Every time a new version of iOS or Android comes out, it introduces features that make IT nervous because so many of those additions can be used to access or transmit corporate data. Thus, Apple and Google typically update their management APIs and related tools so that mobile device management (MDM) vendors can help IT control those new capabilities.
Such is the case this fall, with the release of iOS 9 in mid-September and of Android 6.0 Marshmallow this week. In both instances, the changes in management capabilities are fairly minor, though Apple has put a real emphasis on managing app distribution and Google on managing app permissions. As businesses slowly discover that smartphones and tablets can be used for much more than email and Web browsing, those app controls are critical.
What’s new in iOS 9 management
Apple’s iOS 9 has very few new policies for managing iPhones, iPads, and iPod Touches. But there are some: Using a mobile device management (MDM) tool, IT admins can now force iOS updates and stage their deployment across supervised devices — meaning corporate-issued devices under full IT control. BYOD items cannot have iOS updates forced or staged by IT.
iOS users are quick to update, so IT organizations really should join Apple’s developer program so that they can test new iOS versions before they go live. But the new iOS controls let IT do that final check before implementing the update across all its corporate devices.
There are also new policies in iOS 9 to control whether devices can roam on cellular networks, to enable or disable screen recording, and to control whether they can use Apple’s Mail Drop feature to send large attachments. (Mail Drop stores the documents in iCloud and sends recipients who are not using an Apple device a link from which to download the attachment instead; Apple device users see the normal attachment in their email, even if it exceeds their email server’s attachment-size limits, because Apple Mail reattaches the file automatically behind the scenes.)
For supervised devices only, there are new controls over Apple Watch pairing, the use of iCloud Photo Library, keyboard shortcuts, automatic app downloads, and News app setup. Those supervised policies are designed mainly for shared-use devices, such as in schools or retailers.
Also for supervised devices, IT can control users’ ability to change the device name, password, and wallpaper. This new control is meant to address users who might use profanities or other inappropriate content; Apple’s device management tools chief, Todd Fernandez, told developers at its Worldwide Developers Conference earlier this year that students and others have electronically defaced shared devices that way.
Apple’s major changes in iOS 9 management focus on its Device Enrollment Program and Volume Purchase Program services. DEP is the service to manage fleets of supervised iOS devices and the in-house apps deployed to them, and VPP is the program to manage corporate apps from the App Store across that fleet of devices.
iOS 9 adopts the OS X approach to app management, whereby IT can associate a specific app with any number of devices and/or users, rather than managing each device’s or user’s apps independently. That change should simplify iOS app administration considerably.
Apple has also simplified how DEP catalogs apps, so IT can build an app library without having to poll all devices each time. Also, apps can now be installed on supervised devices even if the App Store is disabled on those devices.
In iOS 9, DEP can install in-house apps silently, without user confirmation — the IT organization is treated as a trusted developer out of the box now. Users will still have to confirm direct DEP installation of corporate apps from other private developers, but once they have confirmed a developer’s app, all future apps from that developer can be silently installed as well.
Apple has also adopted Exchange ActiveSync version 16 in iOS 9, which should make Exchange calendar features and file attachments work more reliably, Apple said at WWDC.
What’s going away in the next iOS
Also at WWDC, Apple warned IT that some current management features would be deprecated after iOS 9, and said MDM providers and IT alike should prepare now for those changes.
In that next version of iOS, MDM tools will no longer be able to manage the following features on unsupervised (BYOD) devices: app installation, app removal, FaceTime, Siri, Safari, iTunes, use of explicit content, iCloud documents and data, and multiplayer gaming. Those controls will remain available for supervised devices.
The rationale is that all those features are personal ones that IT should not be able to restrict on personal devices. IT can either provide supervised devices to users or go with the container approach offered by many MDM providers to separate the corporate portion of an iOS device from the personal portion. Although iOS doesn’t use the same type of container mechanism as Android, iOS allows effectively the same level of separation for corporate-issued apps and the data they contain.
Apple’s Fernandez noted at WWDC that the policies for these nine features predated the introduction of supervised-device capabilities in iOS, so that new method is the better way to manage them now on devices that truly belong to the company. Essentially, Apple is focused on strengthening iOS’s management capabilities for corporate-provisioned apps and data, while at the same time keeping IT from messing with personal apps and data.
What’s new in Android 6.0 Marshmallow
The big change in Android Marshmallow is that it adopts iOS’s approach to app permissions. That means users can now change the permissions that apps have whenever they want, not only choose those permissions at app installation.
In previous versions of Android, many users didn’t know what all those requested permissions meant; plus, they had to accept all or none. As a result, users granted all sorts of iffy permissions.
Now in Android Marshmallow, users can go to the Settings app to see what permissions each app uses and revoke or enable each permission independently at any time.
Better, IT can also manage these app permissions just as granularly for apps that reside in Android for Work or another managed container (for BYOD deployments) or on fully managed (supervised) corporate-issued devices, notes Imran Ansari, the Android product manager at MDM provider Soti.
Android Marshmallow’s other policy refinements are similar in their incremental nature to iOS 9’s. For example, new policies let IT force a device’s screen to stay on or a Wi-Fi connection to remain active while the device is plugged in. Soti’s Ansari says these forced-on features will appeal to IT in public-facing deployments, such as for kiosks, payment terminals, ordering systems, and lobby sign-in systems. “Users won’t be greeted by a blank screen or get connection errors,” Ansari says.
Android Marshmallow also lets IT admins disable the use of a smartwatch as an authentication token, so a smartwatch cannot be used to bypass a password requirement. And it lets IT force installation of OS updates as they become available, as well as delay those updates for as long as 30 days, so IT can test apps on a new OS version first.
Finally, Android Marshmallow offers new policies to control whether users can safe-boot their device (booting into safe mode can bypass MDM controls) and to control whether notification details can appear on a paired smartwatch’s screen, to keep company information secret. Android Lollipop (and iOS 8 and 9) let users control the setting, but not IT.
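As an added illustration, not code from the article or from any MDM vendor it names: one way a device-owner app could set four of the Marshmallow policies described above (per-app permission control, screen stay-on while plugged in, postponed OS updates, and blocked safe boot) through Android's DevicePolicyManager at API level 23. The class name, the package name com.example.fieldapp and the choice of READ_CONTACTS are assumptions, as is the mapping of each policy in the article to these particular calls.

```java
// Added example: hypothetical helper for a device-owner app (API level 23).
import android.Manifest;
import android.app.admin.DevicePolicyManager;
import android.app.admin.SystemUpdatePolicy;
import android.content.ComponentName;
import android.content.Context;
import android.os.BatteryManager;
import android.os.UserManager;
import android.provider.Settings;
import android.util.Log;

public final class MarshmallowPolicies {
    private static final String TAG = "MarshmallowPolicies";
    // Assumption: package name of a managed line-of-business app.
    private static final String MANAGED_APP = "com.example.fieldapp";

    /** 'admin' is the ComponentName of this app's DeviceAdminReceiver. */
    public static void apply(Context context, ComponentName admin) {
        DevicePolicyManager dpm = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        // The update and safe-boot policies below need device-owner rights,
        // so fail early on a BYOD device where this app is not device owner.
        if (!dpm.isDeviceOwnerApp(context.getPackageName())) {
            throw new IllegalStateException("Not provisioned as device owner");
        }

        // Per-app permission control: keep the normal prompt for future
        // requests, but pin one permission of one app to "denied". A pinned
        // state cannot be changed by the user in the Settings app.
        dpm.setPermissionPolicy(admin, DevicePolicyManager.PERMISSION_POLICY_PROMPT);
        boolean pinned = dpm.setPermissionGrantState(admin, MANAGED_APP,
                Manifest.permission.READ_CONTACTS,
                DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED);
        if (!pinned) {
            Log.w(TAG, "Could not pin READ_CONTACTS for " + MANAGED_APP);
        }

        // Kiosk use: keep the screen on whenever any power source is attached.
        int anyPower = BatteryManager.BATTERY_PLUGGED_AC
                | BatteryManager.BATTERY_PLUGGED_USB
                | BatteryManager.BATTERY_PLUGGED_WIRELESS;
        dpm.setGlobalSetting(admin, Settings.Global.STAY_ON_WHILE_PLUGGED_IN,
                Integer.toString(anyPower));

        // Hold back OS updates (up to 30 days) so apps can be tested first.
        dpm.setSystemUpdatePolicy(admin, SystemUpdatePolicy.createPostponeInstallPolicy());

        // Stop users from rebooting into safe mode to sidestep management.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_SAFE_BOOT);
    }
}
```

To force updates as soon as they are available instead of delaying them, SystemUpdatePolicy.createAutomaticInstallPolicy() can be passed to the same setSystemUpdatePolicy call.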