Apple flubs its improved support for Exchange e-mail security
Editor’s Note: The following article is reprinted from Network World.
Apple improved its iPhone support for Microsoft Exchange security and triggered a controversy, but it’s impact is limited to sites that have deployed Exchange Server 2007.
For some users of older iPhone models, the change has led to blocking them from corporate email access, if their company’s Exchange server requires data on the iPhones to be scrambled. Enterprises apparently will either have to scrub this policy or upgrade users to the new iPhone 3GS, which has the necessary hardware to handle the encryption.
In the recent iPhone 3.1 OS release, Apple decided to support a specific optional security policy in Exchange 2007. This option lets an enterprise “require encryption on the device,” so that locally stored data, such as emails, are scrambled. Exchange administrators can use that more granular encryption to quickly target and remotely wipe specific files on devices that are lost or stolen, instead of the more laborious process of wiping all files.
For this to work as intended, two things are needed. First, Apple (or any other device builder) has to support this option feature in its client implementation of Exchange Active Sync, which Apple licensed from Microsoft in 2007 to let iPhone users access corporate email. Apple turned this option on for the first time in the 3.1 release.
Second, the client device has to have the hardware capability to do the encryption. That’s only possible with the new iPhone 3GS and the new higher-capacity iPod Touch models.
“The manufacturer, in this case Apple, decides which [Exchange] policies to implement [in Active Sync client], then document which policies they support,” says Ahmed Datoo, vice president with Zenprise, a Fremont, Calif., software vendor that provides multi-vendor device management software, covering iPhones among other platforms. “If the manufacturer never implemented support for that policy, then Exchange can’t enforce that policy.”
Until now, iPhone users were able to connect to Exchange 2007 servers, even if the corporate policy was to require device encryption. That’s because the iPhone Active Sync client in effect was unaware of the server-based encryption policy, and Exchange in effect was unaware that the iPhone was unaware.
With the 3.1 OS, an iPhone becomes aware of this policy for the first time. Because the new iPhone 3GS has hardware encryption, it can encrypt the local data and implement the policy, and it syncs with Exchange 2007.
The iPhone 3G, though it too is now aware of the Exchange policy, can not encrypt the local data, and reports this fact to Exchange. The server, also for the first time, is now aware that this iPhone is not in compliance and doesn’t let it connect.
iPhone, Exchange customer reaction
The change caught many users by surprise, triggering a flood of complaints and comments.
But for many other enterprise iPhone users, this won’t be a problem, even if they update to the 3.1 release. One reason is that their corporate email is based on Exchange Server 2003. That’s the case at a big medical center, which plans to sidestep Exchange 2007 altogether, according the center’s email administrator who asked not to be identified. Their current iPhone users are experiencing no problems. The center plans to wait for Exchange 2010, which the administrator says Microsoft plans to release later in 2009. “We’ll deploy device encryption when we have the ability to enforce it,” he says.
Another reason is that some organizations simply don’t require device-level data encryption. “We don’t have security requirements for on-device encryption unless the data is classified,” says Philippe Hanset, IT manager, University of Tennessee, Knoxville. “Which email is not, since it is usually sent in clear text over the Internet anyway.”
“For the iPhone side of things, it would definitely be better to require encryption,” says Ewan Leith, principal consultant, Network Integrity Services, a U.K.-based systems integrator with a focus on Microsoft products for the enterprise. “But a laptop running Windows 7 or Vista with Outlook has less protection: is there a significant difference in the risk of losing one [compared to losing a smartphone]? Drive encryption of Windows 7 laptops isn’t enforced by Exchange.”
Apple provided no heads-up to users or enterprise IT departments that some users accustomed to Exchange access were about to be frozen out. The company’s documentation on the change is short and to the point: “If your Exchange Server administrator has selected this option, only devices that support device-level encryption are allowed to sync…” Under “additional information” it has this one sentence: “Note that iPhone 3GS supports device encryption.”
Apple is equally brief about the options: “To re-establish syncing, have your Exchange Server administrator change the mailbox policy to no longer require device encryption.” As more than one blogger or poster has noted, “good luck with that.”
The update, and its results, triggered a rant by Infoworld editor Galen Gruman. Under the headline “Apple betrays the iPhone’s business hopes,” Gruman wrote, “Thousands of users have been accessing e-mail, calendars, and contacts over Exchange connections through their iPhones or iPod Touches, not knowing they were compromising their corporate security. During that entire time, Apple has extolled its support of Exchange and convinced many businesses that the iPhone was a corporate-class device they should embrace or, at least, tolerate.”
In a more measured assessment of the change on AppleInsider.com, Prince McClean concluded that the update, which after all was an expansion of iPhone support for Exchange security, was “poorly communicated to users by Apple.” The result was “confusion and frustration by users.”
McClean argues that the proprietary nature of Exchange Active Sync “creates a problem for consumers who want competition and choice along with the assurance that the phone they buy will work with their company’s servers.”
There is an effort at an open standard: the Open Mobile Alliance Device Management (OMA-DM) protocol, formerly known as SyncML, which was first released in 2000. It has not developed much traction at least in the U.S. Network World product tester Joel Snyder, recently reviewing the MDaemon SMTP mail transfer agent, which uses SyncML, noted that “our experience in testing mobile devices is that SyncML offers a lower level of reliability than the built-in ActiveSync clients in Windows Mobile and iPhone.”
Microsoft itself has taken note of OMA-DM and Systems Center Mobile Device Manager 2008 provides a commercial server implementation of the protocol for provisioning mobile devices.
But one interesting question, again raised by McClean, is whether Microsoft might eventually offer Exchange Active Sync as an open specification. That would fit with the recent partnership with Nokia, indicating that Microsoft is trying to leverage its pervasive server products, including Exchange and Microsoft Office SharePoint Server, rather than its own smartphone OS, Windows Mobile.