Apple’s latest release, iOS 12, is here, and we’re excited to announce that MobileIron once again offers zero-day compatibility across all of our management platforms. With this release, Apple follows the continuum of extending more controls to institutionally-owned or “supervised” devices, notably around password management. Overall, there is a lot of exciting new functionality in iOS 12, with much of it focused on security. Today we’d like to share the features we think will pack the most punch for our customers.
OAuth 2.0 and the native mail app
While we’ve already published an in-depth overview of this topic, this news is worth repeating. Admins can now configure the iOS native email client over the air with OAuth 2.0. Using this modern framework, admins can augment an Exchange configuration with an OAuth 2.0 capability while still preserving the DLP and open-in controls they have come to expect.
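To make the configuration concrete, here is an added example (not MobileIron's code, and not from the original post) that builds an Exchange ActiveSync payload using Apple's iOS 12 OAuth keys and then audits a finished .mobileconfig for the settings an admin would want to confirm: OAuth enabled with https endpoints, no password stored beside it, SSL on, and the open-in/DLP keys still set. The host, address and OAuth URLs are constructed placeholders.

```python
import plistlib
import uuid

# Constructed sample values, assumed for illustration only.
EXAMPLE_HOST = "outlook.office365.com"
EXAMPLE_EMAIL = "jane.doe@example.com"
EXAMPLE_SIGNIN_URL = "https://login.example.com/oauth2/authorize"  # placeholder
EXAMPLE_TOKEN_URL = "https://login.example.com/oauth2/token"       # placeholder


def eas_oauth_payload(host, email, sign_in_url, token_url):
    """Exchange ActiveSync payload that authenticates with OAuth 2.0.

    OAuth, OAuthSignInURL and OAuthTokenRequestURL are Apple's iOS 12 EAS
    keys; PreventMove and PreventAppSheet are the existing open-in/DLP
    controls, so switching to OAuth does not loosen them."""
    return {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.eas.oauth",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Exchange (OAuth 2.0)",
        "Host": host,
        "EmailAddress": email,
        "UserName": email,
        "SSL": True,
        "OAuth": True,
        "OAuthSignInURL": sign_in_url,
        "OAuthTokenRequestURL": token_url,
        "PreventMove": True,       # mail cannot be moved to another account
        "PreventAppSheet": True,   # no open-in via the share sheet
    }


def build_profile(payloads, name="Corporate Mail"):
    """Wrap payloads in a top-level Configuration profile and serialise to XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.mail",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def audit_eas_payloads(profile_bytes):
    """Check every EAS payload in a .mobileconfig; returns {identifier: [findings]}."""
    profile = plistlib.loads(profile_bytes)
    report = {}
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.eas.account":
            continue
        findings = []
        if not p.get("OAuth", False):
            findings.append("OAuth disabled: account relies on a stored password")
        else:
            for key in ("OAuthSignInURL", "OAuthTokenRequestURL"):
                if not str(p.get(key, "")).startswith("https://"):
                    findings.append(f"{key} missing or not https")
            if "Password" in p:
                findings.append("Password key present alongside OAuth")
        if not p.get("SSL", False):
            findings.append("SSL disabled")
        for key in ("PreventMove", "PreventAppSheet"):
            if not p.get(key, False):
                findings.append(f"{key} not set: DLP/open-in control missing")
        report[p.get("PayloadIdentifier", "?")] = findings
    return report


if __name__ == "__main__":
    good = build_profile([eas_oauth_payload(EXAMPLE_HOST, EXAMPLE_EMAIL,
                                            EXAMPLE_SIGNIN_URL, EXAMPLE_TOKEN_URL)])
    print(audit_eas_payloads(good))  # {'com.example.eas.oauth': []}
```

The audit is the part worth keeping: run it over exported profiles before they are pushed, so that an account that silently fell back to password authentication, or lost its open-in restrictions during an edit, is caught in review rather than on a device.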
Some companies may still be concerned about a capability that became available with iOS 11, where OAuth connections, primarily to Office 365, could be initiated by a user when manually adding a new email account on a device. Not every organization wanted to allow this behavior from unmanaged devices, and many turned to innovative products like MobileIron Access to make sure only authorized users and devices could access company email. Our earlier overview also explains how OAuth 2.0 works on iOS devices and how MobileIron Access ensures that only the right devices receive corporate email.
Password security enhancements
Apple delivered a new capability in iOS 11.3 that allowed iOS devices to share Wi-Fi passwords with other nearby Apple devices. Although the password was never displayed in clear text, there were concerns about passing credentials to company-owned Wi-Fi networks. With iOS 12, Apple has introduced controls over password sharing for supervised devices with three new restrictions. Admins can now prevent supervised devices from sharing passwords and can deny requests from nearby devices for passwords. Rounding out the password enhancement is the ability to prevent AutoFill of passwords, for example, when a user saves a password in Safari for a frequently visited website.
Beginning with iOS 11.3, contacts deployed using UEM were treated as managed and couldn’t be shared with unmanaged iOS apps, unless admins enabled the sharing of managed data to all unmanaged apps, something many organizations were reluctant to do. Imagine an admin had deployed an Exchange ActiveSync configuration that contained contacts, and an employee wanted to send messages to the contacts using an unmanaged version of WhatsApp. With iOS 11.3 this wasn’t possible without creating a broad rule that allowed company data to be accessed by all unmanaged apps. In iOS 12, Apple is introducing specific controls for managed contact data, and admins can now share just the contact data to unmanaged apps.
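The two preceding sections describe settings that all live in the same restrictions payload, so here is one added example (not from the post or MobileIron) that audits a restrictions payload for both: the three iOS 12 password-sharing keys, the broad managed-to-unmanaged rule, and the narrow contacts-only grant. The weak sample payload is constructed, and the iOS defaults for absent keys are stated as I read Apple's restrictions reference; the key names are Apple's.

```python
import plistlib

# Constructed sample restrictions payload (assumed, not from the post): the
# "broad rule" above, allowOpenFromManagedToUnmanaged=true, with the iOS 12
# password keys left permissive or absent.
WEAK_RESTRICTIONS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.restrictions.weak</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>allowOpenFromManagedToUnmanaged</key><true/>
  <key>allowPasswordSharing</key><true/>
</dict>
</plist>
"""

# iOS defaults that apply when a key is absent (assumed from Apple's reference).
DEFAULTS = {
    "allowPasswordSharing": True,
    "allowPasswordProximityRequests": True,
    "allowPasswordAutoFill": True,
    "allowOpenFromManagedToUnmanaged": True,
    "allowUnmanagedToReadManagedContacts": False,
    "allowManagedToWriteUnmanagedContacts": False,
}
# Values that give the behaviour described above: block password sharing,
# keep the broad managed-to-unmanaged rule off, open only contact data.
EXPECTED = {
    "allowPasswordSharing": False,
    "allowPasswordProximityRequests": False,
    "allowPasswordAutoFill": False,
    "allowOpenFromManagedToUnmanaged": False,
    "allowUnmanagedToReadManagedContacts": True,
    "allowManagedToWriteUnmanagedContacts": False,
}
# The password keys are honoured only on supervised devices.
SUPERVISED_ONLY = {"allowPasswordSharing", "allowPasswordProximityRequests",
                   "allowPasswordAutoFill"}


def audit_restrictions(plist_bytes, supervised=True):
    """Return {key: note} for every key whose effective value differs from EXPECTED."""
    payload = plistlib.loads(plist_bytes)
    if payload.get("PayloadType") != "com.apple.applicationaccess":
        raise ValueError("not a restrictions payload")
    findings = {}
    for key, want in EXPECTED.items():
        have = payload.get(key, DEFAULTS[key])   # absent key -> iOS default
        if have != want:
            note = f"effective value {have}, expected {want}"
            if key not in payload:
                note += " (key absent, iOS default applies)"
            if key in SUPERVISED_ONLY and not supervised:
                note += " (supervised-only: ignored on this device)"
            findings[key] = note
    return findings


def hardened_restrictions():
    """The corrected payload as a dict."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.hardened",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
    }
    payload.update(EXPECTED)
    return payload


def hardened_restrictions_plist():
    """Same payload serialised as an XML plist, ready to drop into a profile."""
    return plistlib.dumps(hardened_restrictions())


if __name__ == "__main__":
    for key, note in audit_restrictions(WEAK_RESTRICTIONS).items():
        print(f"{key}: {note}")
    print(audit_restrictions(hardened_restrictions_plist()))  # {}
```

Note how the audit treats an absent key as its iOS default rather than as "not configured": the password keys default to permissive, so a profile that simply never mentions them leaves sharing enabled, and the supervised flag matters because those three keys do nothing on an unsupervised device.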
New data governance capabilities for macOS
Beginning with macOS Mojave (10.14), Apple is introducing a new way to manage how some files and apps share data with other apps. The new setting is called Preferences Policy Control and will be configurable in an upcoming release. Essentially, admins will be able to pre-approve which apps can access data from the Calendar, Contacts, and other apps and files located in the Security & Privacy section of System Preferences. This feature is significant because it’s the first Data Loss Prevention (DLP) capability for macOS apps that can be deployed over-the-air using an Apple configuration profile, which are the building blocks of modern MDM/UEM frameworks.
You can read more about this feature in Apple’s article “Prepare your institution for iOS 12 or macOS Mojave”.
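As an added example of what such a pre-approval profile looks like (not MobileIron's code, and not from the post), the block below builds Apple's privacy preferences payload (`com.apple.TCC.configuration-profile-policy`) for a hypothetical CRM app, allowing it to read Contacts and Calendar while explicitly denying Full Disk Access, and flattens a serialised payload into a reviewable list of grants. The bundle identifier and the designated code requirement are constructed placeholders; the check that every entry carries a code requirement is the point, since the grant should bind to signed code, not to a name.

```python
import plistlib
import uuid

# Constructed sample app: a hypothetical CRM client with a placeholder
# designated requirement (replace TEAMID000 with the real team identifier).
EXAMPLE_BUNDLE_ID = "com.example.crm"
EXAMPLE_REQUIREMENT = (
    'identifier "com.example.crm" and anchor apple generic and '
    'certificate leaf[subject.OU] = "TEAMID000"'
)

# Service names accepted under the Services key (assumed from Apple's reference).
KNOWN_SERVICES = {
    "AddressBook", "Calendar", "Reminders", "Photos", "Camera", "Microphone",
    "Accessibility", "PostEvent", "SystemPolicyAllFiles",
    "SystemPolicySysAdminFiles", "AppleEvents",
}
# A profile may only deny these; the user must grant them interactively.
DENY_ONLY = {"Camera", "Microphone"}


def pppc_entry(identifier, code_requirement, identifier_type="bundleID",
               allowed=True, comment=""):
    """One allow/deny entry. CodeRequirement is mandatory: it pins the
    decision to signed code rather than to a reusable name."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be bundleID or path")
    if not code_requirement or not code_requirement.strip():
        raise ValueError("CodeRequirement is required")
    return {
        "Identifier": identifier,
        "IdentifierType": identifier_type,
        "CodeRequirement": code_requirement,
        "Allowed": bool(allowed),
        "Comment": comment,
    }


def pppc_payload(services):
    """Wrap {service: [entries]} in a privacy preferences payload, validating it."""
    for service, entries in services.items():
        if service not in KNOWN_SERVICES:
            raise ValueError(f"unknown service {service}")
        if service in DENY_ONLY and any(e["Allowed"] for e in entries):
            raise ValueError(f"{service} can only be denied by profile")
    return {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Privacy preferences",
        "Services": services,
    }


def grants_in(payload_bytes):
    """Flatten a serialised payload into sorted (service, identifier, allowed) rows."""
    payload = plistlib.loads(payload_bytes)
    rows = []
    for service, entries in payload.get("Services", {}).items():
        for e in entries:
            rows.append((service, e["Identifier"], e["Allowed"]))
    return sorted(rows)


def example_payload_bytes():
    allow = pppc_entry(EXAMPLE_BUNDLE_ID, EXAMPLE_REQUIREMENT,
                       comment="CRM may read Contacts and Calendar")
    deny_fda = pppc_entry(EXAMPLE_BUNDLE_ID, EXAMPLE_REQUIREMENT, allowed=False,
                          comment="but not Full Disk Access")
    return plistlib.dumps(pppc_payload({
        "AddressBook": [allow],
        "Calendar": [allow],
        "SystemPolicyAllFiles": [deny_fda],
    }))


if __name__ == "__main__":
    for row in grants_in(example_payload_bytes()):
        print(row)
```

Reviewing the flattened grant list is the useful habit here: a payload is easy to read as "the CRM gets Contacts", harder to read as "what else did this profile quietly allow", and the `SystemPolicyAllFiles` and `AppleEvents` rows deserve the closest look.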
Some certificate authorities will no longer be trusted
Beginning with iOS 12, Apple will no longer trust Symantec certs, and by association, certs issued by Thawte, a company acquired by Symantec in 2010. In addition, the Federal Common Policy Root CA will also be distrusted. If your organization is using certificates from these companies to manage services such as web servers, iOS devices may generate warnings about connecting to an untrusted service.
From the enterprise viewpoint, iOS 12 delivers some solid, security-focused capabilities. Admins will like the new controls over saving and sharing passwords, and many will take advantage of the ability to share contact data to unmanaged apps without the need to share other company data. The new OAuth 2.0 configuration capability in Exchange payloads will allow for better governance of the native email app. It’s clear that Apple is listening to enterprise customers and providing them with the ability to offer employees an exceptional user experience without the need to sacrifice security.