Enforcing the security and integrity of notebooks and netbooks is hard enough, but what about the next generation
of endpoint devices now flooding corporate networks? Tablets are hitting the workplace, and chief among them is the Apple iPad. There's no question that enterprise iPad usage will increase in the months to come.
To use this popular tablet productively, workers require access to enterprise apps and data, but providing that access also means insulating enterprise resources from out-of-policy or jailbroken iPads. Let's consider the endpoint integrity enforcement options currently available to those who want to embrace the iPad as a corporate network endpoint.
Approach No. 1: Guest endpoints
As Wi-Fi-enabled devices, iPads can connect to any open WLAN, including guest WLANs. As a result, one approach is to treat employee-owned iPads by default like any other unmanageable guest endpoint.
Network access control (NAC) products are often used to control guest network access, subjecting endpoints to connect-time or post-connect security scans, but NAC servers can't push persistent NAC clients onto iPads or force them to run browser-based scans. Instead, iPads may be given Web-only or Internet-only access.
In this approach, NAC probes and network IDS can be used to fingerprint iPads, monitor post-connect activity, and even disconnect unruly devices. While these techniques can deliver visibility and protect the network, limiting these devices to vanilla guest access does not embrace the iPad as a corporate endpoint, and will in turn limit the device's capabilities.
Approach No. 2: Remote endpoints
Alternatively, iPads can be treated like remote endpoints, even on a local WLAN. For example, Internet-connected iPads can retrieve corporate email via Exchange ActiveSync or use VPN clients from vendors Cisco Systems Inc. or Juniper Networks Inc. to obtain broader-than-guest network access.
iPad users can be instructed to navigate to IT-supplied URLs to install configuration profiles governing a slew of settings, such as device encryption and password requirements, digital certificates, VPN and Exchange parameters and restrictions (e.g., disable camera). Profiles can be locked and encrypted to prevent sharing or tampering, but the trick is still enforcement; installing a profile does not ensure that each iPad remains compliant.
One enforcement option is using Exchange ActiveSync to check selected iPad settings whenever email is read, blocking non-compliant endpoints. For example, Exchange ActiveSync policies can stop iPads with unsigned apps from reading corporate email. Similarly, it can push policies to iPads that have Exchange access, and iPads can be set to periodically refresh policies.
Another option is installing an iOS-compatible VPN client with integrity assessment. For example, Juniper's Junos Pulse Mobile Security Suite combines an SSL VPN client with endpoint security measures like antivirus, antispam and application control that can be required for a corporate network connection. This VPN client can even roam between Wi-Fi and cellular access while being subjected to the same authentication, integrity and authorization policies. Cisco AnyConnect is an alternative iOS-compatible VPN option.
Approach No. 3: Managed endpoints
Ultimately, many enterprises may fully embrace iPads by bringing them under some flavor of mobile device management (MDM) control. This can be accomplished today for iPads running iOS4.
In iOS4, Apple has added interfaces used by vendors like AirWatch LLC, BoxTone Inc., MobileIron Inc., Sybase Inc., Tangoe Inc. and Zenprise Inc. to manage iPads from afar. With this approach, users browse IT-supplied URLs to establish a relationship between a corporate MDM server and their iPads. Thereafter, MDM requests and responses are relayed by Apple's Push Notification Service. Using this conduit, configuration profiles and enterprise apps can be pushed over-the-air to each managed iPad, and settings and events can be retrieved.
These hooks enable near-real-time integrity assessment and enforcement. For example, a configuration profile can be pushed to configure corporate VPN or Exchange access. If access is later revoked, MDM can remove those profiles, deleting all associated corporate data, including email messages, contacts and calendar entries. Similarly, if MDM detects that an iPad has been jailbroken, the MDM relationship can be severed, disabling previously installed enterprise apps.
Settings that can be controlled through iOS4 MDM, and commands that can be executed are limited by Apple. Specifically, you cannot force installation of recommended App Store apps, which would be handy to install security programs like VPN clients or malware scanners. Although iOS4 version can be determined, it is not currently possible to force over-the-air iOS4 updates; those must still be installed by iTunes.
However, MDM products are starting to use these interfaces to assess and enforce iPad compliance. For example, AirWatch can check apps installed on any iPad against an IT-defined blacklist, taking actions ranging from warning the user, to remotely wiping the iPad. MobileIron can (among other things) delete Exchange, VPN or WLAN profiles on any iPad with outdated policies, disabled encryption or unauthorized hardware versions, and so on.
Tablets like the iPad require new tools to implement, assess and enforce endpoint integrity. But, like notebooks and netbooks, iPad security policy approaches range from hands-off with superficial visibility to tightly integrated tools that offer extensive control. Some enterprises may apply more than one approach, based on need; for example, managing iPads that run enterprise apps while treating the rest as guests. To learn more about iPad configuration profiles and security settings, consult Apple's "iPhone in Business" (.pdf) guide.
About the author:
Lisa Phifer is president of Core Competence, a consulting firm focused on business use of emerging network and security technologies.