iPhone and ActiveSync, a security concern

A couple of days ago, Mary Jo speculated that Apple has licensed Microsoft's ActiveSync technology, which allows the iPhone to securely sync with Exchange servers (over its smoke-signal-speed EDGE data connection). Will ActiveSync be available out of the box today, or as an upgrade in the future? Or will it be the reported implementation, in which the iPhone connects to Exchange via IMAP? (IMAP isn't really a concern for most enterprises, since the IMAP service is usually disabled.)

I have no details about this deal, and probably couldn't talk about them anyway if I had inside knowledge, but I am concerned about security.

Here are a few things to consider if Apple has licensed EAS.

  • Most enterprises that use Exchange leave the attributes in AD "on" for Exchange ActiveSync (EAS) and Outlook Web Access (OWA) for all users. That means that if you have an ActiveSync-enabled phone, you can usually point it at your Exchange server without any special help from IT. Typically, the server name is the same as the one in the OWA URL.
  • Exchange and ActiveSync can push security settings down to the phone, as well as remotely wipe the phone in case of theft or loss. The first time you sync from the phone, you have to agree to allow the Exchange server to implement security policies. The most common security settings require a PIN or complex password to unlock the phone after 5-15 minutes of inactivity. If you misplace your phone, it locks after 15 minutes, and 5 wrong passwords wipe the device.
  • The implementation of ActiveSync is up to the licensee, in this case Apple. So the question is: will Apple implement security policy settings that allow administrators to lock down the phone and wipe it if it is compromised (also deleting any music on it)? If they don't, we may all be writing ADSI scripts to turn off EAS attributes soon...
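
One way to move from "EAS on for everyone" to an explicit allow list, shown as an added example that is not part of the original post. It uses the Exchange Management Shell cmdlets (Exchange 2007 or later) rather than raw ADSI; the group name `EAS-Approved` and the `-Enforce` switch are assumptions made for illustration.

```powershell
# Added example: run from the Exchange Management Shell (Exchange 2007 or later).
# 'EAS-Approved' is a hypothetical mail-enabled group of users allowed to sync devices.
param(
    [string]$ApprovedGroup = 'EAS-Approved',
    [switch]$Enforce    # without this switch the script only reports
)

# Collect the distinguished names of users who may keep ActiveSync.
# Nested groups are not expanded here; only direct members count.
$approved = @{}
Get-DistributionGroupMember -Identity $ApprovedGroup -ResultSize Unlimited |
    ForEach-Object { $approved[$_.DistinguishedName] = $true }

# Find mailboxes where EAS is still enabled but the user is not on the allow list.
$unapproved = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.ActiveSyncEnabled -and -not $approved.ContainsKey($_.DistinguishedName)
    }

# Report first, so the change can be reviewed before anything is modified.
$unapproved |
    Select-Object Name, ActiveSyncEnabled, OWAEnabled |
    Format-Table -AutoSize

if ($Enforce) {
    # Turn off the per-user EAS setting; OWA is left untouched.
    $unapproved | ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncEnabled $false
    }
}
```

Run it once without `-Enforce` to see how many mailboxes would change, then again with the switch once the allow list is agreed.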

Guess we will have to wait and see.