Daniel Eran Dilger

IDG’s Galen Gruman throws fit about Apple’s iPhone 3.1 Exchange fix

Daniel Eran Dilger

IDG and other tech news outfits have stooped to yellow journalism in printing the sensationalized tantrums of Galen Gruman, an uninformed Exchange user. At issue is the iPhone 3.1 firmware, which respects a policy setting of Exchange Server 2007 that blocks devices that don’t support hardware encryption.

Apple originally released Exchange support in iPhone 3.0 without policy support for device hardware encryption features, something that is required by default on Exchange 2007. Only the iPhone 3GS supplies hardware encryption, which scrambles all data stored on the device. Hardware encryption allows Exchange admins (and MobileMe users) to instantly wipe their mobile devices remotely.

Other iPhone and iPod touch models take a certain amount of time to perform a remote wipe because the device must overwrite or “zero” its local data. Hardware encryption therefore offers an additional level of security for managed devices, although it is still possible in certain cases to break open the device and obtain its scrambled data for external cracking.

What changed in iPhone 3.1

The new policy support in iPhone 3.1 reports the device’s hardware encryption status to Exchange. Because most admins choose to retain the default policy setting that blocks interaction with devices that don’t support hardware encryption, this has the net result of suddenly blocking all of Apple’s mobile devices from working apart from the latest iPhone 3GS.

The only two solutions available are to obtain a device that meets the requirements of the group running the Exchange Server, or convince your Exchange admins to relax their Exchange policies so that devices that don’t support instant wipe can be used.
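The behaviour described above can be modelled in a few lines. This is an added example, not code from the original post and not the ActiveSync wire protocol: the server sends required settings, each client judges only the settings its firmware understands, and the server acts on that report. The class and function names, the `fail_closed` switch and the sample devices are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified model of the policy handshake described above; this is not the
# EAS wire protocol. Class, field and function names are assumptions.

@dataclass(frozen=True)
class Client:
    name: str
    understood: frozenset    # settings this firmware knows how to evaluate
    capabilities: frozenset  # settings the hardware can actually satisfy

    def acknowledge(self, policy):
        """Return this client's verdict for each required setting it understands."""
        verdict = {}
        for setting, required in policy.items():
            if required and setting in self.understood:
                verdict[setting] = setting in self.capabilities
            # A setting the firmware has never heard of is skipped silently.
        return verdict


def server_allows(policy, ack, fail_closed=False):
    """Decide on sync using only what the client reported.

    fail_closed is a hypothetical switch in this model: when set, a required
    setting that the client never mentioned is treated as a failure.
    """
    for setting, required in policy.items():
        if not required:
            continue
        if setting not in ack:
            if fail_closed:
                return False
            continue
        if not ack[setting]:
            return False
    return True


# Constructed sample policy and devices (not captured from a real server).
POLICY = {"DevicePasswordEnabled": True, "RequireDeviceEncryption": True}
PIN, ENC = "DevicePasswordEnabled", "RequireDeviceEncryption"
CLIENTS = [
    Client("3.0 firmware, no hw encryption", frozenset({PIN}), frozenset({PIN})),
    Client("3.1 firmware, no hw encryption", frozenset({PIN, ENC}), frozenset({PIN})),
    Client("3.1 firmware, hw encryption", frozenset({PIN, ENC}), frozenset({PIN, ENC})),
]


def evaluate(policy=POLICY, clients=CLIENTS):
    """Map each client name to (allowed by default, allowed when failing closed)."""
    results = {}
    for c in clients:
        ack = c.acknowledge(policy)
        results[c.name] = (server_allows(policy, ack),
                           server_allows(policy, ack, fail_closed=True))
    return results


if __name__ == "__main__":
    for name, (default, strict) in evaluate().items():
        print(f"{name:32} default={default!s:5} fail_closed={strict}")
```

The same hardware is admitted under the older firmware and blocked under the newer one, because only the newer firmware evaluates the encryption setting and reports the result.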

Rather than simply reporting this issue, IDG’s Computerworld/Infoworld posted a teenage screed from an iPhone user who was upset that his iPhone no longer worked with his company’s Exchange Server policy after upgrading to iPhone 3.1.

Opinion: Apple betrays the iPhone’s business hopes

Rant on

This frustration was vented into a “You Lie!” outburst worthy of the kind of congressman who would fight to fly the Confederate flag over South Carolina’s state Capitol. Under the heading “The lie the iPhone has been telling,” Galen Gruman personifies the iPhone as evilly misrepresenting itself to Exchange in order to sync up a company’s mail store while “compromising their corporate security.” Are you kidding me?

IDG thought this was yellow press “newsworthy” enough to turn into a three-page rant, where rather than discussing the actual implications of syncing Exchange to a mobile device lacking hardware encryption, something that has been the norm up to Exchange 2007, Gruman launches into a smear that suggests all of Apple’s products are security time-bombs waiting for the best possible moment to divert users’ calendars to Al Qaeda.

Given how many iPhone users are complaining that iPhone’s 3.x Exchange support does them no good because their company isn’t yet running the “new” 2007 edition of Exchange, how exactly is the iPhone “compromising corporate security”? Has Microsoft been “compromising corporate security” for not enforcing this setting prior to Exchange 2007?

And as for the “You Lie!” accusations that Gruman screams at his phone, and which the fringe of Windows Enthusiast extremists dutifully repeats on their angry blogs, Apple never lied about the hardware encryption features of the iPhone 3GS, and never suggested to users that these were available on previous models. The iPhone 3.0 software similarly did not “lie,” it simply didn’t support all of the policy settings available on Exchange that the iPhone 3.1 update does.

It lied, so I had no choice but to follow suit

Security is a complex practice. If Exchange admins really believe that their corporate security is “compromised” by having users access Exchange data without using an instantly wipeable mobile device sporting hardware encryption, then they should be qualifying a white list of hardware approved for use in their company, something that any company with such needs has the responsibility to do.

Gruman’s blatant hypocrisy is evident from his own decision to work around the issue by reapplying the previous 3.0 version of the iPhone’s software. If that’s your solution, you can’t talk about the iPhone “lying” and “compromising your company’s security.”

Given a full appraisal of the situation, Gruman explicitly chose to continue “lying” to his Exchange server and to knowingly “compromise” his company’s set security policy. If he actually worked in a corporate environment where security mattered, he should be fired.

Fortunately for Gruman, he’s safely working for InfoWorld/IDG. Oops, embarrassing! It appears IDG just published an admission that its corporate security team sets up security policy that it doesn’t actually bother to enforce, then turns around and advises other companies on how security should be implemented in the enterprise. Of course, it’s also possible that he ran into this security policy problem at home in his one-man consultation shop, the “Zango Group.” If that’s the case, perhaps he can plead with himself to allow his own iPhone to work with his own Exchange Server.

Then again, he claims no technical expertise in his public resume outside of writing and editing, with a BA in journalism and political science. Given his journalistic credibility expressed in the rant, it’s hard to identify what exactly his core competency is, and what qualifies him to be speaking about corporate security policy.

Unsurprisingly, Gruman’s other comments reveal that he doesn’t know what he’s talking about when it comes to tech. He says Apple probably won’t support data encryption on earlier models because, “Apple has been very clear in saying it won’t support simultaneous processes in the iPhone OS, which any software encryption would likely need to be.” What a tool. The iPhone performs all sorts of “simultaneous processes,” which is why it can play music while you browse the web while receiving a call.

The iPhone 3GS’ use of hardware encryption and the security that provides isn’t something Gruman’s ignorant speculation really addresses. All he does is indicate that he speaks of subjects he knows nothing about, in the pages of IDG’s trade magazines, a pulpit where people should have some expertise in order to be given airtime. Apparently, all you need to print an IDG opinion is a distorted notion of how things work and a juicy public admission that you are willfully subverting your employer’s security policy. That, and an emotional axe to grind on Apple.

Galen Gruman – Editor and writer | LinkedIn

A sick feeling of betrayal, by your own words

Gruman continues on to a third page of clenched fist shaking that includes the threat, “If the devices touted for more than a year as great at doing that really can’t do it in the real-world business context, they’re not worth the several hundred dollars they cost or the limited space in my pockets. I can get a Palm Pre instead; after all, it still works with Exchange, and for my on-the-road music, I can bring along a cheaper iPod.”

Perhaps Gruman should take a cursory look at the Pre before claiming he’s ready to buy one. While it also claims Exchange support, the Pre’s version is much weaker than the iPhone’s, lacking support for even basic security policy settings including a mandatory device PIN and remote wipe of any kind.

Yes, while the original iPhone only supports “slow wipe,” the Palm Pre can’t currently be wiped by Exchange at all, meaning that security!! will!! be!! compromised!! for any corporations who dare allow a Palm Pre inside their doors. The Russians will be all over them in seconds, able to rendezvous at their next meeting or perhaps able to call their mothers and read them naughty emails found in their child’s Sent Items. Think of the corporate children!

Palm Pre and Microsoft Exchange not playing nicely together | Jason Langridge’s Mr Mobile Blog

That’s it, I’m ready to hate Apple now

“I’ve been a champion of the iPhone as more than a fancy iPod for a couple years now, suggesting that businesses give it a serious look despite some of its more IT-desired omissions. Now, I feel embarrassed for having done so,” Gruman complains. “Yes, it technically supports Exchange, but not in the way that anyone would expect in the real world. Yet Apple let us all think it did. Then it revealed the truth in a damaging, surprising, inconsiderate way.”

Are we supposed to take you seriously, Mr. Gruman?

You discovered that “Exchange support” isn’t a binary thing. There are degrees of support. Mobile support is a subset of what you can expect from a desktop PC, and depending on how your IT department configures your security policy, you may or may not be able to sync to a Palm Pre, an earlier model of iPhone, or even any mobile devices at all. They might turn on IMAP support for you or not. It’s up to them, as they are running the party.

What you chose to do, Mr. Gruman, is willfully deceive your employer and subvert your own company’s policy after becoming aware of the facts involved. That makes you in the wrong, not the now-outdated iPhone 3.0 software that didn’t address all of the security policy options Exchange 2007 can be set to enforce. So shame on you for being a sensationalist, ignorant hypocrite.

And as for this rarified level of “corporate security” that you talk about: your company runs a Microsoft shop, meaning that they’ve selected an enterprise platform with the worst record on security ever put in place. You speak of Apple as if it has questionable practices in the realm of security, as if you’ve never heard of Microsoft’s ActiveX, the Melissa virus, Internet Explorer, Storm malware, the multibillion dollar Windows Malware Diaper industry, and so on. Are we supposed to take you and your IDG trade rag seriously?

It certainly can be frustrating to be caught in the limbo between established security policy and personal convenience, but if IDG and its writers can’t intelligently appraise and outline such subjects accurately, subjectively, and without overblown emotionally-driven rhetoric that only serves to confuse or misinform its readers, why is the company in business?

  • luisd

    You’ve made my day! Fantastic reading to wrap up a busy day!

  • Brau

    While I agree fully with Dan and the absurd claims made by this so-called ‘journalist’ in regard to his rant against the iPhone OS upgrade, I do have cause to agree with one aspect of his grievance:

    Apple does not do a good job of providing information to users so they can make educated decisions on whether or not to upgrade their OS. I was extremely happy with Panther; its feature set and bullet proof reliability won my praise. If I had known all the features Tiger dropped and the issues I encountered I would never have upgraded until Leopard, but the info was nowhere to be found. Tiger was billed as everything you love from Panther and more. Instead I was hugely disappointed and couldn’t wait to get it off my Mac for … *anything else*. Thankfully Leopard brought back a few of the missing user features.
    Similarly, Apple has recently upgraded Logic Studio and limited support to Intel Macs only, despite the fact that most of the software features (those not requiring newer hardware) work just fine on a PPC Mac. I have a G5 Quad that has just fallen out of warranty and Apple won’t support it??? This kind of cutthroat tactic is unprecedented among all the recording software developers. (IE: Motu just released DP7 with support for G4, G5, and Intel Macs). If a small time player like Motu can support legacy hardware, it’s quite clear that Apple simply chooses not to, in the hopes of forcing users to upgrade. It’s corporate greed and misrepresentation for the sake of greater profit at the end user’s expense.

  • http://jonnytilney.com Jon T

    Woo hoo. Thanks Dan.

  • GMGruman

    I do find it funny, Dan, that you complain about my “rant” as childish and then proceed to deliver your own. That’s the pot calling the kettle black.

    [Please clue me in on what you thought was “childish” about calling you out for publishing a nonsensical, uninformed, hypocritical rant in a major trade rag? – Dan]

    I do want to note that the original story’s line about the Palm Pre was not supposed to be published, as Palm would not verify that the Pre supports on-device encryption (its Web site is silent about that and its PR people did not respond). I had marked the line for deletion but it got published by accident, though we did remove it when we realized it was there. I don’t know if the Pre supports on-device encryption; if it does not, it is misrepresenting itself to Exchange 2007 or Exchange is not querying it.

    [If you valiantly tried but still failed to remove this error before I pointed it out, after it was up all day being read by lots of readers, your company is more ineffectual and irresponsible than I imagined. A simpler explanation is that you just didn’t know what you were talking about, and actually made no effort to fact check until being presented with the error. ]

    Dan’s entitled to his opinion, and I won’t debate that. But I do want to correct a statement he makes that is misleading. He focuses on hardware encryption, as if that’s what this is about. As my story clearly states, the iPhone misreported its support for on-device encryption, period. The 3G S supports hardware-based on-device encryption, so Apple has recommended users buy those to satisfy any encryption policy requirements. I suggested in my article that Apple look at adding software encryption to the many, many affected pre-3G S systems. So, Dan, please argue with what I wrote, not what you imagined I wrote.

    [You can talk about opinions, but let’s talk about facts here. Exchange ActiveSync Clients implement support for EAS policy on their own. According to Apple, “iPhone OS (beginning with the iPhone OS 3.1 update) can enforce the Exchange ActiveSync mailbox policy requiring encryption on the device.” Are you stating that you have a source for proving that iPhone 3.0 falsely and perhaps maliciously reported support for encryption that wasn’t present? Your best guess at how things must work isn’t enough to warrant generating a shitstorm based on speculative guesswork.

    If you want a third party opinion, consult this article:

    “Remember that EAS is a two-part protocol: The server can send out any policy it wants, but implementation is up to the client. Depending on which clients you use, you might see radically different behavior. For example, Windows Mobile 6.0 supports several policy settings that Windows Mobile 5.0 doesn’t. Third parties who have licensed EAS, such as Sony Ericsson and Palm, are free to implement as many, or as few, of the policy control mechanisms as they like. In practical terms, what this means is that even though you upgrade to Exchange 2007 SP1 and purchase Enterprise CALs for the mailboxes for which you want to use these new policy settings, the devices you have might not support them!”

    The iPhone 3.0 software didn’t lie about anything, it simply did not support the EAS server side policy forcing “RequireDeviceEncryption.” In iPhone 3.1, Apple expanded its support for Microsoft’s EAS to respect that policy setting, meaning that Exchange admins, not iPhone client users, can decide whether or not to allow support for devices that lack the capacity to support device encryption.

    The iPhone 3GS and the new 2009 32 & 64GB iPod touch all provide device hardware encryption, other models do not. You are wrong, and need to correct your misleading article. If you also want to apologize to me for accusing me of being “misleading,” you can do that too. As of now, you are still maintaining a false position in opposition to an admin with Exchange Server experience dating back for years (sadly).]

    Finally, as I noted in the story I did roll back my iPod Touch to 3.0 so I could continue to access Exchange at my company. You really don’t think I would have done that, much less told the entire world I did, if it wasn’t OK with my company to do so. Fortunately, we’re a private company not subject to many compliance requirements, and because as a technology editor I need to experiment with new technologies, I am given somewhat of a dispensation on some policies, as long as I run it by the appropriate people first. Believe me, I’m not as stupid as Dan suggests I am.

    [I didn’t say you were stupid, I said your position was hypocritical and ridiculous. You’re saying the iPhone “lied,” that your company policy doesn’t support unencrypted devices, and so your remedy is to willingly lie to your server to subvert this policy because they wouldn’t create a policy exception for you. So either you didn’t tell the truth in your article, or you didn’t here, but you can’t have it both ways. ]

    Finally, I am no fan of Exchange. It’s buggy and hard to manage, like most Microsoft products. But that doesn’t excuse Apple for its technology decisions and standards. I’m a longtime Mac user, so I am always happy when I can adopt Apple technology. And I prefer Apple technology because it usually is a lot better, created to higher standards. In this case, Apple fell short, and made the situation worse by how it handled the issue. That’s what really hurts. Bugs happen and can be forgiven.

    [Frankly, I don’t care if you like Apple or if you think Exchange is buggy or not. I’m only irritated that you’d post a sensationalistic, wrong-headed story and then refuse to correct it. – Dan ]

  • http://themacadvocate.com TheMacAdvocate

    When a rational criticism is not possible, try an emotional diatribe. All of these cnet/IDG/PC rag rants wail about violating some kind of imagined relationship or speculate about the secret evil motives Apple must have.

  • JasonBelec

    Ok that was funny, and the wit seems to be back. And the barbed tongue… Besides, rarely is the device in any way causing issues, it’s the users. Damn them to tarnation!

  • stefn

    Excellent. I sense and empathize with Dan’s frustration with the never-ending FUD aimed at Apple. His outrage has legs. Sadly just last week I began tracking Gruman as one of the more astute observers of Apple products and practices.

  • deardeveloper

    Daniel Eran: This frustration was vented into a “You Lie!” outburst worthy of the kind of congressman who would fight to fly the Confederate flag over South Carolina’s state Capitol.

    This statement would cause me to be willing to bet that you have no idea what the Confederate flag actually stood as a symbol for. It would also cause me to think that you don’t know what the battle of the civil war was really about. For being an intellectual liberal, I figured you wouldn’t have blindly bought into the things that your public school and textbooks taught you.

    Over time, and for many, it has become a bad symbol of something it originally wasn’t. But time and society can do that to anything, I guess. Let’s just hope they don’t do that to the Apple symbol. It seems there are many out there trying very hard. Hem, hem, Leo Laporte (to name one).

  • august

    @deardeveloper The Confederate flag was a symbol of the Confederacy in the Civil War which they fought for the right to have slaves in the new territories and for their white supremacist way of life. You can’t get around that anyway you look at it. It’s like saying ‘niger’ is just Latin for ‘black’ so we should be able to say it with impunity.

  • http://www.adviespraktijk.info Berend Schotanus

    You discovered that “Exchange support” isn’t a binary thing.

    Love and hate, good and evil, are binary ways of presenting the real world. But the real world isn’t binary either.
    As a small challenger company it was relatively easy (but still an achievement) for Apple to represent the absolute good for a dedicated herd of fanboys. Apple is no longer a small company and as a large company it is confronted with real world tensions.
    There is a natural tension between big corporations and their employees. Corporations tend to seek excessive control over their employees. Employees tend to neglect the security interests of their employers. When you’re trying to get friends with the corporation, the employees aren’t gonna like you and vice versa. When you’re trying to get friends with both you’ll inevitably get hurt somewhere.
    When you’re a large company you’ll inevitably have many stakeholders and also conflict of interest between stakeholders. Still it’s good Apple is becoming a big company. Still it’s good to explain what’s going on. But in the process something irreversible got lost: the binary “good” that Apple used to have when it was still a small company.

  • duckie

    Perhaps a simpler way of expressing this issue is “Exchange Server still agrees to sync with devices that have no knowledge of policy settings that are supposedly mandatory. This is a security hole perpetuated by Microsoft in order to preserve backwards compatibility with older Windows Mobile devices that do just what older iPhone OS versions do, and unlike the iPhone, can’t be upgraded. So now you know who to blame.”

  • SteveS

    @Galen,
    I’m glad you took the time to read articles like this that take you to task on what you’ve written. While I agree with your sentiment in that Daniel’s posts are often equally opinionated rants (which almost always seem to unnecessarily bring politics in to the discussion), etc. I have to point out here that Dan’s assessment and rebuttal to your post were right on the money.

    After reading your post on Macworld, I was honestly embarrassed for you. It’s obvious that you experienced frustration and you wrote that article as a means of venting. However, it’s quite clear that you didn’t know what you were talking about. Worse, I know that you’re a long time Mac user and reading empty threats of switching to Palm, etc. was very much akin to a child throwing a temper tantrum. While attempting to discredit Apple’s enterprise possibilities, you’ve only discredited yourself as a journalist. To that end, I strongly suggest you do a follow up article, after doing some research of course, to set the matter right and hope to gain back some of the trust from those who once admired your work.

  • JasonBelec

    If everyone would just stop using Exchange, the issues would go away. No excuse under the sun repeals the fact that MS has left so many open doors and bent so many rules in the corporate infrastructure as to make one wonder why people bother to claim ‘secure’!

  • stefn

    @Berend
    Good post. Reminds me of the saying that it’s easy to be Christian in a Communist country.

  • pa

    @Schotanus,

    I have no idea what you mean. However, interesting name.
