September 18, 2009, 10:07 PM — Apple improved its iPhone support for Microsoft Exchange security and triggered a controversy, but it's impact is limited to sites that have deployed Exchange Server 2007.
For some users of older iPhone models, the change has led to blocking them from corporate email access, if their company's Exchange server requires data on the iPhones to be scrambled. Enterprises apparently will either have to scrub this policy or upgrade users to the new iPhone 3GS, which has the necessary hardware to handle the encryption.
In the recent iPhone 3.1 OS release, Apple decided to support a specific optional security policy in Exchange 2007. This option lets an enterprise "require encryption on the device," so that locally stored data, such as emails, are scrambled. Exchange administrators can use that more granular encryption to quickly target and remotely wipe specific files on devices that are lost or stolen, instead of the more laborious process of wiping all files.
For this to work as intended, two things are needed. First, Apple (or any other device builder) has to support this option feature in its client implementation of Exchange Active Sync, which Apple licensed from Microsoft in 2007 to let iPhone users access corporate email. Apple turned this option on for the first time in the 3.1 release.
Second, the client device has to have the hardware capability to do the encryption. That's only possible with the new iPhone 3GS and the new higher-capacity iPod Touch models.
"The manufacturer, in this case Apple, decides which [Exchange] policies to implement [in Active Sync client], then document which policies they support," says Ahmed Datoo, vice president with Zenprise, a Fremont, Calif., software vendor that provides multi-vendor device management software, covering iPhones among other platforms. "If the manufacturer never implemented support for that policy, then Exchange can't enforce that policy."
Until now, iPhone users were able to connect to Exchange 2007 servers, even if the corporate policy was to require device encryption. That's because the iPhone Active Sync client in effect was unaware of the server-based encryption policy, and Exchange in effect was unaware that the iPhone was unaware.
With the 3.1 OS, an iPhone becomes aware of this policy for the first time. Because the new iPhone 3GS has hardware encryption, it can encrypt the local data and implement the policy, and it syncs with Exchange 2007.