Exchange enhancements in iPhone 3.1 cause some users grief
- From: "Rotten Apple" <rotten@xxxxxxxx>
- Date: Mon, 21 Sep 2009 11:40:04 -0500
http://www.appleinsider.com/articles/09/09/16/exchange_enhancements_in_iphone_3_1_cause_some_users_grief.html
Wednesday, September 16, 2009
Exchange enhancements in iPhone 3.1 cause some users grief
By Prince McLean
Published: 10:00 PM EST
Improved support for Microsoft's Exchange Server's security policy features,
delivered in the iPhone 3.1 firmware update, has left some users angry after
discovering that their mobile device is no longer compatible with the policy
defined by their company.
At issue is Apple's iPhone client implementation of Exchange ActiveSync, the
Microsoft specification Apple licensed last year in order to provide
official support for Exchange Server sync to the iPhone and iPod touch.
EASy to wipe
EAS defines not only how Exchange server syncs data to mobile clients, but
also involves remote management features like remote wipe and security
policy such as mandating that all devices be set to use a PIN to lock the
screen when not in use.
Microsoft has evolved EAS over time, adding new options that allow Exchange
admins additional control over the devices they choose to support. For
example, in Exchange 2007 Service Pack 1, Microsoft added a new security
policy option to require device encryption on mobile devices in order to
support a new feature of Windows Mobile 6.0.
With file level device encryption, administrators can rapidly remote wipe a
lost or stolen device, minimizing the risk of its data falling in the wrong
hands. Without device encryption, a remote wipe takes longer because the
remote device must zero all of its files. This makes it more likely that a
thief could interrupt the wipe process, although once a phone is stolen, a
savvy thief can disable its network connection and attempt to prevent any
remote wipe from ever occurring.
Client-side EAS
Client manufacturers who license EAS from Microsoft, including Apple, Palm
and Sony Ericsson, can implement the EAS specification on their client
devices however they like. For example, the Palm Pre's Exchange support
currently doesn't support security policy involving PIN use or remote wipe
at all. Even Microsoft's own Windows Mobile 5.x implemented support for EAS
differently than the current WiMo 6.x.
For example, under WiMo 5, EAS remote wipe couldn't also clear any data
stored on an installed SD Flash card. Since most WiMo phones shipped with
very little included storage, any important data was most likely kept on
this impossible to wipe Flash memory.
This effectively meant that Exchange admins simply could not really wipe a
WiMo 5.0 phone, even though the devices were described as supporting a form
of remote wipe. That detail didn't stop pundits from favorably comparing
WiMo 5.x's ineffectual wipe with the lack of any remote wipe feature on the
original iPhone up until the release of the 2.0 firmware.
Policy respect
An Exchange server has no way to demand that clients obey all of its
security policies; it has to trust that client devices respect them. When
administrators specify a given policy on the server, mobile devices that
fully support those feature options will stop working if the server-side
policy settings raise the bar beyond the devices' capabilities.
That's what happened to many iPhone users who upgraded to iPhone 3.1 only to
discover that their device stopped syncing with any Exchange Servers using
the default "RequireDeviceEncryption" policy set to "True." Only the iPhone
3GS and the newly released 32 and 64GB iPod touch models support this
hardware encryption feature; earlier models of the iPhone and iPod touch do
not, and subsequently, their expanded support for Exchange policy settings
forced them to no longer work.
In order for affected iPhone 3.1 users to reestablish a connection with
Exchange, server-side administrators need to create a policy exception (for
either that user or the entire server) which will allow connections to
mobile devices that do not support device encryption. This was the status
quo prior to Exchange 2007 SP1, which introduced the policy option, so it
really isn't a drastic reduction in security as some have suggested. It
involves unchecking a box and clicking OK (below).
The only other alternative is for those users to either upgrade to phone
hardware that meets the minimum requirements configured on their company's
Exchange Server, or downgrade back to iPhone 3.0 and simply ignore the
security policy set by their company. The reason for the change on Apple's
end is to comply with legal security requirements such as HIPAA, enabling
the new iPhone 3GS to be suitable for approval in secure enterprise
environments such as within the healthcare industry.
