Apple sold over 9 million iPads as of October. I’m guessing they sold another 3-4 million this holiday season. I’m betting that of those estimated 12 million iPad users, over 1 million are asking their network administrator “Hey, can I get my iPad on the network? I need it to work”.
Now, the fact that they have been working without their iPad for the last few years makes me think it is really not so much needed for work as nice to have for work, but that aside, lots of people are going to be asking for this. In fact, “Consumerization of IT” is a pretty hot topic now. Check out this IT World article for some other thoughts on this.
Here’s my take on iPads on the network, for what it’s worth.
Right now we allow only machines that we manage to have full network connectivity; any machine that is not part of our domain gets a guest role. We do this by requiring certificates on machines to authenticate to the network (using 802.1X EAP-TLS), and we don’t allow issued certificates to be exportable. Because of this we have never had any issues.
Now, though, we want to allow non-domain machines to have access. We haven’t done this yet, but our plan is to change the network authentication to use usernames/passwords (PEAP/MSCHAP) rather than certificates, which would allow any authorized user on the network on any device. To make sure that we don’t allow devices that are unpatched, poorly managed or risky onto the network, we will use a NAC scanning tool to ensure each one is up to date. Ideally we will do both authentication with certificates and without, but for those machines that are part of the domain (have certificates) we will not do the NAC scan, since we already know they are up to date.
The problem is that currently no one makes a NAC client for an iPad or an Android phone, and with so many new devices it will be some time before these appear. Luckily, though, we can do a network-based assessment and verify that there are no blatant violations. Network scans are not as granular as having a client, but they can easily see an open port listening for connections or other remotely exploitable things.
One other idea we have had, and that is championed by our own Markus Nispel, is to only allow the iPads to get to the virtual infrastructure and allow them to remote desktop only to that machine. This eliminates, or at least greatly reduces, the risk. Markus and I disagree on this point, though. I think one of the cool things coming out is all the enterprise applications that you can run directly from a tablet.
We make a mobile version of our network management suite that runs on an iPhone (and iPad) that allows me to manage our NAC implementation; I’d lose that if I can’t get on the network with my iPad. Also many other companies are running applications on their tablets directly and not through a virtual Microsoft machine. I heard of one healthcare organization that has 10,000 iPads to run their medical software on, with plans to grow to 18,000.
Even though, for us, I don’t think locking down the iPads to virtual machines makes sense, our solution is flexible enough to allow either. I can even rate limit iPads to a 1Mb stream if I wanted, while still allowing my laptop unlimited speed.
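To make the policy above concrete, here is an added example (not code from the post or from any NAC product) that models the role decision described: certificate-authenticated domain machines skip the NAC scan, credential-only devices must pass a network assessment, and tablets can be rate limited. The `AuthContext` fields, the set of "blatant violation" ports, and the role names are all assumptions for illustration; "1Mb" is taken to mean 1 Mbit/s.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed placeholder: listening ports the network assessment treats as a
# blatant violation on a BYOD device (assumption, not from the post).
RISKY_LISTENING_PORTS = {21, 23, 445, 3389}

@dataclass
class AuthContext:
    eap_method: str                   # "EAP-TLS" (certificate) or "PEAP-MSCHAP" (password)
    authenticated: bool               # did the 802.1X exchange succeed?
    device_type: str                  # e.g. "domain-pc", "laptop", "ipad", "android"
    open_ports: Optional[Set[int]] = None  # network-scan result; None means not yet scanned

@dataclass
class Role:
    name: str
    rate_limit_kbps: Optional[int] = None  # None means no cap

def assign_role(ctx: AuthContext) -> Role:
    """Map an authentication outcome plus posture data onto a network role."""
    if not ctx.authenticated:
        # Anything that fails (or never attempts) 802.1X lands in the guest role.
        return Role("guest")
    if ctx.eap_method == "EAP-TLS":
        # A non-exportable machine certificate means a managed domain machine:
        # it is already known to be patched, so no NAC assessment is required.
        return Role("enterprise")
    if ctx.eap_method == "PEAP-MSCHAP":
        # Only the user is known, not the device, so the device must be checked.
        if ctx.open_ports is None:
            return Role("assessment-pending")   # hold until the network scan reports
        if ctx.open_ports & RISKY_LISTENING_PORTS:
            return Role("quarantine")           # remotely exploitable service exposed
        if ctx.device_type in ("ipad", "android"):
            return Role("byod", rate_limit_kbps=1000)  # 1 Mbit/s cap for tablets
        return Role("byod")                     # e.g. a personal laptop, uncapped
    return Role("guest")                        # unknown method: least privilege

def rate_limit_for(ctx: AuthContext) -> Optional[int]:
    """Convenience: the bandwidth cap (kbps) the switch should apply, if any."""
    return assign_role(ctx).rate_limit_kbps
```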