Monday, June 28, 2010

iPhone: Friend or Foe

From the many articles circulating about the iPhone and Microsoft employees, it would seem that Microsoft views the iPhone as an enemy. Windows Mobile (pre version 7, of course) seemed like a great platform, that is, until the iPhone came out and we saw people (myself included) change their views of what Windows Mobile could offer. A comparison between the two was like comparing NT4 Workstation with Windows 7. So what did Microsoft really expect? It seems like the only people left using Windows Mobile are Microsoft employees and people who have been given the device as a work mobile. Don't believe me? Next time you are in a meeting, ask everyone to show you what they are carrying around.
So let me get to my point. Microsoft claimed that Windows Mobile coupled with Exchange ActiveSync was going to be a BlackBerry killer. A few years later, this is still as far from being a reality as ever… Enter the iPhone. We are now seeing even C-levels start to ask when they can connect their iPhone to Exchange, and some corporates adopting and handing out the iPhone as a standard device. This is easy to achieve by leveraging the ActiveSync protocol that Apple have licensed and allowing users
But how do you get around the security issues that have been talked about? The easiest and cheapest way is to ensure you have a solid ActiveSync policy. Here are some of the key settings that should be considered:
  • Allow Non Provisionable Devices – Disabling this setting ensures that only devices able to apply ActiveSync policies can connect. If you enforce device encryption, an iPhone 3G running OS 3.x and later (there is a bug in earlier versions that falsely reported to Exchange that the device supported hardware encryption) will not be able to connect.
  • Enforce password on device – This setting ensures that all users of ActiveSync have a password/PIN protecting their device.
  • Maximum failed password attempts – In case a device is lost or stolen, this setting ensures that the device is completely wiped after the maximum number of attempts to gain access to it has been exceeded. This setting needs to be thought out carefully: too few attempts means that users may end up wiping their devices accidentally, and too many gives attackers a greater chance to gain access to corporate data.
  • Inactivity time in minutes – Another setting that needs to be thought out carefully. Too short a setting can be frustrating to users if the password requirements are complicated, and too long a setting increases the risk of unauthorised access to data.
  • Minimum password length – This setting can cause a great deal of pain in terms of usability. The right balance between Minimum password length, Inactivity time and Maximum failed password attempts is key to having happy users.
When building your ActiveSync policy, keep in mind that only a subset of the available policies, listed below, is supported by iPhones:
• Remote wipe
• Enforce password on device
• Minimum password length
• Maximum failed password attempts (before local wipe)
• Require both numbers and letters
• Inactivity time in minutes (1 to 60 minutes)
• Allow or prohibit simple password
• Password expiration
• Password history
• Policy refresh interval
• Minimum number of complex characters in password
• Require manual syncing while roaming
• Allow camera
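
The key settings above, written as an Exchange Management Shell policy and followed by an audit of the policies already defined. This is an added example, not code from the original post; it assumes Exchange 2010, and the policy name and every numeric value are illustrative assumptions rather than recommendations made in the post.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010 assumed).
# 'Mobile-Baseline' and all numeric values are illustrative assumptions.
$baseline = @{
    Name                            = 'Mobile-Baseline'
    AllowNonProvisionableDevices    = $false      # only policy-capable devices may sync
    DevicePasswordEnabled           = $true       # "Enforce password on device"
    MinDevicePasswordLength         = 4           # "Minimum password length"
    MaxDevicePasswordFailedAttempts = 8           # local wipe after this many failures
    MaxInactivityTimeDeviceLock     = '00:10:00'  # "Inactivity time" (iPhone: 1 to 60 min)
}
New-ActiveSyncMailboxPolicy @baseline

# Audit every existing policy for the weak spots the settings list describes.
# Values are compared as strings so the check works on remoting-deserialized objects.
Get-ActiveSyncMailboxPolicy | ForEach-Object {
    $findings = @()

    if ($_.AllowNonProvisionableDevices) {
        $findings += 'devices that cannot apply policy are allowed to connect'
    }
    if (-not $_.DevicePasswordEnabled) {
        $findings += 'no device password required'
    }
    if ("$($_.MaxDevicePasswordFailedAttempts)" -eq 'Unlimited') {
        $findings += 'no wipe after failed password attempts'
    }
    if ("$($_.MaxInactivityTimeDeviceLock)" -eq 'Unlimited') {
        $findings += 'no inactivity lock'
    }
    if ($_.RequireDeviceEncryption) {
        # Informational: per the post, this blocks an iPhone 3G on OS 3.x and later.
        $findings += 'device encryption enforced (iPhone 3G on OS 3.x+ cannot connect)'
    }
    if ($findings.Count -eq 0) {
        $findings += 'none'
    }

    # One summary row per policy.
    New-Object PSObject -Property @{
        Policy   = $_.Name
        Findings = ($findings -join '; ')
    }
} | Format-List Policy, Findings
```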

So for Matt’s 5 cents:
The iPhone is proving to be a catalyst for people to move towards ActiveSync as a mobile messaging platform. While planning for iPhone access to ActiveSync, don’t forget that your ActiveSync policy really needs to cater for all ActiveSync users regardless of device type. So even though the iPhone policy support is limited, you should still ensure that the other settings are suitable for those people with Windows Mobile or Android devices.
