To help you get the most out of Jamf Now, I'd like to answer a few of the most common questions I receive from Jamf Now customers concerning iPhone and iPad security. I'll also offer some simple best practices companies should consider when it comes to making their device management security plans.
Q: Many people know about restrictions, but can get lost in how many there are. What are a few that people can start with to get themselves going?
Before we dive in, it is important to say that when it comes to security there is no one-size-fits-all strategy or plan. Today we can talk about some common use cases and suggestions, but the right choices depend on your individual needs, how you plan on using the devices and what industry you are part of. For example, the security needs of a property management company may be different from those of a healthcare organization trying to comply with HIPAA or other regulations. So, as you read these, keep in mind that you may have to put your own spin on them or apply them a little differently to get the most out of them.
There are two levels of device management: supervised and unsupervised devices. Supervision applies to devices enrolled using automated device enrollment and offers a higher level of management and control. Some restrictions only take effect on supervised devices, so read the article linked above about supervision and look at our list of restrictions to learn which ones require it.
Usually we don’t talk about Jamf Now as a restriction product. We like to focus on how companies can enable their teams and employees to give them the best tools to do their best work. But when it comes to security and privacy, restrictions can be your best friend. With more than 75 restrictions to dive into, it can be overwhelming. So I am going to focus on four restrictions to start with when you are planning your deployment.
- Prevent changes to accounts: This prevents employees or team members from adding, removing or modifying accounts like email or iCloud beyond the work email that you set up. Some administrators are all right with allowing personal emails or iCloud in case the need for using Activation Lock arises. However, if you are already using Jamf Now you have all the abilities of Activation Lock at your disposal. By denying the ability to log into iCloud, you prevent unwanted backups of data and communications that could lower overall security.
- Disable installing apps: This restriction removes a user’s ability to download apps to iPhone and iPad devices and disables the App Store. The company then has full control over, and knowledge of, which apps are in use. This prevents employees from introducing an insecure app, or from storing company data in an app that has not been preapproved.
- Disable erase all content and settings: While the ability to erase all content and settings has its purposes, in the wrong hands it lets an employee wipe the device, taking the MDM profile stored on it with it. The device would then sit outside the management capabilities Jamf Now offers, leaving it potentially vulnerable.
- Managed app data segregation: This restriction allows an organization to dictate that only specified, managed apps can open documents and email attachments. This keeps data in known, controlled locations instead of scattered around. By doing this you maintain control of the sharing and use of internal communications and, potentially, customer information. This is a huge feature in healthcare, where HIPAA compliance is the top priority.
I would say that these are four of the most-used and simplest restrictions for added security. They're a great place to start. However, if you want additional help, you can look at industry-recommended blueprints within Jamf Now. They come with a security rating to help guide you.
Also, check out our article for a full list of restrictions.
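To make the four restrictions concrete, here is an added example (not Jamf's code) that builds the Restrictions payload an MDM would push, using Apple's documented `com.apple.applicationaccess` keys, and flags which of the four are ignored on an unsupervised device. The `SUPERVISED_ONLY` set is my reading of Apple's restriction documentation; verify it against the restriction list the article refers to. Identifiers such as `com.example.restrictions` are placeholders.

```python
"""Restrictions payload for the four starting restrictions.

Added example; it uses Apple's Restrictions payload keys
(com.apple.applicationaccess) rather than anything specific to Jamf Now.
"""
import plistlib
import uuid

# The four restrictions above, mapped to Apple's payload keys.
# Each "allow*" key is set to False to disable the capability.
STARTER_RESTRICTIONS = {
    "allowAccountModification": False,         # Prevent changes to accounts
    "allowAppInstallation": False,             # Disable installing apps / App Store
    "allowEraseContentAndSettings": False,     # Disable "Erase All Content and Settings"
    "allowOpenFromManagedToUnmanaged": False,  # Managed app data segregation (both directions)
    "allowOpenFromUnmanagedToManaged": False,
}

# Keys that only take effect on supervised devices (my reading of Apple's
# documentation; check it against the restriction list the article links).
SUPERVISED_ONLY = {
    "allowAccountModification",
    "allowAppInstallation",
    "allowEraseContentAndSettings",
}


def restrictions_payload(restrictions, identifier="com.example.restrictions"):
    """Return one Restrictions payload dictionary for a configuration profile."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,       # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Starter restrictions",
    }
    payload.update(restrictions)
    return payload


def configuration_profile(payloads, identifier="com.example.profile"):
    """Wrap payloads in the top-level profile envelope and serialise to XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,       # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Security baseline",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile).decode("utf-8")


def ineffective_on_unsupervised(restrictions):
    """Keys that an unsupervised device will silently ignore, so the admin
    knows the profile installs but does not deliver the protection expected."""
    return sorted(key for key in restrictions if key in SUPERVISED_ONLY)


if __name__ == "__main__":
    print(configuration_profile([restrictions_payload(STARTER_RESTRICTIONS)]))
    print("Needs supervision:", ineffective_on_unsupervised(STARTER_RESTRICTIONS))
```

The point of `ineffective_on_unsupervised` is the check most admins skip: a profile with supervised-only keys installs cleanly on an unsupervised device, so the only sign that three of the four restrictions are not enforced is the supervision state itself.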
Q: Can you tell me a little bit about passcodes?
Absolutely. It sounds very simple, and you may think every company out there is demanding passcodes for their company devices, but you might be surprised to learn how many are not. Unless you have a very good reason for not requiring one (perhaps for a display device at a tradeshow), your company could benefit from this security step. It’s the first line of defense on the physical device should any security breach occur. Preventing unwanted access to the device, or making it more difficult to access, gives you more time to lock it down or wipe it if necessary. In addition, as soon as that passcode is set, the built-in encryption capabilities take effect, which is a critical security function.
Some people are unaware of the additional options you have to take your passcode security to the next level. You can require iPad or iPhone passcodes to be four digits, six digits, or a mix of letters and numbers as on a Mac, and you can set how often users must change their passcode. Changing passcodes regularly is a pretty standard security best practice. I should note some companies don’t do this because they believe regularly changing passwords causes employees to lower the quality of their password, knowing they will have to change it again in the future, but each organization should implement what works for them.
Companies can also create settings for “Maximum Auto Lock” and “Grace Period.” Maximum Auto Lock is the idle time before a device goes to sleep and locks, while Grace Period is the time a person has after locking the device before having to enter their passcode again. These should be shaped by your team’s usage of the device and the level of security desired. Finally, companies can have the device locked down and erased after a set number of incorrect passcode attempts. When that number is reached the device locks and wipes itself. This is an option for organizations needing very tight security.
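The settings just described map onto Apple's Passcode payload (`com.apple.mobiledevice.passwordpolicy`). The following is an added example, not Jamf's code, that places a loose policy beside a hardened one and audits a policy against a baseline; the thresholds in `REQUIREMENTS` (six characters, five-minute auto-lock, quarterly rotation, wipe after ten attempts) are this example's own choices, not Jamf Now defaults, and `com.example.passcode` is a placeholder.

```python
"""Passcode payload: a loose baseline beside a hardened one, with an audit
that lists which settings fall short.

Added example using Apple's Passcode payload keys
(com.apple.mobiledevice.passwordpolicy). The thresholds in REQUIREMENTS are
this example's own baseline, not product defaults.
"""
import plistlib
import uuid

# A loose policy: four-digit numeric code, long auto-lock and grace period,
# no rotation and no wipe after repeated failures.
WEAK_PASSCODE = {
    "forcePIN": True,             # a passcode is required at all
    "allowSimple": True,          # repeating or sequential codes such as 1111 are allowed
    "requireAlphanumeric": False,
    "minLength": 4,
    "maxInactivity": 15,          # idle minutes before auto-lock ("Maximum Auto Lock")
    "maxGracePeriod": 60,         # minutes after locking before the passcode is needed ("Grace Period")
    "maxPINAgeInDays": 0,         # 0 means the passcode never expires
}

# A hardened policy in the spirit of the article.
STRONG_PASSCODE = {
    "forcePIN": True,
    "allowSimple": False,
    "requireAlphanumeric": True,
    "minLength": 6,
    "maxInactivity": 2,
    "maxGracePeriod": 0,          # passcode required immediately after lock
    "maxPINAgeInDays": 90,        # rotate quarterly (the article notes not every org wants rotation)
    "pinHistory": 5,              # the last five passcodes cannot be reused
    "maxFailedAttempts": 10,      # the device wipes itself after this many wrong attempts
}

# Each rule is (key, predicate over the policy value, requirement in plain words).
REQUIREMENTS = [
    ("forcePIN", lambda v: v is True, "a passcode must be required"),
    ("allowSimple", lambda v: v is False, "simple codes (1111, 1234) must be refused"),
    ("requireAlphanumeric", lambda v: v is True, "letters and numbers must be required"),
    ("minLength", lambda v: v is not None and v >= 6, "at least six characters"),
    ("maxInactivity", lambda v: v is not None and v <= 5, "auto-lock within five minutes"),
    ("maxGracePeriod", lambda v: v is not None and v <= 5, "grace period of at most five minutes"),
    ("maxPINAgeInDays", lambda v: v is not None and 0 < v <= 90, "rotate at least every 90 days"),
    ("maxFailedAttempts", lambda v: v is not None and 2 <= v <= 10, "wipe after a bounded number of failed attempts"),
]


def audit_passcode_policy(policy):
    """Sorted list of keys whose values fail the baseline; empty means compliant."""
    return sorted(key for key, ok, _ in REQUIREMENTS if not ok(policy.get(key)))


def explain(policy):
    """One line per failing key, suitable for a change request."""
    wording = {key: requirement for key, _, requirement in REQUIREMENTS}
    return ["%s: %s" % (key, wording[key]) for key in audit_passcode_policy(policy)]


def passcode_payload(policy, identifier="com.example.passcode"):
    """Wrap a policy dict in the Passcode payload envelope."""
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,       # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
    }
    payload.update(policy)
    return payload


def to_plist(payload):
    """Serialise a payload to the XML plist form used inside a .mobileconfig."""
    return plistlib.dumps(payload).decode("utf-8")


if __name__ == "__main__":
    for line in explain(WEAK_PASSCODE):
        print("weak policy ->", line)
    print(to_plist(passcode_payload(STRONG_PASSCODE)))
```

Note that a missing `maxFailedAttempts` is reported as a failure rather than ignored: the page's point about wipe-on-failure only holds when the key is actually present, so the audit treats absence as the weakest setting.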
Q: How can a company use OS updates for security purposes?
Free OS updates are hands-down one of the largest benefits of investing in Apple devices. These updates come with bug fixes, patches and security enhancements. They force external app developers to maintain and update their work to comply with new standards. Apple does all of this to raise the quality and level of security for users, so you should be taking advantage of them.
By using an MDM like Jamf Now, businesses can manage their fleet of devices from anywhere. Gone are the days of needing to physically hold a device to upgrade it to the latest operating system. By leveraging Jamf Now as a central management platform, you can make sure every device in your company is on the latest operating system and has the highest level of security. Keeping your systems up-to-date can help prevent external security threats.
However, when Apple releases a new OS, it can cause some apps to falter. Oftentimes, to comply with the new security demands, apps need development work. But as a business, you likely need that app to continue functioning to continue your team’s work without interruption. What you should do in that case is delay your OS update (up to 90 days). This will allow you to prevent your team from updating their devices before apps are ready to be used. By delaying updates, you can test the new OS, test how your apps perform on it and make sure everyone on your team is ready to use it.
Q: Talk about some of the added security a user gets with the Jamf Now Plus plan features.
There are features on the Jamf Now Plus plan that offer additional levels of control of devices that provide extra security measures. These include website whitelisting/blacklisting and website content filtering, app whitelisting/blacklisting and VPN deployment.
With the controls around website whitelisting/blacklisting, you can create a list of acceptable (whitelist) and unacceptable (blacklist) websites people may visit. Take it one step further with content filtering. Content filtering allows you to prohibit websites based on their content rating or maturity ranking. This lets you put some simple filters in place to capture anything your whitelist and blacklist don’t grab.
App whitelisting and blacklisting is very similar to website whitelisting and blacklisting but has an additional use case that many Jamf Now accounts rely on. This feature allows you to restrict built-in apps or limit the set of apps employees can use on their iPad or iPhone. In addition to using it to ensure that only IT-approved apps are used, some customers use it much as they would Single App Mode, but for devices that need two or three apps rather than one.
The modern working world no longer conforms to the 9-5 in-office mold. That means security needs to be taken into account when staff are not in the office. By upgrading to the Jamf Now Plus plan, you gain the ability to use Custom Profiles to deploy a VPN, providing a secure, encrypted connection that gives users greater privacy and security.
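The website whitelist, blacklist and content-filter controls described above correspond to Apple's Web Content Filter payload. The following added example (not Jamf's code) builds that payload and models how the three controls interact, so an admin can predict what a given URL will do before pushing the profile. The decision function and the sample hosts (`badexample.test`, `intranet.example` and so on) are constructed for illustration and are not Apple's implementation; the note on the renamed keys is my understanding of current Apple documentation.

```python
"""Web Content Filter payload plus a small model of list precedence.

Added example. The payload keys are Apple's (com.apple.webcontent-filter);
the decision function and the sample hosts are constructed to illustrate how
the blacklist, whitelist and automatic filter interact, not Apple's code.
"""
import plistlib
import uuid
from urllib.parse import urlsplit

# Constructed sample data for the example.
DENIED = ["badexample.test", "social.example"]          # always blocked (blacklist)
PERMITTED = ["intranet.example", "healthcheck.example"]  # always allowed (whitelist)
# Stand-in for the automatic adult-content classifier: hosts it would flag.
AUTO_FILTER_FLAGGED = {"adult.example", "healthcheck.example"}


def web_filter_payload(denied, permitted, auto_filter=True, identifier="com.example.webfilter"):
    """Build the payload. Older profiles use BlacklistedURLs/WhitelistedBookmarks;
    current Apple documentation names these DenyListURLs/AllowListBookmarks
    (my understanding; compare with the profile your MDM generates)."""
    return {
        "PayloadType": "com.apple.webcontent-filter",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,       # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Web content filter",
        "FilterType": "BuiltIn",               # Apple's built-in filter, not a plug-in
        "AutoFilterEnabled": auto_filter,      # the content-rating filter
        "BlacklistedURLs": ["https://" + host for host in denied],
        "PermittedURLs": ["https://" + host for host in permitted],
    }


def to_plist(payload):
    """Serialise a payload to XML plist form."""
    return plistlib.dumps(payload).decode("utf-8")


def host_matches(host, entry):
    """True if host is entry or a subdomain of it (simplified matching)."""
    return host == entry or host.endswith("." + entry)


def decide(url, denied=DENIED, permitted=PERMITTED, auto_filter=True, flagged=AUTO_FILTER_FLAGGED):
    """Return 'deny' or 'allow' under this example's precedence:
    blacklist first, then whitelist, then the automatic filter."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host_matches(host, entry) for entry in denied):
        return "deny"
    if any(host_matches(host, entry) for entry in permitted):
        return "allow"
    if auto_filter and any(host_matches(host, entry) for entry in flagged):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for sample in ["https://intranet.example/home", "https://www.badexample.test/",
                   "https://adult.example/", "https://healthcheck.example/status"]:
        print(sample, "->", decide(sample))
    print(to_plist(web_filter_payload(DENIED, PERMITTED)))
```

The `healthcheck.example` case is the one worth checking before deployment: a site the automatic filter misclassifies stays reachable only because it is on the permitted list, which is exactly the gap the article says the whitelist is there to cover.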
These are just a few simple, easy ways to get started planning or updating the security you have in place. Not every aspect will work for every business, so it is important to make sure your plans fit your iPhone and iPad security needs.
If this is a piece that you enjoyed, stay tuned for a similar piece on Mac security, or download our ebook on Apple Security Basics.