MS Exchange on iPhone with iceWEB

@martin

here it is:
http://www.tuaw.com/2007/06/22/iphone-free-tuaw-feed/

The iphone is in no way a productivity smartphone, it's a lot closer to entertainment phone, an ipod with GSM call features and internet surfing. I doubt any company would cover its cost even if it came in corporate AT&T accounts. Too much of a toy and less tool, it does shine as personal (although overpriced) entertainment phone but IMO it isn't good enough for company use.

@ martin
There was an iphone-less feed started here the week before launch, not sure it still runs though.

Off topic --

I have nothing against the iPhone, but can it get it's own dedicated blog? 90% of the posts in the last week have been iPhone related, and it sucks wading through it to get to Mac stuff.

Or is there a way to filter out certain tags?

@Alex in Amsterdam

Short answer is no. The Treo you are using most likely connects to your exchange through OWA (Outlook Web Access - which is most likely the web email you are referring to) via activesync, versamail, or some other conduit. The iPhone does not currently interface with OWA.

@Sam

Yes imap over ssl is supported, but most likely you will need to vpn in, which as I stated before not everyone runs a vpn implementation supported by the iPhone. Do you really think it would be a reasonable course of action for a company who is already running a vpn solution with good results, to add a brand new interface just for a few iPhone users?

It is an attitude like that which makes my job difficult. I'm the mac guy in a primarily MS shop (5000 + windows desktops, -30 Macs), and when Apple gives me the opportunity to interface with the existing MS infrastructure, I am able to offer new functionality and better interoperability. Where macs have chosen not to play nice (wether by choice or otherwise) my end user suffers.

OK, I'm not so tech savy as you all, but can you eggheads answer this question? I can use my Treo to access my company email. I was told that since we can access our work email via exchange server on the web, we can access email with a Treo. So, does that mean I could use an iPhone the same way?

@Sam --

Almost every IMAP client, including the iPhone, stores a cache of the emails locally, for performance reasons and to enable offline use.

Don't believe me? Enable 'Airplane Mode' on your iPhone, and try browsing your IMAP mailboxes. You should be able to see all of the previously downloaded messages.

--Bryan

Just so that you know.. IMAP over SSL is supported, and should (minus the lack of features like task and calendar sync and remote wipe) be 100% as secure as exchange running over SSL, if not more so because it's a standard protocol.

I'd love to see your security guy respond, simply because he may have more expertise, although your comments were useful.

also, keep in mind that IMAP doesn't store the e-mail on the device, it accesses it on the server. Locking out a device out of the account should be a simple matter of changing the password.. without the host computer to sync to, I have not seen that the iphone has a way to change the password internally.

don't mean any offense.

--Sam

Hi James,

Just some thoughts from an Exchange admin on some of your questions:

1) Is there a reason to not allow iMAP with exchange other than "that's not what we have done before"? Is this somehow less secure? If so, how?
- speaking as an admin, the more protocols you open up on your server, the more you've widened the possible attack options. ActiveSync uses the same SSL based ports/services that OWA already uses, so most environments already have this set up. In smaller shops it's easier to make a change to please a few people, but when you start considering one more service to keep track of and another port to monitor, you need a pretty good reason to do it. Also you've really got to look at IMAP as the bare bones for a wireless sync experience. The iPhone is very slick and I love the interface, but I think Apple's trying their hand at the consumer market first before taking a dip in the Enterprise pool. IMAP doesn't support wireless synchronization for calendar, contacts, or tasks. If a user is coming from Blackberry or ActiveSync based devices, this can be a real deal breaker.

2) Are the VPNs that are in use and NOT supported by the iPhone somehow better/more secure than the VPN that is supported by the iPhone (and OS X) by default? If so: why? Is OS X's VPN support fundamentally flawed? What prevents a company from using a OS X friendly VPN?
- The VPNs I can't speak as well about not being a security team guy for my company. I can tell you going back to the initial response though that ActiveSync works without requiring a VPN solution (uses HTTPS) and can be further locked down with ISA server while Blackberry is a conversation initiated by the server on your internal network to RIM's NOC, so there are no inbound connection requirements for the handhelds. They just talk to RIM's NOC who the BES server is talking to and they've got real time sync without the extra burden of a VPN. We did have a VPN in place prior to ISA, and I can tell you that the experience on a SSL encrypted connection vs. the PPTP VPN that was there before is like night and day. SSL based through ISA is considerably faster and more reliable.
3) Isn't a phone that does NOT support 3rd party apps inherently more secure than one that does?
- Security for a company isn't just 'what can they install', but more like 'what the hell do we do if they lose this thing?'. With Blackberry and ActiveSync, we can enforce policies in regards to password requirements, device time outs, and remotely perform a wipe of the device or have the device wipe itself if the wrong # of passwords is entered. Blackberry is still pretty far ahead of Microsoft when it comes to how granular these get, but you get the idea (Blackberry devices you can lock out third party apps by policy. MS doesn't do that yet without third party management tool, but they do exist).

I think the bottom line here is that the iPhone is incredibly slick and an undeniable target of gadget lust by anyone that's an engadget/engadget wireless reader (it's even got me looking at tuaw! :)). What it's not yet though is ready for the enterprise. I don't think this is any accident. Apple can sell these so successfully without tapping that market that there's no need for them to go there yet. I do think you'll see Apple license either BlackberryConnect from RIM or ActiveSync from Microsoft to include in the iPhone at some point in time. When they do that, it'll be the equivalent of when the iPod was available for Windows. The floodgates into corporate customers will be open and guys like me will have to get some instructions ready for their end users.

Darn it. This would have been excellent if it were an Activesync software-based client. Of course it could not integrate the contacts/calendar/tasks into the iPhone shell, but at least you could always have that data right there in the program. The program could abide by all of the requirements of Activesync, and could require one to enter a security code before entering the program, etc. This would keep IT happy while also providing a satisfactory solution to employees. Unfortunately, I guess that is not what this program offers.

IT support (aka Exchange support) has always come off a little shady, like when whatshisface said he hacked a macbook and then would not confirm it or prove it.

Nobody has answered these questions:

1) Is there a reason to not allow iMAP with exchange other than "that's not what we have done before"? Is this somehow less secure? If so, how?
2) Are the VPNs that are in use and NOT supported by the iPhone somehow better/more secure than the VPN that is supported by the iPhone (and OS X) by default? If so: why? Is OS X's VPN support fundamentally flawed? What prevents a company from using a OS X friendly VPN?
3) Isn't a phone that does NOT support 3rd party apps inherently more secure than one that does?

Until somebody answers these questions with *real* answers, I can't help but assume that the iPhone Enterprise problem is as much the fault of the IT department as it is the iPhone. If I'm wrong: please answer the questions above and explain why.