers can be located within a DMZ subnetwork, behind a corporate firewall, or both. With SSL, iPad supports 128-bit encryption and X.509 root certificates issued by the major certificate authorities.
Network Setup
Your IT or network administrator will need to complete these steps to enable access from iPad to IMAP, LDAP, CalDAV, and CardDAV services:
• Open the appropriate ports on the firewall. Common ports include 993 for IMAP mail, 587 for SMTP mail, 636 for LDAP directory services, 8443 for CalDAV calendaring, and 8843 for CardDAV contacts. It's also recommended that communication between your proxy server and your back-end IMAP, LDAP, CalDAV, and CardDAV servers be set to use SSL, and that digital certificates on your network servers be signed by a trusted certificate authority (CA) such as VeriSign. This ensures that iPad recognizes your proxy server as a trusted entity within your corporate infrastructure.
• For outbound SMTP email, port 587, 465, or 25 must be opened to allow email to be sent from iPad. iPad sequentially checks for port 587, then 465, and then 25. Port 587 (message submission) is the preferred choice because it requires user authentication. Port 25 does not require authentication, and some ISPs block this port by default to prevent spam; if iPad can only reach your server on port 25, confirm that the server still requires authentication and SSL there rather than accepting unauthenticated relay.
Common ports
• IMAP/SSL: 993
• SMTP/SSL: 587
• LDAP/SSL: 636
• CalDAV/SSL: 8443, 443
• CardDAV/SSL: 8843, 443
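The port checks above can be scripted. The following is an added example, not code from Apple's document: it tests TCP reachability of the common ports and walks the 587, 465, 25 order iPad uses for SMTP, flagging when the fallback lands on unauthenticated port 25. The `start_local_listener` and `closed_local_port` helpers exist so the check can be exercised against constructed loopback endpoints; a real run takes the mail host as its argument, and the hostname in the usage comment is a placeholder. A completed TCP handshake shows only that the port is open, not that the service behind it requires SSL.

```python
"""Reachability check for the standards-based service ports, plus the
587 -> 465 -> 25 order iPad uses for SMTP.

Added example, not Apple code.  A completed TCP handshake shows only that
the port is open; it says nothing about whether the service requires SSL.
start_local_listener() and closed_local_port() exist so the functions can
be exercised offline against constructed loopback endpoints.
"""
import socket
import sys

SERVICE_PORTS = {           # the document's "Common ports" list
    "IMAP/SSL": 993,
    "SMTP": 587,
    "LDAP/SSL": 636,
    "CalDAV/SSL": 8443,
    "CardDAV/SSL": 8843,
}
SMTP_FALLBACK = (587, 465, 25)   # order in which iPad tries SMTP ports


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_services(host, ports=SERVICE_PORTS, timeout=2.0):
    """Map service name -> whether its port accepted a connection."""
    return {name: port_open(host, port, timeout) for name, port in ports.items()}


def choose_smtp_port(host, candidates=SMTP_FALLBACK, timeout=2.0):
    """First candidate port that accepts a connection, with a warning when
    the fallback reached port 25: that port carries no authentication
    requirement and many ISPs block it, so a server answering there should
    still be checked for authentication and SSL."""
    for port in candidates:
        if port_open(host, port, timeout):
            warning = "fell back to port 25 (no authentication required)" if port == 25 else None
            return port, warning
    return None, "no SMTP port reachable"


def start_local_listener():
    """Listening socket on an ephemeral loopback port; returns (sock, port).
    Stands in for a reachable service in offline runs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]


def closed_local_port():
    """Loopback port that was bound and released, so connecting is refused."""
    sock, port = start_local_listener()
    sock.close()
    return port


if __name__ == "__main__":
    # Usage: python check_ports.py mail.example.com   (hostname is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(check_services(target))
    print(choose_smtp_port(target))
```

Run it against the reverse proxy's public name from outside the corporate network and again from inside, since the document requires both paths to work; a port that answers internally but not externally is a firewall rule, not an iPad problem.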
IMAP or POP-enabled mail solutions
iPad supports industry-standard IMAP4- and POP3-enabled mail servers on a range of server platforms, including Windows, UNIX, Linux, and Mac OS X.
CalDAV and CardDAV standards
iPad supports the CalDAV calendaring and CardDAV contacts protocols. Both protocols have been standardized by the IETF. More information can be found through the CalConnect consortium at http://caldav.calconnect.org/ and http://carddav.calconnect.org/.
[Diagram: standards-based services deployment. iPad connects through the Internet and the outer firewall to a Reverse Proxy Server, which relays to the Mail Server (993 IMAP, 587 SMTP), the LDAP Directory Server (636), the CalDAV Server (8443), and the CardDAV Server (8843) behind the inner firewall. Steps 1 to 6 are described below.]
Deployment Scenario: This example shows how iPad connects to a typical IMAP, LDAP, CalDAV, and CardDAV deployment.
1. iPad requests access to network services over the designated ports.
2. Depending on the service, iPad users must authenticate either with the reverse proxy or directly with the server to obtain access to corporate data. In all cases, connections are relayed by the reverse proxy, which functions as a secure gateway, typically behind the firewall. Once authenticated, users can access their corporate data on the back-end servers.
3. iPad provides lookup services on LDAP directories, giving users the ability to search for contacts and other address book information on the LDAP server.
4. For CalDAV calendars, users can access and update calendars on iPad.
5. CardDAV contacts are stored on the server and can also be accessed locally on iPad. Changes to fields in CardDAV contacts are synced back to the CardDAV server.
6. For IMAP mail services, existing and new messages can be read on iPad through the proxy connection with the mail server. Outgoing mail on iPad is sent to the SMTP server, with copies placed in the user's Sent folder.
iPad in Business: Virtual Private Networks (VPN)
Secure access to private corporate networks is available on iPad using established industry-standard VPN protocols. Users can easily connect to enterprise systems via the built-in VPN client or through third-party applications from Juniper and Cisco.
Out of the box, iPad supports Cisco IPSec, L2TP over IPSec, and PPTP. If your organization supports one of these protocols, no additional network configuration or third-party applications are required to connect iPad to your VPN.
Additionally, iPad supports SSL VPN, enabling access to Juniper SA Series and Cisco ASA SSL VPN servers. Users simply download a VPN client application developed by Juniper or Cisco from the App Store to get started. Like other VPN protocols supported on iPad, SSL VPN can be configured manually on iPad or via Configuration Profile.
iPad supports industry-standard technologies such as IPv6, proxy servers, and split-tunneling, providing a rich VPN experience when connecting to corporate networks. And iPad works with a variety of authentication methods including password, two-factor token, and digital certificates. To streamline the connection in environments where certificate-based authentication is used, iPad features VPN On Demand, which dynamically initiates a VPN session when connecting to specified domains.
Supported Protocols and Authentication Methods
SSL VPN: Supports user authentication by password, two-factor token, and certificates.
Cisco IPSec: Supports user authentication by password, two-factor token, and machine authentication by shared secret and certificates.
L2TP over IPSec: Supports user authentication by MS-CHAPv2 password, two-factor token, and machine authentication by shared secret.
PPTP: Supports user authentication by MS-CHAPv2 password and two-factor token.
VPN On Demand
For configurations using certificate-based authentication, iPad supports VPN On Demand. VPN On Demand will establish a connection automatically when accessing predefined domains, providing a seamless VPN connectivity experience for iPad users.
This is a feature of iOS that does not require additional server configuration. The configuration of VPN On Demand takes place via a Configuration Profile or can be configured manually on the device.
The VPN On Demand options are:
Always: Initiates a VPN connection for any address that matches the specified domain.
Never: Does not initiate a VPN connection for addresses that match the specified domain, but if VPN is already active, it may be used.
Establish if needed: Initiates a VPN connection for addresses that match the specified domain only after a DNS lookup has failed.
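The three rules above, written out as decision logic. This is an added example rather than Apple's implementation: the rule table and hostnames are constructed for illustration, the assumption that the profile's domain list is matched by suffix in listed order is mine, and the "Establish if needed" branch takes the DNS result as an argument because the device, not this code, performs the lookup.

```python
"""VPN On Demand decision logic: which rule a host matches and whether a
VPN connection is started.

Added example, not Apple's implementation.  Rule table and hostnames are
constructed; suffix matching in listed order is an assumption about how the
profile's domain list is applied.
"""
from enum import Enum


class Action(Enum):
    ALWAYS = "Always"                  # start VPN for any matching address
    NEVER = "Never"                    # never start; use VPN only if already up
    IF_NEEDED = "Establish if needed"  # start only after a DNS lookup failed


def _matches(host, domain):
    """Suffix match: 'corp.example' matches itself and 'mail.corp.example',
    but not 'notcorp.example'."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match_rule(host, rules):
    """First (action, domain) rule whose domain matches; None if none do."""
    for action, domain in rules:
        if _matches(host, domain):
            return action, domain
    return None


def should_connect(host, rules, vpn_active=False, dns_resolves=True):
    """Decide whether to bring the VPN up before connecting to host.

    Returns (start_vpn, reason).  A matched Never rule never starts the
    tunnel; an Always rule starts it unless it is already active; Establish
    if needed starts it only when the name did not resolve without VPN.
    """
    matched = match_rule(host, rules)
    if matched is None:
        return False, "no rule matches"
    action, domain = matched
    if vpn_active:
        return False, f"{action.value} rule for {domain}: VPN already active"
    if action is Action.ALWAYS:
        return True, f"Always rule for {domain}"
    if action is Action.NEVER:
        return False, f"Never rule for {domain}"
    if dns_resolves:
        return False, f"Establish if needed rule for {domain}: name resolved without VPN"
    return True, f"Establish if needed rule for {domain}: DNS lookup failed"


# Constructed rule table, in the order a profile would list it.  The more
# specific Never rule is listed before the broader Always rule on purpose.
RULES = [
    (Action.NEVER, "public.example.com"),
    (Action.ALWAYS, "example.com"),
    (Action.IF_NEEDED, "corp.internal"),
]

if __name__ == "__main__":
    for host, dns in [("intranet.example.com", True),
                      ("www.public.example.com", True),
                      ("wiki.corp.internal", False),
                      ("www.vendor.net", True)]:
        print(host, should_connect(host, RULES, dns_resolves=dns))
```

Order matters: because rules are checked in sequence, a public sub-domain that must stay off the tunnel has to be listed before the broader corporate domain, as `RULES` does.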
VPN Setup
• iPad integrates with many existing VPN networks, with minimal configuration necessary. The best way to prepare for deployment is to check whether iPad supports your company's existing VPN protocols and authentication methods.
• It's recommended that you review the authentication path to your authentication server to make sure standards supported by iPad are enabled within your implementation.
• If you plan to use certificate-based authentication, ensure you have your public key infrastructure configured to support device- and user-based certificates with the corresponding key distribution process.
• If you want to configure URL-specific proxy settings, place a PAC file on a web server that is accessible with the basic VPN settings and ensure that it is hosted with the application/x-ns-proxy-autoconfig MIME type.
Proxy Setup
For all configurations you can also specify a VPN proxy. To configure a single proxy for all connections, use the Manual setting and provide the address, port, and authentication if necessary. To provide the device with an auto-proxy configuration file using PAC or WPAD, use the Auto setting. For PAC, specify the URL of the PAC file. For WPAD, iPad will query DHCP and DNS for the appropriate settings.
[Diagram: VPN deployment. iPad on the public Internet presents a certificate, token, or password to the VPN Server/Concentrator at the firewall; the concentrator consults the VPN Authentication Server (token generation or certificate distribution) and the Directory Service on the private network; a Proxy Server handles access to resources outside the firewall. Steps 1 to 5 are described below.]
Deployment Scenario: The example depicts a typical deployment with a VPN server/concentrator as well as an authentication server controlling access to enterprise network services.
1. iPad requests access to network services.
2. The VPN server/concentrator receives the request and then passes it to the authentication server.
3. In a two-factor token environment, the authentication server would then manage a time-synchronized token key generation with the key server. If a certificate authentication method is deployed, an identity certificate needs to be distributed to iPad prior to authentication. If a password method is deployed, the authentication process proceeds with user validation.
4. Once a user is authenticated, the authentication server validates user and group policies. After user and group policies are validated, the VPN server provides tunneled and encrypted access to network services.
5. If a proxy server is in use, iPad connects through the proxy server for access to information outside the firewall.
For more information regarding VPN on iPad, visit www.apple.com/ipad/business/integration
iPad in Business: Wi-Fi
Wireless security protocols
• WEP
• WPA Personal
• WPA Enterprise
• WPA2 Personal
• WPA2 Enterprise
802.1X authentication methods
• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-SIM
• PEAPv0 (EAP-MS-CHAPv2)
• PEAPv1 (EAP-GTC)
• LEAP
Out of the box, iPad can securely connect to corporate or guest Wi-Fi networks, making it quick and simple to join available wireless networks whether you're on campus or on the road.
iPad supports industry-standard wireless network protocols, including WPA2 Enterprise, ensuring corporate wireless networks can be configured quickly and accessed securely. WPA2 Enterprise protects the wireless link with 128-bit AES, a proven block cipher, and is the option to deploy where the data on the air must remain confidential. WEP and LEAP remain in the list above for compatibility with older equipment only; both have well-known weaknesses and should not be relied on for confidentiality.
With support for 802.1X, iPad can be integrated into a broad range of RADIUS authentication environments. 802.1X wireless authentication methods supported on iPad include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.
Users can set iPad to join available Wi-Fi networks automatically. Wi-Fi networks that require login credentials or other information can be quickly accessed without opening a separate browser session, from Wi-Fi settings or within applications such as Mail. And low-power, persistent Wi-Fi connectivity allows iPad applications to use Wi-Fi networks to deliver push notifications.
For quick setup and deployment, wireless network, security, and authentication settings can be configured using Configuration Profiles.
WPA2 Enterprise Setup
• Verify network appliances for compatibility and select an authentication type (EAP type) supported by iPad.
• Check that 802.1X is enabled on the authentication server and, if necessary, install a server certificate and assign network access permissions to users and groups. Distribute the certificate's issuing CA to iPad as well (for example in the Wi-Fi Configuration Profile) so the device can validate the RADIUS server before sending credentials, rather than leaving the user to accept an unknown certificate.
• Configure wireless access points for 802.1X authentication and enter the corresponding RADIUS server information.
• If you plan to use certificate-based authentication, configure your public key infrastructure to support device- and user-based certificates with the corresponding key distribution process.
• Verify certificate format and authentication server compatibility. iPad supports X.509 certificates (.cer, .crt, .der) and PKCS#12 identities.
• For additional documentation regarding wireless networking standards and Wi-Fi Protected Access (WPA), visit www.wi-fi.org.
[Diagram: WPA2 Enterprise/802.1X deployment. iPad authenticates (certificate or password, based on EAP type) to a Wireless Access Point with 802.1X support, which passes the request to an Authentication Server with 802.1X support (RADIUS); the RADIUS server validates the account against the Directory Service, and the access point then grants access to Network Services behind the firewall. Steps 1 to 4 are described below.]
WPA2 Enterprise/802.1X Deployment Scenario: This example depicts a typical secure wireless deployment that takes advantage of RADIUS-based authentication.
1. iPad requests access to the network. iPad initiates the connection in response to a user selecting an available wireless network, or automatically initiates a connection after detecting a previously configured network.
2. After the request is received by the access point, the request is passed to the RADIUS server for authentication.
3. The RADIUS server validates the user account utilizing the directory service.
4. Once the user is authenticated, the access point provides network access with policies and permissions as instructed by the RADIUS server.
iPad in Business: Digital Certificates
iPad supports digital certificates, giving business users secure, streamlined access to corporate services. A digital certificate is composed of a public key, information about the user, and the certificate authority that issued the certificate. Digital certificates are a form of identification that enables streamlined authentication, data integrity, and encryption.
On iPad, certificates can be used in a variety of ways. Signing data with a digital certificate lets the recipient detect whether the information was altered after it was signed. Certificates can also be used to establish the identity of the author or "signer." Additionally, they can be used to encrypt Configuration Profiles and network communications to further protect confidential or private information.
Using Certificates on iPad
Digital certificates
Digital certificates can be used to securely authenticate users to corporate services without the need for usernames, passwords, or soft tokens. On iPad, certificate-based authentication is supported for access to Microsoft Exchange ActiveSync, VPN, and Wi-Fi networks.
[Diagram: iPad sends an authentication request to Enterprise Services (Intranet, Email, VPN, Wi-Fi), which validate the certificate against the Certificate Authority and the Directory Service.]
Server certificates
Digital certificates can also be used to validate and encrypt network communications. This provides secure communication to both internal and external websites. The Safari browser can check the validity of an X.509 digital certificate and set up a secure session with up to 256-bit AES encryption. This verifies that the site's identity is legitimate and that communication with the website is protected to help prevent interception of personal or confidential data.
[Diagram: iPad sends an HTTPS request to Network Services, whose server certificate is validated against the Certificate Authority.]
Supported certificate and identity formats:
• iPad supports X.509 certificates with RSA keys.
• The file extensions .cer, .crt, .der, .p12, and .pfx are recognized.
Root certificates
Out of the box, iPad includes a number of preinstalled root certificates. To view a list of the preinstalled system roots, see the Apple Support article at http://support.apple.com/kb/HT3580. If you are using a root certificate that is not preinstalled, such as a self-signed root certificate created by your company, you can distribute it to iPad using one of the methods listed in the "Distributing and Installing Certificates" section of this document.
Distributing and Installing Certificates
Distributing certificates to iPad is simple. When a certificate is received, users simply tap to review the contents, then tap to add the certificate to their device. When an identity certificate is installed, users are prompted for the passphrase that protects it. If a certificate's authenticity cannot be verified, users will be presented with a warning before it is added to their device. Distribute your issuing CA's root certificate first, so that identity and server certificates verify cleanly and users are not trained to tap through that warning.
Installing certificates via Configuration Profiles
If Configuration Profiles are being used to distribute settings for corporate services such as Exchange, VPN, or Wi-Fi, certificates can be added to the profile to streamline deployment.
Installing certificates via Mail or Safari
If a certificate is sent in an email, it will appear as an attachment. Safari can also be used to download certificates from a web page. You can host a certificate on a secured website and provide users with the URL where they can download the certificate onto their devices.
Installation via the Simple Certificate Enrollment Protocol (SCEP)
SCEP is designed to provide a simplified process to handle certificate distribution for large-scale deployments. This enables Over-the-Air Enrollment of digital certificates on iPad that can then be used for authentication to corporate services, as well as enrollment with a mobile device management server.
For more information on SCEP and Over-the-Air Enrollment, visit www.apple.com/ipad/business/resources.
Certificate removal and revocation
To manually remove a certificate that has been installed, choose Settings > General > Profiles. If you remove a certificate that is required for accessing an account or network, the device will no longer be able to connect to those services.
To remove certificates over-the-air, a mobile device management server can be used. This server can view all certificates on a device and remove those it has installed.
Additionally, the Online Certificate Status Protocol (OCSP) is supported to check the status of certificates. When an OCSP-enabled certificate is used, iPad validates it to make sure that it has not been revoked before completing the requested task.
iPad in Business: Security Overview
iPad can securely access corporate services and protect data on the device. iPad provides strong encryption for data in transmission, proven authentication methods for access to corporate services, and hardware encryption for all data stored on the device. iPad also provides secure protection through the use of passcode policies that can be delivered and enforced over-the-air. And if the device falls into the wrong hands, users and IT administrators can initiate a remote wipe command to erase private information.
When considering the security of iPad for enterprise use, it's helpful to understand the following:
• Device Security: Methods that prevent unauthorized use of the device
• Data Security: Protecting data at rest, even when a device is lost or stolen
• Network Security: Networking protocols and the encryption of data in transmission
• Application Security: The secure platform foundation of iOS
These capabilities work in concert to provide a secure mobile computing platform.
Device Security
Establishing strong policies for access to iPad is critical to protecting corporate information. Device passcodes are the front line of defense against unauthorized access and can be configured and enforced over-the-air. iPad uses the unique passcode established by each user to generate a strong encryption key to further protect mail and sensitive application data on the device. Additionally, iPad provides secure methods to configure the device in an enterprise environment where specific settings, policies, and restrictions must be in place. These methods provide flexible options for establishing a standard level of protection for authorized users.
Passcode Policies
A device passcode prevents unauthorized users from accessing data stored on iPad or otherwise gaining access to the device. iOS 4 allows you to select from an extensive set of passcode requirements to meet your security needs, including timeout periods, passcode strength, and how often the passcode must be changed.
The following passcode policies are supported:
• Require passcode on device
• Allow simple value
• Require alphanumeric value
• Minimum passcode length
• Minimum number of complex characters
• Maximum passcode age
• Auto-lock
• Passcode history
• Grace period for device lock
• Maximum number of failed attempts
Device protection
• Strong passcodes
• Passcode expiration
• Passcode reuse history
• Maximum failed attempts
• Over-the-air passcode enforcement
• Progressive passcode timeout
Data security
• Hardware encryption
• Data protection
• Remote wipe
• Local wipe
• Encrypted Configuration Profiles
• Encrypted iTunes backups
Network security
• Built-in Cisco IPSec, L2TP, PPTP VPN
• SSL VPN via App Store apps
• SSL/TLS with X.509 certificates
• WPA/WPA2 Enterprise with 802.1X
• Certificate-based authentication
• RSA SecurID, CRYPTOCard
Platform security
• Runtime protection
• Mandatory code signing
• Keychain services
• Common Crypto APIs
• Application data protection
Policy Enforcement
The policies described above can be set on iPad in a number of ways. Policies can be distributed as part of a Configuration Profile for users to install. A profile can be defined so that deleting the profile is only possible with an administrative password, or you can define the profile so that it is locked to the device and cannot be removed without completely erasing all of the device contents. Additionally, passcode settings can be configured remotely using Mobile Device Management solutions that can push policies directly to the device. This enables policies to be enforced and updated without any action by the user.
Alternatively, if the device is configured to access a Microsoft Exchange account, Exchange ActiveSync policies are pushed to the device over-the-air. Keep in mind that the available set of policies will vary depending on the version of Exchange (2003, 2007, or 2010). Refer to the Enterprise Deployment Guide for a breakdown of which policies are supported for your specific configuration.
Secure Device Configuration
Configuration Profiles are XML files that contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPad to work with your enterprise systems. The ability to establish passcode policies along with device settings in a Configuration Profile ensures that devices within your enterprise are configured correctly and according to security standards set by your organization. And because Configuration Profiles can be encrypted and locked, the settings cannot be removed, altered, or shared with others.
Configuration Profiles can be both signed and encrypted. Signing a Configuration Profile lets the device verify who issued it and detect any alteration of the settings it enforces. Encrypting a Configuration Profile protects the profile's contents and permits installation only on the device for which it was created. Configuration Profiles are encrypted using CMS (Cryptographic Message Syntax, RFC 3852), supporting 3DES and AES-128.
The first time you distribute an encrypted Configuration Profile, you install it via USB sync using the Configuration Utility or wirelessly via Over-the-Air Enrollment. In addition to these methods, subsequent encrypted Configuration Profiles can be delivered via email attachment, hosted on a website accessible to your users, or pushed to the device using Mobile Device Management solutions.
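An added example of what a passcode policy looks like inside a Configuration Profile and of the check a device applies to a candidate passcode; it covers the policy names in the "Passcode Policies" list above and, by the same keys, the Exchange ActiveSync password policies listed earlier. This is illustration code, not Apple's. The payload keys follow the `com.apple.mobiledevice.passwordpolicy` payload as documented in Apple's Configuration Profile Reference; the `com.example.*` identifiers are placeholders; and the definition of a "simple" passcode (repeated or sequential characters) and the SHA-256 history store are assumptions, since iOS does not expose how it stores previous passcodes. Signing and CMS encryption of the resulting .mobileconfig are left to your signing tool.

```python
"""Passcode policy as a Configuration Profile payload, plus the check a
device applies to a candidate passcode.

Added example, not Apple code.  Payload keys follow the
com.apple.mobiledevice.passwordpolicy payload from Apple's Configuration
Profile Reference.  The "simple passcode" test and the digest-based history
store are assumptions made for illustration.
"""
import hashlib
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def passcode_policy_payload(min_length=6, require_alphanumeric=True,
                            allow_simple=False, min_complex_chars=1,
                            max_failed_attempts=10, max_inactivity=5,
                            max_age_days=90, history=4):
    """One passcode-policy payload dictionary (a PayloadContent entry)."""
    return {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
        "forcePIN": True,                       # Require passcode on device
        "minLength": min_length,                # Minimum passcode length
        "requireAlphanumeric": require_alphanumeric,
        "allowSimple": allow_simple,            # Allow simple value
        "minComplexChars": min_complex_chars,   # Minimum number of complex characters
        "maxFailedAttempts": max_failed_attempts,
        "maxInactivity": max_inactivity,        # Auto-lock, minutes
        "maxPINAgeInDays": max_age_days,        # Maximum passcode age
        "pinHistory": history,                  # Passcode history
    }


def build_profile(payloads, display_name="Corporate Policy",
                  removal_disallowed=True):
    """Wrap payloads in a top-level profile; returns the .mobileconfig bytes.

    PayloadRemovalDisallowed=True is the 'locked to the device' option: the
    profile can then only be removed by erasing the device.
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",    # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def passcode_digest(passcode):
    """Digest stored in the constructed history list (assumption, not iOS's store)."""
    return hashlib.sha256(passcode.encode()).hexdigest()


def _is_simple(passcode):
    """Assumed 'simple' test: one repeated character (1111) or a strictly
    ascending/descending run (1234, dcba)."""
    if len(set(passcode)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({1}, {-1})


def check_passcode(passcode, policy, history_hashes=()):
    """Return the policy keys the candidate passcode violates (empty = accepted)."""
    if policy.get("forcePIN") and not passcode:
        return ["forcePIN"]
    violations = []
    if len(passcode) < policy.get("minLength", 0):
        violations.append("minLength")
    has_letter = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    if policy.get("requireAlphanumeric") and not (has_letter and has_digit):
        violations.append("requireAlphanumeric")
    if sum(1 for c in passcode if not c.isalnum()) < policy.get("minComplexChars", 0):
        violations.append("minComplexChars")
    if not policy.get("allowSimple", True) and _is_simple(passcode):
        violations.append("allowSimple")
    recent = list(history_hashes)[:policy.get("pinHistory", 0)]
    if passcode_digest(passcode) in recent:
        violations.append("pinHistory")
    return violations


if __name__ == "__main__":
    policy = passcode_policy_payload()
    print(build_profile([policy]).decode())
    for candidate in ("1234", "abcdef", "Tr0ub4dor!"):   # constructed candidates
        print(candidate, check_passcode(candidate, policy))
```

The defaults here (six or more characters, letters and digits, one non-alphanumeric character, no simple values) implement the document's advice that data protection needs a passcode stronger than four digits; a four-digit policy would leave every check but `forcePIN` and `maxFailedAttempts` doing nothing.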
Device Restrictions
Device restrictions determine which iPad features your users can access on the device. Typically, these involve network-enabled applications such as Safari, YouTube, or the iTunes Store, but restrictions can also control device functionality such as application installation. Device restrictions let you configure the device to meet your requirements, while permitting users to utilize the device in ways that are consistent with your business practices. Restrictions can be manually configured on each device, enforced using a Configuration Profile, or established remotely with Mobile Device Management solutions. Additionally, web-browsing restrictions can be enforced over-the-air via Microsoft Exchange Server 2007 and 2010.
In addition to setting restrictions and policies on the device, the iTunes desktop application can be configured and controlled by IT. This includes disabling access to explicit content, defining which network services users can access within iTunes, and determining whether new software updates are available for users to install.
Available restrictions
• Access to iTunes Store
• Access to explicit media and content ratings in iTunes Store
• Use of Safari and security preferences
• Use of YouTube
• Use of App Store and in-app purchase
• Installing apps
• Ability to screen capture
• Automatic sync while roaming
• Use of voice dialing
• Enforce encrypted iTunes backups
Data Security
Protecting data stored on iPad is important for any environment with a high level of sensitive corporate or customer information. In addition to encrypting data in transmission, iPad provides hardware encryption for all data stored on the device, and additional encryption of email and application data with enhanced data protection.
If a device is lost or stolen, it's important to deactivate and erase the device. It's also a good idea to have a policy in place that will wipe the device after a defined number of failed passcode attempts, a key deterrent against attempts to gain unauthorized access to the device.
Encryption
iPad offers hardware-based encryption. iPad hardware encryption uses AES-256 to protect all data on the device. Encryption is always enabled, and cannot be disabled by users. On its own, hardware encryption mainly makes remote and local wipe effectively instantaneous, because discarding the key renders the stored data unreadable; protection of data while the device is locked comes from Data Protection, described below.
Additionally, data backed up in iTunes to a user's computer can be encrypted. This can be enabled by the user, or enforced by using device restriction settings in Configuration Profiles.
Data Protection
Building on the hardware encryption capabilities of iPad, email messages and attachments stored on the device can be further secured by using data protection features built into iOS 4. Data protection leverages each user's unique device passcode in concert with the hardware encryption on iPad to generate a strong encryption key. This key prevents data from being accessed when the device is locked, ensuring that critical information is secured even if the device is compromised.
Enabling data protection requires that existing devices be fully restored from backup when upgrading to iOS 4. New devices that ship with iOS 4 will already have this capability. To turn on the data protection feature, simply establish a passcode on the device. The effectiveness of data protection is dependent on a strong passcode, so it is important to require and enforce a passcode stronger than four digits when establishing your corporate passcode policies. Users can verify that data protection is enabled on their device by looking at the passcode settings screen. Mobile Device Management solutions are able to query the device for this information as well.
These data protection APIs are also available to developers, and can be used to secure enterprise in-house or commercial application data.
Remote Wipe
iPad supports remote wipe. If a device is lost or stolen, the administrator or device owner can issue a remote wipe command that removes all data and deactivates the device. If the device is configured with an Exchange account, the administrator can initiate a remote wipe command using the Exchange Management Console (Exchange Server 2007 and 2010) or the Exchange ActiveSync Mobile Administration Web Tool (Exchange Server 2003, 2007, or 2010). Users of Exchange Server 2007 and 2010 can also initiate remote wipe commands directly using Outlook Web Access. Remote wipe commands can also be initiated by Mobile Device Management solutions even if Exchange corporate services are not in use.
Progressive passcode timeout
iPad can be configured to automatically initiate a wipe after several failed passcode attempts. If a user repeatedly enters the wrong passcode, iPad will be disabled for increasingly longer intervals. After too many unsuccessful attempts, all data and settings on the device will be erased.
16
VPN protocols• CiscoIPSec• L2TP/IPSec• PPTP• SSLVPN
Authentication methods• Password(MSCHAPv2)• RSASecurID• CRYPTOCard• x.509DigitalCertificates• Sharedsecret
802.1X authentication protocols• EAP-TLS• EAP-TTLS• EAP-FAST• EAP-SIM• PEAPv0,v1• LEAP
Supported certificate formatsiPadsupportsX.509certificateswith RSAkeys.Thefileextensions.cer,.crt, and.derarerecognized.
Local WipeDevicescanalsobeconfiguredtoautomaticallyinitiatealocalwipeafterseveralfailedpasscodeattempts.Thisprotectsagainstbruteforceattemptstogainaccesstothedevice.Whenapasscodeisestablished,usershavetheabilitytoenablelocalwipedirectlywithinthesettingsoniPad.Bydefault,iPadwillautomaticallywipethedeviceafter10failedpasscodeattempts.Aswithotherpasscodepolicies,themaximumnumberoffailedattemptscanbeestablishedviaaConfigurationProfile,setbyaMobileDeviceManagementserver,orenforcedover-the-airviaMicrosoftExchangeActiveSyncpolicies.
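The progressive timeout and local wipe described above form a small state machine, and it is worth seeing how the two interact: attempts made while the device is disabled are refused without being evaluated, a correct entry resets the counter, and the wipe fires once the configured maximum is reached. The following is an added example, not Apple's implementation. The default of 10 attempts is the page's; the specific delay schedule (no delay for the first four failures, then 60 s, 5 min, 15 min, 1 h, 1 h) is this example's own assumption, since the page only says the intervals grow.

```python
"""Model of progressive passcode timeout and local wipe (added example)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed escalating schedule: seconds the device stays disabled after the
# Nth consecutive failure. Failures below the first threshold carry no delay.
ASSUMED_DELAYS: Dict[int, int] = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}
DEFAULT_MAX_FAILED_ATTEMPTS = 10  # iPad default stated on the page


@dataclass
class PasscodeGuard:
    passcode: str
    max_failed_attempts: int = DEFAULT_MAX_FAILED_ATTEMPTS
    failed_attempts: int = 0
    disabled_until: float = 0.0
    wiped: bool = False
    log: List[str] = field(default_factory=list)

    def attempt(self, entered: str, now: float) -> str:
        """Process one unlock attempt at time `now` (seconds).

        Returns one of "ok", "wrong", "disabled", "wiped".
        """
        if self.wiped:
            return "wiped"
        if now < self.disabled_until:
            # While disabled the entry is refused outright: it is not counted
            # as a failure and reveals nothing about whether it was correct.
            self.log.append(f"t={now:.0f} refused, disabled until t={self.disabled_until:.0f}")
            return "disabled"
        if hmac.compare_digest(entered.encode("utf-8"), self.passcode.encode("utf-8")):
            self.failed_attempts = 0  # a successful unlock resets the counter
            self.log.append(f"t={now:.0f} unlocked")
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_failed_attempts:
            # Local wipe: all data and settings are erased; the device is unusable.
            self.wiped = True
            self.log.append(f"t={now:.0f} wiped after {self.failed_attempts} failures")
            return "wiped"
        delay = ASSUMED_DELAYS.get(self.failed_attempts, 0)
        if delay:
            self.disabled_until = now + delay
        self.log.append(f"t={now:.0f} failure {self.failed_attempts}, disabled for {delay}s")
        return "wrong"

    def seconds_until_enabled(self, now: float) -> float:
        return max(0.0, self.disabled_until - now)


def simulate_repeated_failures(max_failed: int = DEFAULT_MAX_FAILED_ATTEMPTS) -> PasscodeGuard:
    """Drive a guard with wrong entries as early as the policy allows each time.

    Shows the timeline the policy produces: the escalating delays stretch
    the window before the wipe fires, and the log records every decision.
    """
    guard = PasscodeGuard("correct-passcode", max_failed_attempts=max_failed)
    now = 0.0
    while not guard.wiped:
        result = guard.attempt("wrong-passcode", now)
        now = guard.disabled_until if result == "disabled" else now + 1.0
    return guard


if __name__ == "__main__":
    for line in simulate_repeated_failures().log:
        print(line)
```

The same counter and maximum are what a Configuration Profile's "number of failed attempts before wipe" policy or an Exchange ActiveSync policy sets; the model makes visible that lowering the maximum shortens the timeline while the escalating delays do most of the work against guessing.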
Network Security
Mobile users must be able to access corporate information networks from anywhere in the world, yet it's also important to ensure that users are authorized and that their data is protected during transmission. iPad provides proven technologies to accomplish these security objectives for both Wi-Fi and cellular data network connections.

VPN
Many enterprise environments have some form of virtual private networking established. These secure network services are already deployed and typically require minimal setup and configuration to work with iPad.

Out of the box, iPad integrates with a broad range of commonly used VPN technologies through support for Cisco IPSec, L2TP, and PPTP. Additionally, iPad supports SSL VPN through applications from Juniper and Cisco. Support for these protocols ensures the highest level of IP-based encryption for transmission of sensitive information.

In addition to enabling secure access to existing VPN environments, iPad offers proven methods for user authentication. Authentication via standard x.509 digital certificates provides users with streamlined access to company resources and a viable alternative to using hardware-based tokens. Additionally, certificate authentication enables iPad to take advantage of VPN On Demand, making the VPN authentication process transparent while still providing strong, credentialed access to network services. For enterprise environments in which a two-factor token is a requirement, iPad integrates with RSA SecurID and CRYPTOCard.

iPad supports network proxy configuration as well as split IP tunneling so that traffic to public or private network domains is relayed according to your specific company policies.

SSL/TLS
iPad supports SSLv3 as well as Transport Layer Security (TLS v1.0), the next-generation security standard for the Internet. Safari, Calendar, Mail, and other Internet applications automatically start these mechanisms to enable an encrypted communication channel between iPad and corporate services.

WPA/WPA2
iPad supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection. And with support for 802.1X, iPad can be integrated into a broad range of RADIUS authentication environments.
Application Security
iOS is designed with security at its core. It includes a "sandboxed" approach to application runtime protection and requires application signing to ensure that applications cannot be tampered with. iOS also has a secure framework that facilitates secure storage of application and network service credentials in an encrypted keychain. For developers, it offers a common crypto architecture that can be used to encrypt application data stores.

Runtime Protection
Applications on the device are "sandboxed" so they cannot access data stored by other applications. In addition, system files, resources, and the kernel are shielded from the user's application space. If an application needs to access data from another application, it can only do so using the APIs and services provided by iOS. Code generation is also prevented.

Mandatory Code Signing
All iPad applications must be signed. The applications provided with the device are signed by Apple. Third-party applications are signed by the developer using an Apple-issued certificate. This ensures that applications haven't been tampered with or altered. Additionally, runtime checks are made to ensure that an application hasn't become untrusted since it was last used.

The use of custom or in-house applications can be controlled with a provisioning profile. Users must have the provisioning profile installed to execute the application. Provisioning profiles can be installed or revoked over-the-air using Mobile Device Management solutions. Administrators can also restrict the use of an application to specific devices.

Secure Authentication Framework
iPad provides a secure, encrypted keychain for storing digital identities, usernames, and passwords. Keychain data is partitioned so that credentials stored by third-party applications cannot be accessed by applications with a different identity. This provides the mechanism for securing authentication credentials on iPad across a range of applications and services within the enterprise.

Common Crypto Architecture
Application developers have access to encryption APIs that they can use to further protect their application data. Data can be symmetrically encrypted using proven methods such as AES, RC4, or 3DES. In addition, iPad provides hardware acceleration for AES encryption and SHA1 hashing, maximizing application performance.

Application Data Protection
Applications can also take advantage of the built-in hardware encryption on iPad to further protect sensitive application data. Developers can designate specific files for data protection, instructing the system to make the contents of the file cryptographically inaccessible to both the application and to any potential intruders when the device is locked.
© 2010 Apple Inc. All rights reserved. Apple, the Apple logo, iPad, iTunes, and Safari are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. iTunes Store is a service mark of Apple Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. November 2010 L422500A
Revolutionary Device, Secure Throughout
iPad provides encrypted protection of data in transit, at rest, and when backed up to iTunes. Whether a user is accessing corporate email, visiting a private website, or authenticating to the corporate network, iPad provides assurance that only authorized users can access sensitive corporate information. And, with its support for enterprise-grade networking and comprehensive methods to prevent data loss, you can deploy iPad with confidence that you are implementing proven mobile device security and data protection.

For additional information and deployment resources for iPad visit: www.apple.com/ipad/business/integration/
iPad in Business Mobile Device Management
iPad supports Mobile Device Management, giving businesses the ability to manage scaled deployments of iPad across their organizations. These Mobile Device Management capabilities are built upon existing iOS technologies like Configuration Profiles, Over-the-Air Enrollment, and the Apple Push Notification service and can be integrated with third-party server solutions. This gives IT departments the ability to securely enroll iPad in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed iPad devices.

Managing iPad
Management of iPad takes place via a connection to a mobile device management server. As noted, this server can be purchased from a third-party solution provider. When a mobile device management server wants to communicate with iPad, a silent notification is sent to the device prompting it to check in with the server. The device communicates with the server to see if there are tasks pending and responds with the appropriate actions. These tasks can include updating policies, providing requested device or network information, or removing settings and data.

Management functions are completed behind the scenes with no user interaction required. For example, if an IT department updates its VPN infrastructure, the mobile device management server can configure iPad with new account information over-the-air. The next time VPN is used by the employee, the appropriate configuration is already in place, so the employee doesn't need to call the help desk or manually modify settings.

To illustrate the capabilities of Mobile Device Management, this document is organized into four categories of deployment: Enroll, Configure, Query, and Manage.
[Figure: Third-Party MDM Server behind the corporate Firewall, Apple Push Notification Service, and iPad]
Enroll
The first step in managing iPad is to enroll a device with a mobile device management server. This creates a relationship between the device and the server, allowing the device to be managed on demand without further user interaction. This can be done wirelessly or by connecting iPad to a computer via USB.

As a scalable way to securely enroll devices in an enterprise environment, iPad supports a process called Over-the-Air Enrollment.

Using Over-the-Air Enrollment, your enterprise can provide a secure web portal through which users can enroll their devices for management. The server can then configure managed devices with the appropriate restrictions and account access.

Process Overview
The process of Over-the-Air Enrollment involves three phases that, when combined in an automated workflow, provide a secure way to provision devices within the enterprise. These phases include:

1. User authentication
User authentication ensures that incoming enrollment requests are from authorized users and that the user's device information is captured prior to proceeding with certificate enrollment. Administrators can prompt the user to begin the process of enrollment by providing a URL via email or SMS notification.

2. Certificate enrollment
After the user is authenticated, iPad generates a certificate enrollment request using the Simple Certificate Enrollment Protocol (SCEP). This enrollment request communicates directly to the enterprise Certificate Authority (CA), and enables iPad to receive the identity certificate from the CA in response.

3. Device configuration
Once an identity certificate is installed, iPad can receive encrypted configuration information over-the-air. This information can only be installed on the device it is intended for and contains settings for iPad to connect to the mobile device management server.

At the end of the enrollment process, the user will be presented with an installation screen that describes what access rights the mobile device management server will have on the device. By agreeing to the profile installation, the user's device is automatically enrolled without further interaction.

iPad and SCEP
iPad supports the Simple Certificate Enrollment Protocol (SCEP). SCEP is an Internet draft in the IETF, and is designed to provide a simplified way of handling certificate distribution for large-scale deployments. This enables over-the-air enrollment of identity certificates to iPad that can be used for authentication to corporate services.
Configure
Once a device is enrolled as a managed device, it can be dynamically configured with settings and policies by the mobile device management server. The server sends configurations, known as Configuration Profiles, to the device that are installed automatically.

Configuration Profiles are XML files that contain configuration information and settings that permit iPad to work with your enterprise systems, including account information, passcode policies, restrictions, and other device settings.

When combined with the previously discussed process of enrollment, device configuration provides IT with assurance that only trusted users are accessing corporate services, and that their devices are properly configured with established policies.

And because Configuration Profiles can be signed, encrypted, and locked, the settings cannot be altered or shared with others.
Supported configurable settings

Accounts
• Exchange ActiveSync
• IMAP/POP email
• VPN
• Wi-Fi
• LDAP
• CalDAV
• CardDAV
• Subscribed calendars

Policies
• Require passcode
• Allow simple value
• Require alphanumeric value
• Passcode length
• Number of complex characters
• Maximum passcode age
• Time before auto-lock
• Number of unique passcodes before reuse
• Grace period for device lock
• Number of failed attempts before wipe
• Control Configuration Profile removal by user

Restrictions
• App installation
• Screen capture
• Automatic sync of mail accounts while roaming
• Voice dialing when locked
• In-application purchasing
• Require encrypted backups to iTunes
• Explicit music & podcasts in iTunes
• Allowed content ratings for movies, TV shows, apps
• YouTube
• iTunes Store
• App Store
• Safari
• Safari security preferences

Other settings
• Certificates and identities
• Web Clips
• APN settings
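Because Configuration Profiles are property-list XML, the passcode policies listed above can be generated and audited programmatically. The following is an added example, not Apple's or any MDM vendor's code. The payload key names it uses (a "Configuration" profile carrying a "com.apple.mobiledevice.passwordpolicy" payload with forcePIN, allowSimple, requireAlphanumeric, minLength, maxFailedAttempts, maxInactivity, and the PayloadRemovalDisallowed flag) come from Apple's Configuration Profile reference rather than from this page; the lint thresholds are this example's own choices, aligned with the page's guidance to require more than four digits, bound the number of failed attempts, and control profile removal by the user. The organisation identifier is a placeholder.

```python
"""Build and lint a passcode-policy Configuration Profile (added example)."""
import plistlib
import uuid
from typing import List, Optional

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def passcode_profile(org_id: str, *, min_length: int, allow_simple: bool,
                     require_alnum: bool, max_failed: Optional[int],
                     max_inactivity_min: int = 5,
                     removal_disallowed: bool = True) -> bytes:
    """Return a .mobileconfig as XML plist bytes, ready to be signed by the MDM server.

    `org_id` is a placeholder reverse-DNS identifier; pass None for
    `max_failed` to leave the wipe-after-N-failures policy unset.
    """
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                    # require a passcode at all
        "allowSimple": allow_simple,         # repeating/sequential values
        "requireAlphanumeric": require_alnum,
        "minLength": min_length,
        "maxInactivity": max_inactivity_min,  # minutes before auto-lock
    }
    if max_failed is not None:
        payload["maxFailedAttempts"] = max_failed
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate passcode policy",
        "PayloadRemovalDisallowed": removal_disallowed,  # user may not remove it
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def lint_passcode_profile(data: bytes) -> List[str]:
    """Parse a profile and report settings that undercut data protection.

    An empty list means the profile meets this example's baseline.
    """
    profile = plistlib.loads(data)
    findings: List[str] = []
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode policy payload present"]
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN is false: no passcode, so data protection is inactive")
        if p.get("allowSimple", True):
            findings.append("allowSimple permits repeating or sequential values")
        if p.get("minLength", 0) <= 4:
            findings.append("minLength <= 4: require more than four digits")
        if not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric is false")
        if "maxFailedAttempts" not in p:
            findings.append("maxFailedAttempts unset: no local wipe after failed attempts")
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("PayloadRemovalDisallowed is false: user can remove the profile")
    return findings


if __name__ == "__main__":
    weak = passcode_profile("com.example.mdm", min_length=4, allow_simple=True,
                            require_alnum=False, max_failed=None,
                            removal_disallowed=False)
    print("\n".join(lint_passcode_profile(weak)) or "ok")
    strong = passcode_profile("com.example.mdm", min_length=8, allow_simple=False,
                              require_alnum=True, max_failed=10)
    print(lint_passcode_profile(strong) or "hardened profile: no findings")
    print(strong.decode("utf-8"))
```

Running the linter over profiles exported from an MDM server before they are signed and pushed catches the common mistake of requiring a passcode without constraining its quality; the page's point is that data protection is only as strong as the passcode the policy enforces.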
Query
In addition to configuring devices, a mobile device management server has the ability to query devices for a variety of information. This information can be used to ensure that devices continue to comply with required policies.

The mobile device management server determines the frequency at which it gathers information.
Supported queries

Device information
• Unique Device Identifier (UDID)
• Device name
• iOS and build version
• Model name and number
• Serial number
• Capacity and space available
• IMEI
• Modem firmware

Network information
• ICCID
• Bluetooth® and Wi-Fi MAC addresses
• Current carrier network
• SIM carrier network
• Carrier settings version
• Phone number
• Data roaming setting (on/off)

Compliance and security information
• Configuration Profiles installed
• Certificates installed with expiry dates
• List of all restrictions enforced
• Hardware encryption capability
• Passcode present

Applications
• Applications installed (app ID, name, version, size, and app data size)
• Provisioning Profiles installed with expiry dates
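The compliance and security fields above are what a server evaluates on each check-in. The following is an added example of that evaluation, not any MDM product's code: the response dictionary is constructed to mirror the query categories on the page (hardware encryption capability, passcode present, profiles installed, restrictions enforced, certificates and provisioning profiles with expiry dates), and its field names, the sample values, and the 30-day expiry warning window are this example's assumptions rather than a real wire format.

```python
"""Evaluate an MDM device-query response against policy (added example)."""
from datetime import date
from typing import Dict, List, Set

# Constructed response, shaped after the query categories on the page.
CONSTRUCTED_RESPONSE: Dict = {
    "UDID": "EXAMPLE-UDID-0001",
    "OSVersion": "4.2",
    "HardwareEncryptionCapability": True,
    "PasscodePresent": True,
    "ProfilesInstalled": ["com.example.mdm", "com.example.mdm.passcode"],
    "RestrictionsEnforced": ["screenCapture", "encryptedBackup"],
    "Certificates": [
        {"CommonName": "ipad-0001.example", "NotAfter": "2011-06-30"},
        {"CommonName": "vpn-user", "NotAfter": "2010-12-01"},
    ],
    "ProvisioningProfiles": [{"Name": "InHouseApp", "ExpiryDate": "2010-11-20"}],
}


def evaluate(response: Dict, today: date, required_profiles: Set[str],
             required_restrictions: Set[str], warn_days: int = 30) -> Dict:
    """Return {"compliant": bool, "findings": [...], "expiring": [...]}.

    `findings` are policy violations (device is non-compliant);
    `expiring` are items that will become violations within `warn_days`.
    """
    findings: List[str] = []
    expiring: List[str] = []

    # Data protection is only in effect with hardware encryption AND a passcode.
    if not response.get("HardwareEncryptionCapability"):
        findings.append("device lacks hardware encryption; data protection unavailable")
    if not response.get("PasscodePresent"):
        findings.append("no passcode set; data protection key is not in effect")

    for missing in sorted(required_profiles - set(response.get("ProfilesInstalled", []))):
        findings.append(f"required Configuration Profile missing: {missing}")
    for missing in sorted(required_restrictions - set(response.get("RestrictionsEnforced", []))):
        findings.append(f"required restriction not enforced: {missing}")

    # Identity certificates back VPN/Wi-Fi/MDM authentication; expiry locks users out.
    for cert in response.get("Certificates", []):
        days = (date.fromisoformat(cert["NotAfter"]) - today).days
        if days < 0:
            findings.append(f"certificate expired: {cert['CommonName']}")
        elif days <= warn_days:
            expiring.append(f"certificate {cert['CommonName']} expires in {days} days")

    # An in-house app cannot run without a valid provisioning profile.
    for pp in response.get("ProvisioningProfiles", []):
        days = (date.fromisoformat(pp["ExpiryDate"]) - today).days
        if days < 0:
            findings.append(f"provisioning profile expired: {pp['Name']}")
        elif days <= warn_days:
            expiring.append(f"provisioning profile {pp['Name']} expires in {days} days")

    return {"compliant": not findings, "findings": findings, "expiring": expiring}


if __name__ == "__main__":
    report = evaluate(CONSTRUCTED_RESPONSE, date(2010, 11, 15),
                      required_profiles={"com.example.mdm.passcode"},
                      required_restrictions={"encryptedBackup"})
    print("compliant:", report["compliant"])
    for line in report["findings"] + report["expiring"]:
        print(" -", line)
```

Separating near-term expiries from hard violations matters operationally: an expiring certificate is a renewal task for the help desk, whereas a missing passcode or a removed profile is the trigger for the remote lock or wipe actions described under Manage.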
Manage
When a device is managed, it can be administered by the mobile device management server through a set of specific actions.

Supported actions

Remote wipe
A mobile device management server can remotely wipe an iPad. This will permanently delete all media and data on the iPad, restoring it to factory settings.

Remote lock
The server locks the iPad and requires the device passcode to unlock it.

Clear passcode
This action temporarily removes the device passcode for users who have forgotten it. If the device has a policy requiring a passcode, the user will be required to create a new one.

Configuration and Provisioning Profiles
To configure devices and provision in-house applications, mobile device management servers can add and remove Configuration Profiles and Application Provisioning Profiles remotely.
[Figure: Third-Party MDM Server behind the corporate Firewall, Apple Push Notification Service, and iPad; the numbered steps 1 to 5 correspond to the Process Overview below]
Process Overview
This example depicts a basic deployment of a mobile device management server.

1. A Configuration Profile containing mobile device management server information is sent to the device. The user is presented with information about what will be managed and/or queried by the server.
2. The user installs the profile to opt in to the device being managed.
3. Device enrollment takes place as the profile is installed. The server validates the device and allows access.
4. The server sends a push notification prompting the device to check in for tasks or queries.
5. The device connects directly to the server over HTTPS. The server sends commands or requests information.
For more information on Mobile Device Management, visit www.apple.com/ipad/business/integration
iPad in Business iTunes Deployment Overview
Introduction
When deploying iPad in your business, it's important to think about the role of iTunes. A few key functions require iTunes, starting with the activation of the device. After activation, iTunes isn't required to configure or use iPad with your enterprise systems. It is, however, required for installing software updates and for creating a backup if user information ever needs to be restored or transferred to a new device. iTunes can also be used to synchronize music, video, applications, and other content. These synchronization capabilities are not required for general business use.

Whether you choose to install iTunes on your business computers or encourage your employees to do these functions from a home computer, corporate data can be encrypted and protected throughout the process. If you choose to support iTunes internally, you can tailor the application to meet the needs of your environment or business conduct policies. For example, you can customize iTunes by restricting or disabling network services such as the iTunes Store or shared media libraries, or controlling access to software updates. You can also deploy iTunes using centrally managed desktop software deployment tools.

For the end user, iTunes is simple to use. Users who are familiar with the iTunes interface for managing content and media at home will find it easy to manage their corporate content on iPad.

Using iTunes

Activation
iPad must be connected to iTunes via USB to be activated for use. Because iTunes is required to complete the activation process for iPad, you'll need to decide whether you want to install iTunes on each user's Mac or PC, or whether you'll complete activation for each device with a centralized iTunes installation. Either way, the activation process is quick and easy.

Users simply connect iPad to a Mac or PC running iTunes, and within seconds, iPad is activated and ready for use.

After activating a device, iTunes offers to sync the device with the computer. To avoid this when you're activating a device for your users, turn on activation-only mode within iTunes. This disables syncing and automatic backups and prompts you to disconnect the device as soon as activation is finished.

For instructions on how to enable activation-only mode, refer to the Enterprise Deployment Guide.

iTunes controls and restrictions
When deploying iTunes on your corporate network, you can restrict the following iTunes functionality using the registry in Windows or System Preferences in Mac OS X:
• Accessing the iTunes Store
• Library sharing with local network computers also running iTunes
• Playing explicit iTunes media content
• Playing movies
• Playing TV shows
• Playing Internet radio
• Entering a streaming media URL
• Subscribing to podcasts
• Displaying Genius suggestions while browsing or playing media
• Downloading album artwork
• Using Visualizer plug-ins
• Automatically discovering Apple TV systems
• Checking for new versions of iTunes
• Checking for device software updates
• Automatically syncing when devices are connected
• Registering new devices with Apple
• Access to iTunes (iTunes U)
Syncing media
You can use iTunes to sync music, videos, photos, apps, and more. iTunes makes it easy to control exactly what to sync, and you can clearly see how much space is available for content. iPad can sync each type of data to only one computer at a time. For example, you can sync music with a home computer and contacts with a work computer by setting iTunes sync options appropriately on both computers.

Software updates
iTunes is used to update or reinstall iPad software and to restore default settings or restore from backup. When an update is performed, downloaded applications, settings, and data aren't affected. To update, users simply connect iPad to their computer, and click "Check for Updates." iTunes informs the user if a newer version of iPad software is available. If you turn off automated and user-initiated software update checking using iTunes restrictions, you'll need to distribute software updates for manual installation. This can be done by distributing the .ipsw file associated with each version of the software and instructing your users on how to manually install the update.

Backup
While the synchronization of data for business users will mostly take place over-the-air using corporate services such as Exchange ActiveSync, using iTunes to back up iPad settings is important if users need to restore a device. When iPad is synced with iTunes, device settings are automatically backed up to the computer. Applications purchased from the App Store are copied to the iTunes Library. Applications you've developed in-house and distributed to your users with enterprise provisioning profiles won't be backed up or transferred to the user's computer. However, the device backup will include any data files the enterprise application creates. Once iPad has been configured to sync with a particular computer, iTunes automatically makes a backup of iPad on that computer when synced. iTunes won't automatically back up an iPad that isn't configured to sync with that computer.

iTunes backups can be encrypted on the host machine, preventing unwanted data loss from the host computer. Backup files are encrypted using AES128 with a 256-bit key. The key is stored securely in the iPad keychain. Users are prompted to create a strong passcode when backing up iPad for the first time.

Deploying iTunes

Installation
iTunes uses standard Mac OS and Windows installers and can be deployed using many of the desktop management applications commonly used by IT professionals. iTunes can also be installed and updated without user interaction. Once settings and policies in the iTunes installer have been modified, iTunes can be deployed the same way other enterprise software is deployed.

When you install iTunes on Windows computers, by default you also install the latest versions of QuickTime, Bonjour, and Apple Software Update. You can omit the Bonjour and Software Update components by passing parameters to the iTunes installer or by pushing only the components you want to install on your users' computers. The QuickTime component, however, is required, and iTunes will not run without it. Mac computers come with iTunes installed. To push iTunes to Mac clients, you can use Workgroup Manager, an administrative tool included with Mac OS X Server.

iTunes podcasts
iTunes can subscribe to and download audio and video podcasts. Podcasts are a great way to deliver everything from training and educational content to corporate communications and product information. Podcasts can be easily transferred to iPad, so your employees can listen or watch, whenever and wherever they are. The iTunes Store also has thousands of free business-related podcasts available from providers such as Harvard Business Review, Wharton, Bloomberg, and more.