Noticing a "Policy Requirement" error when trying to use your Microsoft Exchange account after upgrading to OS 3.1? Then there's a good chance you're not using an iPhone 3GS, as Apple has just confirmed via a support page that the upgrade can now enforce the Exchange ActiveSync mailbox policy requiring encryption on the device, which just so happens to only be supported by the 3GS (guess that "S" stands for more than just speed). Not surprisingly, the only solution for non-3GS users is to contact their Exchange Server administrator and hope that they're willing to change the policy to no longer require device encryption.
Ummm, I know companies may not like it (in the end that's their decision to enforce), but why don't Apple just let the iPhone 2G & 3G work how they did before (i.e. lie) to allow them to work, and allow the 3GS & new Touch to encrypt correctly?
That way the phones would work, they would be no less secure than they were previously, and the companies could decide how they handled it.
Taking a fully working feature (as far as the employee is concerned) and making it work "correctly" thereby making it no longer work is the exact same thing as taking the feature away. Apple need to fix this and fix it fast.
Regards,
Shane.
I can't believe anyone could defend Apple on this. Even if they did not intentionally make their phone send a bogus message to a server, and even if they didn't explicitly say "we support everything about Exchange", they still screwed up. They still had a phone that didn't work properly with a security setting used in high end environments.
Think about it this way. If you ran a healthcare office that handled state contracts, you are bound by all HIPAA regulations. Now one of your employees got his iPhone 3G stolen...ah, no biggy, right, we are encrypted!! AHHHHHHHGGGGG WRONG! It turns out that all that data was completely open and you are now getting sued because some customer data got leaked and it turned out to be a prominent local businessman. It got out that he had a horrible drinking problem, and your firm handled some of his mental health treatments.
Oh, but it was just a mistake on Apple's part....so no biggy.
Doesn't matter either way, but if you are really going to fool yourself into thinking that they didn't check this, considering the 3G phone came out nearly a year and a half after Exchange 2007, then you are suffering from a severe case of fanboyism.
Bottom line, either they hid it, or they did a horrible, horrible job at interfacing with Exchange 2007. Your pick, but try to think what you would say if the phone was built by Microsoft and it was connecting to a .Mac account.
Is anyone really surprised? I'm dead serious. When has Apple ever really done anything right by their customers? Even when they act like they're doing you a solid, you do a bit of digging and there is another motive. Wait 1-2 gens from now when they release the iPod Touch with a camera, and tell you how awesome it is, when a year earlier Steve Jobs told you it's not necessary, so you bought the current gen. This has been going on since before the days of telling you that you don't need a context menu (i.e. second mouse button).
It seems to me that this is a hole in the ActiveSync protocol? What kind of security is there if you trust the device to tell you the truth and you don't control the device?
It reminds me of the questions I am asked when entering the United States:
[...]are you now involved in espionage or sabotage; or in terrorist activities [...]?
It is also a big assumption on the part of Exchange admins to believe that devices conform to policies. In this case it might have been willfully misleading, but a device might have a bug or its code might have been hacked.
How can Apple "LIE" if MSFT Exchange 2007 cannot VERIFY the LIE? If Exchange cannot verify the claim from the device, should anybody actually trust the Exchange Server?
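The two comments above make the defender's point: the server only sees what the device reports. An admin who cannot verify the claim can at least audit which synced devices were physically unable to encrypt while an encryption-required policy applied. The following is an added example, not code from the article or any commenter; the record fields and sample users are constructed, and the only encryption-capable model (the 3GS) and the 3.1 cutoff come from the article.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class SyncRecord:
    """One ActiveSync partnership as an admin might export it (constructed shape)."""
    user: str
    model: str                 # marketing model name as the device reports it
    os_version: str            # e.g. "3.0.1"
    encryption_required: bool  # the mailbox policy applied to this user

# Per the article, the 3GS is the only iPhone with on-device encryption.
ENCRYPTION_CAPABLE = {"iPhone 3GS"}
# From OS 3.1 on, iPhones report their real encryption state (article).
HONEST_REPORTING_FROM = (3, 1)

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "3.0.1" into (3, 0, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def audit(records: List[SyncRecord]) -> List[dict]:
    """Flag devices accepted under an encryption-required policy that cannot encrypt."""
    findings = []
    for r in records:
        if not r.encryption_required or r.model in ENCRYPTION_CAPABLE:
            continue  # policy never demanded encryption, or the hardware delivers it
        honest = parse_version(r.os_version) >= HONEST_REPORTING_FROM
        findings.append({
            "user": r.user,
            "model": r.model,
            "os_version": r.os_version,
            # Pre-3.1 firmware claimed compliance it could not deliver, so mail synced
            # to that device sat on unencrypted storage; 3.1 firmware now gets the
            # "Policy Requirement" error instead of syncing.
            "status": "now_blocked_by_policy" if honest else "synced_unencrypted",
        })
    return findings

SAMPLE = [  # constructed records, not real users
    SyncRecord("alice", "iPhone 3GS", "3.1", True),
    SyncRecord("bob", "iPhone 3G", "3.0.1", True),
    SyncRecord("carol", "iPhone 3G", "3.1", True),
    SyncRecord("dave", "iPhone 3G", "3.0", False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['user']:8} {f['model']:10} {f['os_version']:6} {f['status']}")
```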
There is a dichotomy here that most people are missing... I work as an IT Consultant for a number of organizations that *do* require high-level security and encryption -- government, health care, law firms, etc. The distinct commonality in all of these organizations is that they simply do not allow any device on their network that was not issued by the IT department. *Period*
This is why the Blackberry is and continues to be such a popular device in these environments. It has always supported tight encryption and security policies for corporate controls. Even those organizations I work with that support ActiveSync devices will not provision ActiveSync on any device that wasn't issued by the company. I have several clients who have had lineups of users requesting iPhone support and even Palm Pre support and in every case the answer has simply been a firm "No."
Of course, that doesn't mean that other organizations aren't installing Exchange 2007 and enforcing encryption just because they can, but in those cases, the encryption requirement generally doesn't have any legal or liability concerns associated with it, and in many cases getting the IT department to disable encryption in these types of organizations may or may not be that difficult.
Of course, none of this excuses Apple from having this bug in the first place (if the policy says to enforce encryption, then it should be properly enforced on the device), but the reality is that a lot of the response to this is alarmist and overly melodramatic. This is not likely to be as big of a problem as you'd expect, since most organizations that truly have regulatory or legal requirements to enforce encryption generally also demand "ownership" of the devices that corporate data resides on. Allowing corporate data to reside on devices that are not owned by the corporation is a bad idea for a whole bunch of other legal and liability-related reasons, regardless of the encryption policies that may or may not be in place.
Here in NZ some pundits also say Apple has betrayed iPhone business users by coming clean about on-device encryption and no syncing with Exchange Servers after applying the iPhone OS 3.1 Update.
http://computerworld.co.nz/news.nsf/scrt/9B9C2F6288E3B487CC257632007172D1?opendocument&utm_source=topnews&utm_medium=email&utm_campaign=topnews
I'm confused though, how did they communicate before the update? If all it takes is for an iPhone without on-device encryption to lie to the Exchange Server by communicating "I'm OK, I have on-device encryption", how are the encrypted messages unencrypted? Is the data being sent encrypted or not, and what allows the data to be read if the phone does not have on-device encryption?