Oh the humanity
This change in the iPhone 3.1 update was poorly communicated to users by
Apple, which should have at least alerted users of the potential impact of
the upgrade during the installation process. The same update also quietly
disabled tethering support on AT&T for certain users who had enabled the
software feature against the terms of their AT&T contract.
The result was confusion and frustration by users, many of whom lack any
capacity to motivate their company's Exchange admins to help them understand
what had happened, let alone accommodate them with security policy changes
from the default settings many Exchange Server shops never bother to change.
Similar security policy problems have resulted in problems for Mac users.
Windows Server introduced changes that broke compatibility with existing
clients while trying to enhance the network's security profile in tandem
with the launch of Vista, for example. Support for alternative platforms
like the iPhone and the Mac is not Microsoft's top priority, of course.
However, Apple's increasing popularity among consumers, particularly among
executives and mobile road warriors, has helped to promote improved support
for Apple clients in many Windows-oriented companies.
Still, when unexpected things happen, many pundits are ready revile Apple's
security credentials and denounce the company in scathing terms. Writing for
InfoWorld, Galen Gruman stated Apple had "betrayed the iPhone's business
hopes" and accused the company of misrepresenting the security profile of
its iPhone devices, based on the speculation that iPhone 3.0 software must
have "lied" by reporting that it was performing encryption prior to the
update.
The problem with proprietary standards
In reality, iPhone 3.1 simply improved its support for EAS's defined
security policy options, with unfortunate results for anyone who wanted to
sync with an Exchange Server set to the default policy settings that
happened to exclude their model of iPhone.
The proprietary nature of EAS, along with its constantly changing
specifications tied to Microsoft's business decisions rather than industry
consensus, creates a problem for consumers who want competition and choice
along with the assurance that the phone they buy will work with their
company's servers.
Right now however, the enterprise messaging industry's leading vendors have
no desire to craft an open standard for mobile sync. Instead, RIM is
promoting its own BlackBerry Enterprise Server product, which rakes in
profits, while Microsoft is working to establish EAS as a way to anchor its
dominance in corporate email with Exchange Server.
Imagine if Palm had paid Apple for the rights to sync the Pre with iTunes,
but that part of the deal required Palm to only support features Apple
allowed. This wouldn't be ideal or open. On the other hand, it's challenging
for community consensus to build open standards that don't hamper the
potential for innovation. Emerging web standards are a great example of
finding a common ground in between, where vendors can innovate with
different engines and browsers that also implement common, compatible
features.
Whether something similar will ever happen in the mobile world remains to be
seen. Apple is rapidly becoming a significant player in the smartphone
industry, having passed Microsoft's combined Windows Mobile market share.
With so many iPhone users, Exchange administrators have more reason than
ever to accommodate them.
Apple is also taking its first real opportunity to enter the enterprise
market seriously, and iPhone 3.1 is evidence of that, even if it results in
short-term pain for some users right now. To help, Apple has revised its
iPhone 3.0 Enterprise Deployment Guide (PDF) to include the new changes in
iPhone 3.1.
Without much life left in its own mobile platform, Microsoft is likely to
become increasingly supportive of third party mobile platforms on Exchange,
and could someday even release EAS as an open specification to prevent a
rival, alternative open specification from being launched.
Microsoft is actually making some use of the Open Mobile Alliance Device
Management (OMA DM) protocol, which is also used by Symbian and in mobile
device management tools sold by IBM. OMA DM is an offshoot to the SyncML
consortium. Apple hasn't attempted to support SyncML since the original
version of iSync, and neither the iPhone nor Android seem to be paying any
attention to OMA DM.
.
- Prev by Date: iPhone 3.1 update triggering several issues
- Next by Date: Re: "Apple has introduced a bug..."
- Previous by thread: iPhone 3.1 update triggering several issues
- Next by thread: Very poor customer support at Apple Store with iPod
- Index(es):
Relevant Pages
|
Loading
