Macworld iWorld wasn’t just about exhibit halls full of cute, bizarre accessories for iPads and iPhones. There was an enterprise track called MacIT, during which I heard a fascinating talk on Thursday by Justin Rummel, a senior project manager at Qivliq Commercial Group.
Some of Rummel’s Dilbert-like anecdotes will be familiar to anyone who has worked in enterprise IT or deployed mobile devices (see this list of nearly 600 large-scale iPad deployments). Others highlight the type of measures that only an uber-security-conscious body with 3 million-plus employees must – and will – take.
As part of a federal green initiative, the Pentagon wanted to test the iPad as a document e-reader for its executives. It brought in Qivliq, which set up several pilots of 20 to 40 iPads each last year.
Despite the fact that all of the documents would be unclassified, Rummel still had to go by the book – in this case, the Security Technical Implementation Guide, or STIG, which serves as the bible for how government PCs and devices must be configured and managed.
For instance, iTunes is wholly banned from government PCs – an obvious problem since iTunes is needed for synchronizing with and setting up new iPads. Using Rummel’s personal PC seemed out of the question, since only government-owned PCs are allowed on Pentagon networks. Any personal PC detected on a Pentagon network can be whisked away by security officials, and not returned for weeks or months.
“They kind of laugh at you if you ask if you can use a personal machine,” he said.
Bending, not Breaking, the Rules
To set up the new iPads, Rummel had to go onto the lawns of the Pentagon with his personal laptop and connect each iPad one by one to the iTunes store using a Mi-Fi mobile wireless hotspot. He doesn’t recommend this for everyone.
“If you’ve got 1,000 iPads to set up, this is not an efficient approach,” he said, dryly.
The Pentagon had many other restrictions: preventing users from installing or deleting their own apps, taking pictures with the iPad camera, watching movies and TV shows, and playing network games. It also asked Qivliq to move some default iPad app icons like Safari into hidden folders, and to prevent users from swapping the custom Pentagon screen background for pictures of their family or kids.
Qivliq also set the iPad’s login and password settings to match the Pentagon’s BlackBerry smartphones. That meant complex passwords that had to be changed every 90 days, auto-lock of the device after 5 failed login attempts, etc.
Some of the policies the Pentagon asked for proved impossible using iOS 4 and Good Technology’s Mobile Device Management (MDM) solution, said Rummel. For instance, the Pentagon wanted Rummel to delete some of the apps built into iOS 4. Told that it was impossible, it settled for Rummel moving those icons into a different folder so that they “would be out of sight and out of mind” of the executive users.
It also unsuccessfully sought to permanently turn off the iPad’s Airplane Mode.
In the first phase of the pilot, users were only able to use the Good PDF reader. That frustrated some of the beta testers.
“‘You mean I can’t use e-mail or surf the Web? This is a rock,’ one guy told me, as he put it in his desk drawer,” Rummel said.
In the second phase, the iPad’s Wi-Fi was turned on. In the third phase, users were allowed secure access to their government e-mail, calendar and contacts after authenticating using a federally-mandated CAC smart card reader.
Once all of the engineering and configuration work was done, Rummel had to fill out forms attesting that he had followed the STIG procedures to a T. Documenting the work, he estimates, took 3 times as long as the actual work itself.
Even with all the painstaking configuration work and documentation, and the limited scope of the deployment, Rummel says the ROI of using the iPads should be just six months. “I guess the executives read a lot of paper,” he said.
Despite the pilots’ apparent success at meeting their objectives, the Pentagon hasn’t pushed ahead with a full iPad deployment yet. The reason is that the STIG governing iOS devices was released as a draft in 2011 but hasn’t been finalized, said Rummel.