Transcript
>> Dave Rahardja: Welcome to Session
108: Managing Mobile Devices.
My name is Dave Rahardja and I'm joined
here with my colleague Chris Skogen.
Now with a title for our session called Managing
Mobile Devices I'm guessing there are two groups
of people here who will make up the majority of you.
So the first group I think are IT managers,
IT developers who are trying to figure out how
to integrate iPhone into your enterprises.
Right? [applause] So this talk is for you.
And the second group of people who are probably here
are developers of enterprise appliances and server apps
and you're trying to figure out how to make
your next killer app to sell to the enterprise
and this talk is also for you, so let's get started.
When we talk about managing mobile devices
and the enterprise we're probably talking
about three specific requirements.
So the first thing that you got to do to manage
your mobile device is you need to configure them.
You need to set up email, you need to set up VPN,
Wi-Fi access, as well you need to set up restrictions
such as passcode complexity limitations, or
disabling certain features on the device.
So that's the first thing you got
to do, configure your device.
Now once you do that you need to enroll a large
number of devices into your management system.
You don't want to have to manually configure
every device that comes into your organization
because you might have thousands
or tens of thousands of devices.
So how do you get these devices enrolled in your
management system without manual intervention?
So that's the second requirement and
the third requirement is management.
Once you've configured these devices your
configurations will change over time.
So certificates expire, server addresses change,
people move from one department to another.
How do you keep their devices up to date?
So that's the third key to the puzzle, management.
And in iOS 4 we have three great solutions for you to
address these three specific requirements so the first one
for configuration we have configuration profiles.
For enrollment we have Over-the-Air
Enrollment and brand new for iOS 4
to manage your devices we have Mobile Device Management.
[ applause ]
So three key technologies that we are presenting to you
in 4 to make your life easier as an IT administrator
and developer and to help you make your next killer app.
So let's take a look at these three during the next hour.
Starting with configuration profiles: so a lot of
you are already familiar with configuration profiles,
they're just XML files, they're simple XML files, they look
like this, it's a P-list so if you're familiar with P-list
on OS 10 and you use these files to configure
accounts and settings using what's called payloads.
So a single configuration profile
contains one or more payloads.
Each payload can be an exchange setting, email accounts,
VPN etc. or it can also be restrictions
and passcode requirements.
You can make these things using iPhone
Configuration Utility which is a free download,
because they're XML files you can use your own script
on your server, or you can purchase a third party app
to integrate this with your server management system.
So let's take a look at how iPhone Configuration Utility
helps you to create these configuration profiles.
So over to Chris.
>> Chris Skogen: Thanks Dave.
There we go.
I don't know how many of you ever seen iPhone
Configuration Utility before but this is it.
We're going to take a quick tour around.
iPhone Configuration Utility or iPCU as we like to call it.
iPCU is the primary means, you know, for Apple to
generate configuration profiles for your devices.
In addition to using it to create configuration profiles
you can also use iPCU to store those configuration profiles.
You can also store enterprise applications
and you can also store provisioning profiles
that can be later installed on devices.
iPCU typically does all of its installation to devices via
the tether so it tends for that type of feature it tends
to be a really good tool for small shops but
for making configuration profiles it excels.
Here on the left side of iPCU we have a library with
source list and you'll see where it contains devices
that have been connected to iPCU via tether.
It also contains a list of applications
that I can deploy to devices.
It also has a place for provisioning
profiles for those applications
and here's the one we're most interested
in for the purposes of this demo.
This is configuration profiles.
Once I've selected the source for configuration profiles
on the right side I see like a master detail view
where the upper portion will show me all of the
configuration profiles that I have in my library
and below I get the editor for each
of those configuration profiles.
So to begin making a configuration profile what
we do is we go up to the toolbar and we hit New.
Creates a configuration profile here called profile name,
and I'm automatically selected on the general payload
so in the general payload I would enter a specific name
to help me remember what this is for and I'm also required
to enter in a identifier for the configuration profile.
Com.apple.myprofile, something like that.
Then going down the list I have the rest
of the payload types that iPCU supports.
We see passcode restrictions or passcode requirements,
we see restrictions, we see Wi-Fi, VPN, email,
exchange accounts, LDAP accounts,
CALDAV, CARDAV, subscribe calendars.
