While Apple offers an option to disable Handoff on managed devices, it appears that option will be an all-or-nothing choice.
One useful security option in iOS 8 is Mail's ability to enable S/MIME encryption for individual messages. This is particularly helpful for organizations operating in regulated industries, though many companies may find it attractive as a general security enhancement. The feature is relatively easy to use, but IT departments that implement it will want to ensure that users understand that it's there, what its advantages are and how to use it.
Apple Pay will be less of an issue for techies. It uses the Secure Element in Apple's A8 chip, meaning IT staffers won't have access to any financial data belonging to a user. Beyond that, Apple's approach of not storing actual credit/debit card information on the device — instead, there's a device-specific account number that can be used with the payment service to generate one-time payment tokens or card numbers — provides a high level of user privacy.
Although this limits the technical liability issues associated with Apple Pay on managed devices, it's important that this be spelled out in privacy, mobility and BYOD policies. It is also important that this be clearly conveyed to users of managed devices.
Additional EMM options for iOS devices
In addition to the major changes noted above, Apple added a handful of new EMM commands to iOS 8. As in iOS 6 and 7, these are divided into two categories. The first applies to all iOS devices enrolled in EMM — company-owned and BYOD — and includes the following:
- Allow or prevent Internet search results from being included in Spotlight searches.
- Allow or prevent iCloud sync for managed apps.
- Query device to see which managed ebooks are installed (personal ebooks don't get included in the query results).
- Query device to see when it last backed up using iCloud. (As in previous iOS releases, EMM can block iCloud backup.)
- Query device for iTunes account. This option doesn't provide details about a user's account for privacy reasons, but by comparing hashes, an EMM console can let an administrator know whether an account has been removed/replaced on a managed device. That information can dictate whether a device should be cut off from licensed apps and ebooks. (It'd be wise to follow up with the device owner before revoking them.)
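The hash comparison described in the last item can be sketched as follows. This is an added example, not code from the article or from any EMM product; it assumes the device's answer arrives as a DeviceInformation property list using the keys iTunesStoreAccountHash and iTunesStoreAccountIsActive, which the article does not name, and the sample response, hash value and function names are constructed for illustration.

```python
import plistlib

# Constructed sample of a device's answer to the account query (not real data).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Status</key><string>Acknowledged</string>
  <key>QueryResponses</key>
  <dict>
    <key>iTunesStoreAccountIsActive</key><true/>
    <key>iTunesStoreAccountHash</key><string>c0ffee00constructed</string>
  </dict>
</dict>
</plist>"""


def account_state(response_xml, baseline_hash):
    """Compare the reported account hash with the one recorded at enrollment.

    The console never sees the account itself, only an opaque hash, so the
    only conclusions available are unchanged, replaced, removed or unknown.
    """
    try:
        doc = plistlib.loads(response_xml)
    except Exception:  # malformed or truncated response: draw no conclusion
        return "unknown"
    if not isinstance(doc, dict) or doc.get("Status") != "Acknowledged":
        return "unknown"
    answers = doc.get("QueryResponses") or {}
    current = answers.get("iTunesStoreAccountHash")
    active = answers.get("iTunesStoreAccountIsActive", False)
    if not current or not active:
        return "removed"   # no account signed in any more
    if current == baseline_hash:
        return "unchanged"
    return "replaced"      # a different account is signed in


def next_action(state):
    """Map the state to an administrator action; revocation is never automatic."""
    if state == "unchanged":
        return "none"
    if state == "unknown":
        return "re-query device"
    # Follow up with the device owner before cutting off apps and ebooks.
    return "contact owner before revoking licenses"


if __name__ == "__main__":
    state = account_state(SAMPLE_RESPONSE, "c0ffee00constructed")
    print(state, "->", next_action(state))
```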
The second set of EMM commands applies to supervised devices. These are devices that have been purchased and configured by an organization using Apple's Device Enrollment Program or Apple Configurator and, therefore, support additional restrictions.
- Allow or prevent access to the Erase all Settings and Content function that effectively restores an iOS device to its factory default state.
- Allow or prevent users from setting up app and device restrictions using the Settings app. (If a device already has restrictions in place with a passcode, an administrator can clear the passcode and disable the restrictions.)
- Set the name of the device.