iOS device policies in WSO2 Device cloud

Today, many organizations allow employees to bring their devices to work and this introduces new risks to corporate data as people typically use their devices for work purposes. To minimise the risk of exposing corporate data to unintended parties, organization may want to manage the devices of their employees and enforce rules or policies on what each user can do with their devices. WSO2 device cloud is capable of managing devices and enforcing strict policies on devices to increase the information security of an organization. Let's take a look at the policies [1] that are available for iOS devices in WSO2 device cloud.
Passcode Policy

This is one of the most common policies that provides an OS level security to a device. With the passcode policy, administrators can make sure that every user has a strong passcode for their devices and make the user adhere to the the rules defined by the administrator when setting up a password. When a passcode policy is set on a device, the device will prompt the users to add a passcode that adheres with the policy.




Restrictions
                                                                         
Restrictions allow the administrator to restrict the devices from performing some actions. For example the administrator may need to
  • Disable users from using their cameras within the organization.
  • Disallow iCloud backup to stop any corporate data being backed up to iCloud.
  • Allow voice and video conferencing.
There are over 50 restriction[2] that iOS restriction policy provides and these policies allow an administrator to have fine grained control over what each use can and cannot do with their iOS devices.
WiFi Configuration Policy

This policy will allow an administrator to configure the Wi-Fi setting on enrolled devices. In an organization, it is important for employees to use a secure company provided Wi-Fi network when performing their work related tasks. In such a situation, administrators should configure each and every employee's device with the company Wi-Fi configurations. Wi-Fi policy allows administrator to perform this task remotely without having to configure each and every device manually.



Email Configuration Policy
Similar to Wi-Fi policies, Email policy will configure the user's email client so that each user is automatically configured with the necessary setting to access their email. This configuration can be used to connect to POP or IMAP email accounts.
AirPlay Settings Policy


AirPlay is a feature that is available in iOS that lets iOS devices stream media such as photos and videos to AirPlay enabled receiving devices such as AppleTvs and speakers. In an organisation, AppleTVs can be shared with many users. Therefore,  the  administrators need to restrict access to these devices. In such a situation, AirPlay configurations can make sure the devices are only allowed to connect to a predefined set of AirPlay destinations and security can be tightened  by adding an AirPlay password for each destination device so that a password is required to access it if a user want to connect their device.
Managed Domains Policy


Using managed organizations can  specify which domains are considered as corporate domains. When a user tries to send an email to an outside party, the email client will warn the user that they are sending the email outside of the managed domain.
LDAP Configurations Policy


An LDAP policy allow the administrator to send the corporate LDAP connection details to the user devices and configure it remotely. Once the configurations are set up on the device, the user’s contacts app will be synced with the contacts available in the LDAP. This makes the communication within an organization much more faster as searching for contact details is made easier.
Calendar Configuration And Subscription Policy
In an organization, having a shared corporate calendar is important since this allows users to create invites to event, receive invites from others, keep track of events, and have reminders to event. This is achievable with a corporate CalDAV server and the calendar configuration allows the administrator to configure the user devices for them to connect to the CalDAV server of the organisation.
Cellular Network Settings Policy
When a corporate network connection(sim) is provided to a user, it might be necessary to configure the APN settings of the device in order for users to access mobile data. With the help of cellular network settings policy, this can be done remotely so that user can easily connect to mobile data without having to configure there settings on their own.


VPN Configuration Policy
When connecting to a corporate network through a public network, it is very important to have a secure channel to communicate. This is achievable by having a VPN server and it allows the devices to connect via VPN. The VPN configuration profile allows the configurations of the VPN server to be pushed to every device remotely.
These are the policies that are currently available for iOS devices in the WSO2 device cloud. These policies can be used to manage devices effectively in any organization.

Comments

Post a Comment

Popular posts from this blog

MDM vendor singing and MDM APNS certificate generation for WSO2 Iot server

Image
When we look at how Apple has created the device management protocol for iOS devices, one thing that we notice is they have tried to make the process as secure as possible. In this article, we will look at what is the MDM APNS certificate and how we can generate and use them. When managing iOS devices, the device management commands are typically executed by a native client available in the iOS operating system itself. When a device management server needs to send a command to this client, the command has to be sent though Apple APNS server. However, since these commands are executed by the operating system it self, using a general APNS certificate, does not make sense. Therefore Apple has made it mandatory that the device management servers use a special MDM APNS certificate when sending commands to a device. These certificates expire annually and the admins have to renew then annually. MDM APNS certificate generation is bit of a complex process and to make things simpler, I ha
Read more

Android device owner concepts

Image
With Android 5.0, Google has introduced Device owner and device profile concepts to make android enterprise ready. Device owner app is an application with special privileges to perform task such as monitor and manage settings and other privileged tasks. This means in a literal sense,the devices ownership is given to the organization managing it making the device owner concept ideal for COPE scenario. Once the device ownership is assigned to an app, in order to remove it, the device needs to be factory reseted, for example in a situation where the device needs to be given to a different user.  When the device ownership is given to a specific app, the app gets access to a set of Android APIs that are only available to device owner app. These APIs are not available to regular Android apps. At a given time there can only be one device owner app in a device, which prevents another device owner app overriding the policies enforced by the first device owner app.  The service app prov
Read more

[APIM] Send emails to users upon self-sign up aproval

When using the self sign up of WSO2 API manager, the user needs to wait for the admin to approve their signup request. However when the admin approves/rejects the request, users may like to receive an email with the status of the approval. This can be achieved by the extension points provided by APIM. In this article we will consider how this can be achieved, First step is to set up the user sign up work flow as described in the documentation[1]. After following the documentation, you should be able to self sign up and attach a workflow to the to the self sign up process. After self signup, you can login to the admin portal of APIM and approve or reject a request to sign up. This portal can be address through https://HOSTNAME :PORT /admin for example https://10.100.9.174:9443/admin Next we need to extend from UserSignUpWSWorkflowExecutor of APIM and write your own logic to send out an email. In this case, we have overriden the complete method of UserSignUpWSWorkflowExecutor. In the
Read more