I'm not going to go through all of these today 'cause
there's many but I'm going to kind of go down the list
and touch on the things that are new in iOS 4.
If I go over to restrictions to add a restrictions
payload to this profile I just hit Configure
and the UI will change to show me the restrictions editor.
The restrictions editor are really things that you can
put on the device to stop your user from using the feature
or save ratings from movies or content from the store
and also for iOS 4 we've also added a few new ones.
You'll see allowed voice dialing, you can
actually force your users to encrypt backups here.
We've also allowed in iOS 4 we've allowed control over
Safari so here I can disable Safari's use of auto fill.
I can also force my user Safari to block pop-ups and we've
also added ratings down here at the bottom for the store
so we can say well, ok, I want my users
only to be able to see PG-13 or less movies.
In iOS 4 another new feature is multiple exchange accounts.
Previously we allowed a single exchange account on a
device in a configuration profile now we can do multiples.
We just merely hit that second button there and there's
another exchange account configured for the device.
In iOS 4 we've also added Card dev.
I just click configure, enter in the
account name, host name and port, URLs,
things like that to let my users access the Card dev.
In Web Clips we've added a new feature to configuration
profiles that enable you to fire the web clip
in full screen modes so it kind of
looks like a complete app when it runs.
You'll also see the Mobile Device Management payload,
which Dave is going to talk about in detail later.
So for the sake of this demo let's go ahead I
have a profile up here that I've already built.
I'm going to get rid of the one.
So I have a profile here that I
pre-built that has a passcode.
It's going to require my users to
have a passcode on their device.
It also has a web clip that's going to give
them access to a URL and my enterprise.
It's also got an exchange account
so they can get to their email.
When I install this on a phone all of those payloads
are going to be deployed at one time and there's no way
to separate them so when we see this go we're going
to be forced to put on a passcode and in exchange
for that we're going to get access
to email and that web clip.
So when a phone is connected in
iPCU to the 30 pin, as this one is,
you'll see it on the left side as a connected device.
So I click on that and it will show me what
configuration profiles are currently on that device
and it also shows me the ones in my
library that I can add to the device.
So here's the one that we want to target for this
device so I'm going to go ahead and hit install.
I'm going to flip over to the device
itself, it's pretty hard to make out.
>> That's pretty harsh.
>> Chris: Yeah it's pretty bright.
Does anybody know how to get that down?
[ pause in speaking ]
>> Just adjustments on the projector.
>> Chris: Once I hit install on
iPCU the phone actually prompts me
with this install screen for installing the profile.
Right here it says what's, you
know, the name of the profile?
It shows that it's verified.
When we send it over from iPCU we sign it and encrypt it.
It'll also show you the different
payloads that are in the profile.
You'll see a web clip, an exchange account and a
password policy; those are the three that we put in.
Now go ahead and hit Install.
It'll prompt me to confirm it, we'll see that it's
installing the profile, takes a couple of seconds.
What it's doing now at this point is it's going
to go through and evaluate the payloads typically
with the exchange account it's going to try to make contact
I believe so we're just going to wait for that to happen.
We're just going to let that run and continue on.
So anyways that is iPCU trying to install the profile
and I will drop back and if that ever finishes,
the rest of the connected device screen you'll see here
is provisioning profiles that might be on the device,
applications that are on the device and iPCU
also lets you see the console on the device
and save it and export it to a disk file.
That is iPCU and this thing is not done so I'm
going to send it back to Dave to keep it going.
>> Dave: Alright thank you Chris.
So with iPhone Configuration Utility it's really easy
for you to create profiles that contain the settings
that you want, using a very user friendly UI and you can
install these profiles on a device by tethering it directly
to the device and sending the profile over that way.
So let's take a little closer look
about configuration profiles.
As you saw with iPCU profiles can be signed and encrypted.
Now with iPCU the encryption keys are exchanged between the
device and the computer via the USB cable but as we move
on you're going to see that you need
the device to have the private key
to decrypt the profile before you can encrypt the
profile for that device and that presents a challenge
which we're going to address with the other technologies
that we're going to present later today in this session.
You can install profiles over USB
but you can also install it
over the air using the other technologies
in this presentation.
Now here's the key fact that you have
that you can use to your advantage.
All of the payloads installed in the profile
are installed together or not at all.
So all the payloads are installed together or not at all
and this gives you the ability to combine restrictions
and account access in a single payload and this
is a technique we call the carrot and stick.
