The big news from Apple last week was, of course, the arrival of the new iPhone 5s and iPhone 5c. But Apple executives also recapped iOS 7, the next version of Apple’s mobile OS for iPhones, iPads, and the iPod touch.
iOS 7 rolls out on Wednesday, two days before the new phones will be available. And while it has a slew of new features users will like, the updated OS also offers important advances for enterprise users.
iOS 6 already has a number of key enterprise features: mobile management support, the ability to query devices for data like information on installed apps, and a remote wipe option if an iPhone or iPad is lost or stolen. But Apple has until now largely avoided linking iOS devices to enterprise identity systems.
Yes, there’s been support for Exchange and ActiveSync since the release of the iPhone 3G five years ago. And most mobile management tools can pull data from enterprise identity systems like Active Directory to determine what policies are enforced or preconfigured on a given user’s iPhone or iPad. But that’s nowhere near the authentication, authorization, and single sign-on options that Windows PCs (and even modern Macs) deliver.
With iOS 7, that changes in some significant ways. Most importantly, iOS now supports enterprise single sign-on. This is a game-changer because it means that once a user’s identity is verified and trusted, enterprise apps or commercial apps that access enterprise data or services won’t require users to repeatedly authenticate with their Active Directory or enterprise credentials. Better yet, Apple is making it relatively easy for developers to implement its single sign-on model.
Apple’s single sign-on model is itself interesting and somewhat novel. Rather than replicate what’s done on the desktop, as many vendors of mobile management systems that support containerization and/or app-wrapping have done, Apple took inspiration from the existing iOS account management architecture.
In early iOS releases, user accounts were pretty much restricted to email services, Exchange and Mobile Me (iCloud’s predecessor). Even Exchange support had limitations and supported just a handful of sync options: mail, contacts and calendar data. As Apple built in explicit support for other common services like GMail, AOL and Hotmail, it also added new sync options appropriate to each service. GMail, for instance, sports an option to sync calendars and notes.
Support for Twitter and Facebook accounts arrived with iOS 6, and now iOS 7 builds on that with support for LinkedIn. Of course, these accounts are treated differently by iOS than what are essentially mail and related services. Integrating them into the operating system was less about easy setup or syncing personal information than it was about credential-sharing. With iOS 7, users can simply enter credentials that allow iOS itself, the official Twitter and Facebook apps, and any app with an appropriately coded share sheet to access their accounts without requiring another round of authentication.
As a result, you can post a photo to Facebook directly from the Photos app (or any number of third-party apps) or you can tweet from inside Safari and include a link to the page you’re reading. You can even post something without opening any app as long as you include these accounts in the iOS Notification Center. Perhaps most important, you can manage what apps have access to your accounts just as you manage which ones can access your location or your photo library. These restrictions are set under Settings –> Privacy.
This is the foundation for enterprise single sign-on in iOS 7. Your enterprise account and its credentials are stored much like your Twitter or Facebook account info. You enter the information once and then simply allow other apps use it. And you can later revoke that access if you want. itvoice.
This model is different from single sign-on on a PC or Mac, where you generally use your credentials to log in to a computer before you can use it. It’s also different from how most mobile management systems tackle the issue. They usually require app developers to support a given provider’s single sign-on mechanism and specific APIs or integrate them into a secure container using app-wrapping.
Apple’s unique approach is something of an experiment — and a gamble. It has enough of a consumer feel to it that some enterprise IT professionals may be reluctant to consider it. Apple may even find its new approach competing with established products on the market that use a more traditional model and support that model on Android devices (and potentially other mobile platforms).
That said, it’s a solution that will almost certainly appeal to iPhone and iPad users. One complaint about container-based solutions that offer single sign-on across some, but not all, apps is that they feel limited to specific apps. Another is that it can be hard to discern which apps support single sign-on and other security features and which ones don’t. That makes switching between them confusing.
Apple’s approach will almost certainly feel more natural because the entire experience is based on the way people already use their iPhones and iPads.
The model is also likely to score some support with developers who want to offer a form of single sign-on but don’t want to be forced to build support for multiple APIs into their apps. A single option created and supported by Apple could easily be a better option, particularly for commercial apps that will be used by many different business customers.
It’s also worth noting that Apple itself doesn’t really view containerization as an ideal approach to mobile security. That’s because it divides the user experience rather than maintaining a consistent flow between work and personal apps and data. The company tackled that issue in iOS 7 with its new managed “open in” feature. That allows IT shops to restrict where data can go from a managed app by limiting the share or open in dialog within an app. It also limits the ability to copy text, images, or other content from within a managed app.
In doing so, Apple is taking some of the core elements of containerization and applying them in a more light-handed way. IT pros will be happy, as will developers. Best of all, end users get a healthy mix of security and the ease of use for which Apple is still known.
