Working through a financial client’s tablet deployment challenges

April 30, 2012

The initial justification was the use of the iPad as a pitch book delivery mechanism. Once they started down that path, however, the tablet users soon wanted an application to control presentations and share the pitch book across multiple devices.

But the company is very security conscious. It does not permit employees to use WiFi while on premises, nor while away from the office. Employees are not able to install applications on company-owned machines, nor are they able to access cloud-based services.

The first challenge was how to deploy the pitch books to the devices. The company did not want to install iTunes and Bonjour on its machines and network. It realized the pitch books could be easily installed on the iPad via email, but the WiFi and email policies precluded the iPad from connecting to the company’s email system. Instead, the initial work-around was to send the pitch book to a Gmail account, then download and install the pitch book onto the iPad by having the iPad connect to that Gmail account.

That worked fine for the first iPad, but the company didn’t want every iPad configured to connect to the same Gmail account. After all, people outside the company would be handling the devices during meetings.

The next realization was that Apple’s iCloud could be used to synchronize the pitch book to the other devices.

Around that time the company decided to take a step back and asked: a) what are the risks to using Gmail, iCloud and WiFi? b) how can we mitigate those risks? and c) can we simplify the process and make it more secure?

Those problems were solved. The pitch books don’t contain any confidential information and the firm hasn’t opened its email or network attack surface area in any manner. The transmission to Gmail is protected by TLS as is the connection between the iPad and Gmail, as long as the wireless connection hasn’t been compromised. Synchronization over iCloud is also encrypted. It is true that a Google or Apple employee could access the files, but each company has controls in place to minimize this risk, and the information is not confidential.

The company now plans to require passcodes on the iPads, and each device will be configured so that it can be remotely wiped if it is lost or stolen.

Employees using the iPads are being provided with MiFi routers and instructed to connect only to those, as a way to mitigate the risk of connecting to a rogue access point.

Password management issues

It turns out the most difficult task may once again be password management. Each MiFi needs to be reconfigured to use a different SSID and password instead of the factory defaults. The Apple ID account needs a strong password, which has to be disseminated to each device, and the Gmail account should have a strong password. Of course, an eight-character password to gain access to each tablet would be better than a 4-digit PIN.

If the scope creeps and the tablets are used for more tasks, the company really should move to a VPN and eliminate the dependency on Gmail. It might start using a WebDAV client to push the data to iCloud first, or use a more secure service to deploy the data to each device.