So the carrot and stick basically says if you want access
to my email servers you must have a passcode
of a certain standard on your device.
If you want access to my VPN then you can only let your
device idle for five minutes before it locks the screen.
So you combine the carrot which is access to your resources
with the stick which is the restriction that you put
in place to get that access and since the profile needs
to be installed together the user can't remove
the restriction without also removing the access.
So use this to your advantage.
Carrot and stick combine your restrictions
and your account access in a single profile.
So that's configuration profiles.
It allows you to configure your iPhone very easily
using XML files that you can generate and install them,
get your accounts in there, your
restrictions, your certificates,
etc. So now you can do that with iPCU you can
connect your phone to your computer and that's great
and then you get 20 iPhones and then you get
50 iPhones and you get 100 iPhones and 1,000
and 10,000 iPhones you don't want to handle each one
of them by hand because you'd be doing nothing else.
So is there a way to get these iPhones
configured without manual intervention?
And the technology we use to solve that
problem is Over-the-Air Enrollment.
So let's take a look at that.
Over-the-Air Enrollment allows you to use a web
portal to set up the iPhones so the user logs
into your web portal and gets their iPhones configured.
Because you know their login you can create a custom profile
for each login and this is useful because you may want
to configure a phone owned by an
employee on the west coast a certain way,
Wi-Fi and VPN access for them,
versus somebody in the east coast.
You may want to configure a phone that
belongs to engineering a certain way
versus something that belongs to a user in sales.
So you can make these decisions and deliver custom
profiles using OT Enrollment based on the user's login.
As an added benefit of OT Enrollment we use a protocol
called SCEP: Simple Certificate Enrollment Protocol
to exchange certificate information so that
the phone has a private key and a public key
and then your server has the public key to
that iPhone and now you can encrypt profiles
for the iPhone, so let's take a look at how that works.
So by the way I have an iPad here that I'm
using to control a server behind the scenes
so I'm not actually controlling the iPhone
from here but this is just a console
so I'm going to stage a profile for enrollment.
So the first thing you see in OTA
Enrollment is a login screen.
So the user visits a login screen and they type the
user name and password so Chris is going to login here
[ pause in speaking ]
and he gets a view that shows him that he's enrolling
in a configuration service so go ahead and install that.
Now the device is using SCEP to exchange their public
key with the server and then it installs a profile.
Ah, this time it works.
Thanks for turning off your MiFis.
So set a passcode, this is the same profile that were set
up using iPCU a few minutes ago so we require a passcode
and we're going to configure an
exchange account and a web clip.
Notice that you are prompted for a passcode before the
profile is actually installed and it's installed, tap done,
so let's go back to the home screen and there's
our web clip, the Apple web clip and oh,
we have an email, our email is set up, there you go.
So that's Over-the-Air configuration.
You go from a login to a custom-configured iPhone and
this is of course very scalable because you don't have
to do any manual steps once you've configured
your web server and you can put in rules
that configure devices according to your IT policy and
you can deliver custom profiles based on a user's login.
So let's take a closer look at how
this actually works behind the scenes.
The first thing you want to do is you want to send
your user to visit a URL, so you can do this using SMS,
you can send them an SMS with URL in it, you can send
them an email instructions, or just tell them to go
to the IT page and tap a link or some combination
of those, so get them to go to a portal.
The user will then log in with their credentials.
Now you know who they are and you can decide whether
the user is eligible for your enrollment service or not.
If they are, your server then sends a device
authentication challenge which will show up as
that view with the install button on the device.
If the user taps install, what happens is then the iPhone
is going to talk to your server and tell your server
about its hardware and configuration, so it
tells it what model it is, what OS version it has
and serial numbers and a handful of other information.
At this point, your server can make another decision
whether to continue with enrollment or whether
to deliver a custom profile based on the device type.
For example, iPod Touch versus iPhone versus iPad.
If your server decides to go on we then use SCEP:
Simple Certificate Enrollment Protocol to exchange keys,
and this is how it works, so the iPhone
generates a public and private key pair.
It then takes the public key and sends it
to your certificate authority server
as a certificate signing request.
Your server then signs the certificate, keeps a copy for
itself and sends the signed certificate back to the device.
At the end of that process the device has a private
key and a public key in the form of a certificate
that has been signed by you and you
have the copy of the public key,
now you can encrypt profiles for
the phone, which is what you do.
