in a mobile device management service, described later in this chapter.
So, chances are that you’ll use Apple’s apps and will need to keep account separation clearly in mind as you use them.
Documents should be stored separately, too
A big concern among IT managers is company data being copied to devices that they can’t monitor, potentially providing an escape hatch for sensitive data that they can’t trace to the leaker. That concern has been around as long as the home PC, of course, but it’s still real.
To work on a document, chances are that you have to make a local copy for your iPad, using the Open In service described in Chapter 17. After that’s done, the document – or that copy, anyhow – is no longer under IT’s control or within its ability to monitor.
But you can minimize the commingling of work and personal documents by using separate apps and storage services wherever possible.
For example, you might use Apple’s excellent iWork suite consisting of the Pages, Numbers, and Keynote apps (see Chapter 5) for personal documents; and use Microsoft’s also excellent Office suite of the Word, Excel, and PowerPoint apps (see Chapter 6) for business documents – assuming that your company uses the Office 365 service, which Office for iPad requires.
The Microsoft Office apps don’t let you share documents with other iPad apps, other than send them as file attachments in Mail. And they restrict you to saving files only to Microsoft’s OneDrive and SharePoint services, to the Dropbox cloud storage service, or to the Office apps’ internal storage on the iPad, as Figure 3-4 shows, though you can copy files from other apps, including Mail, into the Office apps. Thus, Microsoft Office for iPad makes it a bit harder to share its data with the rest of your iPad.
Figure 3-4: The Microsoft Office apps (Word is shown here) restrict document storage to just a few locations.
Of course, that separation is not complete. You can set up a personal OneDrive or Dropbox account and move files to it from the Office for iPad apps, and then share the files with other apps and services from the OneDrive or Dropbox app on your iPad or the OneDrive or Dropbox service from your computer. But doing all that takes a plan and some effort, so Microsoft Office is still a good option to prevent inadvertent commingling of business and personal files.
A similar strategy is to use different cloud storage services for work and business documents, such as Dropbox or iCloud Documents for personal files and Box or OneDrive for work documents. In some cases, as Chapter 16 explains, apps can directly read and write files stored on these services. Office for iPad can do so for OneDrive and Dropbox, and Apple iWork can do so for iCloud Documents and Box, for example.
Consider separating your web activities
One of the most convenient features of Apple’s Safari browser is that it syncs bookmarks, passwords, and credit card information across its iPad, iPhone, Mac, and Windows versions – if you’ve signed into the same iCloud account on those devices, of course. But that feature also means that your personal and work web information are synced within the same account as well.
Therefore, you might consider using two browsers – one for personal and one for business. That second browser should be the free Google Chrome, which also syncs bookmarks and passwords across all devices signed into your Google account, as Figure 3-5 shows.
Figure 3-5: As does Apple’s Safari, Google’s Chrome browser syncs bookmarks and passwords across multiple devices.
You might use Chrome for work and Safari for personal business, or vice versa. Because both iCloud and Google are considered personal services by IT departments, they’d probably prefer that you use neither for work, but you don’t really have a choice: Microsoft’s Internet Explorer is available only for Windows, and Mozilla’s Firefox is not available for iOS.
Working with Mobile Device Management
As mentioned in the preceding section, one method for separating business and professional information is to use a mobile device management server, a.k.a. MDM and EMM (for enterprise mobility management). These are systems that your IT department has to deploy and manage, usually for a monthly per-user fee, so they tend to be something that only larger companies use.
But even a small company can use some of these services, thanks to cloud-based small-business versions.
Popular providers include BlackBerry, CA Technologies, Citrix Systems, Good Technology, IBM, MobileIron, SAP, and Soti, though dozens of providers are out there.
An MDM server does at least two things:
✔ Manages user devices like iPads, such as by imposing restrictions on what networks you can access, determining what apps you can install, blocking access to iTunes and iCloud, and controlling whether you can open mail attachments in other apps. They can also remotely lock or wipe your device, disable access to corporate systems, and configure the use of virtual private networks (VPNs, described in the next section).
✔ Provide safe “containers” for corporate apps and data. Typically, these services provide their own apps for handling email, contacts, and calendars, and perhaps other functions. They’re kept in a separate part of the iPad’s memory known as a container that serves as a partition from the rest of your iPad’s apps and data. These apps can access corporate servers for documents and other data, but they can’t share that information with other apps on your iPad. These apps may also include a storage container for documents that you can browse, open from, and save to as well.
As a user, you’re restricted to what your IT department has decided it will permit via MDM. If those restrictions are too onerous, all I can recommend is that you don’t use a personal iPad for work but instead require your company to provide you with an alternative tool for business needs, such as a separate iPad or a laptop.
Enforcing basic security without the cost or effort of an MDM server
The iPad natively supports the Exchange ActiveSync (EAS) management policies provided by Microsoft’s popular Exchange server (including the Office 365 service). It’s sort of a budget MDM for small businesses, letting the company require your iPad be protected with a password (including its complexity and how often it must be changed), wipe or lock your device remotely, and remotely configure some security settings such as for Wi-Fi access points and VPNs.
The Exchange or Office 365 administrator for your company sets up which policies apply to which user groups in the management console for Exchange or Office 365.
I encourage any company of any size to at least use these policies to set basic security parameters for users’ iPads. You may not need a full-blown MDM tool, but everyone should set up basics such as password requirements.
Apple has another MDM option on the cheap – two, actually. But they’re Mac-only products. One is the free Apple Configurator (available at the Mac App Store), which lets you set policies similar to what EAS offers as well as impose additional restrictions and apply additional configurations. You create
