Managing Mobile Devices

Session 108 WWDC 2010

Devices running iPhone OS are as easy to configure and manage as they are to use. Learn about the new Mobile Device Management architecture and discover how to use new Over-The-Air (OTA) capabilities to erase or lock a device and query for important device information. OTA also lets you remotely deploy configuration profiles, install in-house applications, and make managed iPhone deployments even more manageable.

Dave Rahardja: Welcome to Session 108: Managing Mobile Devices.

My name is Dave Rahardja and I'm joined here with my colleague Chris Skogen.

Now with a title for our session called Managing Mobile Devices I'm guessing there are two groups of people here who will make up the majority of you.

So the first group I think are IT managers, IT developers who are trying to figure out how to integrate iPhone into your enterprises.

Right? [applause] So this talk is for you.

And the second group of people who are probably here are developers of enterprise appliances and server apps and you're trying to figure out how to make your next killer app to sell to the enterprise and this talk is also for you, so let's get started.

When we talk about managing mobile devices in the enterprise we're probably talking about three specific requirements.

So the first thing you've got to do to manage your mobile devices is you need to configure them.

You need to set up email, you need to set up VPN, Wi-Fi access, as well you need to set up restrictions such as passcode complexity limitations, or disabling certain features on the device.

So that's the first thing you've got to do, configure your device.

Now once you do that you need to enroll a large number of devices into your management system.

You don't want to have to manually configure every device that comes into your organization because you might have thousands or tens of thousands of devices.

So how do you get these devices enrolled in your management system without manual intervention?

So that's the second requirement and the third requirement is management.

Once you've configured these devices your configurations will change over time.

So certificates expire, server addresses change, people move from one department to another.

How do you keep their devices up to date?

So that's the third key to the puzzle, management.

And in iOS 4 we have three great solutions for you to address these three specific requirements. So the first one, for configuration, we have configuration profiles.

For enrollment we have Over-the-Air Enrollment and brand new for iOS 4 to manage your devices we have Mobile Device Management.

[ applause ]

So three key technologies that we are presenting to you in 4 to make your life easier as an IT administrator and developer and to help you make your next killer app.

So let's take a look at these three during the next hour.

Starting with configuration profiles: so a lot of you are already familiar with configuration profiles. They're just XML files, they're simple XML files, they look like this, it's a plist, so if you're familiar with plists on Mac OS X, and you use these files to configure accounts and settings using what's called payloads.

So a single configuration profile contains one or more payloads.

Each payload can be an Exchange setting, email accounts, VPN etc. or it can also be restrictions and passcode requirements.

You can make these things using iPhone Configuration Utility which is a free download, because they're XML files you can use your own script on your server, or you can purchase a third party app to integrate this with your server management system.

So let's take a look at how iPhone Configuration Utility helps you to create these configuration profiles.

So over to Chris.

Chris Skogen: Thanks Dave.

There we go.

I don't know how many of you have ever seen iPhone Configuration Utility before, but this is it.

We're going to take a quick tour around.

iPhone Configuration Utility or iPCU as we like to call it.

iPCU is the primary means, you know, for Apple to generate configuration profiles for your devices.

In addition to using it to create configuration profiles you can also use iPCU to store those configuration profiles.

You can also store enterprise applications and you can also store provisioning profiles that can be later installed on devices.

iPCU typically does all of its installation to devices via the tether, so for that type of feature it tends to be a really good tool for small shops, but for making configuration profiles it excels.

Here on the left side of iPCU we have a library source list, and you'll see where it contains devices that have been connected to iPCU via tether.

It also contains a list of applications that I can deploy to devices.

It also has a place for provisioning profiles for those applications and here's the one we're most interested in for the purposes of this demo.

This is configuration profiles.

Once I've selected the source for configuration profiles on the right side I see like a master detail view where the upper portion will show me all of the configuration profiles that I have in my library and below I get the editor for each of those configuration profiles.

So to begin making a configuration profile what we do is we go up to the toolbar and we hit New.

That creates a configuration profile here called "profile name", and I'm automatically selected on the General payload, so in the General payload I would enter a specific name to help me remember what this is for, and I'm also required to enter an identifier for the configuration profile.

com.apple.myprofile, something like that.

Then going down the list I have the rest of the payload types that iPCU supports.

We see passcode restrictions or passcode requirements, we see restrictions, we see Wi-Fi, VPN, email, Exchange accounts, LDAP accounts, CalDAV, CardDAV, subscribed calendars.

I'm not going to go through all of these today 'cause there's many but I'm going to kind of go down the list and touch on the things that are new in iOS 4.

If I go over to restrictions to add a restrictions payload to this profile I just hit Configure and the UI will change to show me the restrictions editor.

The restrictions editor holds things that you can put on the device to stop your user from using a feature, or ratings for movies or content from the store, and for iOS 4 we've also added a few new ones.

You'll see allowed voice dialing, you can actually force your users to encrypt backups here.

In iOS 4 we've also allowed control over Safari, so here I can disable Safari's use of AutoFill.

I can also force my user's Safari to block pop-ups, and we've also added ratings down here at the bottom for the store, so we can say, well, ok, I want my users only to be able to see PG-13 or less movies.

In iOS 4 another new feature is multiple Exchange accounts.

Previously we allowed a single Exchange account on a device in a configuration profile; now we can do multiples.

We just hit that second button there, and there's another Exchange account configured for the device.

In iOS 4 we've also added CardDAV.

I just click Configure, enter in the account name, host name and port, URLs, things like that, to let my users access CardDAV.

In Web Clips we've added a new feature to configuration profiles that enables you to fire the web clip in full-screen mode, so it kind of looks like a complete app when it runs.

You'll also see the Mobile Device Management payload, which Dave is going to talk about in detail later.

So for the sake of this demo let's go ahead; I have a profile up here that I've already built.

I'm going to get rid of this one.

So I have a profile here that I pre-built that has a passcode.

It's going to require my users to have a passcode on their device.

It also has a web clip that's going to give them access to a URL in my enterprise.

It's also got an Exchange account so they can get to their email.

When I install this on a phone, all of those payloads are going to be deployed at one time and there's no way to separate them, so when we see this go we're going to be forced to put on a passcode, and in exchange for that we're going to get access to email and that web clip.

So when a phone is connected to iPCU via the 30-pin connector, as this one is, you'll see it on the left side as a connected device.

So I click on that and it will show me what configuration profiles are currently on that device and it also shows me the ones in my library that I can add to the device.

So here's the one that we want to target for this device so I'm going to go ahead and hit install.

I'm going to flip over to the device itself, it's pretty hard to make out.

That's pretty harsh.

Chris: Yeah it's pretty bright.

Does anybody know how to get that down?

[ pause in speaking ]

Just adjustments on the projector.

Chris: Once I hit install on iPCU the phone actually prompts me with this install screen for installing the profile.

Right here it says, you know, what the name of the profile is.

It shows that it's verified.

When we send it over from iPCU we sign it and encrypt it.

It'll also show you the different payloads that are in the profile.

You'll see a web clip, an Exchange account and a password policy; those are the three that we put in.

Now go ahead and hit Install.

It'll prompt me to confirm it, we'll see that it's installing the profile, takes a couple of seconds.

What it's doing now at this point is it's going to go through and evaluate the payloads; typically with the Exchange account it's going to try to make contact, I believe, so we're just going to wait for that to happen.

We're just going to let that run and continue on.

So anyway, that is iPCU trying to install the profile, and I will drop back if that ever finishes. The rest of the connected device screen you'll see here is provisioning profiles that might be on the device, applications that are on the device, and iPCU also lets you see the console on the device and save it and export it to a disk file.

That is iPCU and this thing is not done so I'm going to send it back to Dave to keep it going.

Dave: Alright thank you Chris.

So with iPhone Configuration Utility it's really easy for you to create profiles that contain the settings that you want, using a very user friendly UI and you can install these profiles on a device by tethering it directly to the device and sending the profile over that way.

So let's take a little closer look at configuration profiles.

As you saw with iPCU profiles can be signed and encrypted.

Now with iPCU the encryption keys are exchanged between the device and the computer via the USB cable, but as we move on you're going to see that you need the device to have the private key to decrypt the profile before you can encrypt the profile for that device, and that presents a challenge which we're going to address with the other technologies that we're going to present later today in this session.

You can install profiles over USB, but you can also install them over the air using the other technologies in this presentation.

Now here's a key fact that you can use to your advantage.

All of the payloads installed in the profile are installed together or not at all.

So all the payloads are installed together or not at all and this gives you the ability to combine restrictions and account access in a single payload and this is a technique we call the carrot and stick.

So the carrot and stick basically says if you want access to my email servers you must have a passcode of a certain standard on your device.

If you want access to my VPN then you can only let your device idle for five minutes before it locks the screen.

So you combine the carrot which is access to your resources with the stick which is the restriction that you put in place to get that access and since the profile needs to be installed together the user can't remove the restriction without also removing the access.

So use this to your advantage.

Carrot and stick combine your restrictions and your account access in a single profile.

So that's configuration profiles.

It allows you to configure your iPhone very easily using XML files that you can generate and install, and get your accounts in there, your restrictions, your certificates, etc. So now you can do that with iPCU, you can connect your phone to your computer, and that's great, and then you get 20 iPhones, and then you get 50 iPhones, and you get 100 iPhones, and 1,000 and 10,000 iPhones; you don't want to handle each one of them by hand, because you'd be doing nothing else.

So is there a way to get these iPhones configured without manual intervention?

And the technology we use to solve that problem is Over-the-Air Enrollment.

So let's take a look at that.

Over-the-Air Enrollment allows you to use a web portal to set up the iPhones so the user logs into your web portal and gets their iPhones configured.

Because you know their login you can create a custom profile for each login and this is useful because you may want to configure a phone owned by an employee on the west coast a certain way, Wi-Fi and VPN access for them, versus somebody in the east coast.

You may want to configure a phone that belongs to engineering a certain way versus something that belongs to a user in sales.

So you can make these decisions and deliver custom profiles using OTA Enrollment based on the user's login.

As an added benefit of OTA Enrollment, we use a protocol called SCEP, Simple Certificate Enrollment Protocol, to exchange certificate information, so that the phone has a private key and a public key, and then your server has the public key to that iPhone, and now you can encrypt profiles for the iPhone. So let's take a look at how that works.

So by the way I have an iPad here that I'm using to control a server behind the scenes so I'm not actually controlling the iPhone from here but this is just a console so I'm going to stage a profile for enrollment.

So the first thing you see in OTA Enrollment is a login screen.

So the user visits a login screen and they type the user name and password, so Chris is going to log in here [ pause in speaking ]

and he gets a view that shows him that he's enrolling in a configuration service so go ahead and install that.

Now the device is using SCEP to exchange its public key with the server, and then it installs a profile.

Ah, this time it works.

Thanks for turning off your MiFis.

So set a passcode; this is the same profile that we set up using iPCU a few minutes ago, so we require a passcode and we're going to configure an Exchange account and a web clip.

Notice that you are prompted for a passcode before the profile is actually installed and it's installed, tap done, so let's go back to the home screen and there's our web clip, the Apple web clip and oh, we have an email, our email is set up, there you go.

So that's Over-the-Air configuration.

You go from a login to a custom-configured iPhone and this is of course very scalable because you don't have to do any manual steps once you've configured your web server and you can put in rules that configure devices according to your IT policy and you can deliver custom profiles based on a user's login.

So let's take a closer look at how this actually works behind the scenes.

The first thing you want to do is you want to send your user to visit a URL, so you can do this using SMS, you can send them an SMS with a URL in it, you can send them email instructions, or just tell them to go to the IT page and tap a link, or some combination of those, so get them to go to a portal.

The user will then log in with their credentials.

Now you know who they are and you can decide whether the user is eligible for your enrollment service or not.

If they are, your server then sends a device authentication challenge which will show up as that view with the install button on the device.

If the user taps install, what happens is then the iPhone is going to talk to your server and tell your server about its hardware and configuration, so it tells it what model it is, what OS version it has and serial numbers and a handful of other information.

At this point, your server can make another decision whether to continue with enrollment or whether to deliver a custom profile based on the device type.

For example, iPod Touch versus iPhone versus iPad.

If your server decides to go on we then use SCEP: Simple Certificate Enrollment Protocol to exchange keys, and this is how it works, so the iPhone generates a public and private key pair.

It then takes the public key and sends it to your certificate authority server as a certificate signing request.

Your server then signs the certificate, keeps a copy for itself and sends the signed certificate back to the device.

At the end of that process the device has a private key and a public key in the form of a certificate that has been signed by you and you have the copy of the public key, now you can encrypt profiles for the phone, which is what you do.

You create a custom profile which you then encrypt and send to the phone, where it automatically gets installed, and new in iOS 4 you can now configure the iPhone to send a confirmation back to your server to say yes, I installed this profile successfully.

So this is how OTA Enrollment works.

You go from a login to creating a custom profile specifically for that user according to your rules, based on their login.

So that's OTA Enrollment.

[ applause ]

So now we can use configuration profiles to configure your phones to set up your accounts and restrictions.

We know how to deliver these custom configurations in a very scalable way using OTA Enrollment.

Now, your configurations changed, right, your email servers may move or your VPN may change, certificates expire and users may move from one department to another and you have to reconfigure your phone.

Well how do you do this?

Well, what you do now in iOS versions prior to 4.0 is you tell the users to re-enroll, so you go back to the URL, re-enroll, and your phone is reconfigured.

Well that's great but, you know, how can we automate this?

How can we proactively configure someone's phone and while we're at it, why not try and find out what the snapshot of the device state is at that time.

Are you still compliant?

Did you do something to your phone?

Did you upgrade your OS without letting me know?

It would be nice if you could do that, wouldn't it?

Yet now we can because in iOS 4 we have a new technology that we call Mobile Device Management.

Let's take a closer look.

Mobile Device Management: Mobile Device Management allows you to manage iPhones over the air and on demand.

It works over Wi-Fi and cellular so it works with iPhones, it works with iPod Touch, it works with iPad when iOS 4 becomes available for it.

It is mostly transparent to the user; the user wouldn't even know that you're managing their phones.

Things just get magically set up and updated without the user knowing it.

So users buy iPhones and iPads and iPod Touches because the user experience is great and we want to be able to preserve that while giving you the ability to manage the devices.

You get to initiate this process using the Apple Push Notification Service.

Now why do we do this?

Well the Apple Push Notification Service is great for preserving battery life so the device is essentially asleep until it gets a Push Notification, so that's one main reason.

The other is the Apple Push Notification Network is far from being exercised to capacity, there's a lot of bandwidth left and we can use this to our advantage so that you get a response for the device in a reasonable amount of time.

However, once the device wakes up, it talks to your server directly using HTTPS so Apple's network wakes the device up and then gets out of the way and now it's between your server and the device.

You get a comprehensive list of management features using Mobile Device Management.

You get a handful of very useful remote commands and lots of queries.

Let's take a look at those.

So remote commands you can install and remove configuration profiles over the air on demand.

So as your configurations change you can update them. You can install and remove provisioning profiles, so if you have in-house apps you use this to install provisioning profiles on the devices and keep them up to date, so as your provisioning profiles expire, before they expire, you replace them with a new provisioning profile and the user doesn't know that it's expired, no alerts, no nothing, which reduces your help desk calls.

You can lock a device, you can remove a passcode.

Now why would you do this?

Well since you are the IT crowd there's some of you who have made your users have 12 character passcodes with punctuation, no sequential characters and alphanumeric, right?

And what happens?

They forget.

They forget their passcodes.

So this gives your help desk another button to push to support your users, so if they forget the passcodes they give you a call, maybe you do somebody else's iPhone, let that sink in for a minute, but now you have the option to send a command to the device to temporarily remove the passcode so that they can enter another one.

Let's take a look at, oh, you've got remote erase, so you can erase a device without using Exchange.

[ applause ]

So very useful commands, very powerful commands.

Let's take a look at what you can ask the phone.

You can ask it about its network details.

Bluetooth and Wi-Fi MAC addresses, etc. What can you do with this information?

You can tell if a user is roaming.

You can tell if a user is roaming with their data roaming turned on and you can tell them to turn it off.

You can tell when the user has changed their SIM card.

Some of you have policies about that, about international travel, where you want them to change the SIM card to use a local SIM; you can use this to check whether they've done that, and when they change their SIM card their phone numbers change, so you can ask the phone what its current phone number is and you can update your database, very convenient.

You can ask the phone about its device information, sort of general device information.

So OS build version at that time, so on demand if the user upgrades their OS you can detect it.

You can also detect free space available so if you have enterprise apps that require certain amount of free space to download very large documents you can warn the user, hey, you know, you're not going to be able to use this part of the app unless you free up some space.

You can ask the device about application details.

What apps do you have installed?

How much space are they taking up?

And what version are they?

And the version part is important for you because as you deploy enterprise apps you want to make sure users keep updating their versions so that you can keep the support up to date, and if the user hasn't updated it you can send them a friendly email, hey, please update your app before we drop support for your version, and you can do this proactively. And of course you can install and query provisioning profiles, so you can see when they're going to expire on the device and install a new one before it expires. And finally, you can ask the device for compliance and security information.

So you can ask what configuration profiles are installed, what certificates are installed, when they expire, what restrictions are in effect and this is an interesting one, data protection.

So in iOS 4 we're introducing a new kind of encryption called Data Protection that encrypts your email database and your attachments with an encryption strategy that involves the passcode on the device and it protects the data at rest with your passcode.

Well in order to use this capability the user must have formatted the device in a certain way and not all upgrade paths lead to that formatted state and you can use the query to determine whether the device is actually supporting data protection.

This is of interest to you because you want to know that your devices are protected to the best possible extent.

By the way, the way that you get your devices into the state of data protection is you need to back up the device, restore it to factory settings, and restore the data but make sure that the device is correctly formatted for data protection.

So you can find out if that's working on the device, and of course passcode compliance: you have a passcode standard, you want to know if the user's still compliant.

So network details, device information, application details and compliance and security; these are very comprehensive, and give you a comprehensive snapshot of the device at any time, on demand.

[ applause ]

Let's see how it works.

Again I'm using my iPad to control a server back there.

I'm not actually controlling the phone from this device, although that would be cool. So, alright, the first thing we do is we go to OTA Enrollment again, just as we saw previously.

Chris is going to log in, but instead of delivering the final configured profile as we did previously, we're going to deliver a profile that just has the MDM payload in it, so let's go ahead and install that: SCEP exchanging keys, installing the profile, oh, and you get a warning that says hey, this guy wants to manage your phone, do you agree?

Sure let's install that and it's installed, so now I'm managing Chris's phone, it's that simple.

So let's see what we can do [laughter].

Be nice. So let's add a web clip to the home page.

Now watch closely I'm going to install profile here and I'm going to send a Push Notification, go.

Boom there it is [ applause ]

Let's see another demo let's go to the mail account Chris.

So nothing there; it says set up your mail account. Well, I don't know about that, maybe I'll configure it for him.

So I'm going to send a mail account, push.

Boom it's configured [ applause ]

It's going to take a second here to download the messages there it is.

So I'm not going to push a passcode restriction to Chris's device.

Now as you can tell the whole process is very unobtrusive.

The user doesn't even have to know that you're doing anything and all of a sudden his emails arrive.

You know, it's, how did that happen?

Well you did it, right?

So what about passcode restrictions?

How's that going to work?

So let's try that.

So I'm going to install a passcode restriction on his phone, push, and you're going to notice that it's installed, ok, now it's installed but nothing happens, so let's go to the home page.

Oh, somebody pushed a passcode restriction on you and you have 60 minutes to comply [laughter].

Well, the reason we do this is we don't want to immediately apply the passcode restriction in case Chris was at the airport and is looking up flight information and he's like, oh, I've got to enter a passcode while I'm running to the gate, so we give a little bit of grace period there and give him 60 minutes to do that.

Now this is going to count down, 59, 58, and once it gets to 0 that Later button is going to be gone, so you have to comply right there.

So he's going to dismiss it, now he's going to do other things, he's going to email, and notice that when he does that and he goes to the Home button it doesn't appear again; it only appears the next time he sleep cycles the device.

So sleep, ok, I'll wake it up again, oh, there it is; it still says 60 minutes, it will say 59, 58, etc. So let's comply with that.

[ pause in speaking ]

So now he's complied with the passcode.

So he's going to lock the device and try and enter a passcode here, and alright there you go.

So let's lock the device again and try another scenario shall we?

So Chris has forgotten his passcode.

I made him enter a 12-character passcode and he's forgotten, uh-oh, now what?

Help! Oh that's too bad.

So he calls my help desk, your help desk, now you have the ability to clear a passcode.

So I'm going to send a clear passcode here and oh you have to press cancel, let's see what happens.

Oh it's gone and you get the passcode requirement alert again [ applause ]

So that's Mobile Device Management and it's pretty cool.

So let's take a look at how this works.

So the first thing you do as you saw is you go through OTA enrollment.

The user types a login, goes to your server, you say, ok, this guy, I know him and I'm going to configure the device through Mobile Device Management.

So you've seen that before.

So you generate an MDM profile, or a profile that contains an MDM payload in it; instead of your final configuration you configure it to just have MDM, and it gets installed on the device.

At this point, the device talks to your MDM server to bind itself to its management service, so it says, hey, I want to be managed by you, is that ok?

The server says sure, the device verifies that the HTTPS certificate is valid, etc., and they're bound.

Once everything's in place the device basically goes to sleep and listens for the next notification from your server.

This is the end of initial configuration.

The device is configured.

Now when your server wants to talk to the device all it has to do is to send a Push Notification to our Push Notification server.

Our services are going to deliver that to the device via 3G or Wi-Fi and wake the device up.

Now there is no command inside the notification.

The device talks directly to your server through HTTPS, and at this point your server can talk to the device and ask it to do things, send commands, send queries, and the device talks to your server. This can be a batch command, so you can send it more than one command and it does them in a batch; it also saves battery life to do it in a batch. Once it's done the device goes back to sleep and listens for the next notification.

So it's very simple but very powerful, gives you access to the device on demand.

There is one thing that we need to remember when we're managing a device through Mobile Device Management, and it has to do with something we call managed profiles.

So let's take a look under the hood of an iPhone after it is being managed by your server.

So the first thing you do, as you saw, is you want to install an MDM configuration profile onto the iPhone using OTA Enrollment; this is the root MDM profile, that's the first thing you install.

Once that's installed you can install other profiles through MDM.

These profiles that you install are called managed profiles, and these are distinct from profiles that you install using iPCU, for instance, which are not managed profiles.

So what's the difference?

Your MDM server can query for all of the profiles on the device, including the unmanaged ones so you can tell what other things the user has installed on their phone.

However, it can only remove or replace managed profiles.

Right? It can only remove or replace managed profiles, so if you didn't install it you can look but you can't touch.

Those are the rules.

You can also install profiles through MDM that are locked.

These are profiles that are marked unremovable by the user, so the user can look in the settings and there will be no Remove button on the profile.

So the user can't remove these profiles but your root MDM profile may not be locked, so the user can remove that profile at any time and terminate their relationship with your management server.

This is very important.

The user can always terminate their relationship with your management server but if they do that all of the managed profiles are removed.

So why is this important?

Well remember the carrot and stick.

So you now have two approaches to do carrot and stick.

So the first one you've already seen.

You put your restrictions and your accounts in a single profile; the user cannot remove one without the other, so as long as they have access to your accounts they must have the restrictions in place.

With MDM you can use managed profiles to do carrot and stick another way.

You install the restrictions first in a locked profile.

The user can't remove it, and then you can query the device if you want, make sure that the users comply with the 60-second grace period for the passcode, if you like, and then install the account.

So the user cannot remove the restrictions without also removing the accounts.

So the only way they can get over the restrictions is to stop their devices, remove the root MDM profile, and terminate the relationship with your management server, but they lose all the accounts as well, so that's your carrot and stick.

If you want access to my resources you've got to let me manage your phone.

If you want access to my resources you've got to have these restrictions in place.

So that's carrot and stick number two, so these are the two choices; either one of these is fine, by the way.

You can use the first carrot and stick approach with MDM; that's fine, you can install a profile with both the restrictions and account access. But the second way is another choice, and it is more granular because you can install individual restrictions or individual accounts.

So pick the one that goes best with your IT workflow or your enterprise server app workflow and go with it, so two ways of doing carrot and stick.

So that's Mobile Device Management [ applause ]

So three key technologies in iOS 4 that help you to manage iPhones in your enterprise and help you to create your next killer app for the enterprise space.

Configuration profiles let you configure iPhones with accounts and restrictions and settings just the way you like.

OTA Enrollment allows you to enroll tens of thousands of devices using a web portal, and now in iOS 4 you have Mobile Device Management that allows you to monitor and manage these devices on demand and over the air, but there is one more thing.

There's a new feature in iOS 4 that you've asked us for that will make your lives easier, and today we're giving it to you.

That new feature is Wireless Enterprise App Distribution [ applause and cheering ]

You can now distribute your enterprise apps wirelessly without the user having to go through the tethering process to download your apps.

So we allow you to distribute in-house apps with this protocol using your own web server.

No need to register your app with iTunes; you serve it up, the user can install it.

There is Xcode integration to make it easier to stage your apps for deployment this way.

Let's see how it works.

So I'm still managing Chris's phone through MDM.

So what I'm going to do here is install a provisioning profile and a little web clip.

Now remember I can batch these commands, so I'm going to send a push notification now and it's going to do both.

There it is.

Oh it's an app catalogue; it's your app catalogue.

So let's tap that link.

Ah these are your apps.

They're hosted on your web server, and this is just a simple webpage that you serve up on your web server, so let's install the Customers app; maybe this is a CRM application.

Oh sure, install that, and it's installed [ applause ]

So it's that simple.

So how do you get this thing going?

What do you need?

Well, you need a web server, but you've probably got one already.

You need a distribution provisioning profile.

You can download this through the developer portal; it's the same provisioning profile that you've always had.

You need your apps to be packaged in the .IPA format, and you need an XML manifest to help the phone find your app and figure out how to install it, and fortunately we automate the last two pieces using Xcode.

So you [applause] do an app archive, say Share with Enterprise or Distribute for Enterprise, fill in the form with a URL, and that's all you need.

It works best with MDM.

Now wireless enterprise app distribution does not require MDM, so you can use this today.

You can deploy your apps today with iOS 4 just using your web server; tell the users to go here, grab the app, and off they go, but it works best with MDM, and here's why.

You can install a web clip for your app catalogue, as you saw, and save your user from having to find where to get the apps.

You can install and renew provisioning profiles, which is really cool.

It helps you to prepare the devices to have the provisioning profile before the users install the app, and renew these provisioning profiles before they expire, so the user experience remains great.

You can monitor your app versions, which is important again if you're doing enterprise app development; you want your users to stay on the latest version, so you can use MDM to remind users to upgrade their installations if needed.

So configuration profiles let you configure the phones with your accounts and restrictions just the way you like them.

Over-the-Air Enrollment lets you deploy these configurations in a customized way using your rules, a very scalable solution for tens of thousands of iPhones using a web portal.

Mobile Device Management lets you manage these devices, monitor them, and keep their configurations up to date on demand and over the air, and now wireless app distribution allows you to distribute your enterprise apps wirelessly.

Four great technologies in iOS 4 to help you integrate iPhone into your enterprise better and to help you make your next killer enterprise app.

So what next?

I'd like you to start using these technologies.

The easiest way to get started, of course, if you haven't already, is to download iPhone Configuration Utility.

It's free of charge, and it helps you to get started with configuration profiles.

If you have a very small workgroup, maybe 20-50 iPhones, this is maybe all you need for configuring all the devices using a USB connection, but if not, I encourage you to develop your own solution: join the Enterprise Developer Program.

You can review all the documentation and you can create your own customized solution, integrate that with your IT framework, and you know, go all the way, and if you're an enterprise app developer, an enterprise appliance or server app developer, this is the route you want to go.

You can integrate iPhone and iOS 4 into your application, into your workflow, into your console in a very deep way, or you can buy a third-party solution, maybe from some of the guys in this room.

Watch for Mobile Device Management outfits to start supporting iOS 4 soon.

Alright, for more information please contact Mark Malone.

He's our Integration Technologies Evangelist.

Here's some documentation; it is still going through the review process, so we'll make it available to you soon on the developer website.

If you need early access to this documentation, please come to the lab after this, talk to us, and we'll see what we can do for you, and of course the Apple Developer Forum is always a great place to get help from Apple engineers and each other.

So some related sessions: there's one today, Creating Secure Applications, right after this session.

There's one on Wednesday and one on Thursday that you might be interested in.

Thank you very much.

[ applause ]
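The talk lists the server-side pieces wireless enterprise app distribution needs: a web server, a distribution provisioning profile, the app packaged as an .ipa, and an XML manifest that tells the phone where the package is and how to install it, plus a simple catalogue page that links to it. The script below is an added example, not code from the session or from Apple: it builds that manifest as an XML property list, produces the itms-services link the catalogue page points at, and runs a few server-side checks on a manifest before it is published. The manifest layout (items, assets, metadata and their key names) is the format the device reads; the host apps.example.com, the bundle identifier and the app title are constructed placeholders, and the https-only check reflects the assumption that the deployment serves packages over TLS so they cannot be altered in transit.

```python
"""Generate and sanity-check the server-side pieces of wireless enterprise
app distribution: the XML manifest, the itms-services install link, and the
catalogue page that lists the apps. Added example; sample values are placeholders."""
import plistlib
from html import escape
from urllib.parse import quote


def build_manifest(ipa_url, bundle_id, bundle_version, title):
    """Return the manifest as an XML property list (bytes).

    items -> assets/metadata is the layout the device expects; the values
    passed in here are whatever your deployment uses."""
    manifest = {
        "items": [
            {
                "assets": [{"kind": "software-package", "url": ipa_url}],
                "metadata": {
                    "bundle-identifier": bundle_id,
                    "bundle-version": bundle_version,
                    "kind": "software",
                    "title": title,
                },
            }
        ]
    }
    return plistlib.dumps(manifest, fmt=plistlib.FMT_XML)


def install_link(manifest_url):
    """Return the itms-services URL that makes the device fetch the manifest.
    The manifest URL is percent-encoded so it survives as a single query value."""
    return "itms-services://?action=download-manifest&url=" + quote(manifest_url, safe="")


def check_manifest(xml_bytes):
    """Return a list of problems found in a manifest; an empty list means it
    looks sound. A broken manifest only shows up on the device as a generic
    install failure, so checking it on the server saves support calls."""
    try:
        data = plistlib.loads(xml_bytes)
    except Exception as exc:  # not parseable as a property list at all
        return [f"not a valid property list: {exc}"]
    items = data.get("items") if isinstance(data, dict) else None
    if not items:
        return ["manifest has no items"]
    problems = []
    for i, item in enumerate(items):
        assets = item.get("assets", [])
        pkgs = [a for a in assets if a.get("kind") == "software-package"]
        if len(pkgs) != 1:
            problems.append(f"item {i}: expected exactly one software-package asset")
        for asset in assets:
            url = asset.get("url", "")
            if not url.startswith("https://"):
                # Assumption: packages are served over TLS; a plain http URL
                # would let the .ipa be swapped or modified on the way down.
                problems.append(f"item {i}: asset url is not https: {url}")
        meta = item.get("metadata", {})
        for key in ("bundle-identifier", "bundle-version", "kind", "title"):
            if not meta.get(key):
                problems.append(f"item {i}: metadata missing {key}")
        if meta.get("kind", "software") != "software":
            problems.append(f"item {i}: metadata kind must be 'software'")
    return problems


def catalogue_html(apps):
    """Render the simple catalogue page the talk describes. `apps` is a list of
    (title, manifest_url) pairs; each becomes an itms-services install link."""
    rows = "\n".join(
        f'<li><a href="{escape(install_link(url), quote=True)}">{escape(title)}</a></li>'
        for title, url in apps
    )
    return f"<html><body><h1>In-house apps</h1><ul>\n{rows}\n</ul></body></html>"


if __name__ == "__main__":
    # Constructed sample values; apps.example.com stands in for your server.
    manifest = build_manifest(
        "https://apps.example.com/ipa/Customers.ipa",
        "com.example.customers", "1.0", "Customers")
    print(manifest.decode())
    print("problems:", check_manifest(manifest))
    print(catalogue_html([("Customers", "https://apps.example.com/Customers.plist")]))
```

Serve the generated manifest and the .ipa from the same web server the talk mentions and put the catalogue page behind the web clip that MDM installs; note that current iOS releases will only fetch the manifest itself over https, which is why the check treats an http asset URL as an error.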
