Comments on: Exchange enhancements in iPhone 3.1 cause some users grief

By: duckie

duckie — Wed, 23 Sep 2009 16:33:45 +0000

Now that I’ve looked into this issue in a bit more depth, I should add that the policy setting that is likely to be making the real difference on Exchange is “allow non provisionable devices”. When set to true, this allows legacy devices that don’t support the “require encryption” rule (such as Windows Mobile 5 and 6.0, and iPhone OS 3.0 and earlier) to sync with Exchange. Exchange sites that previously allowed iPhones to sync would presumably have had this setting on and still do (and I’d hazard a guess that their old WinMo devices are still happily syncing). There is therefore no reason for admins in such places not to make a policy exception for iPhone OS 3.1 users since this will effectively be preserving the status quo.

The hot air being blown around the web about “security holes”, “bug fixes” and Apple “breaking things” is quite frankly arrant toss and apparently written by people who have never been anywhere near an Exchange admin interface in their life.

By: pa

pa — Fri, 18 Sep 2009 01:49:02 +0000

@duckie,

Good analogy. Just to get a better feel for how Microsoft implements mobile device security on Exchange, you could have used airport security check in your example.

- can you please remove your laptop, put your bags and jacket and shoes in a tray and place them on the conveyer to be checked by our x-ray technician?
- *no response*
- please go right ahead sir!

By: duckie

duckie — Thu, 17 Sep 2009 18:14:56 +0000

@Dorotea
It’s not that it’s up to the client to fully disclose security exactly. If a client doesn’t know about a given policy rule (such as encryption) when Exchange asks about it, then Exchange simply allows it to connect anyway. It’s a bit like someone asking you for ID at a nightclub door, and if you say nothing and produce no ID then they let you in anyway.

By: Dorotea

Dorotea — Thu, 17 Sep 2009 15:57:16 +0000

So lets see if I have this right.

iPhone 3g/2g don’t have hardware encryption.

iPhone 3G/2g running OS 3.1 is able to connect to Exchange Server when the security policy doesn’t require hardware encryption of the data on the iPhone. If Exchange server security policy does require hardware encryption, then an iPhone 3g/2g running OS 3.1 cannot connect.

iPhone 3gs has the ability to do hardware encryption, so it can connect to Exchange server using OS 3.0 and OS3.1

OS 3.0 did not fully implement client security policies for Exchange server. OS 3.1 does. It is left up to the client (iPhone OS) to fully disclose security to Exchange Server .

By: Berend Schotanus

Berend Schotanus — Thu, 17 Sep 2009 09:59:39 +0000

This actually might be good news for Apple.

The best way for companies to keep their employees satisfied and to prevent them for using workarounds that allow the use of private iPhones but threaten company security is to provide them with company owned iPhone 3GS’s.

By: MarkyMark

MarkyMark — Thu, 17 Sep 2009 05:40:06 +0000

This whole interwebz “episode” is turning into kind of an amusing impromptu IQ test – which readers immediately grasp the situation and its consequences, and which are left baffled? Lots, I suspect…

By: Hypothesard

Hypothesard — Thu, 17 Sep 2009 05:28:58 +0000

@jeromec
A device (iPhone) that would recognize (support) all the rules to apply (enforce) when connecting to a Server-side appliance (Exchange server) even those rules forbiding a device lacking capabilities (iPhone EDGE and 3G) like Hardware encryption (which is present in iPhone 3GS)
Even if It means that the Device (iPhone EDGE or 3G) is now excluded from accessing the Server-side Appliance.

In natural language :
The iPhone (all of them) with iPhone OS 3.0 didn’t have a full implentation of the latest “Rules to respect” when connecting themselves to an Exchange Server (2007 sp1) which sets to refuse connection with a device not having Hardware encryption.

the iPhone OS 3.1 now fully support those setting on the server side and diplay the refusal and effectivelly forbid the connection to the Exchange server when the iPhone doesn’t have Hardware encryption (iPhone 3G and iPhone EDGE).

Only the iPhone 3GS do have hardware encryption (Software encryption is not efficient in the real world : lack of speed when asked to “remote wipe”, which mean motivated party could crack open the device, then later on, decrypt the storage part, where Hardware encryption provides instantaneous “Remote Wipe out”)

By: kris

kris — Thu, 17 Sep 2009 05:16:01 +0000

@jeromec

My understanding is that the iPhone 3.1. supports the encryption option(feature), but this setting(when set to TRUE) is above the capabilities of all iPhones and iPod touches released before 2009

I hope I’m makings sense to you.

By: jeromec

jeromec — Thu, 17 Sep 2009 04:56:21 +0000

I have a hard time understanding this article. The sentence “mobile devices that fully support those feature options will stop working if the server-side policy settings raise the bar beyond the devices’ capabilities” in particular, keeps puzzling me:
What is a mobile device that fully supports feature options which are beyond the device’s capabilities???