You create a custom profile which you then encrypt and
send to the phone where it automatically gets installed
and new in iOS 4 you can now configure the iPhone
to send a confirmation back to your server
to said yes, I installed this profile successfully.
So this is how OTA Enrollment works.
You go from a login to creating
a custom profile specifically
for their user according to your
rules, based on their login.
So that's OTA Enrollment.
[ applause ]
So now we can use configuration profiles to configure
your phones to set up your accounts and restrictions.
We know how to deliver these custom configurations
in a very scalable way using OTA Enrollment.
Now, your configurations changed, right, your email servers
may move or your VPN may change, certificates expire
and users may move from one department to
another and you have to reconfigure your phone.
Well how do you do this?
Well what you do now in iOS versions prior to 4.0
is you tell the users to re-enroll so you go back
to the URL, re-enroll your phone reconfigured.
Well that's great but, you know, how can we automate this?
How can we proactively configure
someone's phone and while we're at it,
why not try and find out what the snapshot
of the device state is at that time.
Are you still compliant?
Did you do something to your phone?
Did you upgrade your OS without letting me know?
It would be nice if you could do that, wouldn't it?
Yet now we can because in iOS 4 we have a new
technology that we call Mobile Device Management.
Let's take a closer look.
Mobile Device Management: Mobile Device Management
allows you to manage iPhones over the air and on demand.
It works over Wi-Fi and cellular so it works
with iPhones, it works with iPod Touch,
it works with iPad when iOS 4 becomes available for it.
It is mostly transparent to the user; the user
wouldn't even know that you're managing their phones.
Things just get magically set up and
updated without the user knowing it.
So users buy iPhones and iPads and iPod Touches because the
user experience is great and we want to be able to preserve
that while giving you the ability to manage the devices.
You get to initiate this process using
the Apple Push Notification Service.
Now why do we do this?
Well the Apple Push Notification Service is great for
preserving battery life so the device is essentially asleep
until it gets a Push Notification,
so that's one main reason.
The other is the Apple Push Notification Network is far from
being exercised to capacity, there's a lot of bandwidth left
and we can use this to our advantage so that you get a
response for the device in a reasonable amount of time.
However, once the device wakes up, it talks to your server
directly using HTTPS so Apple's network wakes the device up
and then gets out of the way and now
it's between your server and the device.
You get a comprehensive list of management
features using Mobile Device Management.
You get a handful of very useful
remote commands and lots of queries.
Let's take a look at those.
So remote commands you can install and remove
configuration profiles over the air on demand.
So as your configurations change you can update them, you
can install and remove provisioning profiles so if you have
in house apps you use this to install provisioning profiles
on the devices and keep them up to date so as your provision
and profiles expire, before they expire, you replace them
with a new provisioning profile and the user doesn't know
that it's expired, no alerts no
nothing, reduces your help desk calls.
You can lock a device, you can remove a passcode.
Now why would you do this?
Well since you are the IT crowd there's some of you
who have made your users have 12 character passcodes
with punctuation, no sequential
characters and alphanumeric, right?
And what happens?
They forget.
They forget their passcodes.
So this gives your help desk another
button to push to support your users
so if they forget the passcodes they give you
a call, maybe you do somebody else's iPhone,
let that sink in for a minute, but now you
have the option to send a command to the device
to temporarily remove the passcode
so that they can enter another one.
Let's take a look at oh you got remote erase so
you can erase a device without using exchange.
[ applause ]
So very useful commands, very powerful commands.
Let's take a look at what you can ask the phone.
You can ask it about its network details.
Bluetooth and Wi-Fi Mac addresses, etc.
What can you do with this information?
You can tell if a user is roaming.
You can tell if a user is roaming with their data
roaming turned on and you can tell them to turn it off.
You can tell when the user has changed their SIM card.
Some of you have policies about that about international
travel where you want them to change the SIM card
to use a local SIM, you can use this
to check whether they've done that
and when they change their SIM card their phone numbers
change you can ask the phone what is your current phone
number and you can update your database, very convenient.
You can ask the phone about its device
information, sort of general device information.
So OS build version at that time so on demand
if the user upgrades their OS you can detect it.
You can also detect free space available so if you have
enterprise apps that require certain amount of free space
to download very large documents you can warn the user,
hey, you know, you're not going to be able to use this part
of the app unless you free up some space.
