Apple improved its iPhone support for Microsoft Exchange security and triggered a controversy, but it's impact is limited to sites that have deployed Exchange Server 2007.
For some users of older iPhone models, the change has led to blocking them from corporate email access, if their company's Exchange server requires data on the iPhones to be scrambled. Enterprises apparently will either have to scrub this policy or upgrade users to the new iPhone 3GS, which has the necessary hardware to handle the encryption.
The Future Branch Office: Download nowIn the recent iPhone 3.1 OS release, Apple decided to support a specific optional security policy in Exchange 2007. This option lets an enterprise “require encryption on the device,” so that locally stored data, such as emails, are scrambled. Exchange administrators can use that more granular encryption to quickly target and remotely wipe specific files on devices that are lost or stolen, instead of the more laborious process of wiping all files.
For this to work as intended, two things are needed. First, Apple (or any other device builder) has to support this option feature in its client implementation of Exchange Active Sync, which Apple licensed from Microsoft in 2007 to let iPhone users access corporate email. Apple turned this option on for the first time in the 3.1 release.
Second, the client device has to have the hardware capability to do the encryption. That's only possible with the new iPhone 3GS and the new higher-capacity iPod Touch models.
“The manufacturer, in this case Apple, decides which [Exchange] policies to implement [in Active Sync client], then document which policies they support,” says Ahmed Datoo, vice president with Zenprise, a Fremont, Calif., software vendor that provides multi-vendor device management software, covering iPhones among other platforms. “If the manufacturer never implemented support for that policy, then Exchange can't enforce that policy.”
Until now, iPhone users were able to connect to Exchange 2007 servers, even if the corporate policy was to require device encryption. That's because the iPhone Active Sync client in effect was unaware of the server-based encryption policy, and Exchange in effect was unaware that the iPhone was unaware.
With the 3.1 OS, an iPhone becomes aware of this policy for the first time. Because the new iPhone 3GS has hardware encryption, it can encrypt the local data and implement the policy, and it syncs with Exchange 2007.
The iPhone 3G, though it too is now aware of the Exchange policy, can not encrypt the local data, and reports this fact to Exchange. The server, also for the first time, is now aware that this iPhone is not in compliance and doesn't let it connect.
iPhone, Exchange customer reaction
The change caught many users by surprise, triggering a flood of complaints and comments.
But for many other enterprise iPhone users, this won't be a problem, even if they update to the 3.1 release. One reason is that their corporate email is based on Exchange Server 2003. That's the case at a big medical center, which plans to sidestep Exchange 2007 altogether, according the center's email administrator who asked not to be identified. Their current iPhone users are experiencing no problems. The center plans to wait for Exchange 2010, which the administrator says Microsoft plans to release later in 2009. “We'll deploy device encryption when we have the ability to enforce it,” he says.
Another reason is that some organizations simply don't require device-level data encryption. “We don't have security requirements for on-device encryption unless the data is classified,” says Philippe Hanset, IT manager, University of Tennessee, Knoxville. “Which email is not, since it is usually sent in clear text over the Internet anyway.”
“For the iPhone side of things, it would definitely be better to require encryption,” says Ewan Leith, principal consultant, Network Integrity Services, a U.K.-based systems integrator with a focus on Microsoft products for the enterprise. “But a laptop running Windows 7 or Vista with Outlook has less protection: is there a significant difference in the risk of losing one [compared to losing a smartphone]? Drive encryption of Windows 7 laptops isn't enforced by Exchange.”
Apple provided no heads-up to users or enterprise IT departments that some users accustomed to Exchange access were about to be frozen out. The company's documentation on the change is short and to the point: “If your Exchange Server administrator has selected this option, only devices that support device-level encryption are allowed to sync…” Under “additional information” it has this one sentence: “Note that iPhone 3GS supports device encryption.”