iOS 10 was released earlier this week and many users have already upgraded their devices. For IT departments, any major OS or software update can bring challenges and opportunities. One challenge is that, with users having near-total control over their devices, IT must respond to these upgrades in real time rather than planning a controlled rollout. The likeliest exception: devices that are corporate-liable and heavily managed, something typical only in a handful of industries like healthcare, finance, government and retail.
IT needs to understand the major changes in iOS 10 that affect business users, IT systems and infrastructure -- as well as any new management controls they can use to improve security, network performance and workflows. The good news is that iOS 10 offers a range of technologies that make the iPhone and iPad even better enterprise devices and network citizens.
The bad news: There are potential security concerns associated with a couple of the new features.
Here's a rundown of what IT shops should look for as iOS 10 arrives:
Cisco QoS integration: The most significant enterprise feature in iOS 10 is its support for Cisco's Fast Lane quality of service (QoS) functionality in managed Wi-Fi configurations. When enabled, IT can use MDM/EMM solutions to define apps that get priority over the network to optimize traffic. This helps ensure that business apps receive adequate bandwidth and consumer apps or games don't overload the network.
CallKit with Cisco Spark (and other services): One of the major features in iOS 10 from a consumer and business perspective is CallKit, which allows apps to directly handle voice calls, including integration with the native dialer and address book. As with FaceTime calls, calls made through CallKit apps behave much like traditional voice calls. CallKit offers potential for all users because it unifies and streamlines calling across the board.
One of the first enterprise companies to implement CallKit is Cisco, which has built CallKit into its Spark collaboration suite. That allows workers to make and receive video and voice calls as if they were using any other desktop VoIP option supported by Spark.
MobileIron's Sean Ginevan pointed out to me that this "is particularly useful for regulated verticals" like healthcare, financial services or government because it allows an employee to use their iPhone to make calls using Spark (or other VoIP services that integrate CallKit). But it also ensures that those calls are associated with a business phone number and it ensures that an organization has access to a complete log of calls made by the employee. That's something not available if the employee is using a personal iPhone and his or her personal phone number.
It's also worth noting, as JAMF did in a blog post, that IT can define a default calling app. This allows an organization to ensure that the appropriate VoIP or collaboration solution is the option that will automatically be used unless a user specifies a different app.
Managing cellular data usage per app: For organizations that provide iPhones (and cellular iPads) to employees, controlling data usage can be a major concern, since the company is often on the hook for service and overages -- with little way to determine how much of it was business related. iOS 10 adds the ability to manage cellular data usage on a per-app basis. This means IT can specify that only approved business-related apps can use cellular data. This control can be implemented granularly so that even some apps installed by the organization (or via an enterprise app store) can be excluded from using cellular data.
App integration with built-in services (Siri and iMessage): For developers, the ability to integrate built-in functionality like Siri and Messages offers an amazing amount of potential. It allows for a far more integrated app experience. Both of these technologies have huge enterprise potential.
Imagine being able to ask Siri to bring up a report you've been working on, using natural language rather than having to manually look for and open it. Or using Siri to launch a predefined workflow within a single app or even across multiple apps. These could be custom enterprise apps, off-the-shelf business/productivity apps or a mix of the two.
Even more interesting is the potential for integrating business and enterprise apps with Messages. Ginevan posited two potential options. The first is an approval process where a manager receives a request (time off, expense or procedural) via a message and can immediately respond or ask for more information directly from the message itself without switching to another app. The second is the ability to escalate issues, where an escalation from a call center, field service worker or other employee can be handled as a message. He noted that this integration capability "puts [Messages] on par with other communications platforms," similar to functionality available in services like Slack.
Restrict Bluetooth access: For organizations where security is paramount (or where devices must interoperate with specific Bluetooth devices and resources), iOS 10 lets you restrict users from modifying Bluetooth settings, including enabling/disabling Bluetooth support or devices. This control is limited to devices in Supervised mode, an option that allows greater device management and security typically for organization-owned devices such as those in healthcare, field services, retail and education.
VPN IKEv2 EAP-only mode support: iOS 10 supports VPN IKEv2 EAP-only mode, which enables organizations to provide more secure VPN connectivity from iOS devices. Some firms have hesitated to allow VPN access from devices that didn't support this functionality. As an expansion of the existing iOS VPN capabilities, including per-app VPN connections, this move makes iOS devices even better corporate citizens.
Universal clipboard: As I noted, there are a couple of iOS 10 features that should give IT pros pause, and this is one of them. Universal clipboard allows a user to copy items (text, images, video) on one device and paste them into an app on another device associated with the same Apple ID. This is a great productivity advance for consumers and business users, but it also creates an opportunity for enterprise data to leak out onto personal devices or Macs.
Apple doesn't seem to have created a specific management control that IT can use to disable this feature (though one may be included in a future iOS release). One solution that should work in theory, but which I haven't seen tested, might be to make use of the existing copy/paste controls that already exist in iOS to prevent users from copying data from a managed app (one installed by IT or through an enterprise app store) to an unmanaged one.
Raise to wake: Raise to wake is another iOS feature that presents security concerns. Much like the Apple Watch, iOS 10 devices can now detect when a user picks them up and automatically wake to the lock screen. If a user has a device set to display notifications on the lock screen and/or allows access to Notification Center while locked, it's possible that business notifications, including those displaying confidential information, might be displayed.
Although this feature is new, the overall concern isn't, as the only thing that's really changed here is whether someone needs to press the home or power button to wake a device to the lock screen. The more expansive nature of Notification Center and the lock screen in iOS 10 means that more data might be displayed than in previous releases. iOS has existing controls for limiting what is shown on or can be accessed from the lock screen. iOS 9.3, released this spring, included the ability to specifically manage whether and how notifications from managed apps are displayed.
Apple Watch access: One growing concern in many IT departments involves the Apple Watch and other wearables. As these devices become more capable, the potential for their use in business will grow -- as will the amount of business data accessed by or stored on them. Although there was hope that iOS 10 would deliver new management controls for the Apple Watch beyond the existing ability to disable an iPhone from pairing to an Apple Watch (introduced in iOS 9), this appears not to be the case. As a result, IT departments should use the release of iOS 10 and watchOS 3 as an opportunity to educate users on potential data security issues associated with accessing business content via the watch.
App Transport Security (coming soon): Although not directly related to the initial release of iOS 10, App Transport Security (ATS) is something that all developers, including enterprise developers, and IT pros should consider. Apple announced in June that beginning on Jan. 1, all apps submitted to the App Store must support ATS, a feature introduced in iOS 9 that ensures all traffic between an app and remote services is secure during transmission. When ATS is enabled, network requests are automatically made over HTTPS instead of HTTP.
This has obvious implications for developers, who must implement ATS. But it also affects service providers and any backend systems with which an app needs to communicate. Such systems must be able (and configured) to provide Transport Layer Security (TLS) 1.2. This means IT needs to ensure any internal and external services that apps use can meet these requirements. Apps themselves or workflows built on top of them and various services should all be verified to meet the ATS requirement before the end of the year.