iPad management: Securing iPads in a regulated world

When the sales department started using iPads, the IT security manager was tasked with locking them down. Learn how one infosec pro took charge of iPad security.

Last summer, IT manager Robert Cockerill heard his CEO utter words he'd dreaded: “These iPads are great. I want all our sales people to use them.”

The request had huge security implications. The Financial Services Authority (FSA) heavily regulates their company, Thames River Capital, an investment firm with more than $14 billion in assets under management. Letting users loose with what was essentially a consumer device with few security features could open the company up to all sorts of problems.

However, the CEO had good reason for wanting the iPad. A weekend playing with one had convinced him it was the ideal platform for salespeople to use when dealing with wealthy clients on a one-to-one basis. He felt laptops took too long to load up and created a barrier between sales associates and the customer, while the iPad comes on immediately and would allow a salesperson and client to sit side-by-side, using the intuitive touch screen to work through presentations.

“In short, it would present the right sort of image to the high-worth individuals we deal with,” Cockerill said.

The challenge was making it all work within the FSA rules. “We had to make sure the data stayed secure,” Cockerill said. “Salespeople are on the road all the time, so there’s a danger of loss or theft. Apple devices are highly desirable -- you’ll never get them back if they get lost -- and the chances of someone wiping the data before they put it on eBay are fairly low.”

Not that mobile devices were new to the company. Staff has been using BlackBerrys for nearly a decade, mainly to receive email and financial market updates. But it was a leap to move from the tightly controlled ecosystem of the BlackBerry to the less regulated world of the iPad and the Apple App Store.

Cockerill scoured the market for products that could help him, and, working with adviser BlueFort Security Ltd, selected the Virtual Smartphone Platform from MobileIron for securing iPads. The main reason for the choice was the range of mobile devices supported by the MobileIron product, and its ability to enforce policies across different device types, such as the iPhones and BlackBerrys already in use at the company. The annual cost for protecting each user is about £50.

Installation and configuration of the Linux-based software took a couple of hours, and registration of each mobile device was swift. “It took one person an afternoon to get the whole system up and running in our test environment,” Cockerill said.

He also selected the DirectDesktop remote desktop system from Array Networks, which allows users to access their Windows desktop applications from the iPad, although they are prevented from storing central information on their mobile devices.

When not using the remote desktop, the iPads are mainly used for email, and this is encrypted online per FSA requirements. Users are allowed to load other apps, but these are closely watched and restricted by the central policy. The iPad management policy specifically prevents any copying and pasting of information locally, which could create a point of data leakage. Salespeople, therefore, receive their presentations as email attachments, which they can then open when dealing with clients.

The tight controls have satisfied Thames River Capital’s compliance and risk department, and a recent audit by the FSA confirmed the company’s security is up to scratch.

“With MobileIron we can maintain control over what information is on the devices and whether it is encrypted or not. We also can see where the device is, because it has GPS built in,” Cockerill said. “So if people tell us they have lost a device, we can tell if they have just left it at home, probably wedged behind the sofa.”

The company currently has about 40 iPads registered to the system, as well as some iPhones and 140 BlackBerrys. “MobileIron gives us a central view of all the devices in one view,” he said. “It is cross-platform so we can get all that information for our BlackBerrys as well, all in the same consolidated view. If a device is reported lost, we can remote wipe or remote kill it, or disable it until the user finds it. Fortunately, no iPads have been lost yet.”

Although the central IT department handled initial registration of users, new users can register themselves by going to the Apple App Store and downloading MobileIron's iOS management app, which automatically connects to the Virtual Smartphone Platform and picks up the policies assigned to the user.

And, if users decide that some other new tablet is even cooler than the iPad, then Cockerill said the MobileIron platform will be able to handle it. “It covers all the major platforms. If someone wants an Android, for instance, it’s no longer a problem. I’m prepared.”
