iPhone and Exchange Server, No Longer K-I-S-S-I-N-G

12 September 2009

As is being reported at The Unofficial Apple Weblog, iPhone 3G (and first-generation) owners can no longer get their Exchange email, contacts, or calendars after upgrading to iPhone OS 3.1 if their IT departments have “require device encryption” enabled on the Exchange Server. Apple posted a Knowledge Base article acknowledging the issue, and recommending only that the requirement be disabled on the server side.

The error users see reads thus:

Policy Requirement

The account “–” requires encryption which is not supported on this iPhone

I would imagine there are tens of thousands of people whom this affects.

At The City Church, our IT department enforces strict security policies, so we have “require device encryption” enabled. Our employees who have iPhone models prior to the iPhone 3GS now have only two options:

Thankfully, we caught this issue early – after two of our staff members reported issues after upgrading to OS 3.1 – and are now recommending everyone with an iPhone 3G ignore the upgrade notices they get from iTunes.

Our two unfortunate staff members who already upgraded took their iPhones to the local Apple Store Genius Bar. After several unsuccessful attempts to downgrade the iPhones back to OS 3.0, the Genius(es) finally gave up and just swapped out their phones.

With how widespread this issue could be, it’s probably in Apple’s best interest to come up with a better solution than swapping out upgraded iPhones.

A Masquerade

The issue here is not that iPhone OS 3.1 now (correctly) enforces the server requirement. Apple fixed a security hole and is further advancing iPhone software security. The problem is that iPhone OS previously worked with servers that required device encryption, even when the hardware did not support it.

I did some investigative work (if you can call using Google “investigation”) and was able to find old versions of the iPhone Enterprise Deployment Guide. Prior to the current, third edition, the guide did not include a reference to device encryption. Incidentally, I don’t remember hardware encryption ever being promoted or advertised as a feature of the iPhone, prior to the 3GS.

However, one of the reasons our IT department gave the green light to the iPhone is that it had been tested (for two months) with Exchange, with device encryption required – and it had worked. You’d forgive any IT administrator if, after such a test, they’d assume device encryption was working and supported.

We don’t know how device encryption is enforced by Exchange Server, but if the iPhone was able to masquerade as a device that supports encryption, one has to wonder how secure the requirement really is.

Also in question is whether Apple knowingly allowed the requirement to work despite the iPhone’s inability to meet it.
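To put the masquerade question above in concrete terms, here is a toy model of the Exchange ActiveSync Provision handshake, the exchange through which the server hands a policy such as “require device encryption” to the phone and the phone reports back whether it applied it. This is example code written for this article, not Apple’s or Microsoft’s. The element names follow Microsoft’s published provisioning schema (Provision, Policies, Policy, PolicyType, PolicyKey, Status, Data, EASProvisionDoc, RequireDeviceEncryption); the WBXML encoding, HTTPS transport and exact status codes are simplified, and the device identifier, key generation and the hardware_encrypts/truthful flags are assumptions made for the demonstration. What it shows is that the server only ever sees the client’s own acknowledgment: a 3GS that really encrypts and a 3G that simply says “applied” produce identical traffic, and OS 3.1 changes the outcome only because the client stopped saying yes.

```python
"""Toy model of the Exchange ActiveSync (EAS) Provision handshake.

Added example for this article, not Apple's or Microsoft's code.  Real
EAS carries these documents as WBXML over HTTPS; plain XML is used here
so the messages can be read.  The element names follow the MS-ASPROV
provisioning schema; the status-code handling, key generation, device
id and the `hardware_encrypts` / `truthful` flags are simplifications
assumed for the demonstration.
"""
import secrets
import xml.etree.ElementTree as ET

POLICY_TYPE = "MS-EAS-Provisioning-WBXML"

# Acknowledgment status used by the model: "1" = policy applied.  Real EAS
# defines several non-success codes; they are collapsed into "2" here.
APPLIED, NOT_APPLIED = "1", "2"


class ExchangeServer:
    """Server side.  Note what it never sees: the device's actual state."""

    def __init__(self, require_device_encryption):
        self.require_device_encryption = require_device_encryption
        self.pending = {}   # temporary PolicyKey -> device id
        self.granted = {}   # device id -> final PolicyKey

    def provision_response(self, device_id):
        """Phase 1: answer the client's initial Provision with the policy."""
        temp_key = str(secrets.randbelow(2**31))
        self.pending[temp_key] = device_id
        doc = ET.Element("Provision")
        ET.SubElement(doc, "Status").text = "1"
        policy = ET.SubElement(ET.SubElement(doc, "Policies"), "Policy")
        ET.SubElement(policy, "PolicyType").text = POLICY_TYPE
        ET.SubElement(policy, "Status").text = "1"
        ET.SubElement(policy, "PolicyKey").text = temp_key
        eas = ET.SubElement(ET.SubElement(policy, "Data"), "EASProvisionDoc")
        ET.SubElement(eas, "RequireDeviceEncryption").text = (
            "1" if self.require_device_encryption else "0")
        return ET.tostring(doc, encoding="unicode")

    def provision_acknowledge(self, ack_xml):
        """Phase 2: the client says whether it applied the policy.  The
        server's only evidence is this self-report: a final PolicyKey is
        issued on "1" and nothing is issued otherwise."""
        policy = ET.fromstring(ack_xml).find("Policies/Policy")
        device_id = self.pending.pop(policy.findtext("PolicyKey"), None)
        if device_id is None or policy.findtext("Status") != APPLIED:
            return None
        final_key = str(secrets.randbelow(2**31))
        self.granted[device_id] = final_key
        return final_key

    def allows_sync(self, device_id, policy_key):
        """Later Sync/FolderSync requests must present the granted key."""
        return policy_key is not None and self.granted.get(device_id) == policy_key


def client_acknowledge(policy_xml, hardware_encrypts, truthful):
    """Client side: parse the policy and build the acknowledgment.

    truthful=True models iPhone OS 3.1: report NOT_APPLIED when the
    hardware cannot meet RequireDeviceEncryption.  truthful=False models
    the pre-3.1 behaviour described in the post: acknowledge regardless.
    """
    policy = ET.fromstring(policy_xml).find("Policies/Policy")
    needs_enc = policy.findtext("Data/EASProvisionDoc/RequireDeviceEncryption") == "1"
    complies = hardware_encrypts or not needs_enc
    status = APPLIED if (complies or not truthful) else NOT_APPLIED
    ack = ET.Element("Provision")
    p = ET.SubElement(ET.SubElement(ack, "Policies"), "Policy")
    ET.SubElement(p, "PolicyType").text = POLICY_TYPE
    ET.SubElement(p, "PolicyKey").text = policy.findtext("PolicyKey")
    ET.SubElement(p, "Status").text = status
    return ET.tostring(ack, encoding="unicode")


def run_handshake(require_encryption, hardware_encrypts, truthful, device_id="dev-1"):
    """Drive both sides; return (sync_allowed, Status value the server saw)."""
    server = ExchangeServer(require_encryption)
    policy_xml = server.provision_response(device_id)
    ack_xml = client_acknowledge(policy_xml, hardware_encrypts, truthful)
    seen = ET.fromstring(ack_xml).find("Policies/Policy").findtext("Status")
    key = server.provision_acknowledge(ack_xml)
    return server.allows_sync(device_id, key), seen


if __name__ == "__main__":
    cases = {
        "3GS (hardware encrypts), any OS":   (True, True),
        "3G on OS 3.1 (truthful)":           (False, True),
        "3G on OS 3.0 (acknowledges anyway)": (False, False),
    }
    for label, (hw, truthful) in cases.items():
        allowed, seen = run_handshake(True, hw, truthful)
        print(f"{label:37} server saw Status={seen}  sync allowed={allowed}")
```

Run it and the three cases print side by side: the honest 3GS and the “acknowledges anyway” 3G both show Status=1 and are both allowed to sync, and only the truthful 3G on OS 3.1 is refused. Nothing in what reaches the server distinguishes the first two, which is the whole weakness: the requirement is exactly as strong as the client’s honesty.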

What Now?

As I mentioned, iPhone 3G owners who wish to access their Exchange email now have only two options, and most will just choose to forgo upgrading their software. That can’t be what Apple wants. They’d prefer people either stay up-to-date, with the latest OS software and security fixes, or – and this has to be the best solution for all parties involved – upgrade to the iPhone 3GS.

So how can Apple get current iPhone 3G owners – specifically those who access Exchange Server – to upgrade?

I’ve thought a lot about this and it seems to me the best way is to provide some sort of discounted price to those eligible. The way to do this is to require a user to (1) upgrade their iPhone 3G to OS 3.1, (2) bring it to an Apple Genius and (3) show they are attempting to access an Exchange Server with device encryption required. It’s a potentially nightmarish scenario logistically, but at least Apple could avoid a similar nightmare in PR.

But there is another solution here that might be better for everyone: Apple’s recommendation from the KB article. Allow me to digress for a moment.

Since we know that device encryption can be faked at the handset level, does it even make sense to require it? Logic would suggest yes: it still does make sense, because the honest user (the one who owns the device before it falls into the wrong hands) has no reason to circumvent the requirement. Unfortunately, this is not always the case. As we’re sure to witness, those who know their device is not encrypting their data will continue to access Exchange Servers that require encryption – using iPhone OS 3.0. To the average user, availability is more important than accessibility.

This leads me to the question: what exactly is device encryption? And, more importantly, why should the average user care enough to voluntarily give up their privileges?

Frankly, I don’t know the answer to those questions.

I’m just glad I have an iPhone 3GS.