iOS 9.3 and EMM: 5 New Features That Will Matter to You
Jake Woodhams | March 23, 2016
Here at MobileIron, we are excited about new capabilities that Apple is introducing in iOS 9.3 to address organizational use cases. This may very well be the first time Apple has introduced this much new content in a point release. When you look at all the things Apple is doing with the Volume Purchase Program (VPP), the Device Enrollment Program (DEP), and the newest capabilities introduced in iOS 9.3, it is clear that Apple is serious about the enterprise.
The Apple VPP program allows institutions to bulk purchase and manage app licenses for their users and devices. Apple’s DEP program simplifies and accelerates deployments of institutionally purchased and issued Apple devices. DEP enables EMM enrollment and wireless device supervision when the device is activated. Supervised mode enables additional security and management controls and restrictions for an EMM like MobileIron. These additional controls and restrictions address use cases for institutionally owned and issued devices.
Let’s take a closer look at some of the new iOS 9.3 Enterprise features.
1. Home Screen Layout
Enterprises can customize the home screen layout of supervised devices running iOS 9.3 or greater. Mobile IT administrators can create custom home screens by controlling the apps, icons, and web clips on the home screen. Administrators can create folders to group apps and place commonly used apps in the dock for easy access. We expect these new capabilities to find traction in industries such as retail, trade shows, and hospitality, and in other use cases that call for single-app or limited-app, kiosk-style devices. Educators may also enjoy the ability to create a consistent end user experience for their device users.
2. Blacklist and Whitelist Restrictions
The concept of whitelisting and blacklisting apps is not new to MobileIron. However, with iOS 9.3, Apple has extended the underlying capabilities that EMMs can leverage. Rather than reactively taking compliance actions when blacklisted apps are detected, the new app blacklisting feature in iOS 9.3 can be invoked proactively to prevent blacklisted apps from being used at all.
Apple has also included a new app whitelisting feature so that mobile IT administrators can create stringent app distribution policies. Devices can be locked down to only the trusted, selected apps in the whitelist, defined by IT. Apps that are not enumerated in the whitelist will not be available to the end user, with the exception of the native phone app on the iPhone and Settings.
Both the new iOS 9.3 app blacklisting and whitelisting features require device supervision and target any use cases where stringent controls over the apps on organizationally owned devices are required. For example, there may be compliance and regulatory concerns that rule out any personal use of iOS devices. Moreover, these capabilities could be a good fit for devices operating in a kiosk-type application.
3. MDM Lost Mode
Loss or theft of institutionally issued devices is a huge concern for mobile IT administrators, so Apple has added a new MDM Lost Mode feature to iOS 9.3. When the new lost mode is invoked, devices will report their geolocation to their EMM even if location services are disabled on the device! MDM Lost Mode requires a device to be both enrolled in Apple DEP and supervised. This is a feature that only applies to institutionally purchased and issued devices, not BYOD deployments.
4. MDM Initiated Activation Lock
The iOS Find My Phone Activation Lock function makes it harder to use or resell lost or stolen iOS devices. With iOS 9.3, EMM providers can work with Apple’s DEP servers to enforce activation lock on the device and override the activation lock if necessary. The feature only works for Apple DEP enrolled devices, so again, this feature applies only to institutionally purchased and issued devices, not BYOD deployments. Apple has devised an ingenious architecture that protects the device from unauthorized activation lock bypass, but gives mobile IT administrators power to secure their DEP enrolled devices with Find My Phone Activation Lock.
5. Notifications Controls
With iOS 9.3, mobile IT administrators will have more granular control over the notifications received by apps. Administrators will be able to customize how notifications for different apps are delivered based on the app’s bundle ID. So, for example, mobile IT administrators will be able to turn off notifications for mission-critical apps, which may carry sensitive data, or restrict notifications to a certain level for selected apps. Additionally, on supervised devices, mobile IT administrators will be able to prevent users from changing the notification settings.
Mobile IT administrators may want to consider these new controls to restrict how messages in instant messaging clients and collaboration apps are displayed, since messages within these apps might contain sensitive, proprietary, or confidential information.
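The app whitelist from section 2 and the per-app notification controls from section 5, as an added example that is not MobileIron's code or part of the original post: it builds a configuration profile and audits it for gaps. The payload types and keys are Apple's configuration profile keys as understood here and should be checked against Apple's reference; the bundle IDs, identifiers and UUIDs are constructed placeholders.

```python
import plistlib

# Constructed sample values: bundle IDs, identifiers and UUIDs are placeholders.
ALLOWED = ["com.example.pos", "com.example.chat"]
SENSITIVE = ["com.example.chat"]

def payload(ptype, n, **keys):
    """Wrap payload-specific keys with the common payload header."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.profile.{n}",
            "PayloadUUID": f"00000000-0000-0000-0000-{n:012d}", **keys}

def build_profile(allowed, quiet_apps):
    """Serialize a profile with an app whitelist and per-app notification rules."""
    restrictions = payload(
        "com.apple.applicationaccess", 1,
        whitelistedAppBundleIDs=list(allowed),   # supervised devices only
        allowNotificationsModification=False)    # user cannot undo the rules
    notifications = payload(
        "com.apple.notificationsettings", 2,
        NotificationSettings=[{"BundleIdentifier": b,
                               "NotificationsEnabled": True,
                               "ShowInLockScreen": False,
                               "ShowInNotificationCenter": False}
                              for b in quiet_apps])
    return plistlib.dumps(payload("Configuration", 0,
                                  PayloadContent=[restrictions, notifications]))

def audit(profile_bytes, sensitive):
    """Return findings for a serialized profile; an empty list means it passes."""
    content = plistlib.loads(profile_bytes)["PayloadContent"]
    by_type = {p["PayloadType"]: p for p in content}
    restr = by_type.get("com.apple.applicationaccess", {})
    findings = []
    if not restr.get("whitelistedAppBundleIDs"):
        findings.append("no app whitelist")
    if restr.get("allowNotificationsModification", True):
        findings.append("user can change notification settings")
    rules = {r["BundleIdentifier"]: r for r in
             by_type.get("com.apple.notificationsettings", {})
                    .get("NotificationSettings", [])}
    for app in sensitive:
        rule = rules.get(app)
        if rule is None or (rule.get("NotificationsEnabled", True)
                            and rule.get("ShowInLockScreen", True)):
            findings.append(f"{app}: notifications can show on lock screen")
    return findings

if __name__ == "__main__":
    print(audit(build_profile(ALLOWED, SENSITIVE), SENSITIVE))  # hardened
    print(audit(build_profile(ALLOWED, []), SENSITIVE))         # weak
```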
There are, of course, other iOS 9.3 features relevant to organizations. For a more detailed look at these features, check out MobileIron's iOS 9.3 Solution Brief. Additionally, MobileIron’s latest software releases are compatible with iOS 9.3. For questions about MobileIron’s compatibility with iOS 9.3, please talk to your MobileIron representative. You can also join us at our upcoming Mobile First Conference, where we will be talking extensively about Apple DEP, VPP, and iOS deployment and management strategies.