Most tablets, and iPads in particular, are typically single user devices.

Scenario: A service business that interacts directly with customers in person and wants to use iPads while interacting with customers during the sale and for customer service. There may be native apps and web apps. Because not all sales/services agents will need an individual iPad, there is a plan to share a number of iPads in a given location between numerous employees.

What precautions need to be taken in order to ensure information confidentiality, as employees may need to put data for their individual clients on the iPad, which should not be accessible to other employees? What other risks should one consider in this scenario, such as stored credential exposure or tying auditable events to a particular user?

Are there any native configuration settings or setups that can be used to secure the use of shared iPads? Are there any tools or techniques which others are using to manage this scenario? Something like Deep Freeze or a quick base-image reset may work if some type of per-user profile could be loaded?

Eric G
  • 2
    Square peg, round hole... Ain't tablets **personal gadgets**? An interesting question, nonetheless. – Deer Hunter Apr 26 '13 at 05:33
  • 2
    It's likely possible with a combination of tools, but probably more hassle than it's worth to continually restore the devices to a known state between users. Why not just set up a centralised repository for this kind of shared information and have a web-app that the staff can use from any device, iPad or otherwise? – Polynomial Apr 26 '13 at 10:25
  • Let's go on the assumption that the C-Level guys think iPads are cool and are driving this against the wishes of IT (that never happens anywhere, right?). Even if all the apps were web based, I imagine there should still be concerns over credentials, PDFs that get loaded, email app (maybe they will use web based email, maybe not), printing, etc. – Eric G Apr 26 '13 at 14:37

2 Answers

We've recently been testing Good for Enterprise, which has turned out to be great. Users can install it on any device, iOS or Android (assuming it is compliant with your standards, i.e. not jailbroken, for example), then set up quickly and easily. All your personal data (email, contacts, documents etc.) are synced and stored within the encrypted application. If you unenroll one user and re-enroll another then there won't be any remnant data on the device inside the app, so it could easily be shared between users. Setup takes a minute or two and is quite painless. You can also push out applications to the users via the 'Good' application.

Other things that might be of interest to you: the Defense Signals Directorate iOS Hardening Guide and a list of mobile management software.

NULLZ

Two answers:

  1. If you have to use iPads, then think of them as "kiosk" devices, and whatever each "user" does, they must log into specific applications to do it. You could do that by just having each individual application represented on the device, and they log in individually, or if you want to make it seem "slick" you could use something like Citrix and have a holistic login that opens up a virtual "desktop" for each user.

  2. You could consider switching to Android in the near future. Don't want to start a platform flame war here, but Android in the next release is providing multi-user infrastructure built into the OS. You would then have the ability to have multiple users dynamically using the same "pad" at the same time. I am not sure of the plans Apple has for this.

As a final answer, you could of course develop an overlay application that essentially takes over the iPad and does what (2) is doing for the iPad, but it would be a facade, and you would have a lot of work to do to ensure CIA (confidentiality, integrity, availability).

Tek Tengu
  • Is (1) just a remote desktop suggestion, or another avenue? If remote desktop, what solutions work and still provide the "iPad" goodness of using fingers, low latency, apps, etc.? Want to look slick for the customers, not an iPad logging into a Windows desktop :-) For (2), can you provide more detail in your response - will this integrate with AD/LDAP, etc., or is this just local users / local auth? – Eric G Apr 26 '13 at 17:15