The iPad is becoming increasingly popular in the enterprise: it’s a new and fashionable device for reading mail and documents, arranging meetings and giving presentations, and your top management is probably pushing the IT department to acquire and deploy the new platform. Whether or not it is a good solution, our mission is to secure the device and improve overall security. To do this we need to implement or enforce security features: setting up devices manually, creating your own security profile using IPCU (iPhone Configuration Utility), or installing a third-party suite.
IPCU is available for Mac OS X and Windows. Using this tool you can create a profile (XML-based) for your mail, VPN, security settings and more, to be transferred to your devices via iTunes, mail or HTTP/HTTPS. You can choose to encrypt the configuration using a digital certificate. I have made some tests using an iPad 64GB WiFi + 3G and iOS 4.0.2.
The purpose of the test was to create an iPad platform that supports the following features:
- Push Mail connected with Exchange Server
- Intranet access
- Device Encryption
- Application Control
- Password Protection
Please upgrade your firmware to the latest available version. Currently I’m testing 4.0.2 (multitasking, Cisco AnyConnect Mobile support, PDF vulnerability fix and more…)
Push Mail connected with Exchange Server
iOS supports ActiveSync and Exchange Server (ActiveSync for Exchange Server 2003 SP2 and ActiveSync for Exchange Server 2007 SP1).
Intranet Access and VPN
You can use the Safari browser to browse your Intranet. Obviously I don’t recommend exposing your internal intranet servers directly on the Internet or in a DMZ!! iOS includes VPN support for Cisco IPsec, L2TP and PPTP, and you can configure one of these according to the company requirements. If you want to use the Cisco IPsec client you can authenticate with username/password or digital certificates. Unfortunately, the Cisco client does not support certificates issued by your internal private CA. The problem is that every imported certificate uses a “profile” that includes only one certificate, while in order to authenticate you must have a User Certificate and a Root CA certificate in the same profile. My suggestion is to install Cisco AnyConnect Mobile (you can download it from the App Store for free; it requires iOS 4.0.x) to have SSL VPN on your device. Using AnyConnect Mobile you can import both certificates (User and Root CA) and select User Only during the client setup. The first time you connect to your company a warning pop-up will appear because the certificate is not valid, but you can skip the warning and continue. I know that this is just a workaround and is not so secure, but currently this is the only working configuration I have found. If you have any other suggestions or solutions, please post them as a comment. Please consider buying the Cisco AnyConnect Mobile extension license.
Using the SSL VPN tunnel you can browse your Intranet pages, but if your web portal requires Windows Authentication you must authenticate manually, typing username and password in DOMAIN\USER syntax.
Device Encryption
iPad uses built-in hardware encryption with AES 256-bit keys. This key prevents data from being accessed when the device is locked. The encryption key is derived from the user’s device password.
Application Control
Using IPCU or third-party solutions, you can lock down iPad devices to prevent users from installing applications. This is really useful when you want to manage all devices with the same applications and prevent conflicts between company-related applications and user apps.
Password Protection
iPad supports long alphanumeric passwords to protect the device. You can choose expiration time, complexity, password history and more. My personal suggestion is to use a password longer than 8 characters with lowercase, uppercase, numbers and special characters, and to set an expiration period of 30 days. iPad permits 5 consecutive login attempts without delay; starting from the 6th attempt you must wait 1 minute, 2 minutes, 5 minutes, etc…
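As an added example (not from this post, and not IPCU’s own code), the following Python builds the XML plist that an IPCU-style .mobileconfig profile contains, with a passcode payload encoding the recommendations above (more than 8 mixed characters, 30-day expiry, history) and a restrictions payload that blocks app installation, then audits any such profile for gaps against that baseline. Payload types and keys follow Apple’s configuration profile format; the identifiers and display names are constructed for the example.

```python
import plistlib
import uuid

# Keys follow Apple's configuration profile format (the XML plist behind a .mobileconfig); identifiers here are constructed.
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICT_TYPE = "com.apple.applicationaccess"

def _payload(ptype, ident, **keys):
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), **keys}

def build_profile(min_length=9, max_age_days=30, history=5, lock_apps=True):
    """Profile dict encoding the post's recommendations (constructed example)."""
    passcode = _payload(PASSCODE_TYPE, "example.corp.passcode",
                        forcePIN=True,              # a passcode is mandatory
                        allowSimple=False,          # no 1111 / 1234 style codes
                        requireAlphanumeric=True,   # letters and digits
                        minComplexChars=1,          # at least one special char
                        minLength=min_length,
                        maxPINAgeInDays=max_age_days,
                        pinHistory=history)
    apps = _payload(RESTRICT_TYPE, "example.corp.restrictions",
                    allowAppInstallation=not lock_apps)
    return _payload("Configuration", "example.corp.ipad",
                    PayloadDisplayName="Corporate iPad baseline",
                    PayloadContent=[passcode, apps])

def to_mobileconfig(profile):
    return plistlib.dumps(profile)  # XML plist bytes, as stored in a .mobileconfig file

def audit_mobileconfig(xml_bytes):
    """Parse a .mobileconfig and list gaps against the post's baseline."""
    profile = plistlib.loads(xml_bytes)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    findings = []
    pw = by_type.get(PASSCODE_TYPE)
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if pw.get("minLength", 0) <= 8:
            findings.append("minLength should exceed 8")
        if not pw.get("requireAlphanumeric") or pw.get("minComplexChars", 0) < 1:
            findings.append("complexity weaker than mixed chars + special")
        if pw.get("maxPINAgeInDays", 0) not in range(1, 31):
            findings.append("expiry missing or longer than 30 days")
    apps = by_type.get(RESTRICT_TYPE)
    if apps is None or apps.get("allowAppInstallation", True):
        findings.append("app installation not locked down")
    return findings
```

Writing `to_mobileconfig(build_profile())` to a `.mobileconfig` file gives a profile you can open in IPCU or install on a device; the audit function is useful for reviewing profiles exported from IPCU or a third-party console.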
If you lose your device, you can remotely wipe all data using third-party solutions or MobileMe. After the wipe, all data will be erased (or mail and settings only, depending on your choice) and the device will require iTunes activation. If you have a backup you can restore it.
Protect your profile
When you have finished setting up your policies, protect your profile settings with a PIN code to prevent users from uninstalling it!!
If you want a central console to manage all your devices, enforce policies, encrypt mail communications, check device compliance, etc… you can buy a third-party Mobile Management solution: