It's a refrain I've heard more and more from IT managers in my travels in recent months: Yes, we can secure devices using Exchange or mobile device management tools, but what we really worry about is the support burden that iPads and iPhones will put on us. I'm happy to say that the IT support burden should not increase meaningfully -- or at all -- as employees bring in iOS devices.
But first, a caveat: Android is a different story due to all the permutations in the OS from vendor to vendor and the uncertainty over which apps are legitimate, though some principles I describe here for supporting iOS devices such as the iPad and iPhone should apply as well. And unlike with iOS, you'll get calls from employees who can't connect to your secured wireless network due to the lack of support in Android 2.x and 3.x for PEAP-secured Wi-Fi networks. Ditto for those Android 2.x smartphone users whose devices can't support many of your Exchange ActiveSync policies such as on-device encryption and complex passwords. I can't help you there.
First, a recent study shows that iOS devices require the least support of the major mobile platforms. The device that IT prefers, the Research in Motion BlackBerry, is more difficult to support, but as BlackBerrys continue to fade from the business environment, the IT mobile support burden should decrease. In fact, aggressively replacing BlackBerrys with iPhones is probably the quickest way to lighten the IT mobile support load. Android devices require the most support, but their current lack of basic enterprise security and manageability means you're not likely to allow their use for business purposes and, thus, don't need to support them. (Motorola Mobility's crop of business-savvy Androids is the notable exception.)
If you use IBM's Lotus Notes and Domino, you can't impose these policies on the iOS device (using the 8.5.2 or later version of Notes Server), just on the Lotus client. That's an IBM limitation, not an Apple one. The same is true, for the same reason, on the GroupWise email server, assuming you have the Data Mobility Pack installed to add EAS support. For these two old-school email systems, you should look at deploying a mobile device management (MDM) tool that supports multiple mobile OSes via policies. What you can do with IBM's and Novell's EAS support is wipe the devices completely or just the email server's data.
iOS also supports certificates, such as for PEAP-secured Wi-Fi access and VPN access. Again, these should be the same as you use for any device.
Use configuration profiles
But it's the provisioning profiles that you really should invest in, as they can save you lots of time in putting together a user self-configuration service.
Apple's provisioning certificates are based on XML, so you can generate them through several means. MDM tools generate them, for example. Mac OS X Lion Server also generates and remotely installs them on a per-user or per-device basis, tying into your Active Directory or Open Directory infrastructure so that you can set and apply policies for individuals, groups, devices, and device groups. The Web interface is simple, and the policies can be applied to Lion-based Macs. It does mean using a separate tool, but that's no different than using BlackBerry Enterprise Server (BES) to do the same for BlackBerrys. Mac OS X Lion Server is much cheaper than an MDM tool, especially if its policies cover your needs. (Lion Server costs just $50 to upgrade a Lion-based Mac to it, and $80 from a Snow Leopard-based Mac.)
If you have some configurations that are universal and others that are specific to a role or department, create a separate configuration profile. You should do so hierarchically, so only the universal profile sets the universal settings and only the local profiles set the local settings. iOS lets you install multiple configurations, so you can layer the configurations and later update just the universal one or just the local one without affecting the other configurations' settings.
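The layering described above, as an added example (not from the original article or from Apple's tools): a Python sketch that builds a universal profile and a department profile as XML property lists and checks that the two layers do not set the same payload type. The `com.example` identifiers, the SSID, and the policy values are placeholder assumptions.

```python
import plistlib
import uuid

ORG = "com.example"  # assumption: placeholder reverse-DNS prefix for your organization

def payload(ptype, ident, name, **settings):
    """One payload dict; the UUID is derived from the identifier so rebuilds are stable."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
            "PayloadDisplayName": name, **settings}

def build_profile(ident, name, payloads):
    """Wrap payloads in the top-level Configuration dictionary."""
    return payload("Configuration", ident, name, PayloadContent=payloads)

def universal_profile():
    ident = ORG + ".profile.universal"
    passcode = payload("com.apple.mobiledevice.passwordpolicy", ident + ".passcode",
                       "Passcode policy", forcePIN=True, requireAlphanumeric=True,
                       minLength=8, maxInactivity=5)  # constructed policy values
    return build_profile(ident, "Universal settings", [passcode])

def department_profile(dept, ssid):
    ident = f"{ORG}.profile.dept.{dept}"
    wifi = payload("com.apple.wifi.managed", ident + ".wifi", f"{dept} Wi-Fi",
                   SSID_STR=ssid, EncryptionType="WPA", AutoJoin=True,
                   EAPClientConfiguration={"AcceptEAPTypes": [25]})  # 25 = PEAP
    return build_profile(ident, f"{dept} settings", [wifi])

def overlapping_payload_types(*profiles):
    """Payload types set by more than one layer; should be empty for clean layering."""
    seen, clashes = set(), set()
    for p in profiles:
        types = {c["PayloadType"] for c in p["PayloadContent"]}
        clashes |= seen & types
        seen |= types
    return clashes

def to_mobileconfig(profile):
    """Serialize to the XML plist form saved as a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    layers = [universal_profile(), department_profile("finance", "CorpNet-Finance")]
    print("overlap:", overlapping_payload_types(*layers))
    # Each layer has its own PayloadIdentifier, so reissuing one replaces only that layer.
    print(to_mobileconfig(layers[1]).decode())
```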
When you save the profile, you can then share it with as many users as you want. You can email the profiles, and when the users open a profile on their iOS devices, they get a prompt to install it. Alternatively -- better for a self-service approach -- you can include the links to these profiles from a Web page or intranet site (such as a new-user welcome page that also contains the employee manual, time sheets, and payroll direct-deposit forms, or a departmental hub page), so users can simply install their own. Because these profiles configure their iPhones and iPads to work with your network and other resources, you know they will -- if they're really using the devices for business purposes, anyhow.
The downside of the iPhone Configuration Utility is that it can't update installed profiles automatically, as an MDM tool or Lion Server can; users have to download the newest version to get it. That is, unless you want to create your own over-the-air policy server -- Apple has provided instructions on how to do so using the SCEP protocol and a Cisco IOS or Microsoft Windows Server platform.
Unfortunately, I'm aware of no similar way to create such self-install profiles for BlackBerry, Android, or other mobile platforms.
The other piece you can do for employee self-service is to provide Web pages with links to your preferred apps. Apple has created an iTunes minisite that lists popular business apps; it's a good place to find recommended titles.
iOS may be intuitive for most users, but not everything is obvious from the get-go. Plus, troubleshooting issues always come up with any device. For some, like lost passwords, IT support should already have a universal system in place. But here are a few questions that are likely to arise and would be useful to know or at least consider as part of a self-support FAQ:
- When iCloud is released this month, it will automatically back up device settings for users who sign in via their Apple ID or iCloud account. That will greatly help restoration of a system that gets reset somehow. App data is not backed up, however, to iCloud. iTunes also tracks all the apps and media purchased through it, so those can be redownloaded if a device is wiped or reset, and they can be downloaded to a new device if the employee loses the current one -- at no charge. Also, iTunes backs up user data, as well as settings, so by syncing the iOS device to iTunes periodically, a user can self-restore a wiped device or transfer the apps, data, and settings to a new device. iOS 5's wireless backup should make that backup process even easier.
- iOS has no visible file system (files are stored within their apps' containers, as a security measure), so users often are confused about how to attach items to emails and otherwise bring content into apps. The trick is to start with the content. For example, to email a photo, go to the Photos app, select the photos, then use the Share menu to send them via email. Most apps use that menu or a similar one. Also, to move files among applications, look for the Open In menu -- you may get it from tapping and holding a document, by using the Share menu, or via some other app-specific methods -- to open a document from the current app into another one (only compatible apps are listed). Apps have to specifically support Open In, so some apps may not have this capability.
- If an employee has trouble when not near an IT support staffer, he or she can easily take screenshots to show the state and email them to the help desk. Press the Sleep/Wake and Home buttons simultaneously to take a screenshot, which then appears in the Photos app's Camera Roll album. There's no limit on the number of screenshots one can take.
- Most apps provide a quick-scroll option: Tap the top of the screen and the app's screen usually jumps to the top of its content (such as the list of email messages). Unfortunately, there's no equivalent to jump to the bottom of content.
- A few gestures are universal: Scroll within an app with one finger; scroll within a pane or window within an app (usually this is for websites) with two fingers. Pinch together a finger and thumb to zoom in; reverse that gesture to zoom out. Double-tap the Home button to open the multitasking bar that shows all running apps and lets you switch to any of them (as well as quit any of them by tapping and holding an app and then tapping its Close box).
If you're concerned about a tidal wave of iOS devices drowning your support team, relax. They're easier to support than you fear -- and the techniques here can reduce the burden even more by providing self-service options to your employees.
This article, "The simple way for IT to support iPads and iPhones," was originally published at InfoWorld.com. Read more of Galen Gruman's Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com.