As organizations have gradually embraced mobile technology over the years to boost productivity, the task of protecting enterprise networks has become increasingly difficult for IT and security professionals. Each device represents a potentially vulnerable endpoint, and cybercriminals have mastered the art of exploiting these weaknesses to infiltrate corporate networks.

Fortunately, each iteration of Apple’s iOS has made security teams’ jobs easier by introducing new features that can be applied to mobile device management (MDM).

Below is a brief history to show how each release marked another crucial step in the evolution of enterprise mobility.

Apple and the Dawn of Mobile Device Management

In 2010, Apple released iOS 4, which opened the door to the enterprise with MDM capabilities. IT and security leaders gained the ability to enroll iOS devices over the air (OTA) to perform basic MDM functions. These functions included locate, lock and wipe. As an added benefit, iOS 4 also introduced mobile application management (MAM) capabilities, enabling security teams to push apps down to devices and set compliance rules.

The following year, iOS 5 introduced Siri, iCloud and over-the-air operating system (OS) updates, all of which could be managed through an MDM solution. From this point on, IT security teams could apply more granular restrictions to enrolled devices, such as disabling Siri and controlling what could be synced and backed up to iCloud.

Enterprise Containment and the BYOD Model

The release of iOS 6 in 2012 added a new facet to MDM by exposing application programming interfaces (APIs) to third-party developers. At the time, MDM vendors were racing to address a rising enterprise need: containment.

By then, iOS devices were popular for personal use, and businesses were just catching on to their versatility. The APIs released in this version allowed IT teams to containerize corporate data and separate it from personal data on the user's own device, which made the bring-your-own-device (BYOD) model practical. Until then, a corporate-owned device model had been the standard practice for mobile productivity.

However, the option of containing enterprise data on a user’s personal device — as opposed to purchasing, setting up and deploying a new device — proved to be the more cost-effective business model.

Aside from the BYOD aspect, iOS 6 introduced a supervised mode, making it easier for IT teams to manage corporate-owned devices. Supervised mode gave IT full administrative rights to the device and set restrictions to prevent the user from falling out of compliance.

New Look, New Management Capabilities

In 2013, iOS 7 packed a punch with a complete OS redesign, upgraded security features and better management capabilities. One of its most noticeable and innovative features was Touch ID, the first feature in the Apple product line to use biometric data instead of a passcode for device access. Apple also provided APIs that let an MDM solution allow or disallow Touch ID, so IT teams could permit it for unlocking both the enterprise container and the device itself.

With iOS 7, Apple also introduced Activation Lock, together with a management control that has saved many an administrator from endless headaches: the ability to disable it. Activation Lock is meant to protect a lost or stolen device: once it is erased, it cannot be reactivated without the Apple ID that was signed in to it.

That protection was a major pain point for IT teams, because users often enabled Activation Lock while setting up their device and, when their employment ended, IT was left with devices it could not wipe and reissue. Since iOS 7, an MDM solution has been able to allow or disallow Activation Lock on supervised devices and to remotely wipe them as needed, without waiting days or weeks for the task to complete.
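The restrictions described above for iOS 5 (Siri, iCloud backup and sync) and iOS 7 (Touch ID) are delivered to a device as a configuration profile carrying a Restrictions payload. The following is an added example, not code from the original article or from Apple; it builds such a profile with the standard library and audits one against an assumed corporate baseline. The payload type and restriction keys are Apple's documented ones; the baseline values and the `com.example.mdm` identifier prefix are assumptions.

```python
"""Build and audit an iOS Restrictions profile (added example, not from the article).

PayloadType com.apple.applicationaccess and the allow* keys are Apple's
documented Restrictions payload; the BASELINE policy itself is an assumption.
"""
import plistlib
import uuid

# Assumed enterprise baseline: restriction key -> value the profile must carry.
# Every allow* key defaults to True when absent, so a MISSING key is as weak
# as an explicit True; the audit below therefore treats absence as a finding.
BASELINE = {
    "allowAssistant": False,            # Siri off (manageable since iOS 5)
    "allowCloudBackup": False,          # no iCloud device backup (iOS 5)
    "allowCloudDocumentSync": False,    # no iCloud document sync
    "allowFingerprintForUnlock": True,  # Touch ID may unlock the device (iOS 7)
}

ORG_PREFIX = "com.example.mdm"  # hypothetical reverse-DNS identifier prefix


def build_restrictions_profile(restrictions, display_name="Corporate restrictions"):
    """Return a .mobileconfig (XML plist) as bytes containing one Restrictions payload."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes, baseline=BASELINE):
    """Compare every Restrictions payload in a profile against the baseline.

    Returns a list of (key, expected, actual) tuples. actual is None when the
    key is absent, which iOS resolves to the permissive default.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        # No Restrictions payload at all: nothing in the baseline is enforced.
        return [(key, expected, None) for key, expected in baseline.items()]
    findings = []
    for payload in payloads:
        for key, expected in baseline.items():
            actual = payload.get(key)
            if actual != expected:
                findings.append((key, expected, actual))
    return findings


# Constructed inputs: a hardened profile and one that forgot the iCloud backup key.
HARDENED = build_restrictions_profile(BASELINE)
WEAK = build_restrictions_profile(
    {k: v for k, v in BASELINE.items() if k != "allowCloudBackup"}
)

if __name__ == "__main__":
    print("hardened findings:", audit_profile(HARDENED))
    print("weak findings:", audit_profile(WEAK))
```

The audit deliberately reports an absent key, not only a wrong value: a profile that merely omits `allowCloudBackup` leaves iCloud backup enabled, which is the kind of silent gap a compliance rule should catch before the profile is pushed over the air.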

From 2014 through 2016, the iOS 8, 9 and 10 releases added more capabilities to supervised mode, such as the Device Enrollment Program (DEP) and an advanced kiosk mode. DEP enabled IT teams to preconfigure devices, settings, apps and content before the devices were sent out to users. Once a device was turned on, the user went through the enrollment process and everything he or she needed was pushed down over the air. Apple has since expanded DEP to cover devices purchased earlier and through retailers that are not Apple partners.

The kiosk mode enhancements allowed administrators to control which apps were shown to the user, helping them boost productivity and reduce the risk of users falling out of compliance or downloading malicious apps. These improvements also enabled administrators to control users’ wallpapers and standardize how apps were arranged on their devices.

As superficial as this seems, it was a big win for administrators because it established consistency across all enterprise devices and gave IT more granular visibility into them.

Watch the on-demand webinar: SOS! Remote Support for iOS & Android With UEM

Facing Forward With Biometric Authentication

iOS 11 was released in the fall of 2017 alongside Apple's 10th-anniversary iPhone, which introduced Face ID. Aside from the new hardware features, iOS 11 extended Apple's Classroom features, which administrators of educational institutions can use to limit what students can access on their iOS devices while still providing a rich experience that fits the lesson plan. Teachers can turn off screens, push out apps and deliver presentations from a central device to all their students at once.

Since iOS entered the enterprise, IT teams have needed some form of remote support. Users might be miles away from their IT representative and need fast, effective help. For years, the only method of delivering remote support was AirPlay screen mirroring, which required both the IT representative and the user to be on the same Wi-Fi network. With iOS 11, remote assistance is available through software such as TeamViewer, which provides a live view of the user's screen and integrates with the organization's MDM solution.

Notable iOS MDM Enterprise Features by Version

  • iOS 4: Apple enters the MDM and MAM field for easy device management for the enterprise.
  • iOS 5: Siri, iCloud and OTA OS updates are introduced — thus bringing granular controls and automatic actions via MDM compliance rules.
  • iOS 6: Apple releases APIs that MDM solutions use to separate work and personal data and a supervised mode, which gives the organization full admin rights over the device.
  • iOS 7: With a full OS redesign, Apple introduces its biometric security feature, Touch ID, which can be allowed or disallowed via an MDM solution. iOS 7 also brings the much-desired ability to disable Activation Lock on supervised devices, allowing administrators to remotely wipe and reissue a device without the user's Apple ID.
  • iOS 8: Apple Configurator becomes an OTA solution with DEP, so IT teams can configure and deploy their devices without touching each one.
  • iOS 9: Supervised mode with enhanced kiosk mode, including app lock and app compliance, enables IT administrators to dictate which apps are visible to users for a more customized device.
  • iOS 10: Small enhancements to the supervised mode, such as enabling dictation and spellcheck, are introduced.
  • iOS 11: Apple introduces Face ID, Apple Classroom settings can be managed via MDM, and remote support tools such as TeamViewer integrate directly with MDM solutions.

What’s Next for iOS and MDM?

Each iteration of iOS introduces more features that can be applied through MDM, making the jobs of IT and security leaders easier. Over the years, iOS device management has grown from basic commands to in-depth, customizable solutions tailored to each organization. With iOS 12 coming in the fall of 2018, we can only speculate about which capabilities IT administrators will be able to manage through an MDM solution next.
