BYOD Basics: Securely Enabling iOS in the Workplace

In light of recent announcements, IT professionals are now awaiting the onslaught of requests to add new iOS devices to the organizations they support.  Embracing BYOD through proper planning thwarts Shadow IT and keeps IT professionals in control.  Microsoft Virtual Academy provides a great starting point for BYOD enablement in a module entitled System Center 2012 R2 Configuration Manager & Windows Intune.

When planning, IT professionals should break down support of iOS devices in the workplace into the following areas:

  1. Unified management –  Management of smartphones and tablets should be delivered through a single console to ensure simplicity in device management administration
  2. Enabling worker productivity – Providing corporate resources to the information worker while not compromising security
  3. Registration and enrollment – Providing an easy yet secure experience enabling corporate resources on a personally-owned or non-corporate device

One challenge that iOS devices will always face is their inability to join a domain.  Domain joining applies features like Windows login scripts and Group Policy, which are not applicable to non-Windows devices.  This trust gap is a limitation for IT departments tasked with protecting network resources: without domain affiliation, the user of an iOS device is either denied access to resources or must repeatedly provide credentials as each resource is accessed, which makes the experience frustrating for the end user.  This is why Workplace Join was created.  Workplace Join provides iOS devices with certificates, delivered only after the IT professional can confirm that the device is affiliated with a known, trusted user, and those certificates help the iOS device authenticate within a Windows 8.1 network. Workplace Join is, however, only one piece of the business mobility puzzle.

Device management is another key element, needed to apply policies, perform software inventories, or supply apps. Enrollment of a personally owned device occurs only when the device owner consents to some IT-side administrative control of the device.  Once enrollment is complete, management of the iOS device uses the Apple Push Notification service to maintain regular communication with the device over any network connection.  This ensures that both halves of the iOS requirement are addressed: protecting company data and resources, and empowering employees.

Ty Balascio, a Senior Program Manager focused on managing iOS devices in the workplace using System Center products, provides further insight into deployment and enablement of iOS devices from within the workplace.

Enrollment walkthrough (screenshot captions):

User initiating enrollment

Offering the management profile

Enrollment profile installed

Staying productive at work on iOS devices


Microsoft has heavily invested in supporting the most typical user requirements for working from an iOS device.  For example, the following capabilities are available for an enrolled iOS device in an enterprise using System Center 2012 R2 Configuration Manager:


Connecting to the corporate network


Need to push a Wi-Fi configuration for wireless access?  No problem.  How about VPN profiles or authentication certificates?  You can push those configurations too.  We support a rich array of network settings configurable for mobile devices. Because mobile devices are..., all of the capabilities described within this blog function from any network connection, anywhere.


User-driven access to company resources


The Company Portal app for iOS provides your users with a convenient interface for gaining access to resources necessary for work.  Whether it is a deep-link to the Apple AppStore, an Internet / intranet resource web-clip on the home screen of the device, or even an internal line-of-business app, the Company Portal on iOS devices will enable your users to discover, request, and install the tools they need. 


Do your users rely on more than one device in the workplace?  What happens when those devices become damaged, lost, or replaced?  For most IT departments it means an IT support ticket to de-provision, wipe data, or perform a remote lock.  With the Company Portal app the end user is now empowered to handle those actions for themselves.  So the next time someone from the Sales team leaves a laptop in a taxicab, they can quickly hop on their iPhone and kick off a WIPE action to protect the corporate data.  At Microsoft, we see business mobility enablement as both a mechanism for user empowerment and an approach to reducing the burden placed on IT professionals when it comes to common tasks the user could handle themselves – when empowered with the right tools.

Discovering and accessing a company resource

Unified management

Most mobile devices support an implementation of mobile device management.  We worked hard to build an IT-pro experience that lets common settings and controls flow consistently across all platforms.  Set a PIN requirement once, and know with confidence that it will reach all devices, no matter which platform each one runs.  Some settings supported by Apple apply only to iOS, for example restricting access to Safari or applying App Store content rating policies.  With System Center 2012 R2 Configuration Manager, the most common settings and restrictions are supported.


Device state


How many iOS devices are in use within your organization?  What iOS version are they running?  What corporate apps have they installed?  Are any devices in your org jailbroken?  All of the data points needed for compliance and inventory decisions are present and routinely refreshed.




For corporate-owned devices, your IT department will appreciate the level of protection and compliance possible for iOS devices.  Whether the need arises to quickly issue a factory-reset command or to push apps and app updates, System Center puts you in control.  Even for an employee-owned device, the IT department retains remote control over removing the device from the network, and with it all of the apps and company resources that were provided, while leaving family photos and personal apps intact.
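As an added illustration (not Configuration Manager or Intune code), the following Python evaluates the inventory data points listed under Device state (iOS version, installed corporate apps, jailbreak status) against a simple policy and maps each violation to the action described above for corporate-owned versus employee-owned devices. The policy thresholds, the required app's bundle identifier and the inventory records are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class DeviceRecord:
    device_id: str
    ios_version: str           # as reported by inventory, e.g. "7.0.4"
    jailbroken: bool
    installed_apps: frozenset  # app bundle identifiers reported by inventory
    corporate_owned: bool

# Policy thresholds and the required bundle identifier are assumptions for this example.
POLICY = {"min_ios_version": (7, 0, 0),
          "required_apps": frozenset({"com.example.companyportal"})}

def parse_version(text):
    """'7.0.4' -> (7, 0, 4); missing components are padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def evaluate(record, policy=POLICY):
    """Return the policy violations for one device; an empty list means compliant."""
    findings = []
    if record.jailbroken:
        findings.append("jailbroken")
    if parse_version(record.ios_version) < policy["min_ios_version"]:
        findings.append("ios_version_below_minimum")
    missing = policy["required_apps"] - record.installed_apps
    if missing:
        findings.append("missing_required_apps:" + ",".join(sorted(missing)))
    return findings

def recommended_action(record, findings):
    """Map findings to the action the post describes for each ownership type."""
    if not findings:
        return "none"
    if "jailbroken" in findings:
        # Corporate-owned: factory reset; employee-owned: selective wipe (personal data kept).
        return "factory_reset" if record.corporate_owned else "selective_wipe"
    return "notify_user_to_remediate"

def compliance_report(records, policy=POLICY):
    # device_id -> (findings, action) for every inventoried device
    evaluated = {r.device_id: (r, evaluate(r, policy)) for r in records}
    return {d: (f, recommended_action(r, f)) for d, (r, f) in evaluated.items()}

# Constructed sample inventory records (not real devices).
SAMPLE_INVENTORY = [
    DeviceRecord("ipad-001", "7.0.4", False, frozenset({"com.example.companyportal"}), True),
    DeviceRecord("iphone-002", "6.1.3", False, frozenset(), False),
    DeviceRecord("iphone-003", "7.0.4", True, frozenset({"com.example.companyportal"}), False),
]
```

Running `compliance_report(SAMPLE_INVENTORY)` flags the out-of-date device for user remediation and the jailbroken employee-owned device for a selective wipe, while the compliant corporate iPad needs no action.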


System Center 2012 R2 Configuration Manager, Windows Intune, and Windows Server provide a secure and reliable business mobility solution for enabling iOS devices in the workplace.  Balance is achieved by giving users the freedom and convenience to be productive as they see fit, but on your organization's compliance and protection terms.