You can ask the device about application details.
What apps do you have installed?
How much space are they taking up?
And what version are they?
And the version part is important for you
because as you deploy enterprise apps you want
to make sure users keep updating their versions
so that you can keep the support up to date
and if the user hasn't updated it
you can send them a friendly email,
hey please update your app before we drop support
for your version and you can do this proactively,
and you can of course you can install and a query
provisioning profiles so you can see when they're going
to expire on the device and install
a new one before it expires,
and finally you can ask the device for
compliance and security information.
So you can ask what configuration profiles are installed,
what certificates are installed, when they expire,
what restrictions are in effect and this
is an interesting one, data protection.
So in iOS 4 we're introducing a new kind of encryption
called Data Protection that encrypts your email database
and your attachments with an encryption strategy
that involves the passcode on the device
and it protects the data at rest with your passcode.
Well in order to use this capability the user
must have formatted the device in a certain way
and not all upgrade paths lead to that
formatted state and you can use the query
to determine whether the device is
actually supporting data protection.
This is of interest to you because you want to know that
your devices are protected to the best possible extent.
By the way, the way that you get your devices into the
state of data protection is you need to back up the device,
restore it to factory settings,
and restore the data but make sure
that the device is correctly formatted for data protection.
So you can find out if that's working on the device
and of course passcode compliance you have a passcode
standard you want to know if the user's still compliant.
So network details, device information, application details
and compliance and security these are very comprehensive,
gives you a comprehensive snapshot of the
device at any time, this is on demand.
[ applause ]
Let's see how it works.
Again I'm using my iPad to control a server back there.
I'm not actually controlling the phone from this device,
although that would be cool so alright
so the first thing we do is we go to OTA
Enrollment again just as we saw previously.
Chris is going to log in but instead of delivering
the final configured profile, as we did previously,
we're going to deliver a profile that just has the
MDM payload in it so let's go ahead and install that,
SCEP exchanging keys, installing the
profile, oh and you get a warning
that says hey this guy wants to
manage your phone, do you agree?
Sure let's install that and it's installed, so
now I'm managing Chris's phone, it's that simple.
So let's see what we can do [laughter].
Be nice. So let's add a web clip to the home page.
Now watch closely I'm going to install profile
here and I'm going to send a Push Notification, go.
Boom there it is
[ applause ]
Let's see another demo let's go to the mail account Chris.
So nothing there so it says set up your mail account well
I don't know about that, maybe I'll configure it for him.
So I'm going to send a mail account, push.
Boom it's configured
[ applause ]
It's going to take a second here to
download the messages there it is.
So I'm not going to push a passcode
restriction to Chris's device.
Now as you can tell the whole process is very unobtrusive.
The user doesn't even have to know that you're doing
anything and all of a sudden his emails arrive.
You know it's how did that happen?
Well you did it, right?
So what about passcode restrictions?
How's that going to work?
So let's try that.
So I'm going to install a passcode restriction
on his phone, push, and you're going to notice
and that's installed ok now it's installed but
nothing happens, so let's go to the homepage.
Oh, somebody pushed a passcode restriction on
you and you have 60 minutes to comply [laughter].
Well the reason we do this is we don't want to immediately
apply the passcode restriction in case Chris was
at the airport and is looking up flight information and
he's like, oh, I got to enter a passcode while I'm running
to the gate, so we give a little bit of grace
period there and give him 60 minutes to do that.
Now this is going to count down 59, 58, and
once it gets to 0 that later buttons going
to be gone so you have to comply right there.
So he's going to dismiss it, now he's going to do other
things, he's going to email and notice that when he does
that and he goes to the Home button it doesn't appear again
and it only appears the next time
he sleep cycles the device.
So sleep, ok I'll wake it up again, oh there it is,
it's still 60 minutes it will say 59,
58, etc. So let's comply with that.
[ pause in speaking ]
So now he's complied with the passcode.
So he's going to lock the device and try and
enter a passcode here, and alright there you go.
So let's lock the device again
and try another scenario shall we?
So Chris has forgotten his passcode.
I made him enter a 12-character passcode
and he's forgotten, uh-oh, now what?
Help! Oh that's too bad.
So he calls my help desk, your help desk,
now you have the ability to clear a passcode.
