Filed under: Enterprise, iPhone, iPod touch
iPhone OS 3.1 now enforces Exchange encryption policy, may block pre-3GS iPhones
The Apple Support forums are abuzz with reports from several users who upgraded to iPhone OS 3.1 and discovered a new "feature" that was not there previously. As mentioned in our comments, after upgrading to 3.1, some original iPhone and iPhone 3G owners with Exchange accounts are having trouble accessing their email. Apparently the server-side encryption policy option for mobile devices (only available as of Exchange 2007 SP1) is now being properly enforced. This does not affect owners of the iPhone 3GS, because the newer device supports Exchange encryption. Prior to iPhone OS 3.1 the encryption policy was ignored on all models. Now that 3.1 is available, users are seeing this policy correctly enforced, and older iPhones without encryption support are left without access to Exchange services.
While many are reacting to this issue as though it's a bug, and are reporting it as such, the reality is that the Exchange encryption requirement is a feature and the fact that it was not being correctly enforced was actually a security hole. IT administrators with Exchange 2007 SP1 servers and iPhone clients are probably going to be fielding an above-average level of incoming questions, but at least they can rest easy knowing that Exchange encryption is now working correctly. Cold comfort for their users, though.
If you are running into this issue, the straightforward (though pricey) solution is to upgrade to the iPhone 3GS; or consider bribing your IT guy with Red Bull so he will disable the encryption requirement for mobile devices. But we want to hear from you; are you using an Exchange account? Can you still access it following the upgrade to 3.1? Which device are you using, iPhone or iPod touch; 3G or 3GS? Is this a little thing that means a lot to you from a security perspective or have you been left high and dry without access to critical email?
Update: MacRumors points out that Apple has now covered this situation in a new KB article.
[Via Broadband Reports]
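As an added example (not code from the post, Apple or Microsoft), here is a check an Exchange 2007 SP1 administrator could run from the Exchange Management Shell to see which ActiveSync policies set the require-encryption flag the post describes and which partnered Apple devices cannot satisfy it. The DeviceModel prefixes used to recognise pre-3GS iPhones and iPod touches are an assumption about how those devices identify themselves over ActiveSync.

```powershell
# Added example, not code from the post: audit an Exchange 2007 SP1 server for
# the RequireDeviceEncryption policy that iPhone OS 3.1 now honours and list
# the partnered Apple devices that lack the hardware encryption it needs.
# Assumptions: run in the Exchange Management Shell; the DeviceModel prefixes
# below are an assumption about how Apple devices report themselves over
# ActiveSync (iPhone1C* = original iPhone / 3G, iPod* = iPod touch; the 3GS
# reports a different model string and has hardware encryption).

# 1. Policies that require device encryption.
$encPolicies = Get-ActiveSyncMailboxPolicy |
    Where-Object { $_.RequireDeviceEncryption -eq $true }
$encPolicies | Format-Table Name, IsDefaultPolicy, RequireDeviceEncryption -AutoSize

# 2. Mailboxes with an ActiveSync partnership that fall under one of them.
#    A mailbox with no explicit policy uses the default policy, if one is set.
$casMailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }
$affected = foreach ($mbx in $casMailboxes) {
    $assigned = $mbx.ActiveSyncMailboxPolicy
    if ($assigned) {
        if (@($encPolicies | Where-Object { $_.Name -eq $assigned.Name }).Count -gt 0) { $mbx }
    } elseif (@($encPolicies | Where-Object { $_.IsDefaultPolicy }).Count -gt 0) { $mbx }
}

# 3. Devices on those mailboxes that cannot meet the policy (assumed prefixes).
$noHardwareCrypto = '^iPhone1C', '^iPod'
foreach ($mbx in $affected) {
    Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity |
        Where-Object {
            $model = $_.DeviceModel
            @($noHardwareCrypto | Where-Object { $model -match $_ }).Count -gt 0
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.Name } },
                      DeviceType, DeviceModel, DeviceUserAgent, LastSuccessSync
}
```

The output is the list of users an admin should expect calls from after the 3.1 upgrade, before deciding whether to relax the policy or replace the devices.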
Reader Comments (Page 1 of 2)
Dave said 12:38PM on 9-10-2009
Not sure if this is exactly the same or not, but on my WinMo phone I have an exchange account set up. My work requires that I activate security on my phone (PIN lock) to connect to the Exchange server. Of course, I have no mail that needs to be secure, so having to enter a PIN every time I want to check something on my phone is annoying. Since I can do a remote wipe, I'm really not worried about it from a security angle. So, I can go into the registry and change a setting to disable the requirement client-side.
The point of this rambling is, perhaps on an iPhone, there is also a client-side hack that can be made (though it would probably involve jailbreaking). Sure it's a security hole, but seriously, if someone steals my phone, I seriously doubt they're going to try to spam my office network with meatspin links or something; they'll prolly just pawn it.
Michael Rose said 12:49PM on 9-10-2009
Not the same. PIN lock and encryption are separate requirements that can be set on the Exchange server.
josejrp said 12:51PM on 9-10-2009
I have a 3G phone and my Exchange 2007 connection still works in 3.1... I always used the SSL option in my account. Seems to me that upgrading to the 3GS is not the only option...
Michael Rose said 1:00PM on 9-10-2009
Jose, it's entirely dependent on whether or not your Exchange admin has turned on the 'require encryption' flag in the server settings. If he or she has NOT turned it on, you're fine.
Rob Roland said 12:45PM on 9-10-2009
So, why do the iPhones prior to the 3GS not support this encryption? This encryption can be done in software - how do you think PCs do it?
Yay for forced obsolescence.
Michael Rose said 12:48PM on 9-10-2009
Not the same thing, exactly. The PIM and email data has to be encrypted when stored on the iPhone's flash memory, and mobile devices need hardware support for this (otherwise the CPU load of encrypting/decrypting all the time will kill your battery life).
Ilham said 1:00PM on 9-10-2009
I am having the same issue on an iPod touch 2G running 3.1.1. It states, "Policy Requirement - The account "____" requires encryption which is not supported on this iPod".
Then the only option provided is "Disable" which disables access to Exchange account.
adisor19 said 12:49PM on 9-10-2009
We're still on Exchange 2003 here at work so this is not a problem currently.
Adi
Tetzel1517 said 2:40PM on 9-10-2009
Glad to hear that... we're also on Exchange 2003 here and for a moment I was worried I would lose access to work e-mail on the phone. The downside is that Exchange 2003 doesn't allow iCal in Snow Leopard to access my calendars. But at least they still work fine on my iPhone 3G.
William said 1:09PM on 9-10-2009
Does anyone know if Apple actually fixed the encryption on the iPhone 3GS? If they didn't, it seems kind of pointless for it to be correctly enforcing encryption.
( http://www.wired.com/gadgetlab/2009/07/iphone-encryption )
Mike said 6:18PM on 9-10-2009
The "encryption problem" has little to do with encryption, and more to do with Jail-breaking. As long as you can jail-break the device, the encryption doesn't matter. On the upside, 3.1 probably has a couple more days before it has been jail-broken, and for those couple days the device is secure ;-)
William said 7:17PM on 9-10-2009
@Mike: Actually, it doesn't have to do with jailbreaking; it's due to the fact that Apple has designed it so that the iPhone begins decrypting the data stream on its own without any need for the user to attempt to decrypt the data. From the article: "Wondering where the encryption comes into play? It doesn’t. Strangely, once one begins extracting data from an iPhone 3GS, the iPhone begins to decrypt the data on its own"
davidjwalsh said 1:22PM on 9-10-2009
VPN seems broken; a PPTP connection works under 10.5 but not x.6 :(
sabih said 1:29PM on 9-10-2009
I've been saying this since yesterday when it popped up at work!
Greg said 1:49PM on 9-10-2009
I am accessing Exchange services through my iPhone 2G. I just updated last night and everything works just like before. The only difference that sucks is the new rules on the passcode intervals. In 3.0, we had the option of 15 min and even 1 hr; now it is back to 1-5 min. Anybody else notice that? I don't think this is the option of my employer.
davidjwalsh said 1:46PM on 9-10-2009
Bit of a catch 22 really.
Firstly I genuinely sympathise with the end user that the update whilst fixing a security hole has stopped a feature... albeit a feature that shouldn't have worked in the first place, but now many have come to rely on.
But from a sysadmin POV, it's cleared up a major headache - notably in my case of my boss (more accurately his boss) insisting that we lock out users whose Exchange connection does not encrypt - despite the server insisting on it, and 99% of the users we find unencrypted have been iPhones. The headache being that once we explain why they are locked out and they agree to not use it, a day or so later we'd go round it again.
Admittedly our inbound "upset user calls" have gone through the roof today and it took a while to find out why - it didn't help that we did Exchange maintenance last night.
The encryption is there because we work in an externally (read government) regulated company and, being blunt, it's a requirement. I also personally think it should be de facto across any network one doesn't control - regardless of "legal requirement" - but that isn't the issue under discussion here.
Bottom line - Apple have created a lose-lose here. If they make it work again, they will lose some of the trust they need to start getting their solutions into the enterprise environment. Mind you, distributing a device that pro-actively ignores 'corporate policy' isn't an ideal starting point anyway.
If they don't, then the only 'real' option to continue to use an iPhone in the way one is used to is to upgrade to a 3GS.... which is a bitter pill in two major ways - it will be essentially a forced upgrade and it will cost real money - neither ever leaves a customer happy.
I'd hate to be the one in Apple that has to make the decision.
JohnQ said 2:30PM on 9-10-2009
My 3G iPhone works great with Exchange (via outlook.com for my university email). I've been using 3.1 since the betas, and it still works on the 3.1 final.
Sean said 3:08PM on 9-10-2009
Another option for 2G owners is not to upgrade to 3.1.
kpwong said 3:27PM on 9-10-2009
Greg. Try to disable your exchange account. Then change your time for pin requirements. You should have the one hour option again. Enable your exchange account and you should be all set.
Aaron said 4:41PM on 9-10-2009
My employer already made the decision for me. After having been supported on iPhones for about a year, we (the 40% of the office on the iPhone) awoke one morning to find that my employer had shut us off overnight due to these very security concerns. Email, contacts, calendars, all gone. We came into the office that morning to learn that we were now a Blackberry-only shop.
They say you never realize what a great thing you had until it's gone – they weren't kidding.
It’s been a painful transition – simple things (visual voicemail, a decent app store, native iTunes support) just don’t exist on the other side of the great divide. My phone has gone from being a major piece of how I experience my day – a real smartphone – to being simply an email and cellular device that takes up too much space in my pocket.
Mind you, all of us iPhone users paid for those devices out-of-pocket, which left a lot of people feeling jaded to start with, but this has been a nightmare.