iPhone and Exchange Server, No Longer K-I-S-S-I-N-G
As is being reported at The Unofficial Apple Weblog, iPhone 3G (and first-generation) owners can no longer get their Exchange email, contacts, or calendars after upgrading to iPhone OS 3.1 if their IT departments have “require device encryption” enabled on the Exchange Server. Apple posted a Knowledge Base article acknowledging the issue and recommending only that the requirement be disabled on the server side.
The error users see reads thus:
Policy Requirement
The account “–” requires encryption which is not supported on this iPhone
I would imagine there are tens of thousands of people whom this affects.
At The City Church, our IT department enforces strict security policies, so we have “require device encryption” enabled. Our employees who have iPhone models prior to the iPhone 3GS now have only two options:
- Do not upgrade iPhone OS software
- Buy the iPhone 3GS
Thankfully, we caught this issue early – after two of our staff members reported problems following the upgrade to OS 3.1 – and are now recommending that everyone with an iPhone 3G ignore the upgrade notices they get from iTunes.
Our two unfortunate staff members who had already upgraded took their iPhones to the local Apple Store Genius Bar. After several unsuccessful attempts to downgrade the iPhones back to OS 3.0, the Genius(es) finally gave up and just swapped out their phones.
With how widespread this issue could be, it’s probably in Apple’s best interest to come up with a better solution than swapping out upgraded iPhones.
A Masquerade
The issue here is not that iPhone OS 3.1 now (correctly) enforces the server requirement. Apple fixed a security hole and is further advancing iPhone software security. The problem is that iPhone OS previously worked with servers that required device encryption, even though the hardware did not support it.
I did some investigative work (if you can call using Google “investigation”) and was able to find old versions of the iPhone Enterprise Deployment Guide. Prior to the current, third edition, the guide did not include a reference to device encryption. Incidentally, I don’t remember hardware encryption ever being promoted or advertised as a feature of the iPhone, prior to the 3GS.
However, one of the reasons our IT department gave the green light to the iPhone is because it had been tested (for two months) with Exchange, with device encryption required – and it had worked. You’d forgive any IT administrator if, after such a test, they’d assume device encryption was working and supported.
We don’t know how device encryption is enforced by Exchange Server, but if the iPhone was able to masquerade as a device having encryption, one has to wonder how secure the requirement really is.
Also in question is whether Apple knowingly allowed the requirement to work despite the iPhone’s inability to meet it.
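How Exchange enforces the requirement is documented in the ActiveSync provisioning protocol (MS-ASPROV): the server sends the mailbox policy to the client, the client answers with a status code saying whether it applied the policy, and the server then issues a PolicyKey that the client must present on every later request. The server never sees the hardware; it has only the client’s word. The model below is an added example, not code from this post, from Apple, or from Microsoft. Message shapes, the status constants’ names, the device identifiers and the `honest` flag are constructed simplifications; the status values 1, 2 and 3 follow MS-ASPROV. It provisions three constructed handsets against one server: a 3GS, a 3G running the honest OS 3.1 behaviour, and a 3G that claims compliance the way OS 3.0 effectively did.

```python
# Added example, not Apple's or Microsoft's code: a simplified model of the
# Exchange ActiveSync (EAS) Provision exchange. Message shapes, device names
# and the `honest` flag are constructed for illustration.
import secrets

# Client acknowledgement status values from MS-ASPROV Provision.
STATUS_APPLIED = 1        # client applied the whole policy
STATUS_PARTIAL = 2        # client applied what it could
STATUS_NOT_APPLIED = 3    # client cannot or will not apply the policy


class ExchangeServer:
    """Holds one ActiveSync mailbox policy and the PolicyKey issued per device."""

    def __init__(self, require_device_encryption=True,
                 allow_non_provisionable=False):
        self.policy = {
            "DevicePasswordEnabled": 1,
            "RequireDeviceEncryption": 1 if require_device_encryption else 0,
        }
        self.allow_non_provisionable = allow_non_provisionable
        self._temp_keys = {}   # device_id -> temporary key from phase 1
        self._final_keys = {}  # device_id -> key the client must present later

    def provision_phase1(self, device_id):
        """Phase 1: hand the client the policy and a temporary PolicyKey."""
        temp = secrets.randbits(32)
        self._temp_keys[device_id] = temp
        return temp, dict(self.policy)

    def provision_phase2(self, device_id, temp_key, status):
        """Phase 2: accept the client's self-reported status and, if it is
        acceptable, issue the final PolicyKey. Nothing here can inspect the
        hardware; the decision rests entirely on `status`."""
        if self._temp_keys.get(device_id) != temp_key:
            return None
        if status == STATUS_APPLIED or (
                status == STATUS_PARTIAL and self.allow_non_provisionable):
            final = secrets.randbits(32)
            self._final_keys[device_id] = final
            return final
        return None

    def sync(self, device_id, policy_key):
        """Later commands carry the PolicyKey (X-MS-PolicyKey header); the
        server only checks that it matches the key issued in phase 2."""
        return (policy_key is not None
                and self._final_keys.get(device_id) == policy_key)


class Handset:
    """A client with or without hardware encryption. `honest=True` models the
    OS 3.1 behaviour; `honest=False` models the OS 3.0 masquerade."""

    def __init__(self, device_id, hardware_encryption, honest):
        self.device_id = device_id
        self.hardware_encryption = hardware_encryption
        self.honest = honest
        self.policy_key = None
        self.last_error = None

    def provision(self, server):
        temp, policy = server.provision_phase1(self.device_id)
        if policy["RequireDeviceEncryption"] and not self.hardware_encryption:
            if self.honest:
                # OS 3.1: refuse the policy and tell the user why.
                self.last_error = ("The account requires encryption which is "
                                   "not supported on this iPhone")
                status = STATUS_NOT_APPLIED
            else:
                # OS 3.0 in effect: claim the policy was applied anyway.
                status = STATUS_APPLIED
        else:
            status = STATUS_APPLIED
        self.policy_key = server.provision_phase2(self.device_id, temp, status)
        return self.policy_key is not None


def run_scenarios(require_device_encryption=True):
    """Provision three constructed handsets against one server and report
    which of them can subsequently sync."""
    server = ExchangeServer(require_device_encryption=require_device_encryption)
    handsets = {
        "iPhone 3GS (OS 3.1)": Handset("3gs", hardware_encryption=True, honest=True),
        "iPhone 3G (OS 3.1)": Handset("3g-31", hardware_encryption=False, honest=True),
        "iPhone 3G (OS 3.0)": Handset("3g-30", hardware_encryption=False, honest=False),
    }
    results = {}
    for name, handset in handsets.items():
        handset.provision(server)
        results[name] = server.sync(handset.device_id, handset.policy_key)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} can sync: {ok}")
```

Run as-is, the 3GS and the masquerading 3G both get a PolicyKey and sync; only the honest 3G is shut out, which is exactly the error quoted above. Run with `require_device_encryption=False`, the model of the KB article’s server-side recommendation (in Exchange 2007 SP1 that is the `RequireDeviceEncryption` parameter of `Set-ActiveSyncMailboxPolicy`), every handset gets through. The caveat a practitioner should take from this: the requirement never stopped a client that lied, so it only ever constrained honest clients, and the server has no independent way to tell the two apart.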
What Now?
As I mentioned, iPhone 3G owners who wish to access their Exchange email now have only two options, and most will just choose to forego upgrading software. That can’t be what Apple wants. They’d prefer people either stay up-to-date, with the latest OS software and security fixes, or – and this has to be the best solution for all parties involved – upgrade to the iPhone 3GS.
So how can Apple get current iPhone 3G owners – specifically those who access Exchange Server – to upgrade?
I’ve thought a lot about this and it seems to me the best way is to provide some sort of discounted price to those eligible. The way to do this is to require that a user (1) upgrade their iPhone 3G to OS 3.1, (2) bring it in to an Apple Genius and (3) show they are attempting to access an Exchange Server with device encryption required. It’s a potentially nightmarish scenario logistically, but at least Apple could avoid a similar nightmare in PR.
But there is another solution here that might be better for everyone: Apple’s recommendation from the KB article. Allow me to digress for a moment.
Since we know that a handset can falsely report device encryption to the server, does it even make sense to require it? Logic would suggest yes: it still does make sense, because the honest (those who own the device before it falls into the wrong hands) have no reason to circumvent the requirement. Unfortunately, this is not always the case. As we’re sure to witness, those who know that their device is not encrypting their data will continue to access Exchange Servers that require encryption – using iPhone OS 3.0. To the average user, availability is more important than accessibility.
This leads me to the question: what exactly is device encryption? And, more importantly, why should the average user care enough to voluntarily give up their privileges?
Frankly, I don’t know the answer to those questions.
I’m just glad I have an iPhone 3GS.
A very similar problem happened at my workplace. I’m very glad I waited to upgrade. What’s disturbing is that this is contributing to a pattern of arbitrary feature malpractice.
I call it a corruptgrade.
That’s when a feature that had previously worked has been broken by newer versions of the software.
§ Michael Critz · 12 September 2009
I’m not trying to be snarky here, but an honest question: why do you use Exchange at all? We have over 100 staff now and the switch to Google Apps has made life quite a bit easier (not to mention completely free for us, as a non-profit).
§ Joshua Blankenship · 12 September 2009
@Joshua I need to for work. If I could erase 15 years of embedded Exchange support overnight I would!
§ Michael Critz · 12 September 2009
If you are concerned about who can read your email, you will never get approval for Google Apps.
As for Apple, I recommend watching the 2008 keynote, which made huge statements about the security of the Exchange functionality.
http://www.apple.com/quicktime/qtv/wwdc08/
The interesting bit starts about 4:20, with Steve Jobs.
“We’ve done it, we’ve built it in out of the box”
“Push email, push contact, push calendar, auto-discovery”
“Remote Wipe”
“All of this stuff built in”
Goes on about a lot of other network security stuff they added around Cisco VPN and Wifi.
“Everything they told us they wanted, we have built in.”
Then he talks about the beta program, and shows the video with the beta enterprise customers – 6:25.
The US military shows up:
“We’re not much different, but we’re one of the few that are exceedingly mobile, deploy all over the world and have people shooting at us”
Disney talks about getting into the network securely through the VPN client and two factor authentication.
Genentech security.
Sonneschein – security… Talks about working with FBI and the Secret Service.
Military – Talks about needing remote wipe, and how they need to be able to secure the device and lock it down. “I’m talking about soldiers lives.”
I’d say that Apple said it was secure. There’s probably more in the Enterprise track about how to integrate it with Exchange.
§ Jason · 16 September 2009