Apple's iPhone and iPad have seen increased adoption by the enterprise, but IT pros integrating the devices could need to institute additional security policies, according to a new Forrester report.
Apple has enjoyed increased enterprise adoption of the
iPhone and iPad-but a new Forrester Research report makes it clear that, if
companies are to accept the devices into their fold, certain security policies
need to be implemented first.
The Aug. 2 report authored by Forrester analyst Andrew
Jaquith suggests that, while Apple has instituted more stringent security for
its devices, enterprises need to be proactive about instituting policies of
their own for the iPad and iPhone.
Those seven security policies include:
- Requiring e-mail session encryption
- Wiping the contents of lost or stolen devices
- Protecting devices with a passcode lock
- Autolocking devices after a period of inactivity
- Autowiping devices after failed unlock attempts
- Continually refreshing policies
- Protecting the configuration profile
"These seven Apple mobile device policies satisfy the basic
security needs of most enterprises," Jaquith wrote. Enterprises should consider
instituting provisions to acceptable-use policies, he added, including the requirement
that employees back up their devices using iTunes.
Certain enterprises, such as health care, demand more
stringent security policies. For those companies, Jaquith recommends additional
configuration profile settings: seven-character alphanumeric passcodes for
stronger protection, hardware encryption with an AES-256 symmetric key,
certificate-based authentication, and the application encryption supported by
Those more-stringent requirements would also demand new policy
provisions, including a company right to emergency device confiscation, and a requirement
that users scrub their address books of sensitive information such as social
At the top level of stringency, an enterprise can institute
policies for Apple devices that include blocking use of the iPhone camera,
prohibiting access to the App Store, turning off the screen-capture feature,
and preventing use of the browser. However, Forrester apparently "regards these
policy options as excessive for personally owned devices, as we recommend that
you implement these policies only sparingly."
Even with Apple's more robust security measures, the report
suggests that the iPhone and iPad "still lack some key security and management
refinements that enterprises require." These include the iPhone's inability to
automate installation tasks, even as it generates configuration profiles; a
lack of mature enterprise device management tools and support for smart-card
authentication; no compliance with FIPS 140-2; and zero capability for logging
and archiving SMS messages.
In addition, the iPhone and iPad lacks support for client
e-mail end-to-end encryption, fine grained application control, and the native
ability to compartmentalize work and business environments on the device.
"While most enterprises can use Apple mobile devices
securely, some require higher levels of authentication assurance, resistance to
attack, manageability, and logging that the iPad or iPhone can provide," Jaquith
wrote. "For these customers, Research In Motion's BlackBerry still rules the