The new app-management protocols also let IT specify apps to be installed automatically on iOS devices and Macs, based on the new ability to buy and distribute app licenses rather than individual (per-user) redemption codes. MDM servers can manage which apps are available to whom and which are auto-installed (the others show up in the Purchased pane in the App Store app on the user's device, available for download if desired).
Licenses to such managed apps can be revoked, so apps no longer automatically become owned by the user, as in the case of redemption codes. (However, content licenses -- such as for books -- stay with the user and cannot be revoked.) Revoked iOS apps continue to work for a 30-day grace period, and a prompt to buy a noncorporate copy appears. (You'll need to manage access to information separately, such as by disabling VPN or email access using their own policies.) Revoked OS X apps stop working immediately, quitting on launch. For this to work, managed apps need to check their receipt status.
These licenses and their installation management are available for apps in the Apple corporate app store, aka the App Store Volume Purchase Program, and do not apply to apps in the public App Store -- Apple considers those to be personal apps that companies have no rights over. It's a clear separation: Even though there's one user interface, iOS and OS X tracks which apps and content come from the corporate app store, Exchange or other server, and any management servers, then provides IT control over those. Whatever the user buys from the public App Store or accesses from his or her own email and other accounts belongs to that user -- including the Apple ID.
That principle has been in iOS since version 4.2, but the new APIs and protocols extend it more deeply into the application and content domains. As a result, most organizations' data protection and app isolation needs should be supported without relying on specific vendors' management tools and APIs. IT can use a broader variety of corporate apps without being locked in to specific management vendors -- and thus should be able to get control over more apps than is possible today. Users avoid the hassle of switching between personas, a clunkier approach adopted by BlackBerry 10's Balance feature, Samsung's Knox protocol, General Dynamics' Android version, and Android tools such as Enterproid's two-year-old Divide. After all, who needs clunky?
Finally, the new iPhone 5s has a fingerprint reader on its Home button that saves the user from entering the unlock password or iTunes Store password. This TouchID feature is a surrogate way to enter a password -- the user still has a traditional password that the fingerprint reader issues when it recognizes the user's fingerprint. TouchID is not available to other apps, just for unlocking and the iTunes Store. And its fingerprint hash is stored only on the device, so is not sent to Apple or anywhere else.
Ignore all the talk about biometrics and the pros and cons of that security technique. For now, TouchID is simply a faster way to enter a password to unlock a device or confirm an iTunes Store account. It's great for users but has no other implications for apps or IT.
This article, "How iOS 7's new APIs change the game for business," was originally published at InfoWorld.com. Read more of Galen Gruman's Smart User blog. For the latest business technology news, follow InfoWorld.com on Twitter.