Securing the iPhone
The biggest issue for IT when it comes to the iPhone has been security, even with the availability of SSL authentication for securing e-mail connections. Make sure your Exchange or Domino server requires SSL and one of these SSL options: MD5 challenge-response, NTLM, or HTTP MD5 digest. The 1.x version of the iPhone also supports password-based SSL authentication, but that can be more easily spoofed than the other options.
Many enterprises want stronger protection than SSL provides, and so they typically use a VPN client -- or a BlackBerry or Motorola GoodLink server and its proprietary secured network -- as the conduit to safeguard all traffic with the iPhone.
The iPhone didn't originally support VPNs, but Apple added that capability via a software upgrade in late 2007. The iPhone's VPN capabilities are solid -- comparable to Windows Mobile and Palm OS devices -- with a choice of L2TP and PPTP protocols and support for EMC RSA Security's SecurID key-based authentication. (You access those through the General preference pane's Network option.)
But the iPhone 1.x VPN client does not work with all VPNs; Cisco-based VPNs in particular are incompatible unless they are set specifically for Mac OS X and iPhone compatibility. The July iPhone software update will improve VPN capabilities by supporting Cisco IPsec and two-factor authentication, certificates, and identities. The July release also adds WPA2 wireless encryption and 802.1x authentication.
Three security issues have caused the most complaints from IT, when compared with Windows Mobile, Palm OS, and BlackBerry. Apple plans to address all three in the June software update, though the details are not yet fully clear.
First, the iPhone has not provided device encryption, meaning that any data stored on the iPhone can easily be obtained by a thief. With 8GB to 16GB visible to PCs as an external drive when connected over USB, the iPhone can store a lot of possibly precious corporate data.
Second, password protection on the iPhone is scant. More than providing a four-digit maximum for passwords, the iPhone has provided no way to enforce password use or policies as users can simply turn the password feature off.
Third, the iPhone's lack of a remote lock or kill feature has left IT in the lurch if the device is stolen or lost.
The 2.0 software will address all three issues -- and more. As expected, Apple will add on-device encryption, IT-manageable security policies, and remote-kill features as part of the July update. It will also let IT control what third-party software users can download to their iPhones, download PKCS1 or PKCS2 authentication certificates to the devices, apply e-mail and other configuration options automatically to the device, and control wireless access point access through Radius policies. To do this, Apple's configuration tool generates XML profiles that can be downloaded to the iPhone via e-mail or through the built-in Safari Web browser. IT may not like the fact that the configuration utility must run on a Mac or via the Web, however.
For Exchange-managed policies, IT can use the Exchange 2003 System Manager or the Exchange 2007 Management Console.
Until July, IT will have to decide whether these three security shortfalls justify banning the iPhone from the enterprise until the new software is out and its capabilities better understood. A good way to judge that is to make an honest assessment: Are you as tough on USB thumb drives, smartphones, and work-at-home users' PCs as you want to be on the iPhone?