iPhones and iPads are flooding the workplace, threatening to dislodge IT-issued BlackBerries and netbooks. As a result, IT groups need fast-yet-effective ways to secure employee-liable devices. One solution: AirWatch Enterprise MDM for Apple iOS4, a Mobile Device Manager (MDM) that can be purchased as a cloud service.

Back in July, we tested AirWatch Enterprise v5.11, focusing on its ability to track, trouble-shoot, and provision Windows Mobile phones – see part one of this review. At the time, AirWatch could track iPhones, but more was expected in iOS4.

In part two, we review AirWatch Enterprise MDM using new iOS4 interfaces to manage iPads, iPhones, and iPod touches. Although these features took awhile to mature, they were well worth the wait. Using this Software-as-a-Service (SaaS), any IT group can deliver rich remote management for iOS4 devices – and the apps that run on them – with little effort. But there's a caveat: this service is a continuing work-in-progress.

Managing iOS4

As described in part one, authorized admins can use the web-based AirWatch Console to manage a diverse array of smartphones, from Windows Mobile and Symbian to iOS and soon Android. However, the control that can be exerted over any device depends on vendor/model and OS version. Like other third-party MDMs, AirWatch Enterprise is ultimately constrained by each phone's capabilities and SDK APIs.

For iPhones, iPads, and iPods, developers are further limited by Apple's rules and procedures. Specifically, the AirWatch MDM Agent had to comply with SDK rules and pass Apple review to be published at the AppStore. But with iOS4, developers get to loosen these shackles a wee bit by using Apple's shiny new MDM interfaces.

When the first iPhone was released, it had little security and no remote configuration. Over time, passcode and encryption features became configurable via XML profiles. Apple's iPhone Configuration Utility could be used to generate profiles to be posted at websites for user installation. Eventually, ActiveSync support was extended so that Exchange servers could check passcode/encryption settings and remotely wipe lost iPhones.

MDMs like AirWatch began to use profiles and ActiveSync to manage iPhones, supplemented by data gathered by Agent apps. Although OS 3.x Agents could not run in the background, they could receive messages from the Apple Push Notification Service (APNS). These hooks were a starting point, but MDM was too user-dependent and employers still could not remotely install or control other iPhone apps.

Fortunately, Apple has now addressed this by adding native MDM to iOS4 (PDF). Employers are no longer limited to ActiveSync checks, desktop-generated profiles, or user-installed Agents. Instead, iOS4 devices and all of the apps that run on them can now be provisioned and tracked by enterprise MDM consoles, requiring near-zero user involvement.

In a nutshell, here's how iOS4 MDM works. Each user browses to an employer-designated MDM provisioning portal to install Apple's Global MDM Configuration Profile. During installation, the iPhone/iPad/iPod generates a device certificate and enrolls with the employer's MDM. This process establishes an MDM relationship between the employer's server and managed device.




Figure 1


Thereafter, commands sent by the employer's MDM are relayed through APNS to managed devices. Devices respond directly the requesting MDM over HTTPS, creating a secure conduit over which to query settings, receive reports, install/remove profiles, and provision apps. Although Exchange can still apply ActiveSync checks to iOS4 devices, native MDM enables far greater control and visibility.

Vendors that have announced support for iOS4 MDM include AirWatch, BoxTone, MobileIron, Sybase, Tangoe, and Zenprise. However, starting with the same API does not result in identical functionality or usability. As we learned, an MDM's power comes from how devices are presented and administered – and not for just one device, but for many.

Getting Started with iOS4

AirWatch Enterprise MDM for iOS4 can be deployed as an appliance ($5000/100 devices), licensed software on your own server ($30/device), or a subscription service ($2/month/device). For app management, add $10/device (software) or $1/month/device (service).

We reviewed the service, delivered by a multi-tenant Enterprise MDM 5.11 server, hosted by AirWatch. As such, there was no hardware to procure and no software to install. However, MDM for iOS4 requires a unique APNS certificate. This cert must be obtained from Apple by using an iOS Developer Enterprise account ($299/year) to generate an X.509 request and download the Apple-issued response.

Page 2: Review: AirWatch Enterprise MDM for Apple iOS4