iPhone vs. BlackBerry: A mobile device comparison - Sophos

Which is better for your business?

While the BlackBerry is the go-to mobile device for a security-savvy enterprise, the iPhone has its own arsenal of features to make it effectively secure. Either device can be used as a secure business tool if it is configured properly and used correctly.

The BlackBerry is the more mature solution with the ability to remotely provision, configure, and restore devices; however, its flexibility adds to its complexity. Administrators can make detailed solutions, but they can take a long time to implement. Additionally, without the BlackBerry Enterprise Server (BES), the BlackBerry offers little personal management.


Apple's iPhone security so far is good but not perfect. The configuration tools are mostly intuitive; however, Apple lacks a granular way of controlling applications, and—more importantly—the ability to remotely provision, configure, audit and enforce devices. If Apple adds these functions, it would put the iPhone on even footing with the BlackBerry.

As both the iPhone and the BlackBerry are vulnerable to malware and exploits, any policy decision on either device comes with associated security risks.

To help you make an informed decision, the sections below compare iPhone and BlackBerry features.

Application settings

Remote wipe
iPhone: Remote wipe for iPhone is available through:
  • Exchange 2007 Management Console
  • Outlook Web Access
  • Exchange ActiveSync Mobile Administration Web Tool
  • Exchange 2003 - Exchange ActiveSync Mobile Administration Web Tool
Wipes take approx. 1 hour per 8 GB of data on the device. Remote wipes of an encrypted device (iPhone 3GS or the 32GB+ iPod Touch) will first remove the AES-256 encryption key, making the encrypted data immediately inaccessible.
BlackBerry: Remote wipe is a core feature of the device and can be triggered from the BlackBerry Enterprise Server (BES). Wipe times and implementation are comparable to the iPhone 3GS.

Encryption
iPhone: The 3GS has hardware encryption, which is also enabled by enabling the ActiveSync option. Also available on the 2009 iPod touch. AES-256 is employed by default. Pre-3GS devices do not provide encryption. Rumored encryption bypass vulnerabilities, some of which are true, all require the iPhone to be already jail-broken.
BlackBerry: BlackBerry devices provide encryption and policy from the BlackBerry Enterprise Server (BES). The implementation is trusted and validated by many government organizations.

Provisioning
iPhone: Requires local configuration.
BlackBerry: Remote and local provisioning.

Remote restore
iPhone: No
BlackBerry: Yes

Password
iPhone: Passcode rules (passcode strength and length, minimum number of complex characters, passcode age, auto-lock timer, passcode history, grace period for device lock, and maximum number of failed attempts). Out of the box, the iPhone uses a 4-digit passcode, but by using profiles in the Apple Configuration Utility you can set more robust enterprise restrictions.
BlackBerry: Rich policy management of password complexity comparable to a desktop environment.
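
The passcode rules in the Password row correspond to keys in the passcode payload of an iPhone configuration profile. As an added example (not part of the original page), this Python script audits a profile against a baseline; the baseline thresholds and the sample profile are assumptions constructed for illustration, and the baseline covers only a subset of the rules.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Assumed organisational baseline (hypothetical thresholds, not from the page):
# payload key -> (check, requirement text)
BASELINE = {
    "forcePIN":          (lambda v: v is True,    "passcode required"),
    "allowSimple":       (lambda v: v is False,   "simple values such as 1234 disallowed"),
    "minLength":         (lambda v: v >= 8,       "length of at least 8"),
    "minComplexChars":   (lambda v: v >= 1,       "at least 1 complex character"),
    "maxPINAgeInDays":   (lambda v: 1 <= v <= 90, "passcode age of at most 90 days"),
    "maxInactivity":     (lambda v: 1 <= v <= 5,  "auto-lock within 5 minutes"),
    "pinHistory":        (lambda v: v >= 5,       "history of at least 5 passcodes"),
    "maxFailedAttempts": (lambda v: 2 <= v <= 10, "at most 10 failed attempts"),
}

# Constructed sample profile mirroring the out-of-the-box 4-digit passcode.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
    <key>maxInactivity</key><integer>5</integer>
    <key>maxFailedAttempts</key><integer>10</integer>
  </dict></array>
</dict></plist>"""

def audit_passcode_policy(profile_bytes):
    """Return (key, problem) findings in BASELINE order; empty means compliant."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return [("payload", "profile contains no passcode policy payload")]
    policy, findings = payloads[0], []
    for key, (ok, requirement) in BASELINE.items():
        if key not in policy:
            findings.append((key, f"not set in profile; want {requirement}"))
        elif not ok(policy[key]):
            findings.append((key, f"{policy[key]!r} is too weak; want {requirement}"))
    return findings

if __name__ == "__main__":
    for key, problem in audit_passcode_policy(SAMPLE_PROFILE):
        print(f"{key}: {problem}")
```

Keys missing from the payload are reported as findings as well, since a rule that is not in the profile is not enforced by it.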

Policy management

Enforcement
iPhone: Can deploy a profile to an iPhone; requires password authentication to override.
BlackBerry: Can set strong controls for the device with a per-option policy on what can and cannot be edited by users. Flexible but rather complicated.

Audit
iPhone: No, management functionality does not yet exist to be audited.
BlackBerry: Yes, based on policy. Logged locally and centrally.

Patching
iPhone: Patches cannot be pushed over the network automatically. They are deployed by iTunes when the user connects and opts to update. iTunes cannot be centrally managed, so an admin cannot dictate deployment of the patch. Reliant on user awareness.
BlackBerry: Patches can be deployed remotely from the BlackBerry Enterprise Server (BES). Full patch audit status and management can be executed remotely without user intervention required. Where a reboot is required, policy can drive whether the user is given a choice to delay to a later time.

Updates
iPhone: Updates to profiles are not automatically deployed and require the user to decide to apply the policy.
BlackBerry: Updates can be pushed from the BES remotely and applied in the background without user interaction.

Application control
iPhone: Profiles can be set to restrict deployed applications. This occurs at bootstrap; the administrator cannot deploy additional applications remotely. In-house applications can be developed for the device, which, in turn, are checked and signed by Apple.
BlackBerry: The BlackBerry Enterprise Server (BES) provides the ability to package and deploy specific applications remotely. Restrictions can be placed on applications that the user is allowed to install to a corporate white list or for administrator deployment only. Per-application policies can be set to limit application access to resources (e.g., network access, local data, permissions to change settings, use location et cetera). These can be managed remotely in accordance with corporate configuration. Extremely granular.

User rights management
iPhone: By default a set of restrictions is provided: explicit content, Safari, YouTube, iTunes, allowing a user to install apps, allowing use of camera, screen captures.
BlackBerry: Granular policies can be set, though they are somewhat intimidating.

Transport security

VPN
iPhone: Yes, password- and token-based authentication available. Requires user interaction.
BlackBerry: Provides an encrypted tunnel back to the BlackBerry Enterprise Server (BES) for data transfer; also supports explicit VPN.

Remote management
iPhone: No
BlackBerry: Yes

E-mail
iPhone: Yes, supports SSL across a range of protocols. Depends on server configuration (Exchange by default). Also allows the use of Authentication Certificates.
BlackBerry: Yes, by default through encrypted tunnel or directly to mail host.

Proxy
iPhone: Proxy can be set up for the Carrier's Access Point. All traffic can also be forced through the VPN, which can be configured to go through a proxy.
BlackBerry: Can set proxy policy at the BES level (routing all traffic back to the central server and routing through a single point). Can also set per-connection policies.

Certificates
iPhone: The iPhone includes the ability to use a SCEP server to control the issuing and revocation of certificates to the device. It is also possible to create a profile containing certificates separate to using the SCEP server.
BlackBerry: Can manage certificates and deploy remotely.
