iPhone OS 3.1 enforcing Exchange device encryption, only supported by iPhone 3GS
Noticing a "Policy Requirement" error when trying to use your Microsoft Exchange account after upgrading to OS 3.1? Then there's a good chance you're not using an iPhone 3GS, as Apple has just confirmed via a support page that the upgrade can now enforce the Exchange ActiveSync mailbox policy requiring encryption on the device, which just so happens to only be supported by the 3GS (guess that "S" stands for more than just speed). Not surprisingly, the only solution for non-3GS users is to contact their Exchange Server administrator and hope that they're willing to change the policy to no longer require device encryption.
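The article describes an Exchange ActiveSync (EAS) provisioning handshake: the server pushes a mailbox policy, the device compares it against what its hardware can actually do, acknowledges with a status, and the server decides whether to let the mailbox sync. The following is an added illustration of that exchange, written for this page and not code from Apple, Microsoft or Engadget. The `EASProvisionDoc` element names follow the MS-ASPROV provisioning document as I recall them; the status numbers, the capability flags and the device inventory are assumptions and constructed sample data. It includes an administrator-side preflight that lists which enrolled devices a policy requiring device encryption would lock out, which is the check an Exchange admin would want before flipping the setting.

```python
"""Model of the EAS provisioning handshake that OS 3.1 is described as
honouring: server policy -> honest device evaluation -> acknowledgement
status -> server admission decision, plus an admin preflight.
Element names are assumed to match MS-ASPROV; status codes, capability
flags and the inventory are constructed for this example."""
import xml.etree.ElementTree as ET

# Policy settings that are boolean requirements the device must satisfy.
# Assumed MS-ASPROV element names.
BOOLEAN_SETTINGS = ("DevicePasswordEnabled", "RequireDeviceEncryption",
                    "RequireStorageCardEncryption")

# Acknowledgement status the client returns after receiving a policy
# (assumed values): 1 = policy applied in full,
# 3 = not applied because the device lacks the capability.
STATUS_APPLIED = 1
STATUS_NOT_APPLIED = 3


def build_policy_doc(settings):
    """Serialise an administrator's mailbox policy as an EASProvisionDoc."""
    doc = ET.Element("EASProvisionDoc")
    for name, value in settings.items():
        if isinstance(value, bool):
            text = "1" if value else "0"
        else:
            text = str(value)
        ET.SubElement(doc, name).text = text
    return ET.tostring(doc, encoding="unicode")


def evaluate_policy(policy_xml, capabilities):
    """Honest client behaviour: `capabilities` maps a setting name to whether
    this device can really satisfy it. Returns (status, unmet settings)."""
    doc = ET.fromstring(policy_xml)
    unmet = [el.tag for el in doc
             if el.tag in BOOLEAN_SETTINGS and el.text == "1"
             and not capabilities.get(el.tag, False)]
    status = STATUS_APPLIED if not unmet else STATUS_NOT_APPLIED
    return status, unmet


def server_admits(ack_status, allow_non_provisionable=False):
    """Server side: the decision rests on the device's self-reported status;
    the server cannot inspect the device's storage itself. Only a fully
    applied policy, or an explicit admin opt-out, lets the mailbox sync."""
    return ack_status == STATUS_APPLIED or allow_non_provisionable


def preflight(settings, inventory):
    """Admin-side check before enabling a policy: which devices would get a
    policy-requirement error, and which settings they cannot meet."""
    policy_xml = build_policy_doc(settings)
    locked_out = {}
    for name, caps in inventory.items():
        status, unmet = evaluate_policy(policy_xml, caps)
        if not server_admits(status):
            locked_out[name] = unmet
    return locked_out


# Constructed sample inventory; capability flags are assumptions.
SAMPLE_INVENTORY = {
    "iphone-3g-jdoe": {"DevicePasswordEnabled": True, "RequireDeviceEncryption": False},
    "iphone-3gs-asmith": {"DevicePasswordEnabled": True, "RequireDeviceEncryption": True},
    "iphone-2g-bwu": {"DevicePasswordEnabled": True, "RequireDeviceEncryption": False},
}

# Constructed policy: PIN required, device encryption required, 15-minute lock.
ENCRYPTION_POLICY = {
    "DevicePasswordEnabled": True,
    "RequireDeviceEncryption": True,
    "MaxInactivityTimeDeviceLock": 900,
}

if __name__ == "__main__":
    for name, unmet in preflight(ENCRYPTION_POLICY, SAMPLE_INVENTORY).items():
        print(f"{name}: would fail the policy requirement, cannot satisfy {unmet}")
```

Running it lists the two non-3GS devices as the ones that would be refused once `RequireDeviceEncryption` is on; relaxing the policy for them is exactly the `allow_non_provisionable` opt-out, which is the administrator decision the article says non-3GS users have to ask for.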
S - sucks to be you.
No one is upgrading from iPhone 2G/3G to 3GS, so Apple just wanted to get some $$$. Come on, they have to do something to make people upgrade!
To all the people in the company I work for using the iPhone for their work email even when told it's not supported: HAHA! *Nelson Point*
You mean Sucks to be "you" as in sucks to be you who don't have the S.
I don't see any reason why people who have an existing 2G or 3G won't upgrade.
You get a faster processor, double the memory, which actually computes to about 5 times the available memory after system resources,
and you get a slew of other features that the previous phones don't have (or Apple isn't releasing)
I sold my gently used iPhone 16GB 3G (off contract) for $300 on Craigslist and promptly turned around and bought a brand new 3GS 16GB with money to spare for a new case and screen protector.
If you are going to stick with AT&T anyway, might as well make use of the heavy subsidizing, eh?
Wow, I am officially over the iPhone...
iPhone is boring now...
granted I do have 3 4GB iPhones, one I use, the other is ready to go and another BNIB...
$149 refurbs from the Apple store...
I don't know how you nubs actually really use this thing in real life..
wasting away time poking a 3.5" screen...
Quite frankly I think people who use more than 1GB/month on an iPhone are losers...
@Jash
Like making good products you mean.
Eyhk- Because some of us are waiting for our contract to be up so we don't have to pay $600. And the 4th gen will be just about out by then, so...
@Eyhk
So what you are saying is that people like myself who have a first gen iPhone are stupid for not locking themselves into another 2 year contract, stupid for not paying $20 more per month for 3G service (that I don't need), stupid for not giving Apple another $200 when I have a working device, stupid for not wanting to get locked into another device that comes full of promises but falls short over and over again.
But it is an Apple creation, so I guess we should overlook all that and mindlessly buy into the "it is Apple, so you should have it" attitude. Think different unless it is different from Apple, then you are stupid - be a conformist!
And why isn't it supported in the 3G or below? Don't say "CASH FOR APPLE" because Apple is an honest company that doesn't rip off their best customers. No, they don't RAPE their "raisons d'être"
Umm you missed the biggest part of this. When Apple released the update with exchange support only the 1st gen and the 3G iPhones were out. Meaning that this wasn't just a bug fix, they intentionally had the device lie and claim to have full device encryption so they could cheat their way to claiming exchange support. Now that the 3GS is out, they covered that up by releasing an update that enforces that requirement, meaning that people who bought the 3G expecting the claimed full exchange support now have it broken. Apple flat out lied to its users to try to boast an ability the iPhone didn't have.
Why is it you only post comments on apple and MS related articles? Is it to share your paranoid delusions and conspiracy theories with the world? Or is it just to be a troll?
My guess is the latter.
class-action suit in 3 ... 2 ...
@Shotgun: Probably because I don't. I post on any articles that capture my interest. Honestly, I have no idea what the hell you're talking about, since just taking a quick look at my comment history, of the last 5 articles that show up on the first page that I posted on, only 2 were apple or microsoft related. Pretty damn good, considering that if you look at the engadget articles you'll see roughly the same ratio.
I'd also point out that I came to this article with a well thought out comment that points out a major facet of this news, whereas you came here to bash me for "only post[ing] comments on apple and MS related articles". Who's really the troll?
@ Shotgun
Probably because every-other article on Engadget is an advertisement for Apple, or bashes on Microsoft...
The other articles are devoted to how terrible resistive touchscreen technology is.
Sounds like Palm.
By the way, Shotgun, for comparison's sake I looked into your comment history and, lo and behold, on the first page there are 5 different apple or microsoft related threads that you commented on. Kettle? Black?
@shotgun
i think maybe mark posts too much, but his comments are _usually_ dead on
@Josh: True... I have a bit too much free time.
@ Jim - Exactly what i was thinking
Actually your well thought out article is flawed and not well thought out at all. I was going to let it die with my first comment with my first assumption that you do not own an iPhone and second that you probably don't use exchange. But here we go..
Device encryption support is an Exchange 2007 feature only, and does not exist in Exchange 2003 or exchange 2000. Most companies have not yet upgraded to 2007 and are awaiting the release of exchange 2010. Device encryption is an activesync policy that can be easily turned off by an administrator per user or even per group and is not integral to the core function of the phone. The fact that the new iPhone supports it on a hardware level and not software like WinMo is a mystery to me at this point. Apple chose to activate that feature with the 3.1 and nowhere was it advertised that previous iPhone models would support device encryption. So I ask was it just ignorance that inspired your post? Or anger at Apple for enabling a new feature of the iPhone without first warning customers that this was coming?
P.S. The overall articles you comment on may be diverse but I don't recall an apple or ms related article that you haven't commented on.
If that's truly how they did things, then they need to be called out LOUDLY all over the internet(and elsewhere) for that. That is false and misleading, and they deserve a big backlash over that. That's one of the sneakiest things I've heard of.
@Shotgun:
Um, you missed the biggest part of his comment:
"they intentionally had the device lie and claim to have full device encryption so they could cheat their way to claiming exchange support".
Regardless of whether most businesses are using 2003 and 2000, they lied in their reply to the exchange server. No business should even allow a phone on their exchange network if it is doing stuff like that. They are pretty much hacking into a company's email server by not enforcing all of its policies.
Now, like Mark said, they completely disabled a feature that used to work before. While that isn't as bad as the comment I quoted from Mark, it sure as hell must piss off users who were able to connect (although falsely) to an exchange server and have that feature ripped from them, but only introduced on the higher end device, which of course can cost a user the full price depending on when they signed up for their previous iPhone contract.
And did they give any information on whether this will be supported at a later date for older phones? Or is it only 3GS, because that's a completely Applish move if they pull that stunt. It's like giving users the ability to record video then ripping that feature away in a firmware update, but only leaving it enabled on your newest device.
Just imagine if another company did this. There would be a hell storm.
@Shotgun: You missed the point of my comment entirely. Previous to 3.1, the iPhone actually falsely claimed to have full device encryption when it did not. Is the reason for that so much of a mystery? When 2.1 was released, it was claimed that the iPhone had "full exchange support". They made it falsely claim to have full device encryption because the 3G (which was the current generation at the time) didn't support it. Now that the 3GS is out, which supports it, all of a sudden they disable that and make it report itself correctly. This is at least as bad as Palm claiming to be an iPod to iTunes, and is actually far worse from a business standpoint since it basically hacked its way onto protected exchange servers. It's also bad for those who bought the 3G because Apple made it look like it supported something and then yanked that out from under them.
Since you asked what inspired my post: It's the fact that Apple made a device pretend to have a feature it didn't really have in order to sell more units and is now pulling that feature out from under those who bought their product because of those false claims.
For your last bit: You're right, I do post on most Apple and Microsoft related threads. I also post on most Android, Palm, Nokia, and thin laptop related threads. As was said: I just comment a lot.
@Shotgun
You make it sound so easy. Just disable encryption for that 1 person... Right, I'll let you get right on that. While you're at it, do the same thing for the other 1000 people asking for it...
And for the record, MOST companies REQUIRE encryption and are not about to disable it just to pacify certain groups of people. I know I'm not.
So it's my understanding you think Apple intentionally lied instead of Apple plugging a security hole it had in a previous software version that allowed it to work. Keep in mind that this affects iPhones that are configured to run with exchange 2007 servers only (which isn't perfect itself). I don't believe the affected users are a large enough group to warrant your overreaction. I don't recall anyone complaining when Windows XP's firewall turned out to not be a firewall at all and easily bypassed by any knowledgeable dev.
My apologies, I assumed you missed the point of the article where it states this was the result of a security fix so I failed to reiterate it.
@Shotgun: This clearly wasn't a bug. This isn't something where if it's not reported then the server just lets the device on. The device actually has to report to the server that it does have full device encryption. If you're actually buying the line that this was a bug in the software that just happened to be fixed at the exact same time that Apple released a new lineup that actually does provide such encryption, then I've got some snake oil to sell you that can cure any disease.
Actually from what I've seen no devices report anything to exchange servers except identification info, it goes the other way around. Once you enable a policy for a specific group of employees that have devices it sends those changes to the devices and it can either comply or not. If the device is not able to comply with the new policy then the connection is severed permanently or until the policy is removed on the server end. You're assuming the worst without gathering information first and spreading anger where there shouldn't be. I don't see how the release of the software coincides with a new lineup of Apple products, I don't recall them claiming exchange support on the new nanos. There have been several months between the release of the 3GS and this update, I feel it is exactly as they describe it.. a security hole plugged up.
What you are doing here is creating a false hysteria of sorts laden with anti-Apple sentiment without any evidence whatsoever. Once someone with knowledge of how WinMo/iPhone and exchange interact on a technical level your argument doesn't have any ground to stand on.
@Shotgun: Exactly, and the old iPhones claimed to comply, when they actually didn't. If they hadn't made that claim then it never would have worked from the start. And I'm not talking about the Nanos. So far reports are that the new iPod Touch supports full device encryption. Meaning this update came on the exact day that the product line (iPod and iPhone) fully supported it.
The new iPod touch uses the same hardware platform as the 3GS so why wouldn't it support device encryption? The iPod touch is irrelevant. Why would anyone want corporate email on that thing?
I want to see exactly where the claims are that you keep referencing. All iPhones support exchange, specific additional features will vary from revision to revision. The same goes for WinMo devices. No WinMo 5 device will support device encryption either. Apple never claimed device encryption would work on the older devices, how it did in the first place was obviously a mistake. To leave that kind of security hole in place is not only unethical, it is not Apple's modus operandi considering their attention to security and quick response to discovered holes in their desktop/server OS.
I still don't know why you hold anything Apple with such contempt. If you don't have evidence that this was an intentional move then don't post until you do.
Also, I'm wondering if you know what device encryption is meant to do.
Please read:
http://blogs.msdn.com/windowsmobile/archive/2007/03/26/windows-mobile-6-storage-card-encryption-faq.aspx
And then ask yourself what it has to do with the iPhone.
Shotgun, sorry, but nobody is talking about storage card encryption. With Exchange 2007, or MS's Mobile Device Manager you can enforce device encryption. Again, that's device encryption. Storage Card encryption is also something you can enforce.
I think what Mark is saying, that with a non iPhone 3GS, and older firmware you could sync it with Exchange and if the Exchange admin was enforcing device encryption, the older firmware would report back, YEAH, I'm encrypted, when it really was not.
Now with 3.1, it is actually telling the truth and erroring out because it was really not encrypting.
So does that not mean that older phones were lying about actually being encrypted. That is bad, very bad.
Dorf,
That is what device encryption is. It encrypts any storage media attached to the device, including the phone's internal storage.
http://msexchangeteam.com/archive/2007/05/23/439541.aspx
Setting: Device encryption enabled
Desc.: For Windows Mobile 6.0 Devices this controls the storage card encryption on the device
Not so relevant to iPhone users at all. And on top of that the exchange setting to enable this is NOT on by default.
Mark, I will accept your apology at any point lol
@Shotgun: I've grown tired of arguing with you so I will bring this to 1 final question: Prior to the date that Apple made all new iPod/iPhone devices that supported exchange have hardware device encryption, did the older versions, or did they not falsely report that they had such support?
Tired of arguing irrelevant points or tired of being wrong?
If you want a definite answer to your question perhaps it's best to point you to Apple engineering. But what I believe is that prior to 3.1 the software wasn't capable of handling errors on the device encryption policy failure and somehow it worked. There are a lot of possibilities that could explain why and unless you have some technical knowledge of how it works then I advise not jumping to conclusions.
Apology accepted.
Nope, wrong answer. Via gizmodo: "Before 3.1, firmwares just falsely reported that a user's iPhone supported device-level encryption." The phone can't just ignore the warning and keep on using the server, it has to actually respond back to the server claiming full device encryption or it won't be let in. Your beliefs are misguided and you might want to check the bias behind them at the door.
By the way, with that I'm ignoring this post and moving on. Have fun.
How is referencing another article where the content is the opinion of the author and not based on facts productive at all? Like I said, if you want an answer talk to an engineer.
I read this yesterday and the more I think about it, this is a really serious issue. My wife who works in the financial industry is required by the SEC to have all client information encrypted. Luckily she has a BlackBerry and it is actually supported, but there are others in their offices that do use iPhones. HIPAA also requires that client information be encrypted, and lots of doctors use iPhones. Any email received on the iPhones about patient information is not HIPAA compliant. Lawyers I am sure would have a similar issue.
Apple lied to the market claiming support which actually is putting companies in regulatory (and therefore financial) risk. Apple should lose their ass on this. This is criminal.
Fat chance of that happening. Most IT departments I've had the displeasure of contacting treat Apple products as toys and have next to zero interest in changing their systems to support them.
What an absolutely stupid thing to do.
I work in the emergency services as IT, and yep we treat Macs as toys and won't support them. We need hundreds of machines to do all the things needed (including the appliance machines) and Macs are waaaaay too costly. Same for most decent sized businesses I'd guess.
This is a prime example of why I/they/we may have that attitude. It is unrealistic to add hardware to your environment that comes from a company that handles security in an under-handed manner. From my experience, and I may have just not spent enough hours researching ONE PIECE OF HARDWARE, I didn't see Apple making customers aware that the 3G did not support encryption. They are only just now acknowledging the issue, and have no viable solution in sight.
With all of the ruckus I've heard about this since 3.1 dropped... what took you so long to report on this, Engadget?
If an iPhone user comes to me demanding that I disable encryption on the Exchange server so he can read his e-mail then yes, I will tell him that his phone is a toy until it supports proper basic security features that any serious company needs to enforce.
I have to say, for something that is supposed to be "so intuitive", I have A LOT of people lined up at my desk to configure their iPhones
The reason that most IT people/departments feel that way is because Macs are VERY costly and a pain to deal with. For example, I can get a machine from Dell, take it out of the box, connect it to the network and it automatically images and configures itself with little to no interaction whatsoever. I get 5 Macs in and I have to configure those things one by one.
Personally, I like apple products, but they're not enterprise ready at all and this just proves it.
@PBB
You obviously haven't looked into any Apple enterprise solutions. You can perform imaging on macs just as you can any PC. The only issue as you stated is price.
@PBB
"The reason that most IT people/departments feel that way is because Macs are VERY costly and a pain to deal with. For example, I can get a machine from Dell, take it out of the box, connect it to the network and it automatically images and configures itself with little to no interaction whatsoever. I get 5 Macs in and I have to configure those things one by one.
Personally, I like apple products, but they're not enterprise ready at all and this just proves it."
Really? In my previous position at a university I imaged/configured Macs over the network without interaction quite frequently. You must be doing something wrong.
@Shotgun & Nicole
Ok, let me rephrase then. Can Macs be imaged? Yes. Is that one more solution I have to buy in addition to everything else? Yes. Does that mean I have to spend more money just because it's a Mac? Yes. And yes, I know there are free apps out there to do this, too bad free doesn't fly well with my boss.
For the record, We have experimented with mac imaging and it has proven to be very unreliable.
But I will concede that apple is trying VERY hard to make macs enterprise friendly, just have a ways to go that's all.
@PBB
You have to spend more because it's a Mac AND because your current tools aren't designed for them. I could rewrite that sentence with "Windows PC" in it, and it'd be just as true. I'm afraid that if you're trying to broaden the scope of your tools, it is going to cost money no matter if you're branching out to Macs or PCs.
@PBB
No. You are doing something wrong. I work at a school that images over 700 Macs every year and it works perfectly. The only issues that arise are ones relating to bad configuring of the OS inside the image. Usually something stupidly minor our Mac techs forgot when building them.
@shotgun
And those "enterprise solutions" most likely cost an "enterprise cost" XD
I can haz upgrade?