Operation Manual

Chapter 4 Infrastructure and integration 32
In a typical deployment, Apple devices establish direct access to IMAP and SMTP mail servers
to send and receive mail over the air (or in the case of a Mac, over the air or Ethernet), set VIP
status in their message threads, and can also wirelessly sync notes with IMAP-based servers.
Apple devices can connect to your organization's LDAPv3 corporate directories, giving users
access to corporate contacts in the Mail, Contacts, and Messages apps. CardDAV support lets
your users maintain a set of contacts synced with your CardDAV server using the vCard format.
Synchronization with your CalDAV server lets users do the following:
Create and accept calendar invitations
View an invitee's calendar free/busy information
Create private calendar events
Configure custom repeating events
View the week numbers in Calendar
Receive calendar updates
Sync tasks with the Reminders app
All network services and servers can be within a DMZ subnetwork, behind a corporate firewall,
or both.
Digital certicates
Apple devices support digital certicates and identities, giving your organization streamlined
access to corporate services. These certicates can be used in a variety of ways. For example, the
Safari browser can check the validity of an X.509 digital certicate and set up a secure session
with up to 256-bit AES encryption. This involves verifying that the sites identity is legitimate and
that communication with the website is protected to help prevent interception of personal or
condential data. Certicates can also be used to guarantee the identity of the author or “signer”
and can be used to encrypt mail, conguration proles, and network communications to further
protect condential or private information.
Use certicates with Apple devices
Out of the box, Apple devices include a number of preinstalled root certicates from various
Certication Authorities (CA) and iOS validates the trust for these root certicates. If iOS can’t
validate the trust chain of the signing CA, the service will encounter an error. For example, a
self-signed certicate can’t be veried by default in iOS. To view the current list of trusted root
certicates in iOS, see the Apple Support article iOS 8: List of available trusted root certicates.
iOS devices can update certicates wirelessly, if any of the preinstalled root certicates
become compromised. To disable this, theres an MDM restriction that prevents over-the-air
certicate updates.
These digital certicates can be used to securely identify a client or server, and encrypt the
communication between them utilizing the public and private key pair. A certicate contains a
public key, information about the client (or server), and is signed (veried) by a CA.
A certicate and its associated private key are known as an identity. Certicates can be freely
distributed, but identities must be kept secured. The freely distributed certicate, and especially
its public key part, are used for encryption that can be decrypted only by the matching private
key. To secure the private key of an identity, it is stored in a PKCS12 le, encrypted with another
key that is protected by a passphrase. An identity can be used for authentication (such as 802.1x
EAP-TLS), signing, or encryption (such as S/MIME).
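The two points above, a self-signed certificate failing validation until its issuer is an explicitly trusted root and an identity travelling as a passphrase-protected PKCS #12 file, exercised with the openssl CLI. This is an added example, not code from the Apple manual; the subject names, file names and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Apple manual). Shows, with openssl:
#  1. a self-signed certificate is rejected against the system roots and is
#     accepted only when it is supplied as a trusted anchor;
#  2. an identity (certificate + private key) is exported as a PKCS #12 file
#     that opens only with the right passphrase.
# Subject, file names and passphrase are constructed for this demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# A self-signed certificate (think: an internal mail server) and its key.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/mail.key" -out "$WORK/mail.crt" \
    -subj "/CN=mail.example.internal" >/dev/null 2>&1
}

# Validate mail.crt against the default system trust store (0 = trusted).
verifies_with_system_roots() {
  openssl verify "$WORK/mail.crt" >/dev/null 2>&1
}

# Validate mail.crt with the given file as the only trust anchor (0 = trusted).
verifies_with_anchor() {
  openssl verify -no-CApath -CAfile "$1" "$WORK/mail.crt" >/dev/null 2>&1
}

# Bundle certificate + private key into a passphrase-protected PKCS #12 file.
export_identity() {
  openssl pkcs12 -export -in "$WORK/mail.crt" -inkey "$WORK/mail.key" \
    -passout "pass:$1" -out "$WORK/mail.p12"
}

# Returns 0 when mail.p12 opens with the passphrase, non-zero otherwise.
identity_opens_with() {
  openssl pkcs12 -in "$WORK/mail.p12" -noout -passin "pass:$1" >/dev/null 2>&1
}

make_self_signed
export_identity demo-passphrase
```

Installing the certificate as an anchor (the `-CAfile` case) is what a configuration profile does on a device; until then the self-signed certificate is untrusted, exactly as the text describes.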