
How to turn an iPhone into a Nokia, apply the CESG policy

CESG, the government department that, among other things, sets the data-handling policy for government IT, decided earlier this month that the imminent demise of the BlackBerry (version 10 of the OS notwithstanding) means they need another phone approved for government use. The iPhone got the nod.

With BlackBerry being dropped pretty much all over the world, the once darling of the phone world had been accredited, with a predefined policy applied, to give Government users a mobile way of reading their email up to the level called restricted; if you were a government minister receiving top secret emails, not so lucky. This has led to CESG needing to find another phone for Ministers and Minions alike to read their email on the go.

This has led to headlines on sites like CNET such as

iOS 6 iPhones and iPads get security thumbs-up from UK government

and on The Register as

iPhones now ‘safe’ for Restricted info, but not Secret

The problem with headlines is that they only give you half the story. While every bureaucrat this side of Westminster is jumping for joy that a shiny new iPad or iPhone may well be coming their way, it’s not all roses and butterflies.

You see, despite reports all over the globe that BYOD is the saviour of us all, and the luvvies of this world thinking they can just hook their iOS device up to the company LAN and start downloading to their hearts’ content, the realistic truth is that no self-respecting sysadmin worth their salt is going to let that happen.

The realistic truth is that the novelty of these devices will wear off pretty quickly in most cases, once users find out that their smartphone is going to be a lot less smart after the IT dept has got hold of it. There is no way you can put a device on a company network and expect no response from the IT dept. Yes, they may be the fun police, but as was pointed out to me today, “Everyone is an IT specialist, right up until the point it all goes wrong”. At that point Sales, Development and Presales all point the finger at the IT dept and say “sort it out, I’ve got a job to do”, and the hours spent circumventing security systems, clicking No because the backup slows your reading down, and all the other joys of being a user become things that other people do.

So what will you get for your £400 iPhone when it goes on the company network?

Well, I’m happy for you to read your email, but you’ve got to be joking if you think you are saving it on your device. Forget about iCloud; I don’t want the company figures being indexed on iCloud or left in a Dropbox folder you have password protected with the word kittens or Password123. Forget apps. Why? Simple: Apple have a history of “forgetting” to actually check all the apps, some of them data scrape, and we can’t trust any app which has access to your mail, contact list or calendar not to pass that data on to another party. Best case scenario, I’m going to set up a sideload app store, but I’m not letting you install all sorts of cloud-based, Google-hugging apps.

So as an IT dept I have two choices for Mobile Device Management.

The walled garden

The walled garden consists of an app I install on the iDevice which connects to a back-end MDM server; the best example of this is Good Technology. This app contains a mail client, a contact list, a calendar and maybe some other apps, all inside one container app which can’t speak to any other app on the device. There are obvious pros to this, however research shows that people want to use the native iOS apps such as Mail, Calendar and Contacts, not what’s in the walled garden.

The complete takeover

The alternative to the walled garden is to give the user the more native experience, but lock down the system so you have control of the apps on the device; MobileIron is a good example of this. The user has access to the native apps, however the system locks down Mail and turns off other apps so the user doesn’t have access to them.

The long and the short of all this is that what the user thinks they are going to get and what they actually get are two different things. The user perceives that they can use their iPhone to do all the things in the Apple ad; the reality is that the iDevice needs to be locked down to the point where it has the same functionality as a 1992 Nokia phone. This needs to be done because (a) we don’t trust the cloud, the apps and the internet, and (b) we don’t trust the user, in the heat of the moment, not to do something foolish which could compromise the company’s data.

So while CESG may have opened up the government to the world of the iDevice, and while corporate BYOD is the finance department’s wet dream, the harsh reality is that without good user policy, and protective safeguards against the user and/or the environment, this phone is not that flashy new device we see in Apple’s glossy commercials; it’s just a very expensive portable email client.


2 comments on “How to turn an iPhone into a Nokia, apply the CESG policy”

  1. Rob
    November 29, 2012


    There are other applications out there which perhaps offer a richer ‘sand-boxed’ approach, thereby providing a range of corporately controlled applications whilst maintaining a secure implementation.

    Such a solution is DME Excitor which was CESG CCTM certified before CCTM was replaced with CPA.

    Layering this solution on top of an assured, secure implementation may provide the right balance, enhance security, provide a management/MDM capability and arguably turn a secured iOS device into something more than just an expensive email client?



    • projectzme
      November 29, 2012

      That’s a fair comment, I’d be interested in knowing more about this software, does it afford the user access to the native apps such as mail, calendar and contacts? How does it deal with the user connecting to potentially problematic wifi networks? If it does use native apps for things such as mail on iOS how does it safeguard from local copies of attachments?

      Can I apply the XML files generated by the apple configurator to the device or does it utilise its own system..?

      I’m genuinely interested. I’m split between native app usage or the sandbox app being the better solution, and how CESG intends to apply a locked-down configuration: will this solution be able to apply a CESG lockdown according to any policy they publish? Can I do it over the air or would I need to be tethered?

      So many questions

This entry was posted on November 27, 2012 in Apple, comment.