iPad at Work For Dummies. Galen Gruman
business, or vice versa. Because both iCloud and Google are considered personal services by IT departments, they’d probably prefer that you use neither for work, but you don’t really have a choice: Microsoft’s Internet Explorer is available only for Windows, and Mozilla’s Firefox is not available for iOS.
Working with Mobile Device Management
As mentioned in the preceding section, one method for separating business and professional information is to use a mobile device management server, a.k.a. MDM and EMM (for enterprise mobility management). These are systems that your IT department has to deploy and manage, usually for a monthly per-user fee, so they tend to be something that only larger companies use.
But even a small company can use some of these services, thanks to cloud-based small-business versions.
Popular providers include BlackBerry, CA Technologies, Citrix Systems, Good Technology, IBM, MobileIron, SAP, and Soti, though dozens of providers are out there.
An MDM server does at least two things:
✔ Manages user devices like iPads, such as by imposing restrictions on what networks you can access, determining what apps you can install, blocking access to iTunes and iCloud, and controlling whether you can open mail attachments in other apps. They can also remotely lock or wipe your device, disable access to corporate systems, and configure the use of virtual private networks (VPNs, described in the next section).
✔ Provide safe “containers” for corporate apps and data. Typically, these services provide their own apps for handling email, contacts, and calendars, and perhaps other functions. They’re kept in a separate part of the iPad’s memory known as a container that serves as a partition from the rest of your iPad’s apps and data. These apps can access corporate servers for documents and other data, but they can’t share that information with other apps on your iPad. These apps may also include a storage container for documents that you can browse, open from, and save to as well.
As a user, you’re restricted to what your IT department has decided it will permit via MDM. If those restrictions are too onerous, all I can recommend is that you don’t use a personal iPad for work but instead require your company to provide you with an alternative tool for business needs, such as a separate iPad or a laptop.
Enforcing basic security without the cost or effort of an MDM server
The iPad natively supports the Exchange ActiveSync (EAS) management policies provided by Microsoft’s popular Exchange server (including the Office 365 service). It’s sort of a budget MDM for small businesses, letting the company require your iPad be protected with a password (including its complexity and how often it must be changed), wipe or lock your device remotely, and remotely configure some security settings such as for Wi-Fi access points and VPNs.
The Exchange or Office 365 administrator for your company sets up which policies apply to which user groups in the management console for Exchange or Office 365.
I encourage any company of any size to at least use these policies to set basic security parameters for users’ iPads. You may not need a full-blown MDM tool, but everyone should set up basics such as password requirements.
Apple has another MDM option on the cheap – two, actually. But they’re Mac-only products. One is the free Apple Configurator (available at the Mac App Store), which lets you set policies similar to what EAS offers as well as impose additional restrictions and apply additional configurations. You create profiles in the application and configure the settings, called payloads, that you want included. Figure 3-6 shows the payload for passwords.
Figure 3-6: Setting up a configuration file in Apple Configurator on the Mac.
You then connect devices to the Mac running Apple Configurator and click Install Profiles in the Prepare pane to select the attached devices to install the profiles to.
Then there’s the $20 OS X Server application (available from the Mac App Store), which lets you remotely apply the same policies and configurations as the Apple Configuration Utility to Macs and iOS devices does. It works like the Apple Configurator, except that it ties into your company’s user directory, which requires some IT administrator expertise to use.
Both the OS X Server and an MDM tool can create configuration files that set up various security and management settings so that users don’t have to do the manual work – and so that IT can ensure that everyone has the correct settings. If you access those configuration files via links on web pages, through OS X Server’s remote delivery feature, or as email attachments, you’ll have to confirm the installation of the configuration file on your iPad, as Figure 3-7 shows.
Figure 3-7: A configuration file has to be accepted by the user to be installed.
Configuration files can be managed in the Settings app. Go to the bottom of the General pane and tap Profile to see a list of installed configurations. Tap a profile to get more details on it, as well as to get to the Delete Profile button. (But note that configuration files can be made undeletable by the user, so not all profiles will offer the Delete Profile button.)
Exploring VPN Connections
You’ve no doubt read the stories about hackers lurking in cafes and lounges that have public Wi-Fi access, using sniffer tools to intercept the communication between computing devices and the Wi-Fi hotspot so that they can pull out usernames and passwords that they can then sell to criminals.
The Wi-Fi snooping risk is real, though greatly exaggerated. A better target, after all, is your home network, where an attacker can camp out nearby and know it’s your information he’s getting. This is something that a high-level exec or rich family might be targeted for. (That’s why you should always use secured networks at home, as described later in this chapter.)
So, many companies insist that you use a virtual private network (VPN) to access at least some of their systems when connecting via the Internet. A VPN provides a secure connection between your device and the corporate server, even if you connect via a network that your IT departments doesn’t manage – including public hotspots, your home network, and hotel networks.
The iPad has built-in support for VPNs, including the popular Cisco IPSec variant. You set up VPN access by going to the Settings app and then following these steps:
1. Go to the General screen.
2. Scroll down until you see VPN; then tap it.
3. In the screen that opens, tap Add VPN Configuration.
4. Select the type of VPN from the tabs at the top; then fill in the required information (your IT department will need to provide it).
Figure 3-8 shows such a setup screen.
5. Tap Save.