
Anyone hoping for a free demo may be dismayed by this dependency. However, enterprises building their iOS apps may already have an Apple Developer account. We used an entry-level account ($99) to fulfill this prerequisite. No matter how you get your cert from Apple, the resulting .p12 file and App Bundle ID must be loaded into AirWatch before any iOS4 device can be enrolled. This cert will be used to authenticate MDM commands sent to enrolled devices.

Figure 1

To kick off enrollment, send your users an email or SMS containing a provisioning page URL, login, and activation code. If desired, AirWatch can even send an SMS to devices using a batch import file. As each user visits the URL, their device is placed into a default location group. (Recall from part one that every AirWatch subscriber is assigned a unique location to be carved into geographic or organizational subgroups.) AirWatch uses this location group to push the appropriate profiles to each newly-enrolled iOS4 device, completing over-the-air provisioning.

During our trial, we enrolled an iPhone4, a couple of iPods, and a few iPads. When all went well, our volunteers found enrollment quick and easy. But when problems surfaced – for example, a 3.x iPad that choked on an iOS4 profile – we had to contact AirWatch support. In general, the AirWatch Console could only tell us that MDM commands were sent to APNS; it often could not say whether commands were successful or why they had failed. This seems to be a limitation of Apple's MDM architecture; we hope to see more error reporting in future iOS releases.

Something Old, Something New

Once enrolled, iOS4 devices join all other managed devices (e.g., Windows Mobiles, older Apples) on the AirWatch Console. On the Home page, they contribute to health stats charted for each location group. On the Location page, they are returned by filtered searches. On the Devices page, they appear in the Device Dashboard, accompanied by status and OS-specific actions.

Figure 1

For older (3.x) Apple devices, this Dashboard control panel can be used to view device details, request Agent check-in, view event or message logs, view current or historical GPS location, send an SMS message, or request a data wipe. But AirWatch must depend on a device-resident Agent to supply details and process APNS notifications. For example, if a 3.x iPad is sleeping, displayed details or GPS coordinates will not be current. To install a new profile on a 3.x device, AirWatch can only send an APNS notification, suggesting the user click a provisioning URL. Additionally, remote lock, passcode clear, and device query actions are not available for 3.x devices.

However, new iOS4 devices can use native MDM to overcome these limitations, with or without a device-resident AirWatch Agent. For iOS4 devices, this Dashboard control panel can:

  • Display device queries: Send a notification to the device, requesting current data (e.g., details, certificates, installed apps, profiles, restrictions), all returned without user prompting.
  • View device details, certificates, apps: Display most recently-reported values – for example, apps are shown with version, size, timestamp, and deployment method (iTunes or AirWatch).
  • View config/app profiles, restrictions: Display all profiles or restrictions pushed to the device by AirWatch, including profile version, content, and creation time.
  • Perform a security audit: Use recently-reported values to assess the device's current security posture (below). (Note that audit requirements are not themselves configurable.)
  • Send a message: Send the device's user an email message or (for devices associated with a wireless carrier supported by CellTrust only) an SMS text.
  • View event or message logs: As for 3.x devices, returns a filtered but very basic list of AirWatch-device interactions (e.g., 4:05 am Server to Device Information Requested).
  • Clear passcode or lock: Remotely lock or unlock a managed device. Note that if restrictions require a passcode, the user will be prompted to configure a new one within a grace period.
  • Remote wipe: After receiving required admin confirmation, wipe all device settings and data, resetting it to factory default. (Users may restore personal data and apps from iTunes.)
  • Remove MDM: Break the MDM relationship established during enrollment, removing all AirWatch-installed profiles, apps, shortcuts, and restrictions.

Figure 1

While some of these actions applied to older devices, many now go deeper or provide stronger control. For example, config profiles and restrictions may now be updated without user assistance – in fact, without the user noticing. Enterprise apps can now be deployed over-the-air, while enforcing compliance with IT-defined black lists.

From a security perspective, AirWatch for iOS4 offers major improvements. Help desks can use "clear passcode" to safely lock a lost phone while letting the user back in later. Restrictions like auto-lock duration can now be tightened on the fly, not just when the user checks mail. And black lists can be used to immediately "unmanage" or auto-wipe a device infected with malware.
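The "security audit" and black-list actions above boil down to policy logic run over whatever the device last reported. The following Python is an added illustration of that logic, not AirWatch code: it parses a constructed device record in Apple's XML plist form (the `SecurityInfo` keys `PasscodePresent` and `PasscodeCompliant` are real MDM response keys; the `Jailbroken` key is an assumed stand-in for the Agent-reported value the review mentions) and escalates to a recommended action. The audit rules and the black list are assumptions for the example; the review notes AirWatch's own audit requirements are not configurable and does not list them.

```python
"""Posture audit over an MDM-style device record (added example, not AirWatch's code)."""
from __future__ import annotations

import plistlib
from typing import Any

# Constructed sample of what a server might store after DeviceInformation,
# SecurityInfo and InstalledApplicationList queries. "Jailbroken" is not an
# MDM key; it stands in for an Agent-reported value and is absent (None) when
# no Agent or no working jailbreak check is available.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>UDID</key><string>constructed-udid-0001</string>
  <key>OSVersion</key><string>4.2.1</string>
  <key>SecurityInfo</key>
  <dict>
    <key>PasscodePresent</key><true/>
    <key>PasscodeCompliant</key><false/>
    <key>HardwareEncryptionCaps</key><integer>3</integer>
  </dict>
  <key>Jailbroken</key><false/>
  <key>InstalledApplicationList</key>
  <array>
    <dict><key>Identifier</key><string>com.example.mail</string><key>Version</key><string>2.0</string></dict>
    <dict><key>Identifier</key><string>com.example.badgame</string><key>Version</key><string>1.3</string></dict>
  </array>
</dict>
</plist>
"""

BLACKLIST = {"com.example.badgame"}  # constructed IT-defined black list

# Actions ordered by severity; the audit keeps the strongest one triggered.
SEVERITY = {"ok": 0, "warn": 1, "unmanage": 2, "wipe": 3}


def parse_report(raw: bytes) -> dict[str, Any]:
    """Decode the XML plist record stored for one device."""
    return plistlib.loads(raw)


def audit(report: dict[str, Any], blacklist: set[str]) -> dict[str, Any]:
    """Assess posture from last-reported values; returns findings and an action."""
    findings: list[str] = []
    action = "ok"

    def escalate(level: str, message: str) -> None:
        nonlocal action
        findings.append(message)
        if SEVERITY[level] > SEVERITY[action]:
            action = level

    sec = report.get("SecurityInfo", {})
    if not sec.get("PasscodePresent"):
        escalate("warn", "no passcode set; re-push the passcode policy profile")
    elif not sec.get("PasscodeCompliant", True):
        escalate("warn", "passcode does not meet pushed policy; user is prompted within the grace period")

    # Edge case: an unknown jailbreak status (no Agent, or the check is
    # unavailable) must not be treated as a clean result.
    jailbroken = report.get("Jailbroken")
    if jailbroken is None:
        escalate("warn", "jailbreak status unknown (no Agent report); do not assume clean")
    elif jailbroken:
        escalate("wipe", "device reports hardware compromise (jailbroken)")

    for app in report.get("InstalledApplicationList", []):
        ident = app.get("Identifier", "")
        if ident in blacklist:
            escalate("unmanage", f"black-listed app installed: {ident} {app.get('Version', '')}".strip())

    return {"action": action, "findings": findings}


if __name__ == "__main__":
    result = audit(parse_report(SAMPLE_REPORT), BLACKLIST)
    print(result["action"])
    for line in result["findings"]:
        print(" -", line)
```

The sample record trips two rules (a non-compliant passcode and a black-listed app) and the stronger of the two, "unmanage", wins; the same function returns "warn" for a device that cannot report jailbreak status at all, which is the situation the review describes once Apple's jailbreak API went away in iOS 4.2.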

But iOS4 MDM is still maturing, requiring sometimes awkward adjustments. For example, some details (e.g., IP address, GPS coordinates) are not surfaced by MDM APIs and are only available from devices with installed AirWatch Agents. AirWatch used Apple's jailbreak API to check for hardware compromise – an API disabled in iOS 4.2. Dashboard controls for each device should match OS type, but sometimes did not. When using AirWatch to remotely remove MDM, we experienced APNS delays from six minutes to forever. The latter was a one-time anomaly that should never happen, but we still recommend testing features you expect to be fool-proof.

Configuration Profiles

In part one, we showed how AirWatch uses Odyssey to configure Windows Mobiles. However, iPhones, iPads, and iPods must be configured using XML profiles. Readers familiar with Apple's iPhone Configuration Utility will recognize these profiles, because their attributes and encodings are identical, no matter who generates them.

Here, AirWatch brings quite a bit to the table by wrapping profiles inside a centralized scalable GUI. AirWatch makes it easy to create, update, and deploy an extensive set of profiles to selected device models, versions, and locations.
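Because the profile format is the same whether AirWatch or Apple's iPhone Configuration Utility generates it, it is worth seeing what one looks like on the wire. The Python below is an added example, not AirWatch's or Apple's code: it assembles a small configuration profile (a passcode policy payload of type `com.apple.mobiledevice.passwordpolicy` and a restrictions payload of type `com.apple.applicationaccess`, both real payload types, with real keys such as `maxInactivity` for auto-lock) as an XML plist, and then lints and summarizes it the way a console might before deployment. The identifier and organization names are constructed; the lint rules are assumptions, not Apple's validation.

```python
"""Build, lint and summarize an Apple configuration profile (added example, not AirWatch's code)."""
import plistlib
import uuid

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"
# Keys every payload dictionary carries regardless of who generated it.
REQUIRED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def _payload(ptype: str, identifier: str, **settings) -> dict:
    """One payload dictionary with the common header keys plus its settings."""
    body = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": ptype,
    }
    body.update(settings)
    return body


def build_profile(base_id: str, org: str) -> bytes:
    """Return an XML plist profile: passcode policy plus a few restrictions."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": base_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} iOS4 baseline",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,  # user cannot remove it; MDM can
        "PayloadContent": [
            _payload(PASSCODE_PAYLOAD, base_id + ".passcode",
                     forcePIN=True, allowSimple=False, minLength=6,
                     maxInactivity=5,        # auto-lock after 5 minutes
                     maxFailedAttempts=10),  # wipe after 10 bad attempts
            _payload(RESTRICTIONS_PAYLOAD, base_id + ".restrictions",
                     allowCamera=False, allowAppInstallation=True),
        ],
    }
    return plistlib.dumps(profile)


def lint_profile(profile: dict) -> list:
    """Assumed sanity checks: correct outer type, header keys present, UUIDs unique."""
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    seen = set()
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        for key in REQUIRED_KEYS:
            if key not in payload:
                problems.append(f"payload {i}: missing {key}")
        pid = payload.get("PayloadUUID")
        if pid is not None:
            if pid in seen:
                problems.append(f"payload {i}: duplicate PayloadUUID {pid}")
            seen.add(pid)
    return problems


def summarize_profile(raw: bytes) -> dict:
    """Parse a profile back and report what a console would show for it."""
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    passcode = next((p for p in payloads if p.get("PayloadType") == PASSCODE_PAYLOAD), {})
    return {
        "identifier": profile.get("PayloadIdentifier"),
        "payload_types": [p.get("PayloadType") for p in payloads],
        "passcode": {k: passcode[k] for k in ("forcePIN", "minLength", "maxInactivity") if k in passcode},
        "problems": lint_profile(profile),
    }


if __name__ == "__main__":
    raw = build_profile("com.example.mdm.ios4", "Constructed Corp")
    print(raw.decode())
    print(summarize_profile(raw))
```

Running it prints the plist as a device would receive it and a summary with the two payload types, the passcode settings, and an empty problem list; feeding `lint_profile` a profile whose payloads share a UUID reports the duplicate, which is the kind of mistake that silently breaks profile updates.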

Page 3: Review: AirWatch Enterprise MDM for Apple iOS4