Chapter 4 Infrastructure and integration 32
In a typical deployment, Apple devices establish direct access to IMAP and SMTP mail servers
to send and receive mail over the air (or in the case of a Mac, over the air or Ethernet), set VIP
status in their message threads, and can also wirelessly sync notes with IMAP-based servers.
Apple devices can connect to your organization’s LDAPv3 corporate directories, giving users
access to corporate contacts in the Mail, Contacts, and Messages apps. CardDAV support lets
your users maintain a set of contacts synced with your CardDAV server using the vCard format.
Synchronization with your CalDAV server lets users do the following:
• Create and accept calendar invitations
• View an invitee’s calendar free/busy information
• Create private calendar events
• Configure custom repeating events
• View the week numbers in Calendar
• Receive calendar updates
• Sync tasks with the Reminders app
All network services and servers can be within a DMZ subnetwork, behind a corporate firewall,
or both.
Digital certificates
Apple devices support digital certificates and identities, giving your organization streamlined
access to corporate services. These certificates can be used in a variety of ways. For example, the
Safari browser can check the validity of an X.509 digital certificate and set up a secure session
with up to 256-bit AES encryption. This involves verifying that the site’s identity is legitimate and
that communication with the website is protected to help prevent interception of personal or
confidential data. Certificates can also be used to guarantee the identity of the author or “signer”
and can be used to encrypt mail, configuration profiles, and network communications to further
protect confidential or private information.
Use certificates with Apple devices
Out of the box, Apple devices include a number of preinstalled root certificates from various
Certification Authorities (CAs), and iOS validates the trust for these root certificates. If iOS can’t
validate the trust chain of the signing CA, the service will encounter an error. For example, a
self-signed certificate can’t be verified by default in iOS. To view the current list of trusted root
certificates in iOS, see the Apple Support article iOS 8: List of available trusted root certificates.
iOS devices can update certificates wirelessly if any of the preinstalled root certificates
become compromised. To disable this, there’s an MDM restriction that prevents over-the-air
certificate updates.
These digital certificates can be used to securely identify a client or server, and encrypt the
communication between them utilizing the public and private key pair. A certificate contains a
public key, information about the client (or server), and is signed (verified) by a CA.
A certificate and its associated private key are known as an identity. Certificates can be freely
distributed, but identities must be kept secured. The freely distributed certificate, and especially
its public key part, are used for encryption that can be decrypted only by the matching private
key. To secure the private key of an identity, it is stored in a PKCS12 file, encrypted with another
key that is protected by a passphrase. An identity can be used for authentication (such as 802.1x
EAP-TLS), signing, or encryption (such as S/MIME).
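The two ideas above, the trust-chain check a device performs before it accepts a server certificate and the identity as a certificate paired with its private key, can be seen end to end in the following Go program. It is an added example written for this page, not Apple's code and not the behaviour of any specific iOS release; it uses only the Go standard library. It constructs a root CA ("Example Corp Root CA"), a server identity for the made-up host mail.example.com that the CA issues, and a self-signed certificate for the same host, then shows that the CA-issued certificate validates against the root while the self-signed one fails with an unknown-authority error, exactly the failure the text describes for self-signed certificates. It also shows the key pair in use: the identity's private key signs a message and the certificate alone (its public key) verifies it. The PKCS12 packaging mentioned in the text is not in the Go standard library and is not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate together with its private key (the text's definition).
// The certificate can be handed out freely; the key must stay on the device.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue builds a certificate for cn. With parent == nil the certificate is
// self-signed; otherwise it is signed by the parent identity's private key.
func issue(cn string, isCA bool, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA may sign other certificates
	} else {
		tmpl.DNSNames = []string{cn} // a leaf names the host it is for
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// Scenario holds a constructed root CA, a mail server identity it issued, and a
// self-signed identity for the same host name that no CA vouches for.
type Scenario struct{ Root, Server, SelfSigned *Identity }

func BuildScenario() (*Scenario, error) {
	root, err := issue("Example Corp Root CA (constructed)", true, nil)
	if err != nil {
		return nil, err
	}
	server, err := issue("mail.example.com", false, root)
	if err != nil {
		return nil, err
	}
	selfSigned, err := issue("mail.example.com", false, nil)
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, Server: server, SelfSigned: selfSigned}, nil
}

// VerifyAgainst performs the trust-chain check a device does before trusting a
// server: the leaf must chain to one of the given roots, be valid now, and name host.
func VerifyAgainst(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "no trusted CA signed this" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// SignAndVerify shows the key pair in use: the private key signs msg, and a party
// holding only the certificate checks the signature with its embedded public key.
func SignAndVerify(id *Identity, msg []byte) (bool, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
	if err != nil {
		return false, err
	}
	return id.Cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) == nil, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("CA-issued cert error:", VerifyAgainst(s.Server.Cert, "mail.example.com", s.Root.Cert))
	err = VerifyAgainst(s.SelfSigned.Cert, "mail.example.com", s.Root.Cert)
	fmt.Println("self-signed cert error:", err, "| unknown authority:", IsUnknownAuthority(err))
	ok, _ := SignAndVerify(s.Server, []byte("constructed message"))
	fmt.Println("signature verifies with the certificate alone:", ok)
}
```

The root pool passed to VerifyAgainst plays the role of the device's preinstalled root certificates: a certificate that does not chain to something in that pool is rejected no matter how well-formed it is, which is why an organization's own CA must be installed (for example via a configuration profile) before devices will trust certificates it issues.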