So I'm going to send a clear passcode here and oh
you have to press cancel, let's see what happens.
Oh it's gone and you get the passcode
requirement alert again
[ applause ]
So that's Mobile Device Management and it's pretty cool.
So let's take a look at how this works.
So the first thing you do as you saw
is you go through OTA enrollment.
The user types a login, goes to your server,
you say, ok, this guy, I know him and I'm going
to configure the device through Mobile Device Management.
So you've seen that before.
So you generate an MDM profile, or a
profile that contains an MDM payload in it,
instead of your final configuration you configure it
to just have MDM and it gets installed in the device.
At this point, the device talks to the server, talks to
your MDM server to bind itself to its management service
so it says, hey, I want to be managed by you is that ok?
The server says sure, the device verifies that the
HTTPS certificate is valid, etc., and they're bound.
Once everything's in place the device
basically goes to sleep and listens
for the next notification from your server.
This is the end of initial configuration.
The device is configured.
Now when your server wants to talk
to the device all it has to do is
to send a Push Notification to our Push Notification server.
Our services are going to deliver that to the
device via 3G or Wi-Fi and wake the device up.
Now there is no command inside the notification.
The device talks directly to your server through HTTPS and
at this point your server can talk to the device and ask it
to do things, send commands, send queries, the device
talks to your server and this can be a batch command
so you can send it more than one command, it does it in
a batch, it also saves battery life, do it in a batch
and once it's done the device goes back to
sleep and listens for the next notification.
So it's very simple but very powerful,
gives you access to the device on demand.
There is one thing that we need to remember when we're
managing a device through Mobile Device Management
and it has to do with something we call manage profiles.
So let's take a look at under the hood of an
iPhone after it is being managed by your server.
So the first thing you do as you saw is you
want to install an MDM configuration profile
into the iPhone using OT Enrollment so this is the
root MDM profile, that's the first thing you install.
Once that's installed you can install
other profiles through MDM.
These profiles that you installed are called managed
profiles and these are distinct from profiles
that you install using iPCU for
instance which are not managed profiles.
So what's the difference?
Your MDM server can query for all of the profiles
on the device, including the unmanaged ones
so you can tell what other things the
user has installed on their phone.
However, it can only remove or replace managed profiles.
Right? It can only remove or replace managed profiles, so
if you didn't install it you can look but you can't touch.
Those are the rules.
You can also install profiles through MDM that are locked.
These are profiles that are marked unremoveable
by the user so the user can look in the settings
and there will be no remove button on the profile.
So the user can't remove these profiles but
your root MDM profile may not be locked,
so the user can remove that profile at any time and
terminate their relationship with your management server.
This is very important.
The user can always terminate their relationship
with your management server but if they do
that all of the managed profiles are removed.
So why is this important?
Well remember the carrot and stick.
So you now have two approaches to do carrot and stick.
So the first one you've already seen.
You put your restrictions and your accounts in a single
profile, the user cannot remove one without the other,
so as long as they have access to your accounts
they must have the restrictions in place.
With MDM you can use manage profiles to do another way
of carrot and stick, another way to do carrot and stick.
You install the restrictions first in a locked profile.
The user can't remove it and then you can query the
device if you want, make sure that the users comply
with the 60-second grace period for the passcode,
if you like, and then install the account.
So the user cannot remove the restrictions
without removing also the accounts.
So the only way they can get over the restrictions is
to stop their devices, remove the root MDM profile,
terminate the relationship with your management server
but they lose all the accounts as
well so that's your carrot and stick.
If you want access to my resources
you've got to let me manage your phone.
If you want access to my resources you've
got to have these restrictions in place.
So that's carrot and stick number two so these are the two
choices you can either one of these is fine by the way.
You can use the first carrot and stick approach
with MDM, that's fine you can install a profile
with both the restrictions and account access and so you can
but this is another choice the second way is more granular
because you can install an individual
restrictions or individual accounts.
So pick one that goes with your IT workflow
best or your enterprise server at workflow best
and go with it, so two ways of doing carrot and stick.
So that's Mobile Device Management
[ applause ]
So three key technologies in iOS 4 that helps you
to manage iPhones in your enterprise and help you
to create your next killer app for the enterprise space.
Configuration profiles lets you
configure iPhones with accounts
and restrictions and settings just the way you like it.
