Wednesday, September 22, 2010

Secure iPhones in the Enterprise

Copy of a free white paper from Zenprise:

With over 75 million iPhone OS devices in use, the odds are that someone is connected to your corporate network with an unauthorized iPhone or iPod Touch right now. There’s nothing wrong with allowing your end users to access your network with an iPhone, provided that the device has the appropriate IT security settings. Left unsecured, however, the iPhone OS can present security risks to both corporate and customer data. A breach of personally identifiable information or trade secrets is the last crisis any IT manager or executive wants to manage. The compliance risk alone is staggering. As a recent Aberdeen Group report detailed, a single compliance lapse (e.g., SOX, Privacy, PCI, HIPAA) can cost a company up to $2 million USD. A single lost or stolen iPhone incident may encompass multiple compliance lapses. Authorizing, securing, and updating the iPhone OS should be a top priority.

The risk is real. Apple is diligent at fixing and patching security risks. But is your mobile workforce or IT administrator as diligent at applying Apple’s updates? An unpatched iPhone – not the iPhone itself – is the real security risk. In the last two iPhone OS updates alone, Apple identified and fixed 15 security risks.[1] Numerous iPhone Safari security patches were made that fixed the device’s vulnerability to exploits from basic web surfing. More worrisome still is the recently repaired recovery mode vulnerability that allowed someone with physical access to a device to bypass the passcode and access user data. Additional remote attacks and security vulnerabilities are identified every month.

A secured and updated iPhone can empower mobile workers to be more productive than ever before. There is good news: Apple has taken significant steps to improve iPhone security for the enterprise. You can implement a number of iPhone training, process, and IT best practices that greatly mitigate the security and financial risk to your company.

In this white paper, we identify ten best practices that you should consider implementing immediately to best support iPhone OS devices. Overall, we suggest that corporations that support the iPhone OS use Microsoft Exchange 2007 or 2010 with ActiveSync and use Apple’s iPhone Configuration Utility. Combining these two applications with other well-known certificate, directory, and authentication security services makes implementing these best practices possible.

MONITOR FOR AND BAN JAILBROKEN IPHONES

Jailbroken iPhones and iPod Touches can represent the largest security threat to an IT department. A jailbroken phone is one that has been modified in order to use the device on non-issuing carriers. Last year, a worm (i.e., ikee-b) was launched that exploited an SSH service activated during the jailbreaking process. This was just the first of many likely attacks against vulnerable iPhones.

REQUIRE EXPLICIT IPHONE ACCESS PERMISSION AND CORPORATE DATA ENCRYPTION

Require each mobile user to explicitly enroll and configure both employee- and company-owned iPhones. Managing over-the-air enrollment and configuration for the iPhone is possible via the tools provided by Apple. IT departments must create their own iPhone Profile Distribution Service that accepts HTTPS connections, authenticates users, and creates iPhone mobileconfig profiles. Users with new, recently activated iPhones can access a simple URL (e.g., https://iphone.company.com) via Safari to make the enrollment process seamless.

TRAIN EMPLOYEES ON IPHONE DATA SECURITY

Every employee who has an iPhone should undergo training on not only how to configure and use the device, but also what to do if the device is lost, stolen or compromised. Training can be delivered online or in person, and needs to stress the importance of contacting the IT department the moment a device is lost or stolen. Training employees how and when to react to security issues could save your corporation millions of dollars in security and compliance breaches.

CONFIGURE AND ENFORCE IPHONE SECURITY POLICIES

Always secure and restrict iPhones. Like any other network-connected system, an iPhone must have well-defined security policies that are monitored and enforced. By using the iPhone Configuration Utility, you can create profiles for different organizations (e.g., sales, marketing, engineering) that have different payload settings. Payload settings define a collection of individual settings for a certain purpose, such as VPN settings. Policies can be created for the iPhone that comply with other mobile phone security policies, including: passcode requirements; Wi-Fi settings; application and hardware restrictions; email, calendar, and directory settings; and credential settings.

More from this white paper here >>
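The profiles described in the enrollment and policy sections are plain XML property lists (.mobileconfig files) whose top-level Configuration payload wraps one or more typed payloads. The following added example, which is not part of the white paper or of any Zenprise or Apple tool, builds such a profile with a passcode payload using Python's standard plistlib and then audits a profile against a baseline policy, the kind of check a Profile Distribution Service would run before handing a profile to a device. The payload type string and key names are Apple's documented passcode-policy keys; the organization name, identifiers and the numeric baseline values are constructed for this example.

```python
"""Build and audit an iPhone configuration profile (.mobileconfig) passcode payload."""
import plistlib
import uuid

# Baseline passcode policy for this example (constructed values, not from the paper).
BASELINE = {
    "forcePIN": True,            # a passcode is required
    "allowSimple": False,        # no repeating or sequential codes
    "requireAlphanumeric": True,
    "minLength": 8,
    "maxInactivity": 5,          # minutes of inactivity before auto-lock
    "maxFailedAttempts": 10,     # device wipes after this many failures
    "maxPINAgeInDays": 90,
    "pinHistory": 5,             # previous passcodes that may not be reused
}

# How each key is compared against BASELINE: "eq" must match exactly,
# "min" must be at least the baseline, "max" must be at most the baseline.
RULES = {
    "forcePIN": "eq", "allowSimple": "eq", "requireAlphanumeric": "eq",
    "minLength": "min", "pinHistory": "min",
    "maxInactivity": "max", "maxFailedAttempts": "max", "maxPINAgeInDays": "max",
}

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def build_profile(org, display_name, identifier, overrides=None):
    """Return .mobileconfig bytes (XML plist) carrying a single passcode payload.

    `overrides` lets the example produce a deliberately weak profile to audit.
    """
    settings = {**BASELINE, **(overrides or {})}
    passcode_payload = {
        "PayloadType": PASSCODE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode",
        "PayloadOrganization": org,
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,   # user cannot silently drop the policy
        "PayloadContent": [passcode_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_passcode_policy(profile_bytes):
    """Return a list of findings; an empty list means the profile meets BASELINE."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload present"]
    findings = []
    for payload in payloads:
        for key, rule in RULES.items():
            expected, actual = BASELINE[key], payload.get(key)
            if actual is None:
                findings.append(f"{key}: missing (expected {expected})")
            elif rule == "eq" and actual != expected:
                findings.append(f"{key}: {actual} (expected {expected})")
            elif rule == "min" and actual < expected:
                findings.append(f"{key}: {actual} below minimum {expected}")
            elif rule == "max" and actual > expected:
                findings.append(f"{key}: {actual} above maximum {expected}")
    return findings


if __name__ == "__main__":
    # Constructed organization and identifier for demonstration only.
    good = build_profile("Example Corp", "Sales iPhone", "com.example.sales")
    weak = build_profile("Example Corp", "Sales iPhone", "com.example.sales",
                         {"minLength": 4, "allowSimple": True})
    print("compliant profile findings:", audit_passcode_policy(good))
    print("weak profile findings:", audit_passcode_policy(weak))
```

The audit deliberately treats a missing key as a finding rather than assuming the device default, since an absent `forcePIN` leaves the passcode optional. In a real distribution service the generated profile would also be signed so the device can show it as verified and so `PayloadRemovalDisallowed` cannot be stripped by editing the file.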
