7

We run a Windows network. Some vendors we use are releasing Apple apps for the iPad with pricing etc., and the owners of the company want the associates to have the apps.

I am not 100% comfortable with putting iPads on the network. WSUS controls all updates, and we use VIPRE Enterprise for centralized anti-virus. We have a customized DNS filter on the server, and Active Directory controls all user access etc.

I am just not familiar with the iPad and want to make sure I am not opening up any holes by putting a bunch of them on the network.

Is there an alternative method to run these apps in a Windows environment? Like an Apple emulator or something?

MDMarra
Jeff
  • 3
    Usually it's not a good idea to butt heads with the owners of the company, especially when your concerns are not overly defensible on a technical basis. – EEAA Aug 18 '11 at 14:35
  • I am not familiar with Apple/iPad products; I don't use them, so I have concerns. They're on the network and I don't have control over them like the other machines on my network -- and the problems we have had in the past with giving associates 'freedom' cause concern for everyone. – Jeff Aug 18 '11 at 14:38
  • 4
    You may find the enterprise deployment guide for Apple iOS devices useful, Jeff: http://www.apple.com/support/ipad/enterprise/ – Rob Moir Aug 18 '11 at 14:56
  • 1
    Forcing people to run iPad apps on Windows just because you are *not familiar with the iPad* is awful. What would you think if you were forced to run useful Windows applications on Linux because a sysadmin is *not familiar with Windows*? These days it's common to run a public WiFi network for people bringing their tablets, phones and laptops. – Alex Jasmin Aug 19 '11 at 04:56

2 Answers

16

Create a limited wireless subnet for the i-Devices that only has access to specifically what they need to use these applications. After doing that, you have nothing to worry about as far as security goes.

As an aside, I should say that if you think your network is "secure" just because you use WSUS and a centrally-managed AV system, you're having the wool pulled over your eyes. While doing these two things is a very good idea, and will go a long way to improving the security and stability of your network, there are many more things that you ought to be worried about. Honestly, the presence of a few iPads should be the least of your worries if you have the network itself locked down appropriately.


With all due respect, I feel like you have a bit of FUD with regard to the iPad and the "security" thereof. Apple has released tools to help with the configuration and management of iOS devices. No, you won't be able to deploy updates via WSUS or policy via GP, but honestly that should be the least of your worries. Due to the code signing and vetting process that apps go through, it's quite difficult to get viruses or malware on iOS devices, especially if you firewall your network in such a manner that they are not able to access the internet (or at least only access a small subset of the internet).

Think about this for a moment: many hospitals and clinics are starting to use iPads as an interface for their electronic medical records systems. With all the laws surrounding the need for security of personal medical data (HIPAA in the US, other laws elsewhere), it's clear that iOS devices certainly can be locked down appropriately. You've admitted you're not familiar with the devices. That's fine. I certainly understand being hesitant to adopt a technology due to unfamiliarity. However, don't use the "insecure" buzzword as your stated reasoning for avoiding these devices. Just admit that you're unfamiliar and that perhaps management should purchase you an iPad for testing purposes so you can increase your familiarity with and trust of the devices.

EEAA
  • WSUS and the AV system aren't the only things I have, but they're the two things that are not compatible with an iPad. – Jeff Aug 18 '11 at 14:36
  • @Jeff - see my most recent edit to my answer. – EEAA Aug 18 '11 at 14:41
  • The only thing they want the iPads to have is internet access. WSUS wasn't my main concern; I am not sure how the iPads update (will I have to connect them to iTunes every time they need an update?). I know the AV system we have purchased won't run on them - I am just not familiar with the iPad and want to make sure I am not opening up any holes by putting a bunch of them on the network – Jeff Aug 18 '11 at 14:43
  • 2
    @Jeff - again, this is not an iPad issue - it's a firewall issue. Even with AV running, your Windows machines are *much* more vulnerable to getting infected with malware from the internet than iOS devices are. See my most recent update. – EEAA Aug 18 '11 at 14:49
  • @Jeff as of right this moment, iPads have to be connected to iTunes to update, but there is a major OS upgrade about to come out for iPad and iPhone that will allow 'over the air' OS updates, so that shouldn't be an issue. Your AV won't run on them, sure, but then the threat profile for tablet devices of this type is rather different from the threat profile for conventional devices. There are concerns with putting iPads on a network, sure, but OS updates and AV software wouldn't make *my* top 20 concerns. – Rob Moir Aug 18 '11 at 14:50
  • 1
    You need to have an iPad for testing (it can go to another person for production), but you need to check what it has access to. You should also know that any modern tablet/phone has the ability to store data. This is a concern as users can steal data, or cause sensitive data to be lost/stolen when the device is misplaced. – tkrabec Aug 18 '11 at 14:51
  • @ErikA I edited my original question; saying they are 'insecure' was not the right wording for the original question. I appreciate your responses - I am looking into the wireless subnet. I did not know that hospitals used iPads either. I marked your answer as correct; it pointed me in a good direction to build on. Thanks for your time – Jeff Aug 18 '11 at 14:51
  • If I could +1 again for your edits, I would – Nixphoe Aug 18 '11 at 14:52
  • @Jeff - you're welcome. Good luck, and enjoy the project! – EEAA Aug 18 '11 at 14:52
  • @ErikA btw, I run ASA security appliances. – Jeff Aug 18 '11 at 14:53
  • I know that when I connect my 'iDevices' to my company Exchange servers, a policy is forced on me to set a fairly strong unlock password on those devices. This is a LARGE company (>250k users) that's allowing this to happen, so obviously enough security people think that's good enough. – Chopper3 Aug 18 '11 at 14:56
  • @Chopper they have laptops and desktops in the store for Exchange access; I don't think I will allow the iPads to connect to Exchange. I have policies set up for ActiveSync and only a select few are allowed to have that to begin with. – Jeff Aug 18 '11 at 14:59
  • 1
    @Jeff if you allow them to have iPads on the network I can pretty much guarantee within a few weeks they will want to get their email on it. If you don't want them to then that is fine, but you'll need a good reason. iOS supports most (if not all) of the features of ActiveSync, including security policies and remote wipe, so using security as the reason is unlikely to fly. – Sam Cogan Aug 18 '11 at 16:03
  • @Sam I understand what you mean but I doubt they will -- the associates that will use the iPads are not even allowed to use ActiveSync on their mobile devices unless they are a manager. It's nice to know that it supports all the features of ActiveSync though. Thanks again – Jeff Aug 18 '11 at 17:14
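
The "limited wireless subnet" recommended in the answer above comes down to an ordered, first-match rule list on the firewall between that subnet and everything else. The following is an added example, not part of the original thread: a Python check that models such a list and reports internal hosts the tablets could still reach, including the case where a broad web permit sits ahead of the internal deny. All addresses, rules and function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread).
DNS_FILTER = ipaddress.ip_network("10.0.0.10/32")  # existing filtered DNS server
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules for traffic arriving from the iPad subnet: (action, proto, dst, port).
# A port of None means any port. First match wins; no match means deny.
RULES = [
    ("permit", "udp", DNS_FILTER, 53),                 # only the filtered resolver
    *[("deny", "ip", net, None) for net in INTERNAL],  # block the corporate LAN
    ("permit", "tcp", ANY, 80),
    ("permit", "tcp", ANY, 443),
]
# Same rules, but with the web permits moved ahead of the internal deny.
BAD_RULES = RULES[:1] + RULES[-2:] + RULES[1:-2]

def evaluate(rules, proto, dst, port):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if addr not in r_dst:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"  # implicit deny at the end of the list

def internal_leaks(rules, probes, allowed):
    """List probes to internal addresses that are permitted but not expected."""
    leaks = []
    for probe in probes:
        proto, dst, port = probe
        is_internal = any(ipaddress.ip_address(dst) in n for n in INTERNAL)
        if is_internal and probe not in allowed:
            if evaluate(rules, proto, dst, port) == "permit":
                leaks.append(probe)
    return leaks

# Constructed probes: file sharing on a server, an intranet web server,
# the filtered DNS server, and a public site (documentation address range).
PROBES = [("tcp", "10.0.0.5", 445), ("tcp", "10.0.0.20", 443),
          ("udp", "10.0.0.10", 53), ("tcp", "203.0.113.10", 443)]
ALLOWED = {("udp", "10.0.0.10", 53)}
```

With `RULES`, `internal_leaks` returns an empty list; with `BAD_RULES` it reports the intranet web server, because the HTTPS permit matches before the deny for internal ranges is reached.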
6

The only iPad simulator I am aware of is the one you get with the development SDK, however I believe this will only allow you to run your own apps that you have developed, rather than download them from the app store.

What are your concerns regarding having iPads on your corporate network? Have you considered a wireless network for the iPads that is restricted to just internet access and corporate mail, or whatever they need and nothing more?

Sam Cogan
  • I'm trying to get suggestions for it - but the wireless network subnet for the iPads is an idea. I have never set a wireless subnet up before though, so I am not sure of the process involved. – Jeff Aug 18 '11 at 14:35
  • 1
    I'm also pretty sure that the dev SDK requires purchasing Macs and will not work in Windows. http://stackoverflow.com/questions/3757319/programming-on-the-iphone-on-windows-linux – dr jimbob Aug 18 '11 at 15:55
  • @dr jimbob Also very true – Sam Cogan Aug 18 '11 at 15:59