Apple iPhones and iPads may have made inroads into business, but managing a fleet of iOS devices can be challenging, particularly without the help of third-party software.

Analyst house Gartner took a close look at the options open to businesses when it comes to deploying and managing Apple-made machines.

The report Meeting the challenges of Apple iOS device lockdown concludes that for all but the “most cost-constrained and simplistic” device rollouts, third-party enterprise mobility management (EMM) and mobile device management (MDM) tools need to be used.

“Such products ease the use of multiple profiles across large user groups by applying contextual metadata beyond basic device identifiers,” the report concludes.

“They can apply different security policies by unique password for each user, and they can adjust policies upward or downward based on the user.

“These tools offer administration of profiles by user and group, improving manageability at scale.”

Here are some of the issues the report says organisations will face when deploying iOS machines without third-party tools.

Some of the difficulties raised in the report are expected to be addressed by greater participation in Apple’s Device Enrollment Program, which helps automate mobile-device management and is currently only available in the US.

Challenge 1: Mass deployments can be laborious

Each iOS device must be signed in with its own Apple ID, which is necessary to download purchases from the App Store.

These IDs can be created and assigned either manually or using third-party tools that partially automate the process – for example, the Batch Apple ID Creator.

Gartner found that mass deployment of devices can involve a lot of manual tasks, because as each ID is created, it must be confirmed by email, limiting automation.

Reimaging devices using Apple Configurator, the free tool for mass configuration and deployment of iOS software, also requires each device to be physically connected to the computer running it, and Configurator can only handle up to 60 devices at a time.

Apps and media can be bought in bulk using Apple’s Volume Purchase Program (VPP), which allows a single administrator account to make purchases and manage licences.

Apps can then be pushed to users, most commonly via an MDM or EMM tool, which enables software licences to be recovered and reused when an employee leaves the company.

At present, the VPP is only available in a limited number of countries and requires companies to submit to a verification process.

Challenge 2: In-house management tied to Macs

Apple Configurator can only be used with Macintosh computers, which aren’t necessarily available in every organisation.

Challenge 3: Multiple users on one device

Apple doesn’t provide the capability for a single device to alter the apps and files available depending on who’s using it.

Instead, third-party EMM and MDM tools need to be used to support multiple users on the same device – for instance, by tying some device-specific identifier to multiple entries from Active Directory, Microsoft’s service that authenticates and authorises users on a corporate system.

Challenge 4: Limitations of user controls

When limiting how an iOS device can be used, a configuration profile setting out those limitations is installed on the device. If the user removes this profile, the accounts, certificates and apps it delivered are removed with it, so the device loses access to enterprise data and apps. Enterprise data already saved into third-party applications, however, is not deleted.

Returning the device to its previous locked-down state requires restoring it from a backup, which often means sending it back to enterprise IT.

To restrict the user's ability to remove a profile from a device, profiles can be locked (which requires the device to be supervised) or bound to an Apple ID.

Challenge 5: No easy way to upgrade the OS

An unresolved problem when managing iOS devices, according to the report, is how the OS updates are handled.

Apple does not permit EMM or MDM tools to stage the OS so it can be updated at the discretion of the organisation.

Each device must have the OS updated by its user, raising what Gartner refers to as issues of consistency and reliability, “as the broad set of users employing lockdown devices often cannot be trusted to comply”.

This requirement can lead to a situation where users update an OS to a version that isn’t supported by apps on the device, which can necessitate machines being returned to IT for reimaging.

When a new OS version is available, Gartner recommends that organisations either warn users not to upgrade until told to do so, or use EMM-MDM tools that only permit corporate access from devices running an approved OS version.
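The second of those options, an approved-OS gate, is simple to get wrong: OS versions compared as strings put "10.3" before "7.1", so a device on a newer release is wrongly treated as too old. The following is an added example, not code from the Gartner report or from any EMM-MDM product; the inventory records and the approved-version list are constructed and hypothetical, and the status strings are an assumption of this example rather than any vendor's API.

```python
"""Approved-OS gate of the kind an EMM-MDM tool applies before granting
corporate access (added example; inventory and approved list are constructed)."""

# Constructed inventory, assumed to be what an MDM exports: device ID plus the
# OS version the device reported at its last check-in.
INVENTORY = [
    {"udid": "device-001", "os": "7.1.2"},
    {"udid": "device-002", "os": "8.0"},
    {"udid": "device-003", "os": "7.0.6"},
    {"udid": "device-004", "os": "10.3"},   # string comparison would call this "older" than 7.1
    {"udid": "device-005", "os": "beta"},   # unparsable report from the device
    {"udid": "device-006", "os": "7.1.1"},  # inside the tested range but never tested
]

# Releases the organisation has tested its apps against (hypothetical).
APPROVED = ["7.1", "7.1.2"]


def parse_version(text):
    """Turn '7.1.2' into (7, 1, 2); raise ValueError for anything else."""
    parts = text.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError("unparsable OS version: %r" % text)
    return tuple(int(part) for part in parts)


def pad(version, width=3):
    """Right-pad with zeros so '7.1' and '7.1.0' compare equal."""
    return version + (0,) * (width - len(version))


def check_device(os_version, approved=APPROVED):
    """Classify one device: approved, too-old, too-new, unapproved or unparsable."""
    try:
        reported = pad(parse_version(os_version))
    except ValueError:
        return "unparsable"          # do not grant access on a report you cannot read
    allowed = sorted(pad(parse_version(v)) for v in approved)
    if reported in allowed:
        return "approved"
    if reported < allowed[0]:
        return "too-old"             # user must update before access is granted
    if reported > allowed[-1]:
        return "too-new"             # user upgraded ahead of IT; apps may be untested
    return "unapproved"              # between min and max but not on the list


def access_allowed(os_version, approved=APPROVED):
    """Only an approved release gets corporate access."""
    return check_device(os_version, approved) == "approved"


def evaluate(inventory, approved=APPROVED):
    """Map every device ID in the inventory to its compliance status."""
    return {d["udid"]: check_device(d["os"], approved) for d in inventory}


if __name__ == "__main__":
    for udid, status in evaluate(INVENTORY).items():
        print(udid, status)
```

Treat "too-new" separately from "too-old": the remedy for the first is to hold the device's apps until they are certified (or reimage it), while the remedy for the second is simply to have the user update.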

Challenge 6: Locking down devices

iOS devices can be placed in a supervised state, which imposes strict usage controls and unlocks more than 20 additional management features, including single app mode, silent app push, and always-on VPN.

However, the report says that “supervised state has displayed a number of usability issues, including delays in the check-in and check-out of devices” and adds that the process “requires restoring the device, thus cannot be completed offline and may fail or experience delays on a poor network link”.

Gartner also points out there is no way for a device to auto-wipe itself if a user does not check back in at regular intervals.

“All these issues can make this mode unattractive without additional controls put in place by EMM-MDM tools,” the report concludes.

An alternative way of locking down iOS devices involves combining Apple’s Single App mode with third-party EMM-MDM controls.

“When multiple applications from multiple vendors must be locked down, the applications can request to be locked into Single App mode and the lock released when the user switches to another application. The EMM-MDM solution can control this scenario through profiling as well,” the report says.

This approach, referred to as extended lockdown, is useful when the same device is issued to multiple users – for example, when it is shared between shift workers. At check-out, the user's settings, such as the email server, Wi-Fi and device passcode, are loaded back onto the device using the device's restore process.
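Both the removable-profile problem from Challenge 4 and the extended-lockdown profile described here come down to what is in the .mobileconfig that gets installed, and to whether the device is supervised, since Apple documents profile locking and the autonomous Single App mode list as supervised-only. The following is an added example, not code from the Gartner report or any vendor's product: it builds a constructed lockdown profile with Python's standard plistlib and audits it. The payload types (`com.apple.applicationaccess`, `com.apple.mobiledevice.passwordpolicy`, `com.apple.profileRemovalPassword`) and keys (`PayloadRemovalDisallowed`, `allowAppRemoval`, `autonomousSingleAppModePermittedAppIDs`, `forcePIN`) are Apple's; the identifiers, UUIDs, bundle IDs and the report's field names are hypothetical, and the supervised-only set is a subset recalled from Apple's Configuration Profile Reference that should be checked against the current reference.

```python
"""Build and audit an iOS lockdown profile (.mobileconfig is an XML plist).
Added example; identifiers, UUIDs and bundle IDs below are constructed."""
import copy
import plistlib

# Keys Apple documents as "Supervised only" (subset, from memory of the
# Configuration Profile Reference; verify against the current reference).
SUPERVISED_ONLY = {
    "PayloadRemovalDisallowed",                 # user cannot delete the profile
    "allowAppRemoval",                          # restrictions payload
    "autonomousSingleAppModePermittedAppIDs",   # apps may enter Single App mode themselves
}

# Constructed profile for a shared shift-worker device.
_BASE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.lockdown",               # hypothetical
    "PayloadUUID": "5B2D1C3E-1111-4222-8333-444455556666",     # constructed
    "PayloadDisplayName": "Shift-worker lockdown",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.applicationaccess",      # restrictions
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.lockdown.restrictions",
            "PayloadUUID": "5B2D1C3E-1111-4222-8333-444455556667",
            "allowAppRemoval": False,
            "allowCamera": False,
            # Extended lockdown: only these (hypothetical) apps may request
            # Single App mode and release it when the user switches app.
            "autonomousSingleAppModePermittedAppIDs": [
                "com.example.kiosk", "com.example.scanner"],
        },
        {
            "PayloadType": "com.apple.mobiledevice.passwordpolicy",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.lockdown.passcode",
            "PayloadUUID": "5B2D1C3E-1111-4222-8333-444455556668",
            "forcePIN": True,
            "minLength": 6,
            "maxFailedAttempts": 10,
        },
    ],
}


def build_profile(lock_removal=True):
    """Serialise the profile to .mobileconfig bytes, optionally marked non-removable."""
    profile = copy.deepcopy(_BASE_PROFILE)
    if lock_removal:
        profile["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(profile)


def audit_profile(mobileconfig, device_supervised):
    """Report what the profile asks for and what this device will actually honour."""
    profile = plistlib.loads(mobileconfig)
    payloads = profile.get("PayloadContent", [])
    by_type = {p["PayloadType"]: p for p in payloads}

    # Supervised-only keys used anywhere in the profile.
    used = {k for k in profile if k in SUPERVISED_ONLY}
    for payload in payloads:
        used.update(k for k in payload if k in SUPERVISED_ONLY)

    # The lock only holds on a supervised device; a removal-password payload
    # is the other thing standing between the user and "Remove profile".
    locked = bool(profile.get("PayloadRemovalDisallowed")) and device_supervised
    removal_password = "com.apple.profileRemovalPassword" in by_type

    restrictions = by_type.get("com.apple.applicationaccess", {})
    passcode = by_type.get("com.apple.mobiledevice.passwordpolicy", {})
    return {
        "user_removable": not (locked or removal_password),
        "supervised_only_keys": sorted(used),
        "unhonoured_keys": [] if device_supervised else sorted(used),
        "single_app_mode_apps": list(
            restrictions.get("autonomousSingleAppModePermittedAppIDs", [])),
        "passcode_enforced": bool(passcode.get("forcePIN")),
    }


if __name__ == "__main__":
    for supervised in (True, False):
        print("supervised=%s" % supervised, audit_profile(build_profile(), supervised))
```

The point of `unhonoured_keys` is the check a practitioner wants before shipping a lockdown profile: the same .mobileconfig that is non-removable and permits Single App mode on a supervised device installs on an unsupervised one as a profile the user can simply delete, taking the enterprise accounts and apps with it, exactly the failure Challenge 4 describes.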