Creating Enterprise Friendly Apps

Post on 06-Jul-2015


Creating Enterprise Friendly iOS Apps

MoDevEast 2013 December 12, 2013

About Me

Tony Lenzi

Technical Lead and iOS Developer

tony.lenzi@gmail.com

@tonylenzi

Increasing Demand

• 57% of CIOs say that mobile devices and apps are a high priority or essential to their strategic agenda

• 89% of enterprises support email on mobile phones and tablets

• Communications and productivity apps dominate

Source: “Managing the Complete Customer Experience”, Peggy Anne Salz, GigaOm Research

Apps Deliver Value

• Organizations want apps that enable interactions that deliver value to their company and their customers

• Employees are customers too

• MDM solutions make it easier for IT to manage

“I want a Blackberry experience on iOS.”

- IT integrator at a Fortune 500

IT Crackberry

• Easy to configure and distribute

• Minutes, not hours

• IT always has control of data on the device

• Normally purchased and owned by the company

• Device separation

Information Security: Confidentiality, Integrity, Availability

What’s Changed

User Expectations

• Rapidly evolving apps that consumers use every day

• Emphasis on words like “delight”, “engaging”, and “experience”

• Why can’t I do this on my phone or tablet?

Enterprises need the benefits delivered by consumer driven apps, but they also need to retain some of the protections provided by traditional enterprise software.

Data separation, not device separation, enables users and protects the enterprise.

How can we enable enterprises to control the use of their data in our apps?

iOS 7 in the Enterprise

• Management

• Authentication

• Networking

• Data Security

Mobile Device Management

• Allows IT to manage devices, (un)install apps and data

• Single Sign-On

• Per-app VPN

• Managed “Open In”

• iOS 7 allows pushing configuration files to managed apps

App Configuration

• Read a configuration dictionary from an MDM server using [[NSUserDefaults standardUserDefaults] objectForKey:@"com.apple.configuration.managed"]

• Listen for changes using NSUserDefaultsDidChangeNotification

Config Use Cases

• Disable iCloud sharing

• Bootstrap URLs for services

• Company file share location

• Things IT may want to customize to make your app usable on the first run

// config pushed by MDM stored here
NSDictionary *mdmConfig = [[NSUserDefaults standardUserDefaults]
    dictionaryForKey:@"com.apple.configuration.managed"];
NSNumber *enableCloudSync = mdmConfig[@"enableCloudSync"];
// check that it exists and is the correct type
if (enableCloudSync && [enableCloudSync isKindOfClass:[NSNumber class]]) {
    // …
} else {
    // set default value for when unmanaged
}

App Feedback

• Write feedback to NSUserDefaults key com.apple.feedback.managed

• MDM server will read this dictionary from managed apps

• Error and usage statistics

• Aggregate and respect privacy

- (void)webServiceTimeOut {
    self.timeOutCount += 1;
    // start from the feedback dictionary already stored, if any
    NSMutableDictionary *feedback = [[[NSUserDefaults standardUserDefaults]
        dictionaryForKey:@"com.apple.feedback.managed"] mutableCopy];
    if (!feedback) feedback = [NSMutableDictionary dictionary];
    feedback[@"timeOutCount"] = @(self.timeOutCount);
    // write it back so the MDM server can read it
    [[NSUserDefaults standardUserDefaults] setObject:feedback
                                              forKey:@"com.apple.feedback.managed"];
}

and remember…

• NSUserDefaults is unprotected

• Check the defaults every time the app starts

• Validate your input types and values

• Keep it small

• Document your configurable settings
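A sketch of the "check every start" and "validate types and values" advice above, added here as an example and not taken from the original slides. The class name, the "serviceBaseURL" key, the unmanaged default values and the fallback URL are assumptions; "enableCloudSync" is the key used on the slide.

```objectivec
#import <Foundation/Foundation.h>

// Hypothetical settings holder. "enableCloudSync" is the key used on the slide;
// "serviceBaseURL" and the fallback URL are assumed names for illustration.
@interface ManagedSettings : NSObject
@property (nonatomic) BOOL cloudSyncEnabled;
@property (nonatomic, strong) NSURL *serviceBaseURL;
@end

@implementation ManagedSettings

- (instancetype)init {
    if ((self = [super init])) {
        // Validate at every launch, then again whenever defaults change.
        [self reload];
        [[NSNotificationCenter defaultCenter] addObserver:self
                                                 selector:@selector(defaultsChanged:)
                                                     name:NSUserDefaultsDidChangeNotification
                                                   object:nil];
    }
    return self;
}

- (void)defaultsChanged:(NSNotification *)note { [self reload]; }

- (void)reload {
    NSDictionary *cfg = [[NSUserDefaults standardUserDefaults]
        dictionaryForKey:@"com.apple.configuration.managed"];

    // Unmanaged defaults (assumed), kept when a key is missing or fails validation.
    BOOL cloudSync = YES;
    NSURL *baseURL = [NSURL URLWithString:@"https://api.example.com"];

    id sync = cfg[@"enableCloudSync"];
    if ([sync isKindOfClass:[NSNumber class]]) cloudSync = [(NSNumber *)sync boolValue];

    // Type check first, then value check: absolute https URL with a host only.
    id raw = cfg[@"serviceBaseURL"];
    if ([raw isKindOfClass:[NSString class]] && [(NSString *)raw length] <= 2048) {
        NSURL *url = [NSURL URLWithString:(NSString *)raw];
        BOOL https = [[url.scheme lowercaseString] isEqualToString:@"https"];
        if (https && url.host.length > 0) baseURL = url;
    }
    self.cloudSyncEnabled = cloudSync;
    self.serviceBaseURL = baseURL;
}

- (void)dealloc { [[NSNotificationCenter defaultCenter] removeObserver:self]; }

@end
```

The scheme comparison is written so that a URL string with a host but no scheme (for example "//host/path") is rejected instead of passing through a nil comparison.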

Single App Mode

• MDM can control

• In iOS 7, a managed app may request permission to go to single app mode: UIAccessibilityRequestGuidedAccessSession()

• Client demo mode, cash registers, specific employee roles, quizzes and exams

Single Sign-On

Built Into iOS

• App uses NSURLConnection and/or NSURLSession

• IT defines app bundle IDs on their MDM server

• Secured using Kerberos, password stored in the keychain, not inside the apps

• NSURLConnection is the backbone of AFNetworking, NSURLSession is extended in AFNetworking 2.0

Per-App VPN

Built Into iOS

[Diagram: App 1, App 2, App 3; VPN; Enterprise; Internet]

Control Data Usage

• Enterprises may want to limit how much cellular data their users consume

• urlRequest.allowsCellularAccess = NO;

• Another opportunity to use managed configuration profiles to give IT more control

Data Security

Built Into iOS

• Installed apps are protected automatically with NSFileProtectionCompleteUntilFirstUserAuthentication in iOS 7

• Consider the sensitivity of each file or type of data you are saving

• NSFileProtectionNone: read or write anytime

• NSFileProtectionComplete: encrypted unless the device is unlocked

• NSFileProtectionCompleteUnlessOpen: if the file is open when unlocked, you may continue to access it even if the user locks the device.

• kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly keeps keychain secrets on one device
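Choosing a protection class per file and per keychain item, as the bullets above recommend, can look like this. It is an added example, not code from the original slides; the function names are hypothetical and the service and account strings are supplied by the caller.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Write sensitive data so the file is unreadable while the device is locked.
static BOOL SaveProtectedFile(NSData *data, NSURL *url, NSError **error) {
    return [data writeToURL:url
                    options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                      error:error];
}

// Check which protection class a file on disk actually carries.
static BOOL IsFullyProtected(NSString *path) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                           error:NULL];
    return [attrs[NSFileProtectionKey] isEqualToString:NSFileProtectionComplete];
}

// Store a secret that is readable after first unlock and stays on this device.
static OSStatus SaveDeviceOnlySecret(NSData *secret, NSString *service, NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
    };
    NSDictionary *values = @{
        (__bridge id)kSecValueData: secret,
        (__bridge id)kSecAttrAccessible:
            (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
    };
    NSMutableDictionary *add = [query mutableCopy];
    [add addEntriesFromDictionary:values];

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    if (status == errSecDuplicateItem) {
        // Item already exists: replace the data and re-assert the accessibility class.
        status = SecItemUpdate((__bridge CFDictionaryRef)query,
                               (__bridge CFDictionaryRef)values);
    }
    return status;
}
```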

Managed “Open In”

• Not every business wants their “business” on Facebook

• Managed apps only share data with other managed apps

App Licensing

• Apple is now allowing volume purchasers to buy licenses that may expire and/or be reassigned to other users

• Opens up purchasing models for schools, others who may share and reuse devices

• If you support this model, you need to be aware of app revocation

Receipts and Revocation

• iOS 7 receipts now include volume purchase information

• Information that ties your app to this device is on the receipt

• Validate that the receipt is still valid using StoreKit

• You cannot quit the app if it’s invalid, but you can degrade the features/experience

Questions

References

• “Extending your Apps for Enterprise and Education Use”, Session 301, WWDC 2013

• “Managing Apple Devices”, Session 300, WWDC 2013

• “Using Receipts to Protect Digital Sales”, Session 308, WWDC 2013