OTA Enrollment allows you to enroll tens
of thousands of devices using a web portal
and now in iOS 4 you have Mobile Device Management that
allows you to monitor and manage these devices on demand
and over the air, but there is one more thing.
There's a new feature in iOS 4 that you've asked us
that will make your lives easier
and today we're giving it to you.
That new feature is Wireless Enterprise App Distribution
[ applause and cheering ]
You can now distribute your enterprise apps
wirelessly without having the user to go
through the tethering process and downloading your apps.
So we use, we allow you to distribute in-house apps in
this protocol using your web server, your own web server.
No need to register your app with iTunes
you serve it up, the user can install it.
There is Xcode integration to make your life
easier to stage your apps for deployment this way.
Let's see how it works.
So I'm still managing Chris's phone, so
I'm still managing his phone through MDM.
So what I'm going to do here is I am going to
install a provisioning profile and a little web clip.
Now remember I can batch these commands so I'm going to
send a push notification now and it's going to do both.
There it is.
Oh it's an app catalogue; it's your app catalogue.
So let's tap that link.
Ah these are your apps.
They're hosted on your web server and this is just a
simple webpage that you serve up on your web server
so let's install the customers app,
maybe this is a CRM application.
Oh sure, install that, and it's installed
[ applause ]
So it's that simple.
So how do you get this thing going?
What do you need?
Well you need a web server but you probably got one already.
You need a distribution provisioning profile.
You can download this through the developer's portal,
it's the same provisioning profile that you've always had.
You need your apps to be packaged in the .IPA format and
you need an XML manifest to help the phone find your app
and figure out how to install it and fortunately
we automate the last two pieces using Xcode.
So you [applause] you click an archive so you do an app
archive and you say share with enterprise or distribute
for enterprise and fill in the forms
with a URL and that's all you need.
It works best with MDM.
Now wireless enterprise app distribution does
not require MDM so you can use this today.
You can deploy your apps today with iOS 4 just
using your web server, tell the users to go here,
grab the app and off they go but it
works best with MDM and here's why.
You can install a web clip for your app
catalogue like I saw and save your user
from having to find where to get the apps.
You can install and renew provisioning
profile which is really cool.
It helps you to prepare the devices to have the
provision and profile before the users install the app
and renew this provision and profiles before
they expire so the user experience remains great.
You can monitor your app versions, which is important again
if you're doing enterprise app development you want your
users to stay on the latest version so you can use MDM
to remind users to upgrade their installations if needed.
So configuration profiles lets you configure the phones with
your accounts and restrictions just the way you like them.
Over-the-Air Enrollment lets you deploy these
configuration in a customized way using your rules,
very scalable solution for tens of
thousands of iPhones using a web portal.
Mobile Device Management lets you manage these devices,
monitor them and keep their configurations up to date
on demand and over the air and now wireless app distribution
allows you to distribute your enterprise apps wirelessly.
Four great technologies in iOS 4 to help you
integrate iPhone at your enterprise better
and to help you make your next killer enterprise app.
So what next?
I'd like you to start using these technologies.
The easiest way to get started of course if you
haven't already download iPhone Configuration Utility.
It's free of charge and it helps you to
get started with configuration profiles.
If you have a very small workgroup, maybe 20-50 iPhones,
this is maybe all you need, this is maybe all you need
for configuring all the devices using a
USB connection but if not I encourage you
to develop your own solution, join
the Enterprise Developer Program.
You can review all the documentations and
you can create your own customized solution,
integrate that with your IT framework
and you know go all the way
and if you're an enterprise app
developer an enterprise appliance
or server app developer this is the route you want to go.
You can integrate iPhone iOS 4 into your application,
into your workflow to your console in very deep way,
or you can buy a third-party solution,
maybe from some of the guys in this room.
Watch for Mobile Device Management
outfits to start supporting iOS 4 soon.
Alright, for more information please contact Mark Malone.
He's our Integration Technologies Evangelist.
Here's some documentation they are
still going through the review process
so we'll make them available to
you soon on the developers website.
If you need early access to this documentation please come
to the lab after this, talk to us, we'll see what we can do
for you and of course Apple Developer Forum is always a great
place to get help from Apple engineers and each other.
So some related sessions: There's one today Creating
Secure Applications right following this session.
There's one on Wednesday and one on
Thursday that you might be interested in.
Thank you very much.
[ applause ]