Many Exchange Server customers have reported issues logging on to Exchange using iPhone devices older than iPhone 3GS. iPhones support Exchange ActiveSync (EAS), the same protocol supported by Windows Mobile devices, and licensed by many other mobile device manufacturers.

Exchange Server 2007 SP1 and later support many additional policy settings. Two policy settings that are of interest here are:

  1. Require device encryption: When you enable this policy, mailbox data synchronized and stored to a mobile device is encrypted.

    [Fig 1: Exchange ActiveSync policy requiring device encryption]

  2. Allow Non Provisionable Devices: You can disable this setting (default) to prevent provisioning of devices that can't fully apply Exchange ActiveSync policies.

The iPhone 3GS supports device encryption, and is the first version to do so. Previous iPhone models, including the iPhone 3G, do not support device encryption. Additionally, before iPhone OS 3.1, these devices did not communicate their policy status correctly, resulting in the devices being able to connect to Exchange Server, even if your Exchange ActiveSync policy required device encryption and did not allow non-provisionable devices.

iPhone OS 3.1 correctly reports its policy status. As a result, if your policy requires device encryption and doesn't allow non-provisionable devices, previous models of iPhone which don't support device encryption are prevented from accessing the mailbox.

After considering your organization's security policy, if you need to allow older iPhone devices to connect, you can modify the Exchange ActiveSync policy in one of two ways: allow non-provisionable devices, which still enforces device encryption on devices that do support it, or disable the device encryption requirement. Note that allowing non-provisionable devices admits devices that enforce only some policies, or none at all. Alternatively, you can create a second policy that does not require device encryption and apply it only to the mailboxes of users whose devices do not support device encryption.
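The third option above, an exception policy scoped to specific mailboxes rather than a relaxed organization-wide policy, as an added Exchange Management Shell example (not from the original post). The policy name, mailbox alias, and the cmdlet and parameter names are assumed to match Exchange 2007 SP1; adjust them to your environment.

```powershell
# Added example, not from the original post. "EAS-NoEncryption-Legacy"
# and "jdoe" are placeholders.

# 1. Keep the default policy strict: require encryption AND reject
#    devices that cannot fully apply policy. With iPhone OS 3.1 reporting
#    its status honestly, pre-3GS iPhones are blocked by this combination.
Set-ActiveSyncMailboxPolicy -Identity "Default" `
    -DeviceEncryptionEnabled $true `
    -AllowNonProvisionableDevices $false

# 2. Exception policy for hardware that cannot encrypt. Relax only the
#    encryption requirement; keep the remaining settings at least as
#    strict as the default so this is a single, deliberate exception.
New-ActiveSyncMailboxPolicy -Name "EAS-NoEncryption-Legacy" `
    -DeviceEncryptionEnabled $false `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 8

# 3. Scope the exception to the named mailbox(es), never the whole org.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "EAS-NoEncryption-Legacy"

# 4. Audit: who is on the exception policy, and which devices have
#    actually synced against it (so the exception can be retired once
#    those users move to hardware that supports encryption).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { "$($_.ActiveSyncMailboxPolicy)" -like "*EAS-NoEncryption-Legacy*" } |
    ForEach-Object {
        Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity |
            Select-Object @{n="User"; e={ $_.Identity }},
                          DeviceType, DeviceModel, DeviceOS, LastSuccessSync
    }
```

Review the audit output periodically: a device on the exception policy that reports an OS version with encryption support is a candidate to move back to the default policy.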

For more details about Exchange ActiveSync policies, see Understanding Exchange ActiveSync Mailbox Policies in the Exchange 2007 documentation.

Bharat Suneja