
What iOS 11 Means to the Enterprise

Table of Contents

Executive Summary
Expanding the foundation for Apple in the enterprise
iPad Pro delivers a more productive enterprise user experience
iOS 11 supports more powerful and secure app development
Apple expands enterprise security and management
Conclusion

401 East Middlefield Road, Mountain View, CA 94043
[email protected]
www.mobileiron.com
Tel: +1.877.819.3451 Fax: +1.650.919.8006

MKT EN-US v1.1

Executive Summary

The release of iOS 11 highlights Apple’s continued commitment to the enterprise by providing more options for organizations that are in the process of replacing older PCs. As a dominant player in the consumer market, Apple is now pursuing a stronger foothold in the enterprise market with many new features and capabilities released in iOS 11. For example, new multitasking and Multi-Touch capabilities are designed to deliver a more robust, desktop-like experience on the new iPad Pro. In fact, with all the new features, it appears that the iPad Pro is intended to be a desktop replacement or “light laptop” for employees who want a more travel-friendly device without compromising productivity.

In addition to productivity features, iOS 11 has also introduced new development tools and that are clearly designed to help developers grow the ecosystem of more powerful and secure apps for a variety of enterprise use cases.

Although iOS 11 has introduced a vast range of new features, this paper primarily covers those most relevant to the enterprise. It also discusses the role of enterprise mobility management (EMM) solutions in managing and deploying some of these new capabilities. Ultimately, enterprise IT should have a good understanding of how Apple’s latest release may impact their organizations so they can prepare to manage and leverage these new features to securely support their business processes.

Expanding the foundation for Apple in the enterprise

Global enterprise organizations are rapidly shifting from legacy PC computing to modern operating systems and cloud-based applications to help increase business agility and reduce costs. On top of that, employees have become so dependent on their personal devices that they expect the same intuitive experience in their work lives as well. As organizations start to phase out aging Windows PCs, they are looking to replace them with devices that combine full-featured desktop productivity with increased mobility, cloud computing, and simplified security and management.

The release of iOS 11 and the new iPad Pro is clearly designed to meet this need by providing a compelling option for enterprise organizations as they upgrade their legacy PC architectures. Several years ago, Apple led the market by enabling organizations to securely manage devices with EMM solutions. is also heading in this direction with , which is significant because it means that more organizations will be adopting EMM as their primary desktop and mobile device management (MDM) platform. As Computerworld noted, “By focusing on EMM as a total management approach, businesses can become even more device agnostic — allowing workers to be more productive on the devices they already have.”1 This is especially good news for enterprise iOS and macOS users, because it will further reduce barriers to using their preferred Apple devices for work.

With all the new productivity features available in iOS 11 and the iPad Pro, business users will understandably expect their IT organizations to fully support these upgrades. New multitasking and Multi-Touch capabilities such as drag and drop, Dock, app switcher, split view, and expanded file management features like the new Files app will make the iPad — and especially the iPad Pro — a valid contender for enterprise desktop replacements.2

1 http://www.computerworld.com/article/3201055/apple-ios/with-ios-11-apple-focuses-on-enterprise-users.html
2 http://www.brianmadden.com/opinion/Apple-WWDC-2017-Here-are-the-enterprise-management-updates-for-iOS-11

Other enterprise features include expanded near-field communication (NFC) support for developers, password autofill for apps, and DeviceCheck APIs that generate a temporary token to uniquely identify a device while maintaining user privacy.3 The release of these and other key features in iOS 11 makes the iPad an elegant and powerful tool to bridge any gap between tablets and smart laptops. Other capabilities, such as augmented reality (AR) app support with ARKit and machine learning development tools with Core ML, are enhancing the foundation for Apple’s future expansion in the enterprise.

This paper will focus on three key enterprise upgrades introduced in iOS 11:

1. More productive enterprise user experience

2. Powerful and secure app development tools

3. Improved enterprise security and management

3 http://www.brianmadden.com/opinion/Apple-WWDC-2017-Here-are-the-enterprise-management-updates-for-iOS-11

iPad Pro delivers a more productive enterprise user experience

Together, iOS 11 and the new iPad Pro are increasingly blurring the line between enterprise and consumer experiences. The latest releases don’t just add a few new consumer-oriented features; together they enable a more full-featured enterprise experience and free up workers to be even more productive either inside or out of the office.

The new iPad Pro

With iOS 11, the iPad Pro has evolved into a true content creation device that enables more than just basic web and app usage — its functionality now resembles that of a light laptop. These significant improvements in usability and productivity clearly show that Apple is trying to close the gap between the tablet and laptop user experience. Until now, the iPad was not viewed as a laptop replacement, but with new features such as a 10.5-inch screen, brighter and sharper display, 30% faster CPU, 40% faster GPU, 12-megapixel camera, and 4K video, Apple is trying to deliver a much more robust, laptop-like experience on the iPad.4 In addition to these essential hardware upgrades, Apple is also making the new iPad Pro more customizable and “desktop-like” while keeping the experience predictable across its broad user base. These enhancements include:

Files

Files is a completely new iOS capability that can find, organize, open, and delete all the files on an iOS 11 device, in iCloud, and from third-party storage services like Box or Google Drive. It supports drag and drop functions as well as nested folders, tags, and a persistent search bar. The search function does not yet search within the content of the files, but it can find files by name within subfolder structures.

Files offers significant productivity advantages for enterprise users. For example, an employee may work in IT but also need access to marketing documents. However, these departments use completely different storage repositories, such as the for IT and for marketing. With Files, the employee can quickly find the documents in one place on the new iPad Pro.

Professional users will probably find Files very useful for keeping track of content from different sources and physically on the device. However, from a security perspective, corporate IT should consider implementing the iOS managed open-in rules through EMM. They should also evaluate additional protections to ensure that only authorized users can access corporate content within supported apps and containers.

4 https://www.mobileiron.com/en/smartwork-blog/wwdc-looking-enterprise-easter-eggs

Dock enhancements

The iPad Pro Dock can now be filled with more apps in much the same way it functions on an iMac. The Dock makes switching between apps much faster, and it enables multitasking features on compatible devices. For instance, opening the Dock while using an app and dragging a Dock upwards will open a new , which can be pulled into a slide-over or split-view multitasking arrangement. The Dock enhancements make it much easier to access apps because the new actions mimic how a Mac desktop works. The result is a more consistent experience across the Apple device ecosystem from desktop to mobile.

New app switcher

Accompanying the Dock is a new app switcher that essentially brings the macOS Mission Control experience to the iPad. It shows all of the most recently used apps and offers access to Control Center settings. When activated, the user can see (and switch between) each window and maintain split-view apps. This makes it very easy to seamlessly work with and within multiple apps and tie in other multitasking features such as drag-and-drop operations during document creation.

Drag and drop with Multi-Touch

Apple also introduced drag-and-drop functionality throughout iOS 11. This allows the user to drag and drop images, text, links, and more within an app or between apps or documents. That alone is a great productivity enhancement, but Apple also went beyond current PC capabilities. For instance, the new drag-and-drop actions can be superimposed on the iPad to stack multiple items. This Multi-Touch functionality is revolutionary because it is no longer limited to one or two fingers. The iPad’s computing power and screen real estate make it the ideal device for this new functionality because stacking multiple items is far more intuitive on an iPad than an iPhone.

While the iPad with iOS 11 is a more powerful and cost-effective computing device, the new iPad Pro has transformed into a true workhorse. This is especially great news for enterprise organizations looking to support more devices for cloud-based computing.

As enterprises increasingly shift apps and data to the cloud, with enhanced enterprise functionality will be critical to enabling anytime, anywhere access to those resources. IT teams can simplify the task of keeping corporate and personal information separate, secure, and private through EMM as these capabilities become more widely adopted on mixed-use devices.

iOS 11 updates go well beyond multitasking

Password autofill for apps

With so many passwords to remember, users often take and carelessly store usernames and passwords in personal cloud apps (or other unsecured apps) for the sake of convenience. For instance, if users have to remember and routinely change passwords for enterprise apps like ADP or Concur, they may store them in an unencrypted Evernote account if single sign-on (SSO) is not activated. They may also use the same tactic to store passwords for highly restricted accounts such as personal banking or a confidential corporate account.

Apple is fully aware that end-user convenience is a major factor in improving security, which is why it recently ported the password autofill feature from macOS to iOS 11. Password autofill in Safari 11.0 stores passwords in the iCloud and saves users from having to remember passwords for various consumer apps. Password autofill also provides a consumer-level workaround for sites and apps which previously allowed , , or LinkedIn accounts to provide authentication to apps and services like OpenTable. That type of authentication is now being deprecated by Apple.

To ensure password autofill complies with corporate security policies, IT should investigate EMM-integrated SSO and certificate-based authentication methods for corporate sites and content.

Screen recording

A new screen recording feature is now available natively in iOS 11. To record screen actions, a user swipes to the Control Center, records the screen, and the file is saved to Photos. The feature also has its own dedicated button in the revised iOS 11 Control Center. The recording can be shared like any other piece of content, which can be very useful for help-desk troubleshooting or training videos. It can be controlled by IT with EMM via the screenshot restriction.

New lock screen design

The and lock screen will also be merged into a single screen under iOS 11. The user now scrolls up or down (instead of sideways) to jump to notifications, but aside from this small adjustment, the new lock screen design simplifies the UI and improves access to utility functions. Users can now perform more tasks, such as answer texts, begin a screen recording, or turn on the camera directly from the lock screen. IT security teams can still enable or disable notifications on supervised devices.

Peer-to-peer

Apple Pay is the number one NFC payment service on mobile devices and accounts for nearly 90% of all mobile transactions globally. Apple Pay has gained the strongest momentum in international markets with an average of three out of four Apple Pay transactions occurring outside the U.S.5

To help expand the international mobile payment infrastructure, Apple Pay now allows money to be sent through iMessage or Siri so users can take advantage of the credit and debit cards stored in Wallet. Money received goes into an Apple Pay cash account, which can either be used to make purchases through Apple Pay or sent to a bank account. If organizations plan to use this new feature to transact business with Apple’s savvy e-commerce user base, they will need to ensure their mobile security framework can meet relevant financial compliance and regulatory standards.

Automatic setup

This new setup feature in iOS 11 resembles the workflow Apple previously used to automatically set up an . The updated feature is designed to make it much easier for users to upgrade to a new device by simplifying and accelerating the data transfer process. Rather than relying on iTunes or iCloud backups in the transition process, this setup option can transfer settings directly from an existing iOS 11 device (which needs to be updated first). The two devices, when held in proximity, provide instructions to pair for setup using the camera on the older device to scan an image on the screen of the new device. After the user settings are transferred, the process enables simplified setup for Touch ID and settings like iPhone, location services, and analytics. (Apple Pay and have to be configured separately.) In addition, corporate EMM settings and content require re-enrollment to meet IT security requirements.

Note: Although this feature may ease the transition between BYOD devices, it does not apply to DEP-enabled devices configured to bypass Setup Assistant and enroll in EMM.

5 https://www.apple.com/investor/earnings-call/

iOS 11 supports more powerful and secure app development

To help expand the ecosystem of iOS enterprise apps, Apple has introduced platform enhancements to encourage developers to create new productivity tools. iOS 11 has also made changes designed to help apps run faster and deliver a higher quality user experience.

New core NFC framework

With iOS 11, Apple is enabling developers to build more enterprise apps that incorporate NFC. As mentioned previously, Apple Pay accounts for nearly 90% of all NFC transactions, and Apple is looking to expand the ecosystem of NFC-enabled apps. In addition to developer tools, it appears that Apple is opening up the iPhone NFC chip in order to recognize tags, which would allow an iPhone to pick up data from those tags and take relevant action. For example, an iPhone user checking into a hotel could tap on a tag to view the hotel’s Wi-Fi password.6

DeviceCheck API

The new DeviceCheck API is a type of device fingerprinting that helps balance user privacy with fraud prevention. DeviceCheck allows the developer to tag the device with time stamps and other data that persists on the device. For example, a company offering a 30-day trial can use DeviceCheck to tag the device with the date and time of installation and a couple of unique bytes of data to identify the device. After the trial expires, the user cannot reinstall the same app to try and get a different token and extend the trial. The unique token is stored securely in the Apple backend and can determine if the device has already completed the trial. Or, if an enterprise employee accidentally deletes an enterprise app, the token can identify the user and device combination and either allow the user to log in or mandate a request for a new PIN. This will depend on company policy and how the enrollment app is configured with DeviceCheck.

iMessage is now open to developers

Apple has opened iMessage to developers so enterprise organizations can build their own custom iMessage app extensions. This offers great potential to extend customer service options through iMessage. At WWDC 2017, Apple demonstrated how iMessage could be extended to other types of apps. For example, airline passengers could use a seat selector app that allows them to tap on their preferred seats for an upcoming flight.

In addition, Apple has added a new iMessage feature called Business Chat, which allows users to start a conversation with a business by tapping Message icons that appear to business names in searches, Siri, Maps, or by scanning a QR code with the camera. Together, Business Chat and iMessage app extensions could greatly simplify customer support by allowing customers to quickly and easily converse with help desk or support teams through their iOS devices.7

Apple shifts to 64-bit apps

To support faster apps with richer experiences, Apple is officially transitioning to 64-bit apps and ending support for 32-bit apps. This means if a user tries to open a 32-bit app when running iOS 11, the app will not launch. In addition, 32-bit apps will no longer appear in the App Store when viewing it from an iOS 11 device. macOS High Sierra will be the last macOS release to support 32-bit apps. Enterprise organizations should inventory their existing iOS app deployments now to ensure critical software isn’t impacted by the change. Organizations should also note that the iPhone 5 and 5c and the iPad 4 and older will not be supported.

6 http://wccftech.com/ios-11-opens-up-the-nfc-sensor-on-iphone-to-read-tags-data/
7 https://www.macrumors.com/2017/06/10/apple-business-chat-ios-11-developer-preview/

New App Transport Security deadline

Apple introduced App Transport Security (ATS) in iOS 9 and OS X 10.11. The goal of ATS is to improve user security and privacy by requiring apps to use secure network connections over HTTPS. The strength of certificates used for secure connections has also been mandated to a higher level. At WWDC 2016, Apple announced that apps submitted to the App Store would need to support ATS by January 2017. However, that deadline has been extended and developers now have until January 2018 to incorporate ATS in their apps.

App Store

Apple has redesigned the App Store to allow for phased app releases and more user-friendly downloads. Organizations can now roll out new releases and updates to specific users and groups, which provides much greater enterprise control and app management flexibility.

TestFlight enhancements

TestFlight is a beta testing program with tools for developers who use the iTunes Connect app submission process for the App Store. The program now includes:

• Support for multiple builds: TestFlight now lets developers distribute and test multiple builds at the same time so testers can choose from a number of builds to test.
• Improvements to testing groups: For example, developers can now create groups of TestFlight users and each group can test a different build.
• Improved testing logistics: Testers can now continue testing a build when it goes live in the App Store. iTunes Connect users can also access all active builds, which allows them to compare different versions. The number of supported testers has also increased from 2,000 to 10,000 and the individual beta release period increased from 60 to 90 days.

macOS 10.13 High Sierra updates

macOS 10.13 High Sierra features many improvements. Enterprise organizations may be particularly interested in Safari updates such as auto-play blocking and intelligent tracking prevention, which will potentially make Safari faster and more energy-efficient than any other browser. macOS 10.13 will also use the new APFS file system to enhance data protection at rest as well as enable faster boot times and significantly improve storage efficiency.
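An app's compliance with the App Transport Security requirement described above can be checked from the ATS dictionary in its Info.plist. The following is an added example, not part of the original paper: a small audit that lists every ATS exception that weakens HTTPS enforcement. The Info.plist content, bundle identifier and domains are constructed sample data; the keys are Apple's documented ATS keys.

```python
import plistlib

# Constructed Info.plist for a hypothetical in-house app (sample data, not from the paper).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.expenses</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Ordering used to compare a declared minimum against the ATS default (TLS 1.2).
TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def audit_ats(info_plist_bytes):
    """Return (scope, key) pairs for each ATS setting that weakens HTTPS enforcement."""
    info = plistlib.loads(info_plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # Global switch: turns ATS off for every connection the app makes.
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append(("all domains", "NSAllowsArbitraryLoads"))

    for domain, exc in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = domain
        if exc.get("NSIncludesSubdomains", False):
            scope += " (+subdomains)"
        # Plain HTTP is permitted for this domain.
        if exc.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append((scope, "NSExceptionAllowsInsecureHTTPLoads"))
        # Anything below TLS 1.2 (or an unrecognised value) is reported.
        min_tls = exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if TLS_RANK.get(min_tls, -1) < TLS_RANK["TLSv1.2"]:
            findings.append((scope, "NSExceptionMinimumTLSVersion"))
        # Forward secrecy is required unless explicitly switched off.
        if exc.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append((scope, "NSExceptionRequiresForwardSecrecy"))
    return findings


if __name__ == "__main__":
    for scope, key in audit_ats(SAMPLE_INFO_PLIST):
        print(f"{scope}: {key}")
```

Run over the Info.plist of each app in an enterprise catalogue, an empty result means the app relies on the ATS defaults for every connection.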

Support for WebRTC

Safari 11.0 now includes support for WebRTC.8 This will help open up communications between users of iOS apps as well as other platform apps. For example, a physician who mainly relies on FaceTime to communicate with healthcare providers and patients can now communicate securely across various device and browser platforms.

Overall platform enhancements

While improvements were announced for all Apple OS platforms, WWDC 2017 reinforced macOS as the lead platform to inform design and structure for other members of the Apple OS family including tvOS and watchOS. Apple has also unveiled new development tools for implementing AR and machine learning (ML) in apps.

CoreML and ARKit

To help businesses take advantage of AR and ML capabilities, Apple announced two new offerings: CoreML and ARKit. CoreML is a new API that supports on-device machine learning capabilities designed to assist apps to predict, learn, and grow smarter over time. Apple will also be publishing an ARKit SDK to help developers create sophisticated AR applications. Although these offerings are still in the early stages, they will likely make their way into compelling new enterprise and business applications as they evolve.

tvOS

Apple is starting to expand Apple TV for small and medium-sized businesses as well as enterprise companies. As part of this effort, they are providing the tools developers need to support business needs for a variety of use cases. The platform also allows organizations to deploy in-house apps and more granular security and settings configurations through MDM. This expanded feature set could enable hotels to use Apple TV as their primary room entertainment device and hospitals could use tvOS for in-room patient engagement.

watchOS

As with tvOS, Apple is encouraging third-party developers to build new business apps for a variety of industries and use cases. Apple Watch is currently an extension of the iPhone it is paired to for management. This could evolve into more MDM controls as enterprise applications continue to expand.

As tvOS and watchOS expand their platform features, enterprises will want to secure these devices under a single enterprise management framework, just as they currently do with iPhone, iPad, and other Apple devices.

8 https://developer.apple.com/library/content/releasenotes/General/WhatsNewInSafari/Safari_11_0/Safari_11_0.html

Apple expands enterprise security and management

Apple continues to improve security and management across all of its platforms. New features were announced which will provide more restrictions and more configuration options. EMM solutions will be able to utilize these new features to expand Apple’s new security and management features in the enterprise.

Enhanced Cisco integrations

• iOS 11 performance data: On iPhone 7 with iOS 11 and higher and with Cisco AireOS 8.5, Apple devices will be able to send additional Wi-Fi performance data and Cisco Wi-Fi controllers will display more analytics.
• High Sierra Fast Lane QoS support: Apple extended support for Cisco Fast Lane QoS to macOS 10.13 High Sierra, which will enable more efficient roaming for end users.
• Cisco Security Connector: This feature was announced at Cisco Live for release in the fall of 2017. It will enable iOS 11 integration with Cisco Umbrella and Cisco Clarity. Umbrella, formerly OpenDNS, provides content filtering and protections against phishing attacks by monitoring DNS traffic. Cisco Clarity provides Advanced Malware Protection (AMP) delivered as a service to detect malicious files. This level of network security integration will provide auditing for security incident investigation, protect iOS users from connecting to malicious sites, and safeguard corporate traffic by encrypting Internet (DNS) requests. Security Connector integration will require supervised iOS devices, managed app deployment, and custom configuration profiles management — all of which will also require EMM for streamlined deployment.

OAuth 2.0 for O365 Email

In the iOS 10.3 beta cycle, Apple tested support for OAuth 2.0 authentication to Office 365 when used with Exchange ActiveSync 16.1. Although the feature was rolled back on release, Apple reintroduced it in the iOS 11 beta cycle for enterprise testing. OAuth 2.0 uses a secure authorization token for secure access. If OAuth isn’t deployed, the mail client defaults to the previous domain auto-discovery behavior in which a device attempts to find the correct email server based on the domain configured in an email address. Corporate IT should consider EMM capabilities to ensure that only pre-approved users with authorized apps on authorized mobile devices can use OAuth authentication.

Device Enrollment Program updates

Customers can now add any device to the Device Enrollment Program (DEP), not just those purchased from an authorized reseller. The user can remove the DEP profile for up to 30 days, but after the provisional period expires only an admin can remove the profile. This change can be especially useful for schools and other organizations that receive donated devices, because now any iOS device can be enrolled in DEP. In addition, iOS device supervision and EMM enrollment will now be automatic and mandatory under DEP.

Single-screen Control Center

Apple is putting more effort into streamlining controls for iOS devices in the enterprise. For example, the new Control Center in iOS has been consolidated into a single, customizable screen. Aside from a few permanent buttons, users can completely customize the Control Center to fit their needs. There are now 18 new controls in addition to the standard toggles for Wi-Fi, , airplane mode, media controls, brightness, volume, rotation lock, Do Not Disturb and AirPlay.9 This allows both businesses and users to customize it for either personal or work needs.

9 https://www.cnet.com/how-to/get-the-most-out-of-ios-11s-revamped-control-center/

Configuration profile updates

If an admin manually installs a configuration profile with a certificate, iOS 10.3 and later won’t trust it for SSL unless the user manually approves it. Although there is an exception for MDM profiles, the goal is to help reduce malicious profiles installed through social engineering.10

MDM network restrictions

MDM can now restrict supervised devices to approved Wi-Fi networks only. (These are networks set up via configuration profiles.)11 In iOS 11, single-purpose devices can be restricted to corporate networks to help reduce threats from mobile malware. For example, confidential healthcare data is far more secure if a patient can only connect his iPad to the hospital’s PHI-protected network instead of an unsecured hotspot. This feature is also critical in retail environments where point-of-service (POS) devices are much easier to certify and defend on specially secured PCI-compliant networks.

Additional management updates

New iOS/macOS restrictions

• AirPrint (on supervised devices): Admins can configure AirPrint payloads with a custom port and also specify whether Transport Layer Security (TLS) is required on a per-app and destination basis. Admins can also restrict the discovery of AirPrint printers using iBeacons, as well as the storage of AirPrint credentials in Keychain. Admins can also require TLS for all AirPrint connections on a device or disable AirPrint completely on a device if required.
• VPN creation (on supervised devices): A new restriction was added to disable users from creating their own VPN configurations.
• VPN IKEv2 and Wi-Fi: The payloads now support configuring minimum and maximum TLS versions.
• AirPlay security payload: AirPlay security payloads can pre-define which Apple TVs the device can use and eliminate the need for the user to enter a passcode to connect. This helps create a seamless experience for users while increasing security for the organization.

Do Not Disturb driving mode

One of the key features announced during WWDC is the new Do Not Disturb mode for drivers. When enabled while driving, Do Not Disturb mutes all incoming notifications and can automatically send a text to let the caller know the person is driving and unable to respond. Do Not Disturb for vehicles will come on automatically when an iPhone connects to a car’s Bluetooth, but it can be disabled. As enterprise workforces become increasingly mobile, employee safety on the road is also becoming a bigger priority. Features like Do Not Disturb will help organizations improve safe driving while potentially reducing the liability of accidents caused by distracted drivers at work.
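Several of the controls this paper recommends (managed open-in, the screenshot restriction that also governs screen recording, approved Wi-Fi networks only, the VPN creation restriction, and the AirPrint settings) are keys in a configuration profile's Restrictions payload. The following is an added example, not part of the original paper: it compares a profile against a baseline and reports the gaps. The profile and the baseline are constructed, hypothetical sample data; the key names are Apple's documented restriction keys.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type

# Hypothetical organisational baseline: restriction key -> value that must be enforced.
BASELINE = {
    "allowOpenFromManagedToUnmanaged": False,    # managed open-in
    "allowOpenFromUnmanagedToManaged": False,
    "allowScreenShot": False,                    # screenshots and screen recording
    "forceWiFiWhitelisting": True,               # approved Wi-Fi networks only
    "allowVPNCreation": False,                   # users cannot add VPN configurations
    "forceAirPrintTrustedTLSRequirement": True,  # TLS for all AirPrint connections
    "allowAirPrintCredentialsStorage": False,
    "allowAirPrintiBeaconDiscovery": False,
}

# Constructed profile for illustration (sample data, not from the paper).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.baseline</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
      <key>allowOpenFromUnmanagedToManaged</key><false/>
      <key>forceWiFiWhitelisting</key><true/>
      <key>allowVPNCreation</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def default_for(key):
    # An absent key means the permissive default: allow* is True, force* is False.
    return key.startswith("allow")


def effective_restrictions(profile_bytes):
    """Merge all Restrictions payloads, keeping the most restrictive value per key."""
    profile = plistlib.loads(profile_bytes)
    effective = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key, value in payload.items():
            if not isinstance(value, bool):
                continue  # skip PayloadVersion and other metadata
            if key.startswith("allow"):
                effective[key] = effective.get(key, True) and value
            elif key.startswith("force"):
                effective[key] = effective.get(key, False) or value
    return effective


def audit_profile(profile_bytes, baseline=BASELINE):
    """Return (key, actual, wanted) for every baseline setting the profile misses."""
    effective = effective_restrictions(profile_bytes)
    gaps = []
    for key, wanted in sorted(baseline.items()):
        actual = effective.get(key, default_for(key))
        if actual != wanted:
            gaps.append((key, actual, wanted))
    return gaps


if __name__ == "__main__":
    for key, actual, wanted in audit_profile(SAMPLE_PROFILE):
        print(f"{key}: profile gives {actual}, baseline requires {wanted}")
```

For the sample profile the audit reports five gaps: the unset screenshot and AirPrint keys fall back to their permissive defaults, and `allowVPNCreation` is explicitly left on.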

10 http://www.brianmadden.com/opinion/Apple-WWDC-2017-Here-are-the-enterprise-management-updates-for-iOS-11
11 http://www.brianmadden.com/opinion/Apple-WWDC-2017-Here-are-the-enterprise-management-updates-for-iOS-11

Conclusion

With iOS 11 and the new iPad Pro, Apple is providing more robust desktop-like functionality that gives enterprises a viable option as they upgrade their older PCs. The iPad has emerged as a full-fledged content creation and productivity tool, which will also make it attractive to business users looking for a lighter laptop option for travel.

In addition to new iPad Pro hardware upgrades, iOS 11 has introduced compelling new productivity features, added more developer tools to expand the iOS app ecosystem, and included more security and management features to make enterprise IT’s job a little easier. As with any new OS release, enterprise organizations should evaluate the new features for themselves to determine how to securely enable (or disable) them for business use.

For More Information

To learn more about iOS 11 and what it means for the enterprise, please visit mobileiron.com/ios11.

For questions regarding your iOS implementation, please contact MobileIron at [email protected]
