Galen Gruman
Executive Editor for Global Content

The simple way for IT to support iPads and iPhones

analysis
Oct 18, 2011 | 12 mins

As employees are allowed to bring in their own mobile devices, IT frets about the support burden -- but it needn't worry

It’s a refrain I’ve heard more and more from IT managers in my travels in recent months: Yes, we can secure devices using Exchange or mobile device management tools, but what we really worry about is the support burden that iPads and iPhones will put on us. I’m happy to say that the IT support burden should not increase meaningfully — or at all — as employees bring in iOS devices.

But first, a caveat: Android is a different story due to all the permutations in the OS from vendor to vendor and the uncertainty over which apps are legitimate, though some principles I describe here for supporting iOS devices such as the iPad and iPhone should apply as well. And unlike with iOS, you’ll get calls from employees who can’t connect to your secured wireless network due to the lack of support in Android 2.x and 3.x for PEAP-secured Wi-Fi networks. Ditto for those Android 2.x smartphone users whose devices can’t support many of your Exchange ActiveSync policies such as on-device encryption and complex passwords. I can’t help you there.

First, a recent study shows that iOS devices require the least support of the major mobile platforms. The device that IT prefers, the Research in Motion BlackBerry, is more difficult to support, but as they continue to fade from the business environment, the IT mobile support burden should decrease. In fact, aggressively replacing BlackBerrys with iPhones is probably the quickest way to lighten the IT mobile support load. Android devices require the most support, but their current lack of basic enterprise security and manageability means you’re not likely to allow their use for business purposes and, thus, don’t need to support them. (Motorola Mobility’s crop of business-savvy Androids are the notable exception.)

That study points to an unsurprising reason: The iOS user interface is easier for users, so they tend to need less help. Reports from Forrester Research and Aberdeen Research show that users who choose their own devices (no matter who pays for them) are more self-supporting. Plus, if the device is a personal possession, even if also accessed for business, users are much more careful about not losing and not damaging the item. All of this explains the lower support overhead for iOS devices.

But at some point, IT will have to deal with iOS devices directly. When that happens, here are ways to keep the effort low while meeting users’ needs.

Use security policies and certificates

iOS supports more Exchange ActiveSync (EAS) policies than any other modern mobile OS; only the long-dead Windows Mobile still used in government and some businesses supports more. When anyone tries to access email from Exchange or corporate Gmail (if EAS is enabled), the email server validates the policies immediately, forcing users to comply in return for access. Because iOS uses standard EAS policies, you merely need to set them up, without regard for whether the user has iOS — it can be the same policy set you use for desktop access.

If you use IBM’s Lotus Notes and Domino, you can’t impose these policies on the iOS device (using the 8.5.2 or later version of Notes Server), just on the Lotus client. That’s an IBM limitation, not an Apple one. The same is true, for the same reason, on the GroupWise email server, assuming you have the Data Mobility Pack installed to add EAS support. For these two old-school email systems, you should look at deploying a mobile device management (MDM) tool that supports multiple mobile OSes via policies. What you can do with IBM’s and Novell’s EAS support is wipe the devices completely or just the email server’s data.

iOS also supports certificates, such as for PEAP-secured Wi-Fi access and VPN access. Again, these should be the same as you use for any device.

Use configuration profiles

But it’s the provisioning profiles that you really should invest in, as they can save you lots of time in putting together a user self-configuration service.

Apple’s provisioning certificates are based on XML, so you can generate them through several means. MDM tools generate them, for example. Mac OS X Lion Server also generates and remotely installs them on a per-user or per-device basis, tying into your Active Directory or Open Directory infrastructure so that you can set and apply policies for individuals, groups, devices, and device groups. The Web interface is simple, and the policies can be applied to Lion-based Macs. It does mean using a separate tool, but that’s no different than using BlackBerry Enterprise Server (BES) to do the same for BlackBerrys. Mac OS X Lion Server is much cheaper than an MDM tool, especially if its policies cover your needs. (Lion Server costs just $50 to upgrade a Lion-based Mac to it, and $80 from a Snow Leopard-based Mac.)

There’s also Apple’s free iPhone Configuration Utility, which is the still-available predecessor to OS X Lion Server’s policy manager. The iPhone Configuration Utility runs on both Windows (XP through 7) and Macs (both Snow Leopard and Lion), so many IT organizations may prefer it to Lion Server. You can create profiles for each device, then get them onto the device by syncing directly over USB, by emailing the file to the user, or by placing the file on a Web page and having the user open that link.

But what you really want to do for a self-service approach is create configuration profiles for various classes of users, rather than handle each user individually. You can do that too in the iPhone Configuration Utility: Create configuration profiles by selecting Configuration Profiles in the Sidebar’s Library section. Then click New. You get several panes, one for each type of policy or configuration you want to set. Go through each one in turn.

For example, you might set up the VPN shared secret credentials, so neither you nor the user has to enter them manually on each device — the user would only have to enter his or her own credential (which you want them to do anyhow so if the device is lost your VPN is not accessible to someone else), such as the one managed by Active Directory. Likewise, you could add the Exchange Server address, the setup for internal Wi-Fi access points, LDAP configurations, and shared calendar details; load security credentials; specify a required MDM server; and so on — all the stuff common to a group.

A key setting in the General pane is Security: Here, you control whether the user can revoke the configuration certificate, and if so, you can specify the required password. For example, an IT support staffer could revoke the profile manually by knowing the password, but not the user.

If you have some configurations that are universal and others that are specific to a role or department, create a separate configuration profile. You should do so hierarchically, so only the universal profile sets the universal settings and only the local profiles set the local settings. iOS lets you install multiple configurations, so you can layer the configurations and later update just the universal one or just the local one without affecting the other configurations’ settings.

When you save the profile, you can then share it with as many users as you want. You can email the profiles, and when the users open the profile on their iOS devices, they get a prompt to install them. Alternatively — better for a self-service approach — you can include the links to these profiles from a Web page or intranet site (such as a new-user welcome page that also contains the employee manual, time sheets, and payroll direct-deposit forms, or a departmental hub page), so users can simply install their own. Because these profiles configure their iPhones and iPads to work with your network and other resources, you know they will — if they’re really using the devices for business purposes, anyhow.
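The layered profiles and the removal password described above, as an added example that is not from the original article: a Python sketch that builds a universal and a departmental profile as XML and, before either is published on a Web page, lists any secrets stored inside it. The `com.example.*` identifiers, SSIDs, RADIUS name, and removal password are constructed sample values, and `embedded_secrets` is a hypothetical helper.

```python
import plistlib
import uuid

# Keys that hold secrets in Apple payloads. A profile is plain XML, so these
# values are readable by anyone who can download the file.
SECRET_KEYS = {"Password", "UserPassword", "SharedSecret", "RemovalPassword"}

def payload(ptype, ident, name, **settings):
    """Build one payload with the keys every payload carries."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": name, **settings}

def peap_wifi(ident, ssid, radius_names):
    """PEAP Wi-Fi payload; no username/password stored, so the user is prompted."""
    eap = {"AcceptEAPTypes": [25], "TLSTrustedServerNames": radius_names}  # 25 = PEAP
    return payload("com.apple.wifi.managed", ident, "Wi-Fi " + ssid, SSID_STR=ssid,
                   EncryptionType="WPA", EAPClientConfiguration=eap)

def profile(ident, name, payloads, removal_password=None):
    """Wrap payloads in a top-level profile and return .mobileconfig XML bytes."""
    content = list(payloads)
    if removal_password is not None:
        content.append(payload("com.apple.profileRemovalPassword", ident + ".removal",
                               "Removal password", RemovalPassword=removal_password))
    top = payload("Configuration", ident, name, PayloadContent=content)
    return plistlib.dumps(top, fmt=plistlib.FMT_XML)

def embedded_secrets(xml_bytes):
    """Return sorted 'PayloadType:key' strings for secrets stored in a profile."""
    found = []
    def walk(node, ptype=""):
        if isinstance(node, dict):
            ptype = node.get("PayloadType", ptype)
            found.extend(ptype + ":" + k for k in node if k in SECRET_KEYS)
            node = list(node.values())
        if isinstance(node, list):
            for item in node:
                walk(item, ptype)
    walk(plistlib.loads(xml_bytes))
    return sorted(found)

# Constructed sample values: two layers, each with its own identifier.
RADIUS = ["radius.example.com"]
UNIVERSAL = profile("com.example.universal", "Universal",
                    [peap_wifi("com.example.universal.wifi", "ExampleCorp", RADIUS)],
                    removal_password="constructed-placeholder")
FINANCE = profile("com.example.finance", "Finance",
                  [peap_wifi("com.example.finance.wifi", "ExampleCorp-Fin", RADIUS)])
```

A non-empty result from `embedded_secrets` means the file carries a shared credential in readable form, so it belongs behind authentication rather than on an open page.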

The downside of the iPhone Configuration Utility is that it can’t update installed profiles automatically, as an MDM tool or Lion Server can; users have to download the newest version to get it. That is, unless you want to create your own over-the-air policy server — Apple has provided instructions on how to do so using the SCEP protocol and a Cisco IOS or Microsoft Windows Server platform.

Unfortunately, I’m aware of no similar way to create such self-install profiles for BlackBerry, Android, or other mobile platforms.

Business apps

The other piece you can do for employee self-service is to provide Web pages with links to your preferred apps. Apple has created an iTunes minisite that lists popular business apps; it’s a good place to find recommended titles.

In iTunes, right-click an app’s icon and choose Copy Link from the contextual menu. When a user clicks that link, he or she is taken to the iTunes Store on the iOS device to purchase or download the app. Thus, you encourage the adoption of the tools you prefer employees use for business purposes. For Android users, you could set up links to the Google Android Market as well, for your recommended Android apps.

It’s probably easiest to have employees expense these recommended apps, as iTunes emails them a printer-friendly receipt. But if you prefer to manage the purchase of apps yourself, Apple’s Business App Store lets you set up centralized billing and purchase tracking for required and recommended apps, both those from the App Store and those from developers making custom (nonpublic) iOS apps for you.

If you want to restrict users to specific apps, you can do that via policies, but then you’re pretty much killing the point of a bring-your-own device. I’m assuming that most businesses that want to support iOS devices with minimal IT overhead are likewise keeping the burden on employees who use the devices low. After all, the more you impose, the more you need to support.

Troubleshooting

iOS may be intuitive for most users, but not everything is obvious from the get-go. Plus, troubleshooting issues always come up with any device. Some, like lost passwords, IT support should already have a universal system in place for managing. But here are a few questions that are likely to arise and would be useful to know or at least consider as part of a self-support FAQ:

  • When iCloud is released this month, it will automatically back up device settings for users who sign in via their Apple ID or iCloud account. That will greatly help restoration of a system that gets reset somehow. App data is not backed up, however, to iCloud. iTunes also tracks all the apps and media purchased through it, so those can be redownloaded if a device is wiped or reset, and they can be downloaded to a new device if the employee loses the current one — at no charge. Also, iTunes backs up user data, as well as settings, so by syncing the iOS device to iTunes periodically, a user can self-restore a wiped device or transfer the apps, data, and settings to a new device. iOS 5’s wireless backup should make that backup process even easier.
  • iOS has no visible file system (files are stored within their apps’ containers, as a security measure), so users often are confused on how to attach items to emails and otherwise bring content into apps. The trick is to start with the content. For example, to email a photo, go to the Photos app, select the photos, then use the Share menu to send them via email. Most apps use that menu or a similar one. Also, to move files among applications, look for the Open In menu — you may get it from tapping and holding a document, by using the Share menu, or via some other app-specific methods — to open a document from the current app into another one (only compatible apps are listed). Apps have to specifically support Open In, so some apps may not have this capability.
  • If an employee has trouble when not near an IT support staffer, he or she can easily take screenshots to show the state and email them to the help desk. Press the Sleep/Wake and Home buttons simultaneously to take a screenshot, which then appears in the Photo app’s Camera Roll album. There’s no limit on the number of screenshots one can take.
  • Most apps provide a quick-scroll option: Tap the top of the screen and the app’s screen usually jumps to the top of its content (such as the list of email messages). Unfortunately, there’s no equivalent to jump to the bottom of content.
  • A few gestures are universal: Scroll within an app with one finger; scroll within a pane or window within an app (usually this is for websites) with two fingers. Pinch together a finger and thumb to zoom in; reverse that gesture to zoom out. Double-tap the Home button to open the multitasking bar that shows all running apps and lets you switch to any of them (as well as quit any of them by tapping and holding an app and then tapping its Close box).

If you’re concerned about a tidal wave of iOS devices drowning your support team, relax. They’re easier to support than you fear — and the techniques here can reduce the burden even more by providing self-service options to your employees.

This article, “The simple way for IT to support iPads and iPhones,” was originally published at InfoWorld.com.