You may be familiar with the proverbial rhyme For Want of a Nail and how it literally summarizes historical warfare: something small can lead to the loss of a war. Well, most recently, an MDM outage led me to think about this rhyme and how it could relate to business. Mobile Device Management (MDM) has become a massive concern within enterprise organizations ever since the Apple wave of consumer devices began to enter the workplace.
A couple of weeks back an issue at Apple rendered almost all MDM vendors useless, as they were unable to send updates or policy changes to new or existing devices. What became even more concerning with this issue was both the length of the outage (around 15 hours or more) and the lack of communication from Apple regarding the matter. This led me to consider how viable solutions that rely solely on Apple for iOS management really are.
On April 25th many US enterprises came to realize that they could not send requests to Apple iOS based devices through their Mobile Device Management solutions. Searching the web gave sparse results; however, the odd technical forum posting pointed to a problem that had started 6 hours earlier. Organizations such as Sophos were reporting the outage to their Asia based customers and people were tweeting about the possible causes. Later that afternoon the issue was resolved, however again with what appeared to be a lack of information from Apple.
The issue was related to the Apple Push Notification Service (APNS), whereby the service was rejecting connections due to some form of SSL issue. While this would be more noticeable with the many applications that rely upon APNS for notifications, iOS MDM providers also heavily rely upon the service to send information to and get information from managed devices. Because APNS was rendered inaccessible, Mobile Device Management solutions were unable to ask managed Apple iOS devices to check in and provide information, or to connect and download new policies.
MDM and APNS
MDM solutions that manage Apple iOS devices rely heavily on APNS. In short, iOS devices do not listen for inbound connections, so there is no direct way for an MDM solution to send information to a device. Instead, to communicate with iOS devices, MDM providers send a specially formatted message through APNS, which in effect asks the device to contact the MDM server for instructions. When a user enrolls their device with an MDM provider, they are in essence configuring their device with the URL of the MDM server, as well as providing various tokens to the provider which will be used later. More information on this process can be found on the Apple website.
Once devices are enrolled with their MDM solutions, the process doesn’t really change. If an MDM provider wants to send an updated configuration (such as locking down the camera or enabling a previously locked down feature), they send a message through APNS asking the device to connect to the MDM server and download the new configuration. If a problem prevents the device from receiving the APNS message, it will never check in with the MDM server and thus never receive its updated configuration.
When the Apple APNS servers began rejecting connections on April 25th, Mobile Device Management providers were unable to request that devices check in and therefore could not apply new configurations or update existing device-based policies. For an enterprise organization that needs to enable specific functionality for an executive meeting or similar, this could be a significant issue.
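The push-then-check-in loop described above, as a constructed Python model added here; it is not code from this post, from Apple, or from any MDM vendor. The APNSGateway, Device and MDMServer classes, the command dictionary format and the "push magic" token are simplifications of my own rather than Apple's MDM wire protocol. The point it demonstrates is that the MDM server never reaches the device directly: a command issued while the push gateway rejects connections stays queued on the server, the device never learns it exists, and it is only applied once a push finally gets through.

```python
"""Simplified model of the MDM push / device check-in flow (constructed example).

The MDM server queues a command, asks the (simulated) APNS gateway to wake the
device, and the device then connects back to the MDM server it enrolled with.
If APNS rejects the push, the queued command is never delivered.
"""
from collections import deque
from dataclasses import dataclass, field
import uuid


class APNSUnavailable(Exception):
    """Raised when the simulated APNS gateway rejects a connection."""


class APNSGateway:
    """Stand-in for Apple Push Notification Service (assumption, not Apple's API)."""

    def __init__(self) -> None:
        self.devices = {}       # push token -> Device
        self.available = True   # set False to simulate the outage

    def register(self, device: "Device") -> None:
        self.devices[device.push_token] = device

    def push(self, push_token: str, push_magic: str) -> None:
        if not self.available:
            raise APNSUnavailable("APNS rejected the connection")
        self.devices[push_token].on_push(push_magic)


@dataclass
class Device:
    """Enrolled device: knows only its MDM server and the tokens set at enrollment."""

    udid: str
    push_token: str
    push_magic: str
    server: "MDMServer"
    applied: list = field(default_factory=list)   # commands actually applied

    def on_push(self, push_magic: str) -> None:
        # The push carries no payload; it only tells the device to check in.
        if push_magic == self.push_magic:
            self.check_in()

    def check_in(self) -> None:
        # Device-initiated: report Idle, apply each command returned, acknowledge it.
        command = self.server.handle_checkin(self.udid, "Idle")
        while command is not None:
            self.applied.append(command["RequestType"])
            command = self.server.handle_checkin(
                self.udid, "Acknowledged", command["CommandUUID"])


class MDMServer:
    """Holds a per-device command queue; relies on APNS to trigger delivery."""

    def __init__(self, apns: APNSGateway) -> None:
        self.apns = apns
        self.enrolled = {}   # udid -> (push_token, push_magic)
        self.queues = {}     # udid -> deque of pending command dicts

    def enroll(self, device: Device) -> None:
        self.enrolled[device.udid] = (device.push_token, device.push_magic)
        self.queues[device.udid] = deque()
        self.apns.register(device)

    def send_command(self, udid: str, request_type: str) -> bool:
        """Queue a command, then try to wake the device. Returns whether APNS
        accepted the push; the command stays queued either way."""
        self.queues[udid].append(
            {"RequestType": request_type, "CommandUUID": str(uuid.uuid4())})
        token, magic = self.enrolled[udid]
        try:
            self.apns.push(token, magic)
            return True
        except APNSUnavailable:
            return False

    def handle_checkin(self, udid: str, status: str, command_uuid: str = None):
        queue = self.queues[udid]
        if status == "Acknowledged" and queue and queue[0]["CommandUUID"] == command_uuid:
            queue.popleft()
        return queue[0] if queue else None   # next pending command, if any

    def pending(self, udid: str) -> int:
        return len(self.queues[udid])


def simulate_outage() -> dict:
    """Walk through normal operation, an APNS outage, and recovery."""
    apns = APNSGateway()
    server = MDMServer(apns)
    phone = Device("UDID-CONSTRUCTED-1", "push-token-1", "push-magic-1", server)
    server.enroll(phone)

    push_ok_before = server.send_command(phone.udid, "DisableCamera")
    applied_before = list(phone.applied)

    apns.available = False                      # APNS starts rejecting connections
    push_ok_during = server.send_command(phone.udid, "EnableCamera")
    pending_during = server.pending(phone.udid)
    applied_during = list(phone.applied)        # device never heard about it

    apns.available = True                       # service restored
    server.send_command(phone.udid, "InstallProfile")
    return {
        "push_ok_before": push_ok_before, "applied_before": applied_before,
        "push_ok_during": push_ok_during, "pending_during": pending_during,
        "applied_during": applied_during,
        "applied_after": list(phone.applied), "pending_after": server.pending(phone.udid),
    }


if __name__ == "__main__":
    for key, value in simulate_outage().items():
        print(f"{key}: {value}")
```

The value of a model like this for an operations team is the `pending()` count: during the outage the server reports the push as failed and the queue length grows, while the device's applied list stands still. Alerting on commands that remain queued past a threshold is the observable signal of exactly the situation the post describes.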
Mobile Application Management (MAM) is not MDM
Mobile Device Management usually refers to technology that deals with the management of the actual device and the functionality available within it. Most iOS MDM solutions implement this functionality in much the same way, by making use of APNS and the MDM functionality exposed within the operating system. This is why the APNS issue affected most MDM providers, and users began complaining about them on forums and elsewhere.
MAM, or Mobile Application Management, refers to management at the application level, and unlike MDM there is no standard way to implement such functionality. In addition to MDM, AppSense MobileNow includes a layer of mobile application management, which is implemented using proprietary code outside of the Apple infrastructure. By implementing a layer of MAM technology, AppSense is able to apply policies not only to the device as a whole, but on an application-by-application basis.
AppSense customers are able to configure their solution in either MDM-and-MAM or MAM-only mode, and in April when the APNS issue came about, MobileNow users simply changed modes and were largely unaffected by the issues. For MDM providers, especially those providing technology to enterprise organizations, it is critical that there not be a single point of failure in their solutions, and the APNS issue certainly exposed this for many.
In closing, what the APNS issue taught us is to consider all elements when looking at mobile management solutions. It’s unclear whether or not Apple really cares that much about MDM / MAM, or even the enterprise as a whole, and for this reason solutions that rely 100% on them could be risky. Apple has always been a consumer-focused business, which has led to a profitable enterprise-focused ecosystem being built around them. With this in mind, when considering enterprise solutions that revolve around the Apple world, you may want to look past the fancy icons…