Earlier today Apple released the final version of iOS 9 to developers worldwide (with public release set for Sept 16, and a new iOS 9.1 beta drop available). Over the past few months, we have been busy working to ensure that Intune is fully compatible with this latest version of Apple’s mobile operating system, and we are happy to announce that Microsoft Intune has Day 0 support for managing iOS 9 devices. All the existing Intune features currently available for managing iOS devices will continue to work seamlessly as users upgrade their devices to iOS 9. As a member of the Intune Product Engineering team that works closely with Apple on support for its platforms, I want to share insights into some of the new iOS 9 features for IT and the Enterprise and how they are supported in Microsoft Intune. As we continuously update the Intune service, you will begin to see these new features and many more.
UPDATE: The iOS 9 extension is now available for System Center Configuration Manager.
Managed App Conversion
One of the most significant changes in iOS 9 is the ability to retroactively convert a personally-installed app to an Intune-managed app. Previously in iOS 8 and earlier, organizations wanting to take advantage of our family of managed Microsoft apps could deploy the managed apps using Intune. But in many cases, users had one of our popular productivity apps like Microsoft Word already installed. For Intune to manage that app, the user would have to manually un-install their “personal” version and allow the Intune-managed version to install. This was confusing and time-consuming, and since last year we’ve been discussing with Apple ways to improve the flow for managing apps on iOS devices.
Now in iOS 9, Intune has the ability (with the user’s permission) to “take over” management of an app already installed on the device. Rest assured that after “conversion” of the app, all the same Intune mobile app management (MAM) policies and data protection mechanisms are immediately put in place for the app and its data. And with our new support for multi-identity app management, users can leverage a single productivity app for personal and work use while Intune manages only the corporate account.
Under the covers, iOS 9 introduces a new “ChangeManagementState” key to the InstallApplication MDM command that Intune uses to push apps to devices. Setting this key to the value of “Managed” allows Intune to prompt the user to convert the app. Users on down-level versions (iOS 8 and earlier) will be unaffected by this new feature and will continue to see the “old” experience. This new iOS 9 capability will be made available in the next monthly update to the Intune service.
UPDATE: This new feature is now available for all customers and will take effect automatically when deploying apps to iOS 9 devices.
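To make the protocol change concrete, here is an added example (not Intune's code) that builds the InstallApplication command the way an MDM server would send it to a device, adding the iOS 9 ChangeManagementState key only when the reported OS version is 9 or later. The command keys (RequestType, iTunesStoreID, ManagementFlags, ChangeManagementState) are Apple's MDM protocol keys; the App Store ID is a constructed placeholder.

```python
"""Build the iOS MDM InstallApplication command, with the iOS 9
ChangeManagementState key that lets the device offer to convert an
already-installed, unmanaged copy of the app into a managed one.

Added example, not Intune code. Key names are from Apple's MDM protocol;
the store ID used in __main__ is a constructed placeholder.
"""
import plistlib
import uuid

# ManagementFlags bits from the MDM protocol reference.
REMOVE_APP_WHEN_MDM_PROFILE_REMOVED = 1
PREVENT_APP_DATA_BACKUP = 4


def parse_ios_version(version: str) -> tuple:
    """'9.0.1' -> (9, 0, 1); non-numeric build suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def build_install_application(itunes_store_id: int, os_version: str,
                              convert_existing: bool = True) -> dict:
    """Return the command envelope an MDM server sends for one app.

    ChangeManagementState is emitted only for iOS 9+. Down-level devices
    ignore the key anyway and keep the old uninstall-and-reinstall flow.
    """
    command = {
        "RequestType": "InstallApplication",
        "iTunesStoreID": itunes_store_id,
        "ManagementFlags": REMOVE_APP_WHEN_MDM_PROFILE_REMOVED | PREVENT_APP_DATA_BACKUP,
    }
    if convert_existing and parse_ios_version(os_version) >= (9,):
        command["ChangeManagementState"] = "Managed"
    return {"CommandUUID": str(uuid.uuid4()), "Command": command}


def serialize(envelope: dict) -> bytes:
    """Serialize to the XML plist the device expects."""
    return plistlib.dumps(envelope, fmt=plistlib.FMT_XML)


def wants_conversion(raw: bytes) -> bool:
    """Parse a serialized command and report whether it asks the device
    to take over an existing installation."""
    envelope = plistlib.loads(raw)
    return envelope["Command"].get("ChangeManagementState") == "Managed"


if __name__ == "__main__":
    PLACEHOLDER_STORE_ID = 123456789  # constructed, not a real app
    for ver in ("8.4.1", "9.0"):
        raw = serialize(build_install_application(PLACEHOLDER_STORE_ID, ver))
        print(f"iOS {ver}: conversion requested = {wants_conversion(raw)}")
        print(raw.decode())
```

The version gate is a server-side nicety rather than a requirement: the device simply ignores the key on iOS 8, so the failure mode of sending it everywhere is only noise, not an error.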
From the IT administrator's perspective, iOS 9 introduces a number of new configuration options and enterprise-ready features. I'll highlight some of the most impactful changes to the MDM framework and enterprise feature set here. You can check out the full set of new MDM restrictions in Apple's Configuration Profile Reference.
- A new App Trust Flow now prevents side-loaded apps from launching by default.
- Support for Exchange ActiveSync v16 protocol is enabled in the native Mail and Calendar apps (see more details on the Outlook dev blog).
- AirDrop can now be designated as an unmanaged storage location, helping to prevent a potential source of data leakage.
- iCloud Photo Library can be disabled to ensure photos containing sensitive content are not uploaded to third-party cloud services.
- A new MDM restriction hides the App Store icon while still allowing app installs and updates.
App Trust Flow
As a result of increased awareness of malicious apps, iOS 9 tightens the security model for launching side-loaded apps. After upgrading to iOS 9, users will discover that any apps installed from sources other than the official App Store (that is, apps signed with an enterprise distribution certificate) are blocked from running by default. To enable a side-loaded app, the user must complete a new app “Trust Flow”, which involves diving into the system settings and manually choosing to “Trust” the developer whose certificate signed the app. Once a developer has been trusted, all current and future apps signed by that same developer are enabled. Note that any apps deployed through Intune MDM are implicitly “trusted” by the device and will not require the user to navigate the Trust Flow. In addition, the new MDM restriction “allowEnterpriseAppTrust”, when set to false on Supervised iOS devices, prevents end users from trusting any side-loaded apps. This restricts the device to App Store apps and MDM-deployed apps only.
This enhanced security mechanism is likely a result of the widespread “Masque Attack” last year in which malicious apps masquerading as legitimate App Store apps were side-loaded on victims’ devices and attempted to gain access to sensitive data and user credentials.
AirDrop
We’ve previously discussed Microsoft’s multi-layered approach to data protection (protecting the device, app, file, and identity). One of the key security models iOS uses to protect data at the app and file level is the distinction between “managed” and “unmanaged” data, and between the managed and unmanaged apps and destinations that can hold it. To keep corporate data secure, you want to prevent managed data from leaking into unmanaged locations.
Back in iOS 7, Apple added AirDrop, a peer-to-peer wireless transfer feature, to iOS, effectively adding a new destination to which data can be sent. Around the same time, the MDM framework gained a restriction (“allowAirDrop”) that lets MDM providers disable the feature outright. The problem is that this restriction only works on Supervised iOS devices, leaving BYOD users susceptible to accidental data leakage. With iOS 9, a new MDM setting, “forceAirDropUnmanaged”, designates AirDrop as an “unmanaged” destination for data. This setting pairs nicely with the existing “allowOpenFromManagedToUnmanaged” restriction (shown as “Allow managed documents in other unmanaged apps” in the “Apps” section of the iOS Configuration Policy template in the Intune admin console), and both settings work on any BYOD or corporate device, with no supervision required. Our guidance is to set the first restriction (AirDrop as unmanaged) to YES and the second (managed documents in unmanaged apps) to NO. Because managed data then cannot flow to any unmanaged destination, and AirDrop now counts as one, users cannot accidentally transfer corporate data wirelessly to another iOS device or Mac using AirDrop.
iCloud Photo Library
As part of the iOS 8.1 update last year, a new feature called iCloud Photo Library made its debut. The successor to Photo Stream, iCloud Photo Library automatically syncs your entire collection of photos and videos to Apple’s cloud service, enabling access from any other device and making it easy to share the content with contacts or family members. That is perfect for sharing photos of your recent snorkeling adventures in Hawaii, but problematic for snapshots of the whiteboard at yesterday afternoon’s quarterly sales meeting. The iOS 9 update adds an important new MDM setting, “allowCloudPhotoLibrary”, which, when set to false, disables this cloud syncing feature; it does not require supervision, so it covers BYOD devices too. Users can still share photos manually without the risk of accidentally leaking corporate images to the cloud.
App Store Icon
For a while now, it’s been possible to limit the ability of end users to install and uninstall apps on their device using two MDM restrictions: allowAppInstallation and allowAppRemoval. Setting both of these to FALSE disables the App Store functionality (the icon disappears from the home screen) and also disables the option to uninstall apps (the “x” symbol over the jiggling icons just doesn’t show up). This allows IT administrators to manage a device, provision it with all the requisite apps, then flip on the restrictions to prevent the user from disrupting the apps installed on the device. This works well enough, until one of the apps needs updating or a new app needs to be added. With allowAppInstallation set to FALSE, neither of these actions is possible, because that restriction blocks MDM-initiated installs as well as user-initiated ones.
Fortunately, iOS 9 introduces a much-needed new setting: allowUIAppInstallation (note the “UI” part of the setting name). Setting this restriction to FALSE on a Supervised iOS device removes the App Store icon from the home screen, but allows app updates and new apps to continue to be deployed through MDM. This effectively limits the user’s ability to add or change apps on the device, while offering the IT administrator maximum flexibility to continue deploying apps and updates to the device. The result: true app whitelisting capability on iOS.
All of these new iOS 9 MDM restrictions (and any of the MDM settings from previous releases) are supported today in Intune using iOS Custom Policy. So go ahead and take advantage of the new enterprise capabilities as your users upgrade to the latest version of iOS.
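Because the iOS Custom Policy takes a .mobileconfig, the settings from the App Trust Flow, AirDrop, iCloud Photo Library and App Store Icon sections above can be expressed in one restrictions payload. The following is an added example (not Intune's or Apple's code) that builds such a payload with the recommended values and then audits an arbitrary profile against them, reporting keys that are missing (so the permissive device default applies), keys set to the wrong value, and supervised-only keys that an unsupervised BYOD device will silently ignore. The payload keys are Apple's com.apple.applicationaccess restriction keys; the organization name, identifiers and the "weak" sample profile are constructed.

```python
"""Build an iOS restrictions payload with the iOS 9 keys discussed above
and audit a profile for the recommended data-leakage settings.

Added example, not Intune code. Restriction keys are Apple's
com.apple.applicationaccess keys; org name, identifiers and the weak
sample profile are constructed placeholders.
"""
import plistlib
import uuid

# Recommended values that work on any device, supervised or not.
RECOMMENDED = {
    "forceAirDropUnmanaged": True,             # AirDrop is an unmanaged destination (iOS 9)
    "allowOpenFromManagedToUnmanaged": False,  # managed documents stay in managed apps
    "allowCloudPhotoLibrary": False,           # no iCloud Photo Library sync (iOS 9)
}
# Keys the device honours only when supervised; ignored on BYOD devices.
SUPERVISED_ONLY = {
    "allowEnterpriseAppTrust": False,   # users cannot trust side-loaded apps (iOS 9)
    "allowUIAppInstallation": False,    # hide the App Store, MDM installs still work (iOS 9)
}


def build_restrictions_profile(org: str, supervised: bool) -> dict:
    """Return a top-level Configuration profile with one restrictions payload."""
    settings = dict(RECOMMENDED)
    if supervised:
        settings.update(SUPERVISED_ONLY)
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ios9-restrictions.applicationaccess",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "iOS 9 data-leakage restrictions",
        **settings,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ios9-restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "iOS 9 restrictions",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize to the XML plist that Intune's iOS Custom Policy accepts."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(raw: bytes, supervised: bool) -> list:
    """Return human-readable findings where the profile deviates from
    RECOMMENDED (plus SUPERVISED_ONLY when the target is supervised).

    A missing key is a finding: Apple's default for each of these keys
    permits the behaviour (e.g. forceAirDropUnmanaged defaults to false).
    """
    profile = plistlib.loads(raw)
    restrictions = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            restrictions.update(payload)
    expected = dict(RECOMMENDED)
    if supervised:
        expected.update(SUPERVISED_ONLY)
    findings = []
    for key, want in expected.items():
        got = restrictions.get(key)
        if got is None:
            findings.append(f"{key}: missing (device default applies)")
        elif got != want:
            findings.append(f"{key}: is {got}, recommended {want}")
    if not supervised:
        for key in SUPERVISED_ONLY:
            if key in restrictions:
                findings.append(f"{key}: set but ignored on unsupervised devices")
    return findings


def weak_byod_profile() -> bytes:
    """Constructed sample: blocks managed-to-unmanaged open-in but forgets
    AirDrop and photo sync, and relies on a supervised-only key on BYOD."""
    return to_mobileconfig({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.weak",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadContent": [{
            "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.weak.applicationaccess",
            "PayloadUUID": "00000000-0000-0000-0000-000000000001",
            "allowOpenFromManagedToUnmanaged": False,
            "allowEnterpriseAppTrust": False,
        }],
    })


if __name__ == "__main__":
    for finding in audit_profile(weak_byod_profile(), supervised=False):
        print("finding:", finding)
    print(to_mobileconfig(build_restrictions_profile("Contoso", supervised=True)).decode())
```

Running the audit on the constructed weak profile shows the BYOD trap from the AirDrop section: blocking managed-to-unmanaged open-in alone still leaves AirDrop open, because without forceAirDropUnmanaged the device does not treat AirDrop as unmanaged.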
Every new release of iOS brings with it exciting new features and security enhancements that enable apps to interact more deeply with the device and the user. The Intune engineering team has evaluated all the facets of iOS 9 and assessed their potential impact on the security of corporate data held by apps.
- Search integration for apps. For apps that implement this feature, two new indexes are created: a private on-device index, and a public “Apple cloud index.” The private index is stored securely on the device and never uploaded to third-party cloud services or synced across devices. For the cloud index, app developers must opt-in to have specific data anonymously-hashed and indexed, ensuring that by default corporate content is never indexed in the public cloud.
- Multi-tasking. iOS 9 Split View (supported on iPad Air 2 hardware) for the first time allows two third-party apps to run side by side in the foreground. We’ve updated our Intune App SDK so that it’s ready to handle multi-tasking apps and keep content secure in the foreground and the background.
- canOpenURL limits. Due to recent concerns around apps “scanning” a user’s device to determine what other apps may be installed (which is both a privacy and a security concern), iOS 9 now requires apps to pre-declare, in the LSApplicationQueriesSchemes array of their Info.plist, which custom URL schemes they wish to query. This effectively prevents apps from indiscriminately calling canOpenURL repeatedly in order to probe for the presence of other apps on the device.
DEP and VPP
From the WWDC Enterprise content as well as our continued discussions with Apple, a strong theme has emerged: managing corporate-owned iOS devices is best accomplished by leveraging Apple’s Device Enrollment Program (DEP) for enrollment and Apple’s Volume Purchase Program (VPP) for app deployment. DEP is Apple’s streamlined mechanism for pre-enrolling corporate-owned devices into MDM. We’ve previously discussed how to use Intune with Apple DEP. As part of the iOS 9 release, Apple has enabled a highly-requested new capability: using MDM (the new ScheduleOSUpdate command), IT administrators can now push OS updates to DEP-enrolled iOS devices. This makes it possible to ensure all the corporate iOS devices on your network are up to date with the latest security patches and management features. Unfortunately, this new feature does not work for devices enrolled through Apple Configurator; DEP enrollment is required.
VPP is a mechanism for enterprises to easily purchase, manage, and distribute apps to their users. To read more about the Intune VPP management capabilities head to the TechNet page here.
The iOS 9 release is not all about new features and additional MDM settings. From a networking perspective, iOS 9 opens up a world of opportunity by enabling third parties to implement custom enterprise VPN solutions on the platform. In iOS 8 and earlier, only a limited set of third-party VPN providers (such as Cisco AnyConnect and F5 Edge) were supported on the iOS platform, and you can use Intune to configure these VPN services on iOS devices. On iOS 9, any third-party VPN provider can interface with the device using the Network Extension framework. Developers can build a special “VPN app” containing a network extension that runs in the background and handles traffic tunneling, either a packet tunnel provider at the IP layer or an app proxy provider at the app layer. The app itself can provide UI for configuring and controlling the VPN tunnel. This new framework further enhances the extensibility of the platform and enables access to additional enterprise VPN services on the device.
For a complete list of all the new features and settings in iOS 9, check out Apple’s IT/enterprise resources and iOS 9 developer resources (PC users can download the WWDC videos or stream them using Microsoft Edge browser on Windows 10).
And feel free to continue the conversation with the engineering team at our Intune feedback site – tell us what favorite iOS 9 enhancement you’d like to see added to the Intune service!
-Kieran Gupta, Program Manager
Microsoft Intune Device Experiences Team