
Learn how iPad integrates seamlessly into enterprise environments with these deployment scenarios.

• Microsoft Exchange ActiveSync
• Standards-Based Services
• Virtual Private Networks
• Wi-Fi
• Digital Certificates
• Security
• Mobile Device Management
• iTunes Deployment

iPad in Business Deployment Scenarios

November 2010

iPad in Business Exchange ActiveSync

iPad communicates directly with your Microsoft Exchange Server via Microsoft Exchange ActiveSync (EAS), enabling push email, calendar, and contacts. Exchange ActiveSync also provides users with access to the Global Address List (GAL), and provides administrators with passcode policy enforcement and remote wipe capabilities. iPad supports both basic and certificate-based authentication for Exchange ActiveSync. If your company currently enables Exchange ActiveSync, you have the necessary services in place to support iPad—no additional configuration is required. If you have Exchange Server 2003, 2007, or 2010 but your company is new to Exchange ActiveSync, review the following steps.

Exchange ActiveSync Setup

Network configuration overview

• Check to ensure port 443 is open on the firewall. If your company allows Outlook Web Access, port 443 is most likely already open.

• On the Front-End Server, verify that a server certificate is installed and enable SSL for the Exchange ActiveSync virtual directory in IIS.

• If you’re using a Microsoft Internet Security and Acceleration (ISA) Server, verify that a server certificate is installed and update the public DNS to resolve incoming connections.

• Make sure the DNS for your network returns a single, externally routable address to the Exchange ActiveSync server for both intranet and Internet clients. This is required so the device can use the same IP address for communicating with the server when both types of connections are active.

• If you’re using a Microsoft ISA Server, create a web listener as well as an Exchange web client access publishing rule. See Microsoft’s documentation for details.

• For all firewalls and network appliances, set the Idle Session Timeout to 30 minutes. For information about heartbeat and timeout intervals, refer to the Microsoft Exchange documentation at http://technet.microsoft.com/en-us/library/cc182270.aspx.

• Configure mobile features, policies, and device security settings using the Exchange System Manager. For Exchange Server 2007 and 2010, this is done in the Exchange Management Console.

• Download and install the Microsoft Exchange ActiveSync Mobile Administration Web Tool, which is necessary to initiate a remote wipe. For Exchange Server 2007 and 2010, remote wipe can also be initiated using Outlook Web Access or the Exchange Management Console.

Supported Exchange ActiveSync security policies

• Remote wipe
• Enforce password on device
• Minimum password length
• Maximum failed password attempts (before local wipe)
• Require both numbers and letters
• Inactivity time in minutes (1 to 60 minutes)

Additional Exchange ActiveSync policies (for Exchange 2007 and 2010 only)

• Allow or prohibit simple password
• Password expiration
• Password history
• Policy refresh interval
• Minimum number of complex characters in password
• Require manual syncing while roaming
• Allow web browsing


Basic authentication (username and password)

• Enable Exchange ActiveSync for specific users or groups using the Active Directory service. These are enabled by default for all mobile devices at the organizational level in Exchange Server 2003, 2007, and 2010. For Exchange Server 2007 and 2010, see Recipient Configuration in the Exchange Management Console.

• By default, Exchange ActiveSync is configured for basic user authentication. It’s recommended that you enable SSL for basic authentication to ensure credentials are encrypted during authentication.

Certificate-based authentication

• Install enterprise certificate services on a member server or domain controller in your domain (this will be your certificate authority server).

• Configure IIS on your Exchange Front-End server or Client Access Server to accept certificate-based authentication for the Exchange ActiveSync virtual directory.

• To allow or require certificates for all users, turn off “Basic authentication” and select either “Accept client certificates” or “Require client certificates.”

• Generate client certificates using your certificate authority server. Export the public key and configure IIS to use this key. Export the private key and use a Configuration Profile to deliver this key to iPad. Certificate-based authentication can only be configured using a Configuration Profile.

For more information on certificate services, please refer to resources available from Microsoft.

Other Exchange ActiveSync services

• Global Address List lookup
• Accept and create calendar invitations
• Sync Reply and Forward flags with Exchange Server 2010
• Mail search on Exchange Server 2007 and 2010
• Support for multiple Exchange ActiveSync accounts
• Certificate-based authentication
• Email push to selected folders
• Autodiscover


[Diagram: Exchange ActiveSync deployment. Labeled components: Internet, Firewall, Proxy Server, Exchange Front-End or Client Access Server, Certificate Server, Active Directory, Exchange Mailbox or Back-End Server(s), Bridgehead or Hub Transport Server, Mail Gateway or Edge Transport Server*, Configuration Profile, Private Key (Certificate), Public Key (Certificate); traffic enters on port 443; callouts 1 to 6 correspond to the numbered steps below.]

* Depending on your network configuration, the Mail Gateway or Edge Transport Server may reside within the perimeter network (DMZ).

1. iPad requests access to Exchange ActiveSync services over port 443 (HTTPS). (This is the same port used for Outlook Web Access and other secure web services, so in many deployments this port is already open and configured to allow SSL encrypted HTTPS traffic.)

2. ISA provides access to the Exchange Front-End or Client Access Server. ISA is configured as a proxy, or in many cases a reverse proxy, to route traffic to the Exchange Server.

3. Exchange Server authenticates the incoming user via the Active Directory service and the certificate server (if using certificate-based authentication).

4. If the user provides the proper credentials and has access to Exchange ActiveSync services, the Front-End Server establishes a connection to the appropriate mailbox on the Back-End Server (via the Active Directory Global Catalog).

5. The Exchange ActiveSync connection is established. Updates/changes are pushed to iPad over-the-air, and any changes made on iPad are reflected on the Exchange Server.

6. Sent mail items on iPad are also synchronized with the Exchange Server via Exchange ActiveSync (step 5). To route outbound email to external recipients, mail is typically sent through a Bridgehead (or Hub Transport) Server to an external Mail Gateway (or Edge Transport Server) via SMTP. Depending on your network configuration, the external Mail Gateway or Edge Transport Server could reside within the perimeter network or outside the firewall.

© 2010 Apple Inc. All rights reserved. Apple, the Apple logo, and iPad are trademarks of Apple Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. November 2010 L422495A

Exchange ActiveSync Deployment Scenario

This example shows how iPad connects to a typical Microsoft Exchange Server 2003, 2007, or 2010 deployment.


iPad in Business Standards-Based Services

With support for the IMAP mail protocol, LDAP directory services, CalDAV calendaring and CardDAV contacts protocols, iPad can integrate with just about any standards-based mail, calendar, and contacts environment. And if your network environment is configured to require user authentication and SSL, iPad provides a secure approach to accessing standards-based corporate email, calendar, and contacts.

In a typical deployment, iPad establishes direct access to IMAP and SMTP mail servers to receive and send email over-the-air, and can also wirelessly sync notes with IMAP-based servers. iPad can connect to your company’s LDAPv3 corporate directories, giving users access to corporate contacts in the Mail, Contacts, and SMS applications. Synchronization with your CalDAV server allows iPad users to wirelessly create and accept calendar invitations and receive calendar updates. And CardDAV support allows your users to maintain a set of contacts synced with your CardDAV server using the vCard format. All network servers can be located within a DMZ subnetwork, behind a corporate firewall, or both. With SSL, iPad supports 128-bit encryption and X.509 root certificates issued by the major certificate authorities.

Network Setup

Your IT or network administrator will need to complete these steps to enable access from iPad to IMAP, LDAP, CalDAV, and CardDAV services:

• Open the appropriate ports on the firewall. Common ports include 993 for IMAP mail, 587 for SMTP mail, 636 for LDAP directory services, 8443 for CalDAV calendaring, and 8843 for CardDAV contacts. It’s also recommended that communication between your proxy server and your back-end IMAP, LDAP, CalDAV and CardDAV servers be set to use SSL and that digital certificates on your network servers be signed by a trusted certificate authority (CA) such as VeriSign. This ensures that iPad recognizes your proxy server as a trusted entity within your corporate infrastructure.

• For outbound SMTP email, port 587, 465, or 25 must be opened to allow email to be sent from iPad. iPad sequentially checks for port 587, then 465, and then 25. Port 587 is the most reliable, secure port because it requires user authentication. Port 25 does not require authentication, and some ISPs block this port by default to prevent spam.

Common ports

• IMAP/SSL: 993
• SMTP/SSL: 587
• LDAP/SSL: 636
• CalDAV/SSL: 8443, 443
• CardDAV/SSL: 8843, 443

IMAP or POP-enabled mail solutions

iPad supports industry-standard IMAP4- and POP3-enabled mail servers on a range of server platforms, including Windows, UNIX, Linux, and Mac OS X.

CalDAV and CardDAV standards

iPad supports the CalDAV calendaring and CardDAV contacts protocols. Both protocols have been standardized by the IETF. More information can be found through the CalConnect consortium at http://caldav.calconnect.org/ and http://carddav.calconnect.org/.


[Diagram: standards-based services deployment. Labeled components: Internet, Firewall, Reverse Proxy Server, Mail Server (993 IMAP, 587 SMTP), LDAP Directory Server (636 LDAP), CalDAV Server (8443 CalDAV), CardDAV Server (8843 CardDAV); callouts 1 to 6 correspond to the numbered steps below.]

Deployment Scenario

This example shows how iPad connects to a typical IMAP, LDAP, CalDAV, and CardDAV deployment.


1. iPad requests access to network services over the designated ports.

2. Depending on the service, iPad users must authenticate either with the reverse proxy or directly with the server to obtain access to corporate data. In all cases, connections are relayed by the reverse proxy, which functions as a secure gateway, typically behind the firewall. Once authenticated, users can access their corporate data on the back-end servers.

3. iPad provides lookup services on LDAP directories, giving users the ability to search for contacts and other address book information on the LDAP server.

4. For CalDAV calendars, users can access and update calendars on iPad.

5. CardDAV contacts are stored on the server and can also be accessed locally on iPad. Changes to fields in CardDAV contacts are synced back to the CardDAV server.

6. For IMAP mail services, existing and new messages can be read on iPad through the proxy connection with the mail server. Outgoing mail on iPad is sent to the SMTP server, with copies placed in the user’s Sent folder.


iPad in Business Virtual Private Networks (VPN)

Secure access to private corporate networks is available on iPad using established industry-standard VPN protocols. Users can easily connect to enterprise systems via the built-in VPN client or through third-party applications from Juniper and Cisco.

Out of the box, iPad supports Cisco IPSec, L2TP over IPSec, and PPTP. If your organization supports one of these protocols, no additional network configuration or third-party applications are required to connect iPad to your VPN.

Additionally, iPad supports SSL VPN, enabling access to Juniper SA Series and Cisco ASA SSL VPN servers. Users simply download a VPN client application developed by Juniper or Cisco from the App Store to get started. Like other VPN protocols supported on iPad, SSL VPN can be configured manually on iPad or via Configuration Profile.

iPad supports industry-standard technologies such as IPv6, proxy servers, and split-tunneling, providing a rich VPN experience when connecting to corporate networks. And iPad works with a variety of authentication methods including password, two-factor token, and digital certificates. To streamline the connection in environments where certificate-based authentication is used, iPad features VPN On Demand, which dynamically initiates a VPN session when connecting to specified domains.

Supported Protocols and Authentication Methods

SSL VPN
Supports user authentication by password, two-factor token, and certificates.

Cisco IPSec
Supports user authentication by password, two-factor token, and machine authentication by shared secret and certificates.

L2TP over IPSec
Supports user authentication by MS-CHAPv2 Password, two-factor token, and machine authentication by shared secret.

PPTP
Supports user authentication by MS-CHAPv2 Password and two-factor token.


VPN On Demand

For configurations using certificate-based authentication, iPad supports VPN On Demand. VPN On Demand will establish a connection automatically when accessing predefined domains, providing a seamless VPN connectivity experience for iPad users.

This is a feature of iOS that does not require additional server configuration. The configuration of VPN On Demand takes place via a Configuration Profile or can be configured manually on the device.

The VPN On Demand options are:

Always
Initiates a VPN connection for any address that matches the specified domain.

Never
Does not initiate a VPN connection for addresses that match the specified domain, but if VPN is already active, it may be used.

Establish if needed
Initiates a VPN connection for addresses that match the specified domain only after a DNS lookup has failed.
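The three options above, as an added example that is not part of Apple's document: a standard-library Python script that places the Always / Never / Establish if needed domain lists in the VPN payload of a Configuration Profile and decides, by the definitions just given, whether a connection to a host brings the tunnel up. The OnDemand* and IPSec key names follow Apple's Configuration Profile Reference and, like the example.com domains, the rule precedence and the placeholder identifiers, are assumptions.

```python
import plistlib
import uuid

# Domain lists for the three On Demand options, in the form the VPN payload of a
# Configuration Profile carries them. Key names follow Apple's Configuration
# Profile Reference and are an assumption here; the domains are constructed.
ON_DEMAND_RULES = {
    "OnDemandMatchDomainsAlways": ["intranet.example.com", "mail.example.com"],
    "OnDemandMatchDomainsNever": ["public.example.com"],
    "OnDemandMatchDomainsOnRetry": ["example.com"],   # "Establish if needed"
}


def domain_matches(host: str, domain: str) -> bool:
    """True if host equals the rule domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def _matches_any(host: str, rules: dict, key: str) -> bool:
    return any(domain_matches(host, d) for d in rules.get(key, []))


def on_demand_action(host: str, vpn_active: bool, dns_ok: bool,
                     rules: dict = ON_DEMAND_RULES) -> str:
    """Decide what the device does for a connection to `host`.

    Returns:
      "connect"      - bring the VPN up before the connection is made
      "use-existing" - do not initiate, but the active tunnel may carry it
      "direct"       - no VPN involvement for this host
    Precedence Always > Never > Establish if needed is an assumption; the page
    does not say how overlapping domain lists are resolved.
    """
    if _matches_any(host, rules, "OnDemandMatchDomainsAlways"):
        return "use-existing" if vpn_active else "connect"
    if _matches_any(host, rules, "OnDemandMatchDomainsNever"):
        # Never: no new tunnel, but an already active one may be used.
        return "use-existing" if vpn_active else "direct"
    if _matches_any(host, rules, "OnDemandMatchDomainsOnRetry"):
        # Establish if needed: only after the DNS lookup has failed.
        if vpn_active:
            return "use-existing"
        return "direct" if dns_ok else "connect"
    # Unlisted hosts: whether an active tunnel carries them is a split-tunnel
    # question; all this reports is that no tunnel is initiated for them.
    return "use-existing" if vpn_active else "direct"


def vpn_payload(server: str, identity_cert_uuid: str,
                rules: dict = ON_DEMAND_RULES) -> dict:
    """Cisco IPSec VPN payload using certificate (machine) authentication.

    VPN On Demand is only offered for certificate-based configurations, so the
    payload references an identity certificate payload by UUID instead of a
    shared secret. Placing the OnDemand* keys inside the IPSec dictionary
    follows the legacy payload layout and is an assumption.
    """
    ipsec = {
        "RemoteAddress": server,
        "AuthenticationMethod": "Certificate",
        "PayloadCertificateUUID": identity_cert_uuid,
        "OnDemandEnabled": 1,
    }
    ipsec.update(rules)
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ondemand",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate VPN",
        "UserDefinedName": "Corporate VPN",
        "VPNType": "IPSec",
        "IPSec": ipsec,
    }


def build_profile(server: str, identity_cert_uuid: str) -> dict:
    """Wrap the VPN payload in a top-level profile (an XML plist when dumped)."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.vpn",    # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate VPN (On Demand)",
        "PayloadContent": [vpn_payload(server, identity_cert_uuid)],
    }


def profile_xml(profile: dict) -> bytes:
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    profile = build_profile("vpn.example.com", "IDENTITY-CERT-UUID-PLACEHOLDER")
    print(profile_xml(profile).decode())
    for host, active, dns in [("wiki.intranet.example.com", False, True),
                              ("public.example.com", True, True),
                              ("app.example.com", False, False)]:
        print(host, "->", on_demand_action(host, active, dns))
```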

VPN Setup

• iPad integrates with many existing VPN networks, with minimal configuration necessary. The best way to prepare for deployment is to check whether iPad supports your company’s existing VPN protocols and authentication methods.

• It’s recommended that you review the authentication path to your authentication server to make sure standards supported by iPad are enabled within your implementation.

• If you plan to use certificate-based authentication, ensure you have your public key infrastructure configured to support device- and user-based certificates with the corresponding key distribution process.

• If you want to configure URL-specific proxy settings, place a PAC file on a web server that is accessible with the basic VPN settings and ensure that it is hosted with the application/x-ns-proxy-autoconfig MIME type.

Proxy Setup

For all configurations you can also specify a VPN proxy. To configure a single proxy for all connections, use the Manual setting and provide the address, port, and authentication if necessary. To provide the device with an auto-proxy configuration file using PAC or WPAD, use the Auto setting. For PAC, specify the URL of the PAC file. For WPAD, iPad will query DHCP and DNS for the appropriate settings.


[Diagram: VPN deployment. Labeled components: Public Internet, Firewall, VPN Server/Concentrator, Private Network, Proxy Server, VPN Authentication Server (Token Generation or Certificate Distribution), Directory Service; credentials shown as Certificate, Token, or Password and as Authentication Certificate or Token; callouts 1, 2, 3a, 3b, 4 and 5 correspond to the numbered steps below.]


Deployment Scenario

The example depicts a typical deployment with a VPN server/concentrator as well as an authentication server controlling access to enterprise network services.

1. iPad requests access to network services.

2. The VPN server/concentrator receives the request and then passes it to the authentication server.

3. In a two-factor token environment, the authentication server would then manage a time-synchronized token key generation with the key server. If a certificate authentication method is deployed, an identity certificate needs to be distributed to iPad prior to authentication. If a password method is deployed, the authentication process proceeds with user validation.

4. Once a user is authenticated, the authentication server validates user and group policies. After user and group policies are validated, the VPN server provides tunneled and encrypted access to network services.

5. If a proxy server is in use, iPad connects through the proxy server for access to information outside the firewall.

For more information regarding VPN on iPad, visit www.apple.com/ipad/business/integration


iPad in Business Wi-Fi

Wireless security protocols

• WEP
• WPA Personal
• WPA Enterprise
• WPA2 Personal
• WPA2 Enterprise

802.1X authentication methods

• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-SIM
• PEAPv0 (EAP-MS-CHAPv2)
• PEAPv1 (EAP-GTC)
• LEAP

Out of the box, iPad can securely connect to corporate or guest Wi-Fi networks, making it quick and simple to join available wireless networks whether you’re on campus or on the road.

iPad supports industry standard wireless network protocols, including WPA2 Enterprise, ensuring corporate wireless networks can be configured quickly and accessed securely. WPA2 Enterprise uses 128-bit AES encryption, a proven, block-based encryption method, providing users with the highest level of assurance that their data will remain protected.

With support for 802.1X, iPad can be integrated into a broad range of RADIUS authentication environments. 802.1X wireless authentication methods supported on iPad include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.

Users can set iPad to join available Wi-Fi networks automatically. Wi-Fi networks that require login credentials or other information can be quickly accessed without opening a separate browser session, from Wi-Fi settings or within applications such as Mail. And low-power, persistent Wi-Fi connectivity allows iPad applications to use Wi-Fi networks to deliver push notifications.

For quick setup and deployment, wireless network, security, and authentication settings can be configured using Configuration Profiles.

WPA2 Enterprise Setup

• Verify network appliances for compatibility and select an authentication type (EAP type) supported by iPad.

• Check that 802.1X is enabled on the authentication server and, if necessary, install a server certificate and assign network access permissions to users and groups.

• Configure wireless access points for 802.1X authentication and enter the corresponding RADIUS server information.

• If you plan to use certificate-based authentication, configure your public key infrastructure to support device- and user-based certificates with the corresponding key distribution process.

• Verify certificate format and authentication server compatibility. iPad supports PKCS#1 (.cer, .crt, .der) and PKCS#12.

• For additional documentation regarding wireless networking standards and Wi-Fi Protected Access (WPA), visit www.wi-fi.org.
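An added example, not from Apple's document, of how the setup steps above map onto the Wi-Fi payload of a Configuration Profile, including pinning the RADIUS server certificate so that the device only presents its credentials to the authentication server it was configured for. The payload key names and the IANA EAP type numbers are taken from Apple's Configuration Profile Reference and the EAP registry as I recall them and are assumptions, as are the SSID, the server name and the placeholder UUIDs.

```python
import plistlib
import uuid

# IANA EAP method type numbers: this is how AcceptEAPTypes in a Wi-Fi payload
# names the 802.1X methods the page lists. Key names follow Apple's
# Configuration Profile Reference and are an assumption here.
EAP_TYPES = {
    "EAP-TLS": 13,
    "LEAP": 17,
    "EAP-SIM": 18,
    "EAP-TTLS": 21,
    "PEAP": 25,      # PEAPv0 (EAP-MS-CHAPv2) and PEAPv1 (EAP-GTC) share type 25
    "EAP-FAST": 43,
}


def wifi_payload(ssid: str, eap_methods: list, trusted_server_names: list,
                 anchor_cert_uuid: str, identity_cert_uuid: str = None,
                 ttls_inner_auth: str = "MSCHAPv2") -> dict:
    """WPA/WPA2 Enterprise Wi-Fi payload with the RADIUS server pinned.

    anchor_cert_uuid references a certificate payload carrying the CA that
    issued the RADIUS server certificate; trusted_server_names lists the
    server names the supplicant accepts. Both are needed so the device only
    completes the EAP tunnel with the real authentication server.
    """
    unknown = [m for m in eap_methods if m not in EAP_TYPES]
    if unknown:
        raise ValueError(f"unsupported EAP method(s): {unknown}")
    if "EAP-TLS" in eap_methods and not identity_cert_uuid:
        raise ValueError("EAP-TLS needs a client identity certificate payload")
    eap = {
        "AcceptEAPTypes": [EAP_TYPES[m] for m in eap_methods],
        "PayloadCertificateAnchorUUID": [anchor_cert_uuid],
        "TLSTrustedServerNames": list(trusted_server_names),
        # No "trust anyway" dialog: an unexpected server certificate fails.
        "TLSAllowTrustExceptions": False,
    }
    if "EAP-TTLS" in eap_methods:
        eap["TTLSInnerAuthentication"] = ttls_inner_auth
    payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corp",    # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA",      # "WPA" covers WPA and WPA2 in the reference
        "EAPClientConfiguration": eap,
    }
    if identity_cert_uuid:
        payload["PayloadCertificateUUID"] = identity_cert_uuid
    return payload


def audit_wifi_payload(payload: dict) -> list:
    """Return short codes for settings that weaken 802.1X against a rogue AP."""
    findings = []
    if payload.get("EncryptionType") not in ("WPA", "WPA2"):
        findings.append("weak-encryption")       # WEP or open network
    eap = payload.get("EAPClientConfiguration")
    if not eap:
        findings.append("no-802.1x")             # pre-shared key or open network
        return findings
    if EAP_TYPES["LEAP"] in eap.get("AcceptEAPTypes", []):
        findings.append("leap-enabled")          # LEAP is MS-CHAP based and considered weak
    if not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no-server-anchor")      # any CA in the device trust store accepted
    if not eap.get("TLSTrustedServerNames"):
        findings.append("no-server-name-check")  # any certificate from the anchor CA accepted
    if eap.get("TLSAllowTrustExceptions", True):
        findings.append("trust-exceptions-allowed")  # user may accept an unexpected certificate
    return findings


if __name__ == "__main__":
    corp = wifi_payload("CorpNet", ["EAP-TLS", "PEAP"], ["radius.example.com"],
                        "CA-CERT-UUID-PLACEHOLDER", "IDENTITY-CERT-UUID-PLACEHOLDER")
    print(audit_wifi_payload(corp))
    print(plistlib.dumps(corp, fmt=plistlib.FMT_XML).decode())
```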


[Diagram: WPA2 Enterprise/802.1X deployment. Labeled components: Wireless Access Point with 802.1X Support, Authentication Server with 802.1X Support (RADIUS), Directory Service, Network Services, Firewall; credential shown as Certificate or Password Based on EAP Type; callouts 1 to 4 correspond to the numbered steps below.]

WPA2 Enterprise/802.1X Deployment Scenario

This example depicts a typical secure wireless deployment that takes advantage of RADIUS-based authentication.

1. iPad requests access to the network. iPad initiates the connection in response to a user selecting an available wireless network, or automatically initiates a connection after detecting a previously configured network.

2. After the request is received by the access point, the request is passed to the RADIUS server for authentication.

3. The RADIUS server validates the user account utilizing the directory service.

4. Once the user is authenticated, the access point provides network access with policies and permissions as instructed by the RADIUS server.


iPad in Business Digital Certificates

iPad supports digital certificates, giving business users secure, streamlined access to corporate services. A digital certificate is composed of a public key, information about the user, and the certificate authority that issued the certificate. Digital certificates are a form of identification that enables streamlined authentication, data integrity, and encryption.

On iPad, certificates can be used in a variety of ways. Signing data with a digital certificate helps to ensure that information cannot be altered. Certificates can also be used to guarantee the identity of the author or “signer.” Additionally, they can be used to encrypt Configuration Profiles and network communications to further protect confidential or private information.

Using Certificates on iPad

Digital certificates
Digital certificates can be used to securely authenticate users to corporate services without the need for usernames, passwords, or soft tokens. On iPad, certificate-based authentication is supported for access to Microsoft Exchange ActiveSync, VPN, and Wi-Fi networks.

[Diagram: iPad sends an Authentication Request to Enterprise Services (Intranet, Email, VPN, Wi-Fi); a Certificate Authority and a Directory Service are shown alongside.]

Server certificates
Digital certificates can also be used to validate and encrypt network communications. This provides secure communication to both internal and external websites. The Safari browser can check the validity of an X.509 digital certificate and set up a secure session with up to 256-bit AES encryption. This verifies that the site’s identity is legitimate and that communication with the website is protected to help prevent interception of personal or confidential data.

[Diagram: iPad sends an HTTPS Request to Network Services; a Certificate Authority is shown alongside.]

Supported certificate and identity formats:

• iPad supports X.509 certificates with RSA keys.
• The file extensions .cer, .crt, .der, .p12 and .pfx are recognized.

Root certificates
Out of the box, iPad includes a number of preinstalled root certificates. To view a list of the preinstalled system roots, see the Apple Support article at http://support.apple.com/kb/HT3580. If you are using a root certificate that is not preinstalled, such as a self-signed root certificate created by your company, you can distribute it to iPad using one of the methods listed in the “Distributing and Installing Certificates” section of this document.


Distributing and Installing Certificates

Distributing certificates to iPad is simple. When a certificate is received, users simply tap to review the contents, then tap to add the certificate to their device. When an identity certificate is installed, users are prompted for the passphrase that protects it. If a certificate’s authenticity cannot be verified, users will be presented with a warning before it is added to their device.

Installing certificates via Configuration Profiles
If Configuration Profiles are being used to distribute settings for corporate services such as Exchange, VPN, or Wi-Fi, certificates can be added to the profile to streamline deployment.

Installing certificates via Mail or Safari
If a certificate is sent in an email, it will appear as an attachment. Safari can also be used to download certificates from a web page. You can host a certificate on a secured website and provide users with the URL where they can download the certificate onto their devices.

Installation via the Simple Certificate Enrollment Protocol (SCEP)
SCEP is designed to provide a simplified process to handle certificate distribution for large-scale deployments. This enables Over-the-Air Enrollment of digital certificates on iPad that can then be used for authentication to corporate services, as well as enrollment with a mobile device management server.

For more information on SCEP and Over-the-Air Enrollment, visit www.apple.com/ipad/business/resources.

Certificate removal and revocation
To manually remove a certificate that has been installed, choose Settings > General > Profiles. If you remove a certificate that is required for accessing an account or network, the device will no longer be able to connect to those services.

To remove certificates over-the-air, a mobile device management server can be used. This server can view all certificates on a device and remove those it has installed.

Additionally, the Online Certificate Status Protocol (OCSP) is supported to check the status of certificates. When an OCSP-enabled certificate is used, iPad validates it to make sure that it has not been revoked before completing the requested task.


iPad in Business Security Overview

iPad can securely access corporate services and protect data on the device. iPad provides strong encryption for data in transmission, proven authentication methods for access to corporate services, and hardware encryption for all data stored on the device. iPad also provides secure protection through the use of passcode policies that can be delivered and enforced over-the-air. And if the device falls into the wrong hands, users and IT administrators can initiate a remote wipe command to erase private information.

When considering the security of iPad for enterprise use, it’s helpful to understand the following:

• Device Security: Methods that prevent unauthorized use of the device
• Data Security: Protecting data at rest, even when a device is lost or stolen
• Network Security: Networking protocols and the encryption of data in transmission
• Application Security: The secure platform foundation of iOS

These capabilities work in concert to provide a secure mobile computing platform.

Device Security

Establishing strong policies for access to iPad is critical to protecting corporate information. Device passcodes are the front line of defense against unauthorized access and can be configured and enforced over-the-air. iPad uses the unique passcode established by each user to generate a strong encryption key to further protect mail and sensitive application data on the device. Additionally, iPad provides secure methods to configure the device in an enterprise environment where specific settings, policies, and restrictions must be in place. These methods provide flexible options for establishing a standard level of protection for authorized users.

Passcode Policies
A device passcode prevents unauthorized users from accessing data stored on iPad or otherwise gaining access to the device. iOS 4 allows you to select from an extensive set of passcode requirements to meet your security needs, including timeout periods, passcode strength, and how often the passcode must be changed.

The following passcode policies are supported:

• Require passcode on device
• Allow simple value
• Require alphanumeric value
• Minimum passcode length
• Minimum number of complex characters
• Maximum passcode age
• Auto-lock
• Passcode history
• Grace period for device lock
• Maximum number of failed attempts

Device protection

• Strong passcodes
• Passcode expiration
• Passcode reuse history
• Maximum failed attempts
• Over-the-air passcode enforcement
• Progressive passcode timeout

Data security

• Hardware encryption
• Data protection
• Remote wipe
• Local wipe
• Encrypted Configuration Profiles
• Encrypted iTunes backups

Network security

• Built-in Cisco IPSec, L2TP, PPTP VPN
• SSL VPN via App Store apps
• SSL/TLS with X.509 certificates
• WPA/WPA2 Enterprise with 802.1X
• Certificate-based authentication
• RSA SecurID, CRYPTOCard

Platform security

• Runtime protection
• Mandatory code signing
• Keychain services
• Common Crypto APIs
• Application data protection


Policy Enforcement
The policies described above can be set on iPad in a number of ways. Policies can be distributed as part of a Configuration Profile for users to install. A profile can be defined so that deleting the profile is only possible with an administrative password, or you can define the profile so that it is locked to the device and cannot be removed without completely erasing all of the device contents. Additionally, passcode settings can be configured remotely using Mobile Device Management solutions that can push policies directly to the device. This enables policies to be enforced and updated without any action by the user.

Alternatively, if the device is configured to access a Microsoft Exchange account, Exchange ActiveSync policies are pushed to the device over-the-air. Keep in mind that the available set of policies will vary depending on the version of Exchange (2003, 2007, or 2010). Refer to the Enterprise Deployment Guide for a breakdown of which policies are supported for your specific configuration.

Secure Device Configuration
Configuration Profiles are XML files that contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPad to work with your enterprise systems. The ability to establish passcode policies along with device settings in a Configuration Profile ensures that devices within your enterprise are configured correctly and according to security standards set by your organization. And because Configuration Profiles can be encrypted and locked, the settings cannot be removed, altered, or shared with others.

Configuration Profiles can be both signed and encrypted. Signing a Configuration Profile ensures that the settings it enforces cannot be altered in any way. Encrypting a Configuration Profile protects the profile’s contents and permits installation only on the device for which it was created. Configuration Profiles are encrypted using CMS (Cryptographic Message Syntax, RFC 3852), supporting 3DES and AES 128.

The first time you distribute an encrypted Configuration Profile, you install it via USB sync using the Configuration Utility or wirelessly via Over-the-Air Enrollment. In addition to these methods, subsequent distribution of encrypted Configuration Profiles can be delivered via email attachment, hosted on a website accessible to your users, or pushed to the device using Mobile Device Management solutions.

Device Restrictions
Device restrictions determine which iPad features your users can access on the device. Typically, these involve network-enabled applications such as Safari, YouTube, or the iTunes Store, but restrictions can also control device functionality such as application installation. Device restrictions let you configure the device to meet your requirements, while permitting users to utilize the device in ways that are consistent with your business practices. Restrictions can be manually configured on each device, enforced using a Configuration Profile, or established remotely with Mobile Device Management solutions. Additionally, web-browsing restrictions can be enforced over-the-air via Microsoft Exchange Server 2007 and 2010.

In addition to setting restrictions and policies on the device, the iTunes desktop application can be configured and controlled by IT. This includes disabling access to explicit content, defining which network services users can access within iTunes, and determining whether new software updates are available for users to install.

Available restrictions

• Access to iTunes Store
• Access to explicit media and content ratings in iTunes Store
• Use of Safari and security preferences
• Use of YouTube
• Use of App Store and in-app purchase
• Installing apps
• Ability to screen capture
• Automatic sync while roaming
• Use of voice dialing
• Enforce encrypted iTunes backups


Data Security

Protecting data stored on iPad is important for any environment with a high level of sensitive corporate or customer information. In addition to encrypting data in transmission, iPad provides hardware encryption for all data stored on the device, and additional encryption of email and application data with enhanced data protection.

If a device is lost or stolen, it’s important to deactivate and erase the device. It’s also a good idea to have a policy in place that will wipe the device after a defined number of failed passcode attempts, a key deterrent against attempts to gain unauthorized access to the device.

Encryption
iPad offers hardware-based encryption. iPad hardware encryption uses AES 256-bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.

Additionally, data backed up in iTunes to a user’s computer can be encrypted. This can be enabled by the user, or enforced by using device restriction settings in Configuration Profiles.

Data Protection
Building on the hardware encryption capabilities of iPad, email messages and attachments stored on the device can be further secured by using data protection features built into iOS 4. Data protection leverages each user’s unique device passcode in concert with the hardware encryption on iPad to generate a strong encryption key. This key prevents data from being accessed when the device is locked, ensuring that critical information is secured even if the device is compromised.

Enabling data protection requires that existing devices be fully restored from backup when upgrading to iOS 4. New devices that ship with iOS 4 will already have this capability. To turn on the data protection feature, simply establish a passcode on the device. The effectiveness of data protection is dependent on a strong passcode, so it is important to require and enforce a passcode stronger than four digits when establishing your corporate passcode policies. Users can verify that data protection is enabled on their device by looking at the passcode settings screen. Mobile Device Management solutions are able to query the device for this information as well.
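One way to turn the passcode policies listed under Device Security and the stronger-than-four-digits guidance just above into an enforceable profile, as an added example that is not Apple's code: it builds the passcode-policy payload, audits it for the weaknesses the page warns about, and locks the profile to the device as the Policy Enforcement section describes. The payload key names follow Apple's Configuration Profile Reference and are assumptions, as are the placeholder identifiers and the sample policy values.

```python
import plistlib
import uuid

# The ten passcode policies the page lists, mapped to the keys of the
# com.apple.mobiledevice.passwordpolicy payload. Key names follow Apple's
# Configuration Profile Reference and are an assumption here.
POLICY_KEYS = {
    "Require passcode on device": "forcePIN",
    "Allow simple value": "allowSimple",
    "Require alphanumeric value": "requireAlphanumeric",
    "Minimum passcode length": "minLength",
    "Minimum number of complex characters": "minComplexChars",
    "Maximum passcode age": "maxPINAgeInDays",
    "Auto-lock": "maxInactivity",                        # minutes
    "Passcode history": "pinHistory",
    "Grace period for device lock": "maxGracePeriod",    # minutes
    "Maximum number of failed attempts": "maxFailedAttempts",
}

# Sample values (constructed); 10 failed attempts is the device default the page cites.
STRONG = {
    "Require passcode on device": True,
    "Allow simple value": False,
    "Require alphanumeric value": True,
    "Minimum passcode length": 8,
    "Minimum number of complex characters": 1,
    "Maximum passcode age": 90,
    "Auto-lock": 5,
    "Passcode history": 5,
    "Grace period for device lock": 1,
    "Maximum number of failed attempts": 10,
}


def passcode_payload(settings: dict) -> dict:
    """Build the passcode-policy payload from page policy names or raw keys."""
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
    }
    for name, value in settings.items():
        key = POLICY_KEYS.get(name, name)
        if key not in POLICY_KEYS.values():
            raise ValueError(f"unknown passcode policy: {name}")
        payload[key] = value
    return payload


def audit_passcode_payload(payload: dict) -> list:
    """Short codes for settings that leave data protection weak or unenforced."""
    findings = []
    if not payload.get("forcePIN"):
        findings.append("no-passcode-required")   # data protection never turns on
    if payload.get("minLength", 0) <= 4:
        findings.append("four-digit-passcode")    # page: require more than four digits
    if payload.get("allowSimple", True):
        findings.append("simple-values-allowed")  # repeated or sequential characters
    if not payload.get("requireAlphanumeric"):
        findings.append("digits-only-allowed")
    if "maxFailedAttempts" not in payload:
        findings.append("no-local-wipe-policy")   # device default applies, nothing enforced
    if "maxInactivity" not in payload:
        findings.append("no-auto-lock")
    return findings


def build_profile(payload: dict, lock_to_device: bool = True) -> dict:
    """Top-level profile; with lock_to_device the profile cannot be removed
    without erasing the device, keeping the policy in force."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.passcode",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Passcode Policy",
        "PayloadRemovalDisallowed": lock_to_device,
        "PayloadContent": [payload],
    }


if __name__ == "__main__":
    strong = passcode_payload(STRONG)
    print(audit_passcode_payload(strong))
    weak = passcode_payload({"forcePIN": True, "minLength": 4})
    print(audit_passcode_payload(weak))
    print(plistlib.dumps(build_profile(strong), fmt=plistlib.FMT_XML).decode())
```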

ThesedataprotectionAPIsarealsoavailabletodevelopers,andcanbeusedtosecureenterprisein-houseorcommercialapplicationdata.

Remote Wipe
iPad supports remote wipe. If a device is lost or stolen, the administrator or device owner can issue a remote wipe command that removes all data and deactivates the device. If the device is configured with an Exchange account, the administrator can initiate a remote wipe command using the Exchange Management Console (Exchange Server 2007) or Exchange ActiveSync Mobile Administration Web Tool (Exchange Server 2003 or 2007). Users of Exchange Server 2007 can also initiate remote wipe commands directly using Outlook Web Access. Remote wipe commands can also be initiated by Mobile Device Management solutions even if Exchange corporate services are not in use.

Progressive passcode timeout
iPad can be configured to automatically initiate a wipe after several failed passcode attempts. If a user repeatedly enters the wrong passcode, iPad will be disabled for increasingly longer intervals. After too many unsuccessful attempts, all data and settings on the device will be erased.


VPN protocols
• Cisco IPSec
• L2TP/IPSec
• PPTP
• SSL VPN

Authentication methods
• Password (MSCHAPv2)
• RSA SecurID
• CRYPTOCard
• x.509 Digital Certificates
• Shared secret

802.1X authentication protocols
• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-SIM
• PEAPv0, v1
• LEAP

Supported certificate formats
iPad supports X.509 certificates with RSA keys. The file extensions .cer, .crt, and .der are recognized.

Local Wipe
Devices can also be configured to automatically initiate a local wipe after several failed passcode attempts. This protects against brute force attempts to gain access to the device. When a passcode is established, users have the ability to enable local wipe directly within the settings on iPad. By default, iPad will automatically wipe the device after 10 failed passcode attempts. As with other passcode policies, the maximum number of failed attempts can be established via a Configuration Profile, set by a Mobile Device Management server, or enforced over-the-air via Microsoft Exchange ActiveSync policies.

Network Security
Mobile users must be able to access corporate information networks from anywhere in the world, yet it's also important to ensure that users are authorized and that their data is protected during transmission. iPad provides proven technologies to accomplish these security objectives for both Wi-Fi and cellular data network connections.

VPN
Many enterprise environments have some form of virtual private networking established. These secure network services are already deployed and typically require minimal setup and configuration to work with iPad.

Out of the box, iPad integrates with a broad range of commonly used VPN technologies through support for Cisco IPSec, L2TP, and PPTP. Additionally, iPad supports SSL VPN through applications from Juniper and Cisco. Support for these protocols ensures the highest level of IP-based encryption for transmission of sensitive information.

In addition to enabling secure access to existing VPN environments, iPad offers proven methods for user authentication. Authentication via standard x.509 digital certificates provides users with streamlined access to company resources and a viable alternative to using hardware-based tokens. Additionally, certificate authentication enables iPad to take advantage of VPN On Demand, making the VPN authentication process transparent while still providing strong, credentialed access to network services. For enterprise environments in which a two-factor token is a requirement, iPad integrates with RSA SecurID and CRYPTOCard.

iPad supports network proxy configuration as well as split IP tunneling so that traffic to public or private network domains is relayed according to your specific company policies.

SSL/TLS
iPad supports SSLv3 as well as Transport Layer Security (TLS v1.0), the next-generation security standard for the Internet. Safari, Calendar, Mail, and other Internet applications automatically start these mechanisms to enable an encrypted communication channel between iPad and corporate services.

WPA/WPA2
iPad supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection. And with support for 802.1X, iPad can be integrated into a broad range of RADIUS authentication environments.


Application Security
iOS is designed with security at its core. It includes a "sandboxed" approach to application runtime protection and requires application signing to ensure that applications cannot be tampered with. iOS also has a secure framework that facilitates secure storage of application and network service credentials in an encrypted keychain. For developers, it offers a common crypto architecture that can be used to encrypt application data stores.

Runtime Protection
Applications on the device are "sandboxed" so they cannot access data stored by other applications. In addition, system files, resources, and the kernel are shielded from the user's application space. If an application needs to access data from another application, it can only do so using the APIs and services provided by iOS. Code generation is also prevented.

Mandatory Code Signing
All iPad applications must be signed. The applications provided with the device are signed by Apple. Third-party applications are signed by the developer using an Apple-issued certificate. This ensures that applications haven't been tampered with or altered. Additionally, runtime checks are made to ensure that an application hasn't become untrusted since it was last used.

The use of custom or in-house applications can be controlled with a provisioning profile. Users must have the provisioning profile installed to execute the application. Provisioning profiles can be installed or revoked over-the-air using Mobile Device Management solutions. Administrators can also restrict the use of an application to specific devices.

Secure Authentication Framework
iPad provides a secure, encrypted keychain for storing digital identities, usernames, and passwords. Keychain data is partitioned so that credentials stored by third-party applications cannot be accessed by applications with a different identity. This provides the mechanism for securing authentication credentials on iPad across a range of applications and services within the enterprise.

Common Crypto Architecture
Application developers have access to encryption APIs that they can use to further protect their application data. Data can be symmetrically encrypted using proven methods such as AES, RC4, or 3DES. In addition, iPad provides hardware acceleration for AES encryption and SHA1 hashing, maximizing application performance.

Application Data Protection
Applications can also take advantage of the built-in hardware encryption on iPad to further protect sensitive application data. Developers can designate specific files for data protection, instructing the system to make the contents of the file cryptographically inaccessible to both the application and to any potential intruders when the device is locked.


© 2010 Apple Inc. All rights reserved. Apple, the Apple logo, iPad, iTunes, and Safari are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. iTunes Store is a service mark of Apple Inc., registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. November 2010 L422500A

Revolutionary Device, Secure Throughout
iPad provides encrypted protection of data in transit, at rest, and when backed up to iTunes. Whether a user is accessing corporate email, visiting a private website, or authenticating to the corporate network, iPad provides assurance that only authorized users can access sensitive corporate information. And, with its support for enterprise-grade networking and comprehensive methods to prevent data loss, you can deploy iPad with confidence that you are implementing proven mobile device security and data protection.

For additional information and deployment resources for iPad visit: www.apple.com/ipad/business/integration/


iPad in Business Mobile Device Management

iPad supports Mobile Device Management, giving businesses the ability to manage scaled deployments of iPad across their organizations. These Mobile Device Management capabilities are built upon existing iOS technologies like Configuration Profiles, Over-the-Air Enrollment, and the Apple Push Notification service and can be integrated with third-party server solutions. This gives IT departments the ability to securely enroll iPad in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed iPad devices.

Managing iPad
Management of iPad takes place via a connection to a mobile device management server. As noted, this server can be purchased from a third-party solution provider. When a mobile device management server wants to communicate with iPad, a silent notification is sent to the device prompting it to check in with the server. The device communicates with the server to see if there are tasks pending and responds with the appropriate actions. These tasks can include updating policies, providing requested device or network information, or removing settings and data.

Management functions are completed behind the scenes with no user interaction required. For example, if an IT department updates its VPN infrastructure, the mobile device management server can configure iPad with new account information over-the-air. The next time VPN is used by the employee, the appropriate configuration is already in place, so the employee doesn't need to call the help desk or manually modify settings.

To illustrate the capabilities of Mobile Device Management, this document is organized into four categories of deployment: Enroll, Configure, Query, and Manage.

[Figure: Third-Party MDM Server, Firewall, Apple Push Notification Service]


Enroll
The first step in managing iPad is to enroll a device with a mobile device management server. This creates a relationship between the device and the server, allowing the device to be managed on demand without further user interaction. This can be done wirelessly or by connecting iPad to a computer via USB.

As a scalable way to securely enroll devices in an enterprise environment, iPad supports a process called Over-the-Air Enrollment.

Using Over-the-Air Enrollment, your enterprise can provide a secure web portal through which users can enroll their devices for management. The server can then configure managed devices with the appropriate restrictions and account access.

Process Overview
The process of Over-the-Air Enrollment involves three phases that, when combined in an automated workflow, provide a secure way to provision devices within the enterprise. These phases include:

1. User authentication
User authentication ensures that incoming enrollment requests are from authorized users and that the user's device information is captured prior to proceeding with certificate enrollment. Administrators can prompt the user to begin the process of enrollment by providing a URL via email or SMS notification.

2. Certificate enrollment
After the user is authenticated, iPad generates a certificate enrollment request using the Simple Certificate Enrollment Protocol (SCEP). This enrollment request communicates directly to the enterprise Certificate Authority (CA), and enables iPad to receive the identity certificate from the CA in response.

3. Device configuration
Once an identity certificate is installed, iPad can receive encrypted configuration information over-the-air. This information can only be installed on the device it is intended for and contains settings for iPad to connect to the mobile device management server.

At the end of the enrollment process, the user will be presented with an installation screen that describes what access rights the mobile device management server will have on the device. By agreeing to the profile installation, the user's device is automatically enrolled without further interaction.

iPad and SCEP
iPad supports the Simple Certificate Enrollment Protocol (SCEP). SCEP is an Internet draft in the IETF, and is designed to provide a simplified way of handling certificate distribution for large-scale deployments. This enables over-the-air enrollment of identity certificates to iPad that can be used for authentication to corporate services.
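The first phase of Over-the-Air Enrollment, user authentication, is where an enrollment portal decides whether an incoming request is from an authorized user and records the device's details before SCEP certificate enrollment begins. The following is an added example (not Apple's code and not part of this document) that models one way a portal can do this: the enrollment URL the administrator sends by email or SMS carries a per-user, time-limited, single-use token, and the portal verifies that token and captures the device information before handing off to certificate enrollment. The hostname, query parameter names, token lifetime and device attribute names are assumptions made for the example.

```python
"""Phase 1 of Over-the-Air Enrollment: authenticating the enrollment request.

Added illustration, not Apple's code. It models an enrollment portal that
issues a per-user, time-limited, single-use enrollment link, verifies the
link when the device opens it, and records the device information before
handing off to SCEP. Hostname, parameter names and device attributes are
assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

PORTAL_SECRET = secrets.token_bytes(32)        # server-side HMAC key (assumed)
PORTAL_URL = "https://enroll.example.com/ota"  # assumed portal hostname
TOKEN_LIFETIME = 3600                          # seconds an enrollment link stays valid


def _sign(user, nonce, expires):
    """HMAC over the user, nonce and expiry, so none of them can be altered."""
    msg = f"{user}|{nonce}|{expires}".encode()
    return hmac.new(PORTAL_SECRET, msg, hashlib.sha256).hexdigest()


def issue_enrollment_url(user, now=None):
    """Build the link an administrator sends to one authorized user."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    expires = now + TOKEN_LIFETIME
    query = {"user": user, "nonce": nonce, "exp": expires,
             "sig": _sign(user, nonce, expires)}
    return f"{PORTAL_URL}?{urlencode(query)}"


class EnrollmentPortal:
    """Server side: validates enrollment links and captures device details."""

    def __init__(self):
        self.used_nonces = set()   # single-use enforcement
        self.pending = {}          # nonce -> device info awaiting SCEP enrollment

    def authenticate(self, url, device_info, now=None):
        """Return (True, nonce) on success or (False, reason) on rejection."""
        now = int(time.time()) if now is None else now
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        try:
            user, nonce, expires, sig = q["user"], q["nonce"], int(q["exp"]), q["sig"]
        except (KeyError, ValueError):
            return False, "malformed"
        # Constant-time comparison so the check does not leak the valid signature.
        expected = _sign(user, nonce, expires)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False, "bad signature"
        if now > expires:
            return False, "expired"
        if nonce in self.used_nonces:
            return False, "replayed"
        # Device information must be captured before certificate enrollment.
        for field in ("udid", "serial", "product"):
            if field not in device_info:
                return False, f"missing device field {field}"
        self.used_nonces.add(nonce)
        self.pending[nonce] = {"user": user, **device_info}
        return True, nonce


if __name__ == "__main__":
    link = issue_enrollment_url("alice")
    portal = EnrollmentPortal()
    # Constructed device attributes, not real identifiers.
    device = {"udid": "EXAMPLE-UDID-0001", "serial": "EXAMPLE-SN", "product": "iPad1,1"}
    print(portal.authenticate(link, device))   # accepted, returns the nonce
    print(portal.authenticate(link, device))   # same link again is rejected as replayed
```

The order of the checks matters: the signature is verified before anything else is trusted, and the nonce is only marked used after every check has passed, so a rejected request cannot burn a legitimate user's link.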


Configure
Once a device is enrolled as a managed device, it can be dynamically configured with settings and policies by the mobile device management server. The server sends configurations, known as Configuration Profiles, to the device that are installed automatically.

Configuration Profiles are XML files that contain configuration information and settings that permit iPad to work with your enterprise systems, including account information, passcode policies, restrictions, and other device settings.

When combined with the previously discussed process of enrollment, device configuration provides IT with assurance that only trusted users are accessing corporate services, and that their devices are properly configured with established policies.

And because Configuration Profiles can be signed, encrypted, and locked, the settings cannot be altered or shared with others.

Supported configurable settings
Accounts

• Exchange ActiveSync
• IMAP/POP email
• VPN
• Wi-Fi
• LDAP
• CalDAV
• CardDAV
• Subscribed calendars

Policies
• Require passcode
• Allow simple value
• Require alphanumeric value
• Passcode length
• Number of complex characters
• Maximum passcode age
• Time before auto-lock
• Number of unique passcodes before reuse
• Grace period for device lock
• Number of failed attempts before wipe
• Control Configuration Profile removal by user

Restrictions
• App installation
• Screen capture
• Automatic sync of mail accounts while roaming
• Voice dialing when locked
• In-application purchasing
• Require encrypted backups to iTunes
• Explicit music & podcasts in iTunes
• Allowed content ratings for movies, TV shows, apps
• YouTube
• iTunes Store
• App Store
• Safari
• Safari security preferences

Other settings
• Certificates and identities
• Web Clips
• APN settings
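Configuration Profiles are XML property lists, so the policy list above maps onto concrete keys in a passcode payload and a restrictions payload. The following added example (not Apple's code and not a profile from this document) builds such a profile with Python's standard plistlib, writes it in the XML form a device installs, then reads it back and checks the passcode payload against the advice given earlier on this page: require a passcode stronger than four digits and wipe after a bounded number of failed attempts. The payload types and key names are Apple's documented Configuration Profile keys; the identifiers, display names and organization name are placeholders invented for the example.

```python
"""Build a Configuration Profile and check its passcode policy.

Added example, not Apple's code or a profile from this document. Payload
types and key names are the documented profile keys; identifiers, UUIDs
and the organization name are placeholders made up for the example.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"


def passcode_payload(min_length=6, max_failed=10, max_age_days=90,
                     auto_lock_minutes=5, history=5, grace_minutes=0):
    """Passcode policy payload; each key mirrors one item in the Policies list."""
    return {
        "PayloadType": PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.passcode",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                   # Require passcode
        "allowSimple": False,               # Allow simple value
        "requireAlphanumeric": True,        # Require alphanumeric value
        "minLength": min_length,            # Passcode length
        "minComplexChars": 1,               # Number of complex characters
        "maxPINAgeInDays": max_age_days,    # Maximum passcode age
        "maxInactivity": auto_lock_minutes, # Time before auto-lock
        "pinHistory": history,              # Unique passcodes before reuse
        "maxGracePeriod": grace_minutes,    # Grace period for device lock
        "maxFailedAttempts": max_failed,    # Failed attempts before wipe
    }


def restrictions_payload():
    """A few of the restrictions listed above, expressed as profile keys."""
    return {
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.restrictions",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        "forceEncryptedBackup": True,       # Require encrypted backups to iTunes
        "allowScreenShot": False,           # Screen capture
        "allowAppInstallation": False,      # App installation
        "allowInAppPurchases": False,       # In-application purchasing
    }


def build_profile(**passcode_kwargs):
    """Top-level Configuration profile wrapping the two payloads."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.ipad",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example iPad policy",
        "PayloadOrganization": "Example Corp",            # placeholder
        "PayloadRemovalDisallowed": True,   # Control profile removal by user
        "PayloadContent": [passcode_payload(**passcode_kwargs),
                           restrictions_payload()],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist form that a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_passcode_policy(mobileconfig_bytes):
    """Return findings where the profile falls short of this page's advice."""
    profile = plistlib.loads(mobileconfig_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode policy payload"]
    p = payloads[0]
    findings = []
    if not p.get("forcePIN"):
        findings.append("passcode not required")
    if p.get("minLength", 0) <= 4:
        findings.append("passcode not stronger than four digits")
    if p.get("allowSimple", True):
        findings.append("simple (repeating or sequential) passcodes allowed")
    if not 0 < p.get("maxFailedAttempts", 0) <= 10:
        findings.append("wipe after failed attempts not set or weaker than the 10-attempt default")
    return findings


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile())
    print(blob.decode())
    print("findings:", check_passcode_policy(blob))
```

Reading the profile back through plistlib rather than inspecting the dictionary directly is deliberate: it checks what the device would actually receive, so the same function can be pointed at profiles produced by any tool.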


Query
In addition to configuring devices, a mobile device management server has the ability to query devices for a variety of information. This information can be used to ensure that devices continue to comply with required policies.

The mobile device management server determines the frequency at which it gathers information.

Supported queries
Device information

• Unique Device Identifier (UDID)
• Device name
• iOS and build version
• Model name and number
• Serial number
• Capacity and space available
• IMEI
• Modem firmware

Network information
• ICCID
• Bluetooth® and Wi-Fi MAC addresses
• Current carrier network
• SIM carrier network
• Carrier settings version
• Phone number
• Data roaming setting (on/off)

Compliance and security information
• Configuration Profiles installed
• Certificates installed with expiry dates
• List of all restrictions enforced
• Hardware encryption capability
• Passcode present

Applications
• Applications installed (app ID, name, version, size, and app data size)
• Provisioning Profiles installed with expiry dates
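Query results are only useful once something evaluates them against policy. The following added example (not a real MDM server's code and not from this document) takes a constructed query response carrying the compliance and security items listed above and checks it against a small policy: a passcode must be present (otherwise data protection is not active), hardware encryption capability must be reported, the required Configuration Profile and restrictions must be in place, the identity certificate must not be expired or about to expire, and only approved provisioning profiles may be installed. The response layout, field names and policy values are assumptions made for the example, not a documented response format.

```python
"""Evaluate an MDM device query response for policy compliance.

Added example, not a real MDM server's code. The response layout, field
names and policy values are assumptions for the example.
"""
from datetime import date, timedelta

# Constructed sample of what a query for one managed device could return.
SAMPLE_RESPONSE = {
    "UDID": "EXAMPLE-UDID-0001",            # placeholder identifier
    "DeviceName": "iPad-finance-07",
    "OSVersion": "4.2.1",
    "PasscodePresent": True,
    "HardwareEncryptionCaps": True,
    "ProfilesInstalled": ["com.example.profile.ipad"],
    "RestrictionsEnforced": {"forceEncryptedBackup": True, "allowScreenShot": False},
    "Certificates": [
        {"CommonName": "iPad-finance-07", "Expiry": "2011-03-01", "IsIdentity": True},
        {"CommonName": "Example Corp Root CA", "Expiry": "2020-01-01", "IsIdentity": False},
    ],
    "ProvisioningProfiles": [
        {"Name": "Example Corp In-House", "Expiry": "2011-06-30"},
    ],
}

# Constructed policy the server enforces.
POLICY = {
    "required_profile": "com.example.profile.ipad",
    "required_restrictions": {"forceEncryptedBackup": True, "allowScreenShot": False},
    "allowed_provisioning_profiles": {"Example Corp In-House"},
    "cert_warning_days": 30,
}


def _parse(day):
    """Parse a YYYY-MM-DD string into a date."""
    y, m, d = (int(x) for x in day.split("-"))
    return date(y, m, d)


def evaluate(response, policy, today):
    """Return a sorted list of findings; an empty list means the device is compliant."""
    today = _parse(today)
    findings = []
    if not response.get("PasscodePresent"):
        findings.append("no passcode set: data protection is not active")
    if not response.get("HardwareEncryptionCaps"):
        findings.append("device does not report hardware encryption capability")
    if policy["required_profile"] not in response.get("ProfilesInstalled", []):
        findings.append("required Configuration Profile missing")
    enforced = response.get("RestrictionsEnforced", {})
    for key, expected in policy["required_restrictions"].items():
        if enforced.get(key) != expected:
            findings.append(f"restriction {key} not enforced")
    # Identity certificates are what the device authenticates with, so expiry is a
    # compliance matter; CA certificates in the list are informational here.
    horizon = today + timedelta(days=policy["cert_warning_days"])
    for cert in response.get("Certificates", []):
        if not cert.get("IsIdentity"):
            continue
        expiry = _parse(cert["Expiry"])
        if expiry < today:
            findings.append(f"identity certificate {cert['CommonName']} expired")
        elif expiry <= horizon:
            findings.append(f"identity certificate {cert['CommonName']} expires within "
                            f"{policy['cert_warning_days']} days")
    for pp in response.get("ProvisioningProfiles", []):
        if pp["Name"] not in policy["allowed_provisioning_profiles"]:
            findings.append(f"unexpected provisioning profile {pp['Name']}")
        elif _parse(pp["Expiry"]) < today:
            findings.append(f"provisioning profile {pp['Name']} expired")
    return sorted(findings)


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE, POLICY, "2011-01-15"))   # []
    print(evaluate(SAMPLE_RESPONSE, POLICY, "2011-02-10"))   # certificate warning
```

Because the page says the server chooses how often it gathers this information, the certificate warning window should be longer than the polling interval, so that an expiring identity certificate is caught and renewed before the device can no longer authenticate.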

Manage
When a device is managed, it can be administered by the mobile device management server through a set of specific actions.

Supported actions
Remote wipe
A mobile device management server can remotely wipe an iPad. This will permanently delete all media and data on the iPad, restoring it to factory settings.

Remote lock
The server locks the iPad and requires the device passcode to unlock it.

Clear passcode
This action temporarily removes the device passcode for users who have forgotten it. If the device has a policy requiring a passcode, the user will be required to create a new one.

Configuration and Provisioning Profiles
To configure devices and provision in-house applications, mobile device management servers can add and remove Configuration Profiles and Application Provisioning Profiles remotely.


[Figure: basic MDM deployment showing the Third-Party MDM Server, Firewall and Apple Push Notification Service, with numbered callouts 1 to 5 corresponding to the Process Overview steps]


Process Overview
This example depicts a basic deployment of a mobile device management server.

1. A Configuration Profile containing mobile device management server information is sent to the device. The user is presented with information about what will be managed and/or queried by the server.

2. The user installs the profile to opt in to the device being managed.

3. Device enrollment takes place as the profile is installed. The server validates the device and allows access.

4. The server sends a push notification prompting the device to check in for tasks or queries.

5. The device connects directly to the server over HTTPS. The server sends commands or requests information.

For more information on Mobile Device Management, visit www.apple.com/ipad/business/integration


iPad in Business iTunes Deployment Overview

Introduction
When deploying iPad in your business, it's important to think about the role of iTunes. A few key functions require iTunes, starting with the activation of the device. After activation, iTunes isn't required to configure or use iPad with your enterprise systems. It is, however, required for installing software updates and for creating a backup if user information ever needs to be restored or transferred to a new device. iTunes can also be used to synchronize music, video, applications, and other content. These synchronization capabilities are not required for general business use.

Whether you choose to install iTunes on your business computers or encourage your employees to do these functions from a home computer, corporate data can be encrypted and protected throughout the process. If you choose to support iTunes internally, you can tailor the application to meet the needs of your environment or business conduct policies. For example, you can customize iTunes by restricting or disabling network services such as the iTunes Store or shared media libraries, or controlling access to software updates. You can also deploy iTunes using centrally managed desktop software deployment tools.

For the end user, iTunes is simple to use. Users who are familiar with the iTunes interface for managing content and media at home will find it easy to manage their corporate content on iPad.

Using iTunes
Activation
iPad must be connected to iTunes via USB to be activated for use. Because iTunes is required to complete the activation process for iPad, you'll need to decide whether you want to install iTunes on each user's Mac or PC, or whether you'll complete activation for each device with a centralized iTunes installation. Either way, the activation process is quick and easy.

Users simply connect iPad to a Mac or PC running iTunes, and within seconds, iPad is activated and ready for use.

After activating a device, iTunes offers to sync the device with the computer. To avoid this when you're activating a device for your users, turn on activation-only mode within iTunes. This disables syncing and automatic backups and prompts you to disconnect the device as soon as activation is finished.

For instructions on how to enable activation-only mode, refer to the Enterprise Deployment Guide.

iTunes controls and restrictions
When deploying iTunes on your corporate network, you can restrict the following iTunes functionality using the registry in Windows or System Preferences in Mac OS X:

• Accessing the iTunes Store
• Library sharing with local network computers also running iTunes
• Playing explicit iTunes media content
• Playing movies
• Playing TV shows
• Playing Internet radio
• Entering a streaming media URL
• Subscribing to podcasts
• Displaying Genius suggestions while browsing or playing media
• Downloading album artwork
• Using Visualizer plug-ins
• Automatically discovering Apple TV systems
• Checking for new versions of iTunes
• Checking for device software updates
• Automatically syncing when devices are connected
• Registering new devices with Apple
• Access to iTunes (iTunes U)


Syncing media
You can use iTunes to sync music, videos, photos, apps, and more. iTunes makes it easy to control exactly what to sync, and you can clearly see how much space is available for content. iPad can sync each type of data to only one computer at a time. For example, you can sync music with a home computer and contacts with a work computer by setting iTunes sync options appropriately on both computers.

Software updates
iTunes is used to update or reinstall iPad software and to restore default settings or restore from backup. When an update is performed, downloaded applications, settings, and data aren't affected. To update, users simply connect iPad to their computer, and click "Check for Updates." iTunes informs the user if a newer version of iPad software is available. If you turn off automated and user-initiated software update checking using iTunes restrictions, you'll need to distribute software updates for manual installation. This can be done by distributing the .ipsw file associated with each version of the software and instructing your users on how to manually install the update.

Backup
While the synchronization of data for business users will mostly take place over-the-air using corporate services such as Exchange ActiveSync, using iTunes to back up iPad settings is important if users need to restore a device. When iPad is synced with iTunes, device settings are automatically backed up to the computer. Applications purchased from the App Store are copied to the iTunes Library. Applications you've developed in-house and distributed to your users with enterprise provisioning profiles won't be backed up or transferred to the user's computer. However, the device backup will include any data files the enterprise application creates. Once iPad has been configured to sync with a particular computer, iTunes automatically makes a backup of iPad on that computer when synced. iTunes won't automatically back up an iPad that isn't configured to sync with that computer.

iTunes backups can be encrypted on the host machine, preventing unwanted data loss from the host computer. Backup files are encrypted using AES 128 with a 256-bit key. The key is stored securely in the iPad keychain. Users are prompted to create a strong passcode when backing up iPad for the first time.

Deploying iTunes
Installation
iTunes uses standard Mac OS and Windows installers and can be deployed using many of the desktop management applications commonly used by IT professionals. iTunes can also be installed and updated without user interaction. Once settings and policies in the iTunes installer have been modified, iTunes can be deployed the same way other enterprise software is deployed.

When you install iTunes on Windows computers, by default you also install the latest versions of QuickTime, Bonjour, and Apple Software Update. You can omit the Bonjour and Software Update components by passing parameters to the iTunes installer or by pushing only the components you want to install on your users' computers. The QuickTime component, however, is required, and iTunes will not run without it. Mac computers come with iTunes installed. To push iTunes to Mac clients, you can use Workgroup Manager, an administrative tool included with Mac OS X Server.

iTunes podcasts
iTunes can subscribe to and download audio and video podcasts. Podcasts are a great way to deliver everything from training and educational content to corporate communications and product information. Podcasts can be easily transferred to iPad, so your employees can listen or watch, whenever and wherever they are. The iTunes Store also has thousands of free business-related podcasts available from providers such as Harvard Business Review, Wharton, Bloomberg, and more.

