
iPhone OS 3.1 Blocking Encrypted Microsoft Exchange Connections on Non-3GS Devices




MacRumors
Sep 10, 2009, 04:20 PM

TUAW reports (http://www.tuaw.com/2009/09/10/iphone-os-3-1-now-enforces-exchange-encryption-policy-may-block/) that a number of iPhone users who have updated to iPhone OS 3.1 are finding themselves unable to access their Microsoft Exchange accounts due to device incompatibility with Exchange's server-side encryption.

While the iPhone 3GS supports this device-level encryption, other iPhone and iPod touch models do not. Non-3GS devices had been able to access Exchange systems utilizing the encryption option on iPhone OS 3.0, but the ability was apparently an oversight on Apple's part that has been corrected in iPhone OS 3.1.

While many are reacting to this issue as though it's a bug, and are reporting it as such, the reality is that the Exchange encryption requirement is a feature and the fact that it was not being correctly enforced was actually a security hole. IT administrators with Exchange 2007 SP1 servers and iPhone clients are probably going to be fielding an above-average level of incoming questions, but at least they can rest easy knowing that Exchange encryption is now working correctly. Cold comfort for their users, though.

Apple today posted a support document (http://support.apple.com/kb/TS2941) addressing the issue, noting that the only recommended solution at this time is for affected users' system administrators to disable the device encryption option for syncing.

Article Link: iPhone OS 3.1 Blocking Encrypted Microsoft Exchange Connections on Non-3GS Devices (http://www.macrumors.com/2009/09/10/iphone-os-3-1-blocking-encrypted-microsoft-exchange-connections-on-non-3gs-devices/)



mr.steevo
Sep 10, 2009, 04:24 PM
Lost functionality is now a feature.

s.
:)

infiniteentropy
Sep 10, 2009, 04:25 PM
This situation seems odd, especially since it was in place on previous models, though I believe I understand the concern for users and administrators that necessitated this move.

Seems like an effective way to push enterprises to the new 3GS model, though!

Xenu007
Sep 10, 2009, 04:26 PM
Still unable to import .ics calendar invite email attachments into iCal via iPhone 3.1 :mad:

alphaod
Sep 10, 2009, 04:27 PM
That's not a solution.

Small White Car
Sep 10, 2009, 04:29 PM
Oh boy! Here comes 3.1.1!

EDIT: Although if I'm reading this right, being locked out is how it's supposed to work. Well, I guess that IS secure!

phatcat
Sep 10, 2009, 04:31 PM
Apple's solution is simple. Everyone upgrade to 3GS!

Oh and sorry to all those folks who cannot downgrade back to 3.0. That feature was also disabled.

raptorhigh
Sep 10, 2009, 04:32 PM
It's probably important to note that this looks like it affects exchange 2007, and not 2003.

killmoms
Sep 10, 2009, 04:38 PM
They patched a security hole that cannot be fixed on the old hardware due to the lack of encryption hardware.

Commence whining anyway. :rolleyes:

alent1234
Sep 10, 2009, 04:39 PM
supposedly the email on the 3G is not encrypted when it's stored on the phone and that's a big deal for a lot of companies. my wife works in a company regulated by HIPAA and they locked their MS Exchange environment so the only way you can access it on the iphone is via OWA. their blackberries don't have wifi or cameras either, they have secure models

if you have a problem see your IT people. the only people whining are the ones who the IT people don't like anyway

clunker
Sep 10, 2009, 04:40 PM
http://www.telegraph.co.uk/technology/apple/6168930/iPhone-users-report-problems-with-software-update.html

griz
Sep 10, 2009, 04:40 PM
Oh boy! Here comes 3.1.1!

EDIT: Although if I'm reading this right, being locked out is how it's supposed to work. Well, I guess that IS secure!

Actually updated my touch last night and it is 3.1.1(7C145)

I'm still not understanding why something that worked before is now being removed? Why not allow Encrypted connections on all devices? If they supported it before 3.1 why not leave it in?

Edit: Ok, just reread the statement. I was reading it as the devices supported encryption prior to the 3.1 update and 3.1 removed it. The removal of that encryption caused the server not to sync.

jav6454
Sep 10, 2009, 04:43 PM
Bad move Apple, you still have lots of 3G customers out there in the corporate world to make this kind of stunt.

Actually updated my touch last night and it is 3.1.1(7C145)

I'm still not understanding why something that worked before is now being removed? Why not allow Encrypted connections on all devices? If they supported it before 3.1 why not leave it in?

3.1.1 is for iPod Touches only. 3.1.0 is for iPhones

Small White Car
Sep 10, 2009, 04:45 PM
Why not allow Encrypted connections on all devices? If they supported it before 3.1 why not leave it in?

It can't work on the 3G. It's hardware encryption and the 3G and first gen iPhones don't have the hardware.

It only worked before because they made a mistake...it wasn't actually secure in 3.0! So they fixed it.

So there's nothing Apple can do about this. If you need hardware encryption you need to buy a phone with that hardware. If you don't need that level of encryption, don't turn it on in the servers.

Those are your choices.

Bad move Apple, you still have lots of 3G customers out there in the corporate world to make this kind of stunt.


Please explain what you think they should do.

zachwill
Sep 10, 2009, 04:47 PM
Apple's getting too damn corporate/greedy.







in b4 fanboys

alawatsakima
Sep 10, 2009, 04:48 PM
Actually updated my touch last night and it is 3.1.1(7C145)

I'm still not understanding why something that worked before is now being removed? Why not allow Encrypted connections on all devices? If they supported it before 3.1 why not leave it in?

Edit: Ok, just reread the statement. I was reading it as the devices supported encryption prior to the 3.1 update and 3.1 removed it. The removal of that encryption caused the server not to sync.

Because the other devices DIDN'T support it... It just LOOKED like they did. If the old devices are not capable (At the hardware level) of encrypting the data correctly, then I am very pleased that Apple did this. The last thing IT people need is a bunch of phones that aren't secure at all pretending to be secure.

Conclusion: This bites for users, but real security is obviously better than fake security.

Jimmetry
Sep 10, 2009, 04:50 PM
Wow, way to misunderstand the problem completely.

This is not a stunt. If an administrator has enabled device encryption, it's because they expect the sensitive data to be stored in an encrypted manner on the device. The iPhone 3G CANNOT STORE DATA IN THIS ENCRYPTED MANNER.

If any "corporate customer" is going to get pissed off at Apple for disabling this (they're not), then they should simply disable device encryption because IT WAS NOT BEING USED IN THE FIRST PLACE.

Sigh.

griz
Sep 10, 2009, 04:52 PM
Ok, so to be clear that I am understanding this.
1. They didn't remove any functionality from the touch or 3G, they just removed the ability for them to sync unencrypted data to the server.
2. The Touch and 3G weren't encrypted before and still aren't.
3. The only thing that changed was that the devices were not properly reporting themselves and the server policy that requires encryption was essentially being fooled into thinking the 3G and touch were syncing encrypted data.

benlee
Sep 10, 2009, 04:53 PM
Please explain what you think they should do.

It's called a time machine. You know they already have a prototype and are just slowly releasing the technology each year to get more money from us.

Better yet, release a hardware update via software update...this they also have the ability to do.

Small White Car
Sep 10, 2009, 04:53 PM
Ok, so to be clear that I am understanding this.


That's pretty much it.


Better yet, release a hardware update via software update...this they also have the ability to do.

Yeah, I know. They kept bragging about Snow Leopard's printer update. I keep trying it but my printer hasn't changed! They're clearly still working out the bugs on that one!

coolfactor
Sep 10, 2009, 04:53 PM
Apple's getting too damn corporate/greedy.

While I agree they should've had the foresight to build in the hardware encryption before the 3GS, that alone became one of the iPhone 3GS' features.

Companies that mandate such high security should be providing their employees with the right hardware anyway, and that won't include iPhone 3G's.

At no point does this make Apple greedy. They added a feature to their latest phone. It just wasn't being properly enforced by the software. Now it is.

Michael73
Sep 10, 2009, 04:54 PM
If your social security #, credit card numbers and other personal info was in an email on someone's 3G iPhone wouldn't you be concerned if it wasn't encrypted (at the hardware level)?

C'mon, the ramifications could be HUGE for data falling into the wrong hands! I for one, appreciate what Apple did.

aristotle
Sep 10, 2009, 04:54 PM
So this is a story about Apple fixing a security hole and people are whining? iPhone 3.0 on the 3G was incorrectly reporting that it had device level encryption when it did not. The new release fixes this issue.

Spades
Sep 10, 2009, 04:57 PM
Two things

1) The server trusts the client? Isn't that stupid to begin with?

2) They can't implement the necessary encryption in software?

coolfactor
Sep 10, 2009, 04:58 PM
If your social security #, credit card numbers ... was in an email...

That type of info should never be sent in an email anyway, encryption or not!

drlunanerd
Sep 10, 2009, 04:58 PM
The iPhone 3GS hardware encryption is a joke as it is anyway. Pointless.

Morky
Sep 10, 2009, 04:58 PM
Apple's getting too damn corporate/greedy.


in b4 fanboys

They're not getting corporate enough. By that I mean, hey Apple, we corporate IT types would invite you in wholeheartedly if you didn't keep screwing up. Exchange support should be one of their highest priorities. Hell, it should be a division of Apple. They could be killing the Blackberry, but they are not winning any trust with this almost-good-enough Exchange support. The Blackberry, while it kind of sucks as a device in comparison to the iPhone, is still safe in corporations and for good reason: it syncs with Exchange with solid stability and is a highly functional Exchange client.

benlee
Sep 10, 2009, 04:59 PM
So this is a story about Apple fixing a security hole and people are whining? iPhone 3.0 on the 3G was incorrectly reporting that it had device level encryption when it did not. The new release fixes this issue.

Welcome to MacRumors, which is considering changing its name to MacWhiners---I know pretty lame, but most of the forums are filled with whiners and you have to weed through to find the posts that are useful or intelligent. (my post should not be included in either of said categories--although it is more of a whine post, I'll admit).

pmjoe
Sep 10, 2009, 05:06 PM
I cannot fathom what form of encryption they are doing here that can't be done in software.

Michael73
Sep 10, 2009, 05:09 PM
That type of info should never be sent in an email anyway, encryption or not!

All sorts of stuff are attached to emails in PDFs, Excel spreadsheets and Word docs.

Doctor Q
Sep 10, 2009, 05:18 PM
It's called a time machine. You know they already have a prototype and are just slowly releasing the technology each year to get more money from us.

Better yet, release a hardware update via software update...this they also have the ability to do.

I don't think Apple is being cynical about this. I think they just goofed, then fixed it. Just because MacRumors members can time travel ;) doesn't mean Apple can. Apple plans their releases well in advance but still can't be expected to have every feature of the next generation of a product in the current generation. That just doesn't make sense. Adding features in new models is what they do for a living and what we pay them for.

So this is a story about Apple fixing a security hole and people are whining? iPhone 3.0 on the 3G was incorrectly reporting that it had device level encryption when it did not. The new release fixes this issue.
I think people would whine less if they understood that this is a software fix for a real problem. But I also think that Apple could have been a little more forthcoming about this change in the Knowledge Base article.

Veri
Sep 10, 2009, 05:34 PM
OK, so Apple is obviously lying to get people to buy the latest model, but what exactly is it trying to convince people the latest model can do that earlier ones can't?

"Hardware encryption" isn't an answer, because there's no (classical) algorithm which can't be implemented in software on top of a general purpose CPU, and there exists no common algorithm which won't run fast enough on an iPhone's ARM CPU for the piddling amount of data involved.

davidbrummy
Sep 10, 2009, 05:40 PM
Was this mentioned anywhere?

I appreciate they fixed a bug but I am upset as there was no real heads up.

Thankfully my company allows email forwarding so I can forward work email to a gmail account.

jayselle
Sep 10, 2009, 05:49 PM
They're not getting corporate enough. By that I mean, hey Apple, we corporate IT types would invite you in wholeheartedly if you didn't keep screwing up. Exchange support should be one of their highest priorities. Hell, it should be a division of Apple. They could be killing the Blackberry, but they are not winning any trust with this almost-good-enough Exchange support. The Blackberry, while it kind of sucks as a device in comparison to the iPhone, is still safe in corporations and for good reason: it syncs with Exchange with solid stability and is a highly functional Exchange client.

Blackberry doesn't use ActiveSync. It uses the Blackberry Enterprise Server. Each device using the BES requires a purchased license. You can also use a desktop client but that isn't applicable in an "enterprise".

The issue is around Exchange 2007 w/ SP1. There is an option to enable device encryption in the ActiveSync policy. This tells the device that it should be encrypting cached email. Since the pre-3GS doesn't do this you now get an error whereas previously it just ignored it. Pre-3GS "could" do this in software but it would be very slow as encrypting/decrypting on the fly in software is *hard* on the CPU so it's not likely it will ever happen. The 3GS has specific hardware to accelerate this for a good user experience.

Your options are:

1. Find a way to roll back to 3.0
2. Corporate Exchange admin disables this policy rule.
3. Get a 3GS.
4. Don't use ActiveSync anymore.

Apple handled this 3.1 roll-out pretty pathetically. I believe they should have issued warnings to their users (especially enterprise users) that this update could stop ActiveSync for their entire pre-3GS iPhones. As it is most Exchange admins are probably finding out by their users screaming on the phone.

I'm not sure what the driving force behind Apple changing their stance on this was. It's been fine since 2.0.

Rot'nApple
Sep 10, 2009, 05:56 PM
This is a side effect really, to keep out Palm Pre users, from iTunes... :D

Chimpy
Sep 10, 2009, 06:00 PM
This is a side effect really, to keep out Palm Pre users, from iTunes... :D

That doesn't seem so far-fetched :).

Bjohnson33
Sep 10, 2009, 06:04 PM
That's not a solution.

I agree - seems like a pretty weak response!

jf8
Sep 10, 2009, 06:06 PM
Since the pre-3GS doesn't do this you now get an error whereas previously it just ignored it. Pre-3GS "could" do this in software but it would be very slow as encrypting/decrypting on the fly in software is *hard* on the CPU so it's not likely it will ever happen. The 3GS has specific hardware to accelerate this for a good user experience.

Other devices with slower CPUs have working software encryption implementations that don't degrade performance too much. And some of those devices, even with encryption enabled, are faster than the iPhone 3G...

If only certain content (such as the mail, SMS, calendar, contact list, cookies, and network settings) needs to be encrypted, then the performance impact could be slight enough to be unnoticeable.

bartzilla
Sep 10, 2009, 06:18 PM
So this is a story about Apple fixing a security hole and people are whining?

Stupid people can't help being stupid people.

jamoses66
Sep 10, 2009, 06:19 PM
I think people would whine less if they understood that this is a software fix for a real problem. But I also think that Apple could have been a little more forthcoming about this change in the Knowledge Base article.

It may be a fix for a problem, but they sold a ton of 3G's that supposedly had exchange support, plain and simple. Clearly if they did not build in hardware encryption, they did not actually build in true exchange support and 3G owners have a very valid beef with apple because they were actively deceived in countless ads and spec sheets touting the 3G's compatibility with Exchange servers. Clearly when working properly (i.e with encryption enabled) there is a blatant incompatibility given the apparent lack of hardware encryption on earlier iphone models. I applaud apple for releasing a fix for a security problem, but if that fix is not accompanied by a hardware fix it's essentially disabling a feature 3G owners believed their phones were capable of. Should apple choose to leave this as it is, they risk losing what little support in the corporate world they had.

How someone at apple did not at least think to include a warning in the update dialog at the very least is unreal.

bartzilla
Sep 10, 2009, 06:29 PM
It may be a fix for a problem, but they sold a ton of 3G's that supposedly had exchange support, plain and simple. Clearly if they did not build in hardware encryption, they did not actually build in true exchange support and 3G owners have a very valid beef with apple because they were actively deceived in countless ads and spec sheets touting the 3G's compatibility with Exchange servers. Clearly when working properly (i.e with encryption enabled) there is a blatant incompatibility given the apparent lack of hardware encryption on earlier iphone models. I applaud apple for releasing a fix for a security problem, but if that fix is not accompanied by a hardware fix it's essentially disabling a feature 3G owners believed their phones were capable of. Should apple choose to leave this as it is, they risk losing what little support in the corporate world they had.

How someone at apple did not at least think to include a warning in the update dialog at the very least is unreal.

I think it's obvious that apple could have handled this a whole lot better, that hopefully goes without saying.

As for this change making the 3G incompatible with Exchange, I'm not sure that is fair. The device encryption setting is a policy setting that administrators can choose to activate and should appreciate the implications of prior to doing so, because it also means that the Exchange server cannot sync with older windows mobile devices.

For me it's simple - if your employer needs devices to be using this setting then they need to count on it working and it's a good thing Apple have fixed this bug. If your employer doesn't actually need devices to be using this setting then any admin who turns it on anyway needs to ask themselves why.

iJed
Sep 10, 2009, 06:34 PM
So there's nothing Apple can do about this. If you need hardware encryption you need to buy a phone with that hardware. If you don't need that level of encryption, don't turn it on in the servers.

It's funny that exchange encryption runs entirely in software on Windows and Snow Leopard then isn't it? In fact I'd bet that it's done in software on the iPhone 3GS as well.

The only reasonable possibility for not supporting this on the older iPhone models is that they don't have the CPU resources to handle the encrypting and decrypting on a reasonable user friendly timescale. However I really don't buy that. It's more likely simply corporate greed.

Apple apologists: continue to apologise away.

aristotle
Sep 10, 2009, 06:52 PM
It's funny that exchange encryption runs entirely in software on Windows and Snow Leopard then isn't it? In fact I'd bet that it's done in software on the iPhone 3GS as well.

The only reasonable possibility for not supporting this on the older iPhone models is that they don't have the CPU resources to handle the encrypting and decrypting on a reasonable user friendly timescale. However I really don't buy that. It's more likely simply corporate greed.

Apple apologists: continue to apologise away.
No, the 3GS has hardware level encryption support of the entire data partition. The encryption/decryption is handled by a separate chip which is why the 3G and 2G iPhones do not support that feature.

This is not just encryption of individual files but on a disk level.

aristotle
Sep 10, 2009, 06:54 PM
The iPhone 3GS hardware encryption is a joke as it is anyway. Pointless.
Citation needed.

Veri
Sep 10, 2009, 07:07 PM
No, the 3GS has hardware level encryption support of the entire data partition.

Where is the documentation explaining that the Exchange policy requires the "entire data partition" to be encrypted? Where on microsoft.com is the "Require encryption on this device" policy defined? Why can't there be an encrypted partition (container) for Exchange?

While I'm here, what is the iPhone thrashing to/from flash which means a standard symmetric crypto algorithm can't be run in s/w on all local storage? I propose ROT13 for binaries to fix the no-background-apps bug without affecting launch time. Does the Exchange policy prohibit varying the crypto by file?

BryanLyle
Sep 10, 2009, 07:21 PM
Yeah, I can see my Microsoft loving IT department making a change on their system to accommodate my iPhone. Good one Apple.

nesss01
Sep 10, 2009, 08:16 PM
OK. So how do I tell in advance if I will have this issue?

My IT dept will tell me nothing.

appleguru1
Sep 10, 2009, 08:25 PM
Two things

1) The server trusts the client? Isn't that stupid to begin with?

2) They can't implement the necessary encryption in software?

1) Yes, incredibly stupid. Unless we move on to some sort of TPM/Trusted Computing system, trusting the client side to provide important information is always a bad idea as they can always modify it. That's like setting the price of a service/good for a shopping cart platform via hidden form values... The client can change them before they submit the form, and if no server side verification is done, boom, cheap/free product! (Incidentally, tons of people do this... I'm guilty of coding pages like this myself.)

I doubt OS 3.0 on the 3G lied to the exchange server, though it's possible; More likely is that it simply didn't reply to the server's "Device Encryption Supported?" question and the server just assumes it does in the event of no reply and moves on... Sounds like 3.1 actually replies with a proper yes/no response.

2) Of course they can. Anything that can be done via hardware can be done via software on a general purpose processor like the arm. They're just not going to because a) It would increase the base system's memory footprint, which is already a problem on the 2G/3G devices b) it would use battery life up c) it would be slower d) it would require using developer resources to implement and maintain the code branch e) it would remove a selling point for their new models.

It's e) that's the kicker. If your enterprise really requires device encryption, they're going to require the 3G[S] or later and their users *will* upgrade.

If not, just turn the feature off.

Device encryption is a joke as it is anyways... Sure the data gets stored on the device in an encrypted manner... but as soon as the device is on it starts decrypting it so that it can actually be used... So unless you require a (secure, not 4 digit...) key every time the device is unlocked or turned on, then there is no way to secure the data from being extracted, unencrypted, by using the phone's OS itself.

And even if you do require a secure password at unlock/startup and properly freeze the memory states, etc... the device is still vulnerable when it is in use.

aristotle
Sep 10, 2009, 08:34 PM
Yeah, I can see my Microsoft loving IT department making a change on their system to accommodate my iPhone. Good one Apple.
Is it your personal iPhone? If so and if your employer requires hardware encryption on portable phones, why would you be allowed to use your personal iPhone for work email in the first place?

jf8
Sep 10, 2009, 08:52 PM
Device encryption is a joke as it is anyways... Sure the data gets stored on the device in an encrypted manner... but as soon as the device is on it starts decrypting it so that it can actually be used... So unless you require a (secure, not 4 digit...) key every time the device is unlocked or turned on, then there is no way to secure the data from being extracted, unencrypted, by using the phone's OS itself.

And even if you do require a secure password at unlock/startup and properly freeze the memory states, etc... the device is still vulnerable when it is in use.

Device encryption is hardly a joke; a proper implementation will protect information if the device is lost or stolen. With a proper encryption implementation, the information on a powered-off device is useless. Even with a 4 digit numeric password, a proper encryption implementation will simply erase the key after a few invalid password attempts. Bypassing this would require an attacker to copy the contents of flash and attempt to crack offline, and a well designed device will need to be disassembled to do so.

If the encryption key is stored in RAM while the device is running (as in Windows Mobile's implementation and OS X/Windows full disk encryption implementations), any vulnerabilities have to be in the OS itself - assuming the device is locked, the device has to be compromised somehow without rebooting it.

BlackBerries can be configured to clear the encryption key from RAM when the device is locked. Even if the password screen was somehow bypassed, the content would be inaccessible.

kdarling
Sep 10, 2009, 09:09 PM
There were articles about the encryption problem back in July... like this one talking about how insecure the iPhone is (http://www.wired.com/gadgetlab/2009/07/iphone-encryption/).

During the last quarterly earnings call, Cook kind of side-mentioned that the 3GS would get a fix:

"We’re seeing growing interest with the release of iPhone 3.0 and the iPhone 3GS due in part to the new hardware encryption and improved security policies."

capvideo
Sep 10, 2009, 09:11 PM
I have to echo spades here. If the server is set to only allow encrypted connections, how did it ever work?

1. The server says "you can only talk to me encrypted".
2. The client goes ahead and talks to the server unencrypted.
3. The server says, oh, all right then, and doesn't refuse to accept unencrypted connections?

This sounds like a major security flaw on the server end.

jf8
Sep 10, 2009, 09:23 PM
I have to echo spades here. If the server is set to only allow encrypted connections, how did it ever work?

1. The server says "you can only talk to me encrypted".
2. The client goes ahead and talks to the server unencrypted.
3. The server says, oh, all right then, and doesn't refuse to accept unencrypted connections?

This sounds like a major security flaw on the server end.

You do not understand the issue. The server can be configured to instruct client devices to encrypt the data stored on the device itself, and previous versions of the iPhone firmware ignored this policy. The server really has no way of verifying that the client is storing encrypted information.

This has nothing to do with the use of SSL (or the lack thereof) in communicating with the ActiveSync server.
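
The exchange jf8 describes above, together with the "server trusts the client" point raised earlier by Spades and appleguru1, as an added example that is not part of any post in this thread. It is a simplified Python model, not the ActiveSync wire format, and every class, field and function name in it is hypothetical; it shows that the server's decision rests only on what the device answers.

```python
"""Simplified model of the device-encryption policy check argued over in this thread.

This is NOT the ActiveSync wire format. Every class, field and function name
is hypothetical; the behaviours are the ones posters describe.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Policy:
    require_device_encryption: bool  # the server-side policy option


@dataclass(frozen=True)
class Device:
    model: str     # "3G" or "3GS"
    firmware: str  # "3.0" or "3.1"

    @property
    def encrypts_at_rest(self) -> bool:
        # Per the thread: only the 3GS stores data encrypted.
        return self.model == "3GS"

    def accepts(self, policy: Policy) -> bool:
        """What the server learns: True means the device did not refuse the policy."""
        if not policy.require_device_encryption:
            return True
        if self.firmware == "3.0":
            # 3.0 as described in the thread: the requirement was ignored.
            # Whether it answered "yes" or nothing, the server saw no refusal.
            return True
        # 3.1: the device answers according to its real capability.
        return self.encrypts_at_rest


@dataclass(frozen=True)
class Outcome:
    sync_allowed: bool
    server_assumes_encrypted: bool
    cache_encrypted: bool

    @property
    def false_assurance(self) -> bool:
        # Mail is on the device, the policy says it is encrypted, and it is not.
        return (self.sync_allowed and self.server_assumes_encrypted
                and not self.cache_encrypted)


def provision(policy: Policy, device: Device) -> Outcome:
    """Server-side decision. The device's answer is the server's only input."""
    accepted = device.accepts(policy)
    return Outcome(
        sync_allowed=accepted,
        server_assumes_encrypted=policy.require_device_encryption and accepted,
        cache_encrypted=accepted and device.encrypts_at_rest,
    )


def survey():
    """Every combination of policy setting, model and firmware."""
    rows = []
    for required, model, firmware in product((True, False), ("3G", "3GS"), ("3.0", "3.1")):
        policy, device = Policy(required), Device(model, firmware)
        rows.append((policy, device, provision(policy, device)))
    return rows


def false_assurance_cases():
    """Combinations where the server assumes encryption that is not there."""
    return [(p, d) for p, d, o in survey() if o.false_assurance]


if __name__ == "__main__":
    for policy, device, outcome in survey():
        print(f"policy={policy.require_device_encryption!s:5} "
              f"{device.model:3} fw {device.firmware}: "
              f"sync={outcome.sync_allowed!s:5} "
              f"assumed_encrypted={outcome.server_assumes_encrypted!s:5} "
              f"cache_encrypted={outcome.cache_encrypted!s:5} "
              f"{'<-- false assurance' if outcome.false_assurance else ''}")
```

In this model only the 3G on 3.0 with the policy enabled ends up in the false-assurance state. Turning the policy off lets the 3G sync again, with the server no longer assuming the cache is encrypted.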

pmjoe
Sep 10, 2009, 10:53 PM
Pre-3GS "could" do this in software but it would be very slow as encrypting/decrypting on the fly in software is *hard* on the CPU so it's not likely it will ever happen. The 3GS has specific hardware to accelerate this for a good user experience.
Get real! The typical e-mail for most people is 2,000-3,000 bytes, and the iPhone won't let you cache more than what, like 200 e-mails maximum? and the default is something like 50?

moracity
Sep 10, 2009, 11:05 PM
It may be a fix for a problem, but they sold a ton of 3G's that supposedly had exchange support, plain and simple. Clearly if they did not build in hardware encryption, they did not actually build in true exchange support and 3G owners have a very valid beef with apple because they were actively deceived in countless ads and spec sheets touting the 3G's compatibility with Exchange servers. Clearly when working properly (i.e with encryption enabled) there is a blatant incompatibility given the apparent lack of hardware encryption on earlier iphone models. I applaud apple for releasing a fix for a security problem, but if that fix is not accompanied by a hardware fix it's essentially disabling a feature 3G owners believed their phones were capable of. Should apple choose to leave this as it is, they risk losing what little support in the corporate world they had.

How someone at apple did not at least think to include a warning in the update dialog at the very least is unreal.

Apple could be open to a lawsuit here by companies that require encryption due to laws. All this time, the 3G has been acting as if it was doing encryption. It turns out that it was a bug...and they've known about it all along?? This is HUGE. It is unacceptable that Apple left this hole for so long. I'm usually the one scolding the whiners, but this is a legitimate, real-world issue.

mikejfrd
Sep 10, 2009, 11:15 PM
Gonna blame ATT for this one too :rolleyes:

kdarling
Sep 10, 2009, 11:58 PM
I believe that WinMo 6.0+ phones handle encryption.

MorphingDragon
Sep 11, 2009, 12:05 AM
Two things

1) The server trusts the client? Isn't that stupid to begin with?

2) They can't implement the necessary encryption in software?

Hardware encryption is supposedly harder to crack than software decryption. :rolleyes:
Then again, Linux in the right hands can crack anything with ease.

Jimmetry
Sep 11, 2009, 12:18 AM
I have to echo spades here. If the server is set to only allow encrypted connections, how did it ever work?

1. The server says "you can only talk to me encrypted".
2. The client goes ahead and talks to the server unencrypted.
3. The server says, oh, all right then, and doesn't refuse to accept unencrypted connections?

This sounds like a major security flaw on the server end.

The problem is that the 3.0 firmware added support for the client to talk to the server encrypted, but the data is stored in a way that is accessible from the phone's memory using something that only talks unencrypted. It's still an encrypted connection, and I'm sure data during the transfer itself isn't vulnerable... just when it's accessed directly from the phone.

MagnusVonMagnum
Sep 11, 2009, 12:34 AM
Apple's solution is simple. Everyone upgrade to 3GS!

Oh and sorry to all those folks who cannot downgrade back to 3.0. That feature was also disabled.

Get used to it. That is Apple's solution to EVERYTHING. Want H264 hardware decoding? Then buy a new Macbook because you will not get it any other way. It simply doesn't matter to Apple whether "older" hardware (like my less than one year old MBP is "old") CAN support a feature (e.g. Snow Leopard COULD have been released for PPC machines and video support could have been enabled for older iPhone models). That is beside the point. The ONLY point is that Steve wants your money and wants it bad. Got to have that backup reserve in case a kidney goes next time!

Urban Splash
Sep 11, 2009, 02:55 AM
Get used to it. That is Apple's solution to EVERYTHING. Want H264 hardware decoding? Then buy a new Macbook because you will not get it any other way. It simply doesn't matter to Apple whether "older" hardware (like my less than one year old MBP is "old") CAN support a feature (e.g. Snow Leopard COULD have been released for PPC machines and video support could have been enabled for older iPhone models). That is beside the point. The ONLY point is that Steve wants your money and wants it bad. Got to have that backup reserve in case a kidney goes next time!

Best comment of the day

twilson
Sep 11, 2009, 04:53 AM
I'm still not understanding why something that worked before is now being removed? Why not allow Encrypted connections on all devices?

It's not encrypted connections anyway (as this is effectively SSL). This is about a requirement for an encrypted filesystem.

If an organisation REQUIRES devices to use encrypted filesystems, this should be enforced by all devices.

iPhone 3G cannot honour that requirement, thereby creating a security hole for the organisation.

At the end of the day, this isn't Apple's call. And I'm sure Apple would also be breaching the ActiveSync licensing agreement by not adhering to/respecting the policies of the server.

Veri
Sep 11, 2009, 08:23 AM
iPhone 3G cannot honour that requirement, thereby creating a security hole for the organisation.
Wait, what? The very flag is, when used as you imply, theatre: "Security by assuming client good faith." Why not just put everyone's mail in world-readable folders and get the client to send a message promising never to access the wrong folder?

This is a technically unenforceable policy, requiring instead a human contract between employer and employee; it is as such meaningless to attempt to technically enforce it. A policy reminded with a warning dialog? Sure. But removing functionality that could be duplicated in a third party client or, perhaps, shim? No purpose. Any organisation which requires client encryption shouldn't rely on a "well, if you would be so kind..." from the server for anything. Especially when the response could be "yeah, ok, I'll get to XORing that with the owner's dog's name right away."

(Also, iPhones don't require you to enter a decryption key passphrase every time you unlock the device, right? So all this is irrelevant.)
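
The policy handshake argued over in the posts above (Jimmetry, twilson, Veri), as an added Python model that is not from the thread, Apple or Microsoft: the server's sync decision depends only on what the device reports about itself. All class and field names and the three-device fleet are constructed for illustration, the device behaviour follows the thread's description, and this is not the ActiveSync wire format.

```python
"""Model of a server-pushed storage-encryption policy and the device's reply.

Illustrative only: every name here is hypothetical and this is not the
ActiveSync wire format. Device behaviour follows the thread's description.
"""
from dataclasses import dataclass
from enum import Enum


class Ack(Enum):
    APPLIED = "applied"          # device says it enforces every required setting
    NOT_APPLIED = "not applied"  # device says it cannot enforce the policy


@dataclass(frozen=True)
class Policy:
    require_device_encryption: bool
    allow_noncompliant_devices: bool = False  # admin lets such devices sync anyway


@dataclass(frozen=True)
class Device:
    name: str
    encrypts_storage: bool    # ground truth; the server never sees this
    reports_truthfully: bool  # does the acknowledgement match the ground truth?

    def meets(self, policy: Policy) -> bool:
        return self.encrypts_storage or not policy.require_device_encryption

    def acknowledge(self, policy: Policy) -> Ack:
        if self.meets(policy) or not self.reports_truthfully:
            return Ack.APPLIED
        return Ack.NOT_APPLIED


def server_allows_sync(policy: Policy, ack: Ack) -> bool:
    """The server's whole view of the device is the acknowledgement."""
    return ack is Ack.APPLIED or policy.allow_noncompliant_devices


def classify_gap(allowed: bool, compliant: bool, ack: Ack) -> str:
    """'hidden': mail lands unencrypted while the server believes it is protected.
    'known': mail lands unencrypted and the server was told so."""
    if not allowed or compliant:
        return "none"
    return "hidden" if ack is Ack.APPLIED else "known"


def audit(policy: Policy, devices):
    """Compare the server's decision with the ground truth for each device."""
    rows = []
    for dev in devices:
        ack = dev.acknowledge(policy)
        allowed = server_allows_sync(policy, ack)
        rows.append({
            "device": dev.name,
            "ack": ack.value,
            "sync": allowed,
            "gap": classify_gap(allowed, dev.meets(policy), ack),
        })
    return rows


# Constructed fleet, modelled on what the thread says about each OS/hardware pair.
FLEET = [
    Device("iPhone 3G, OS 3.0", encrypts_storage=False, reports_truthfully=False),
    Device("iPhone 3G, OS 3.1", encrypts_storage=False, reports_truthfully=True),
    Device("iPhone 3GS, OS 3.1", encrypts_storage=True, reports_truthfully=True),
]

STRICT = Policy(require_device_encryption=True)
# The workaround from Apple's support document: stop requiring device encryption.
RELAXED = Policy(require_device_encryption=False)
# Keep the requirement but let devices that say they cannot comply sync anyway.
LENIENT = Policy(require_device_encryption=True, allow_noncompliant_devices=True)

if __name__ == "__main__":
    for label, policy in (("strict", STRICT), ("relaxed", RELAXED), ("lenient", LENIENT)):
        print(label)
        for row in audit(policy, FLEET):
            print("  {device:<20} ack={ack:<12} sync={sync!s:<6} gap={gap}".format(**row))
```

Only the "hidden" row is invisible to an administrator reading server-side state, which is why a policy of this kind is a compliance signal from cooperating clients and not a control against a client that misreports.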

alent1234
Sep 11, 2009, 09:00 AM
Get used to it. That is Apple's solution to EVERYTHING. Want H264 hardware decoding? Then buy a new Macbook because you will not get it any other way. It simply doesn't matter to Apple whether "older" hardware (like my less than one year old MBP is "old") CAN support a feature (e.g. Snow Leopard COULD have been released for PPC machines and video support could have been enabled for older iPhone models). That is beside the point. The ONLY point is that Steve wants your money and wants it bad. Got to have that backup reserve in case a kidney goes next time!

but Apple is being a lot nicer about it than most companies where they release 5 versions of a software package with minor differences and charge a lot more for a few features in the "Ultimate" or "Enterprise" version

VenusianSky
Sep 11, 2009, 09:43 AM
Mobile devices that sync corporate email is just bad all around. Blackberry, iPhone, encryption, no encryption, makes no difference. Too many irresponsible people carry these devices that contain sensitive information. There are more secure methods for accessing corporate email remotely, such as OWA and Citrix. Maybe not as convenient, but that is the price of security.

PS. I am anti-email in the corporate environment. It is more counterproductive than productive. Businesses have succeeded for many years without it.

slefain
Sep 11, 2009, 11:15 AM
I signed up just to share my workaround that I used on my iPod Touch 1G to get my Calendar back. My Outlook email still works somehow. Probably because I'm using the Webmail address.

I sync'd my Google Calendar to Outlook, then my iPod Calendar to Google Calendar. Worked great.

http://www.google.com/support/calendar/bin/answer.py?hl=en&answer=98563

then sync with CalDAV

http://www.google.com/support/mobile/bin/answer.py?hl=en&answer=151674

Kind of a kludge, but it worked.

twoodcc
Sep 11, 2009, 11:51 AM
well at least they fixed the security issue. i know 3g owners won't be happy though

seedster2
Sep 11, 2009, 11:55 AM
It may be a fix for a problem, but they sold a ton of 3G's that supposedly had exchange support, plain and simple. Clearly if they did not build in hardware encryption, they did not actually build in true exchange support and 3G owners have a very valid beef with apple because they were actively deceived in countless ads and spec sheets touting the 3G's compatibility with Exchange servers. Clearly when working properly (i.e. with encryption enabled) there is a blatant incompatibility given the apparent lack of hardware encryption on earlier iphone models. I applaud apple for releasing a fix for a security problem, but if that fix is not accompanied by a hardware fix it's essentially disabling a feature 3G owners believed their phones were capable of. Should apple choose to leave this as it is, they risk losing what little support in the corporate world they had.

How someone at apple did not at least think to include a warning in the update dialog at the very least is unreal.

Agreed. Apple isn't really owning up to the problem. Just warning you and instructing you to now get a 3GS for the promised exchange access

Get used to it. That is Apple's solution to EVERYTHING. Want H264 hardware decoding? Then buy a new Macbook because you will not get it any other way. It simply doesn't matter to Apple whether "older" hardware (like my less than one year old MBP is "old") CAN support a feature (e.g. Snow Leopard COULD have been released for PPC machines and video support could have been enabled for older iPhone models). That is beside the point. The ONLY point is that Steve wants your money and wants it bad. Got to have that backup reserve in case a kidney goes next time!

Indeed. Some will remain in denial but it's their business model and many enthusiasts still embrace it

VoR
Sep 11, 2009, 12:08 PM
Agreed. Apple isn't really owning up to the problem. Just warning you and instructing you to now get a 3GS for the promised exchange access



Indeed. Some will remain in denial but it's their business model and many enthusiasts still embrace it

Which enthusiasts actually embrace it? They're just selling products to the masses and the average consumer is completely clueless.

jf8
Sep 11, 2009, 12:21 PM
Mobile devices that sync corporate email is just bad all around. Blackberry, iPhone, encryption, no encryption, makes no difference. Too many irresponsible people carry these devices that contain sensitive information. There are more secure methods for accessing corporate email remotely, such as OWA and Citrix. Maybe not as convenient, but that is the price of security.

A properly secured BlackBerry with policies enforced by the central server is certainly more secure than using OWA or Citrix, unless OWA or Citrix is only accessible from a properly secured computer with enforced policies.

seedster2
Sep 11, 2009, 12:31 PM
Which enthusiasts actually embrace it? They're just selling products to the masses and the average consumer is completely clueless.

They're all over this forum. they will either try to excuse it or run out and buy a new apple xyz

alent1234
Sep 11, 2009, 12:36 PM
i like how with OWA you can save your password so if you lose your phone anyone can access your email until you change the password

bartzilla
Sep 11, 2009, 02:22 PM
Mobile devices that sync corporate email is just bad all around. Blackberry, iPhone, encryption, no encryption, makes no difference. Too many irresponsible people carry these devices that contain sensitive information. There are more secure methods for accessing corporate email remotely, such as OWA and Citrix. Maybe not as convenient, but that is the price of security.

PS. I am anti-email in the corporate environment. It is more counterproductive than productive. Businesses have succeeded for many years without it.

Businesses were around before electricity too. Do you work by the flickering light of a candle or are you selective in what things you avoid because we managed without them before?

drwatz0n
Sep 11, 2009, 03:39 PM
Wow, in all honesty, I can't believe some of you people. Some are angered at Apple for 'patching' this 'security flaw', and others are happy that their devices are now 'more secure'. This wasn't a flaw in the first place, it was a downright lie, and let me explain it to you:

Back when enterprise support was released, users had two device options: the iPhone and the iPhone 3G. At the time, the latest version of Exchange Server was 2007, which supported encrypted device connections. So, even though these two devices did not support such a connection method, Apple decided to 'fake it' for the sheer sake of selling devices under the 'works with Enterprise/Business/Exchange' mantra. This was not a flaw, at the time at least, yet a feature: they faked the encrypted connection in order for these devices to be able to connect to secure Exchange 2007 servers.

Fast forward to Wednesday, and Apple released the iPhone OS 3.1 update (3.1.1 for iPod touches). Apple decided that the iPhone 3GS was the device to have, and, without ANY warning whatsoever, 'fixed' this 'bug'/feature, which ended up disabling sync between the iPhone/iPhone 3G and an encrypted connection Exchange 2007 server.

The fact of the matter is this: Apple enabled this flaw/feature in order to sell devices. Let's be frank: at least a decent number of iPhone sales can be attributed to the fact that the devices were compatible with Exchange and enterprise setups. Now, with a new device available, Apple decided to play by the rules and stop lying to Exchange servers, breaking sync for a (potentially) large user base.

They didn't fix a flaw, they simply stopped a lie/fake connection.

alent1234
Sep 11, 2009, 04:38 PM
was this encryption thing part of the shipping version of Exchange 2007 or did Microsoft add it in an update?

MagnusVonMagnum
Sep 12, 2009, 12:15 AM
but Apple is being a lot nicer about it than most companies where they release 5 versions of a software package with minor differences and charge a lot more for a few features in the "Ultimate" or "Enterprise" version

That is ONLY because Apple makes the vast lion's share of their profits from selling you HARDWARE, not software (unlike Microsoft). Thus, it is in Apple's best interest to both keep software costs low (promotional/advertising point against Windows) AND *NOT* give you certain key newer features UNLESS you buy their newer hardware. This "encourages" you to buy hardware from them more often than you would otherwise. This boosts Apple's profits big time. And since you have no alternatives for Mac hardware than from Apple, they get away with it. Your only alternative (other than hacking ala Hackintosh) is to abandon the Mac platform entirely and that means all your Mac software you've purchased over the years with it. This is because Steve will allow Windows to run on Macs (including virtualization) so that you can bring your Windows software library with you to ease transition to a Mac and run all that software that is unavailable for Macs, but Steve will NOT allow the same in reverse (i.e. to run Mac virtualization software in Windows so you could take your expensive copy of Photoshop CS4 with you to the Windows platform; no you must buy a NEW copy of CS4 FOR Windows, etc.) And forget about Final Cut Pro. It's not available for Windows and so to get out of Steve's scheme, you must abandon it entirely. Unfortunately, no company has been willing thus far to challenge Apple's "right" to not let you virtualize the OS on Windows. Well, Psystar has challenged similar licensing rights and the fanboys on here have demonized them to no end for it.

Personally, I'm a consumer advocate. I don't care about corporate rights. I'm for consumer rights. The greedy corporations have had their way for far too long as it is. Just look how the insurance companies (and also from their bribed political buddies, the Republicans) are demonizing Obama's health care plan before it's even finished. They state outright LIES and seem to get away with it. The public just eats fear up for breakfast. That also speaks to the knowledge and/or intelligence level of the average citizen that they don't immediately recognize that propaganda and fear mongering for what it is. No one likes the greedy self-serving insurance companies and yet somehow the Republicans have managed to get half of America to side with them. It's unbelievable. So I guess in a similar vein, I shouldn't be too shocked at how many Mac users side with Apple on issues where Apple is screwing the consumer (which includes them) over in the name of pure profit also. Most people are lemmings, IMO. They'd let the right person lead them straight off a cliff and never think twice about jumping. So sadly, getting reform in this country that favors the consumer (be it regarding anything from the one-sided DMCA that erased fair use for digital media to a company's right to tell you where and HOW you can use their product...say like with OS X) will require VERY charismatic individuals that can lead the lemmings to safety instead of off the cliff. Obama is pretty charismatic, but even he can't manage to dissuade people from the Republican mirage of hypocritical false piety and BS lies and that's on something that's really important like affordable and available health care. What hope is there to get consumer reform for something like "tying" violations by companies that just shout that they're too small to violate anti-trust agreements? Nobody cares. So unfortunately, your ONLY option is to either leave or keep paying Steve.

bartzilla
Sep 12, 2009, 03:57 AM
was this encryption thing part of the shipping version of Exchange 2007 or did Microsoft add it in an update?

Can't remember offhand but I think it might have been part of SP1 for Microsoft Exchange 2007 which is an update.

Why?

winterspan
Sep 13, 2009, 02:51 AM
I understand the issue, but WTF was Apple thinking not implementing proper enterprise-level encryption on the original iPhone? That oversight is bad enough, but to not have it correct a year later in the 3G model??? Seriously ?

Couple this with the 2 years and 3 models it took just to get a decent camera, video recording, and A2DP, and it's like amateur hour in Cupertino. At least when they get it right, they REALLY get it right.

I don't understand why Apple is so schizophrenic with technology. At certain times, they will be in the lead in technology adoption and other times they will be so far behind it's laughable.
For example, in the case of 1.8" HDDs (ipod), first CD burners then later on DVD burners, Firewire 400 and 800, USB, Intel's Core 2 Duo processors, LED-backlit displays, environmentally friendly PC construction, Internal hardware design, ARM Cortex-A8 and PowerVR SGX based smartphone chips, Displayport, Nvidia 9400, etc, Apple was and is WAY out in front. likewise, OSX's software features are always way out in front of the industry
But then in other cases, with iPhone features like autofocus/flash camera, video recording, cut and paste, hardware encryption --- not to mention PC features like modern GPUs (although they have gotten better recently), fast SSDs, Blu-ray drives, etc, they are way behind. And I'm sure there are dozens of more examples..

celtikmind
Sep 13, 2009, 01:13 PM
but Apple is being a lot nicer about it than most companies where they release 5 versions of a software package with minor differences and charge a lot more for a few features in the "Ultimate" or "Enterprise" version

Interesting how so many using Apple's products seem to think that it is wrong to release five versions of one base software with only minor differences, but it's ok to do it with hardware?!

How can it ever be 'nicer' of Apple to limit their customers to buy whole new hardware just to get access to i.e. cheap video features? Features that could and would, work fine with a software upgrade etc, etc. Selling old hardware and buying new is a process that makes you lose a lot more money compared to buying a single, if even, expensive software. And it leaves behind a lot more trash as well as it is pure consumer ideology.

Because in environmental terms and in terms of sustainability, Apple solution of limiting (forcing if you will) people to buy new hardware just to get access to contemporary features is a very real, effed up failure!

OS X sure is nice and I wish they would make it more accessible on 'other platforms'. Apple themselves isn't, they're a corporation with more greed than ever these days. They don't thrive on your conviction and admiration alone, they only want your money. Wake up and open your eyes!

winterspan
Sep 14, 2009, 03:27 AM
.. Because in environmental terms and in terms of sustainability, Apple solution of limiting (forcing if you will) people to buy new hardware just to get access to contemporary features is a very real, effed up failure!

That's an important point that is sorely missed by most people considering Apple's environmental cred.

Whether their excuses about hardware capabilities are factual or not (with autofocus being the sole exception I think the others are BS) the features that are present on the iPhone 3GS and not on the earlier model(s) are NOT novel features that were just created yesterday. All of these things should have been planned for and implemented on the first iPhone. I mean, MMS not being available on iPhone v1?? come on, that is total BS. Likewise, things like video recording, autofocus, a decent camera sensor should have been in first iPhone as well. Other software-based features like proper encryption, MMS, stereo bluetooth, voice dial, etc should be offered as part of the newest OS on all earlier models.

Making people buy new units to get functionality that is easily implemented in software and is standard on most cellphones (ahem.. MMS, etc) is a terrible way of being environmentally friendly, although at least the older devices are being sold or given away and don't go directly to the landfill.

alent1234
Sep 14, 2009, 08:46 AM
Can't remember offhand but I think it might have been part of SP1 for Microsoft Exchange 2007 which is an update.

Why?

because if SP1 shipped after the 3G was introduced then Apple is not at fault here for having a major security issue. I support MS products and have done so for years, but the whole 2007 collection including Vista has been pretty bad. Seems like MS rewrote huge parts of the product in patches. Almost as bad as 2001 - 2005 or so when they would introduce a server product and kill it or roll it into another product in a year or two

alent1234
Sep 14, 2009, 08:49 AM
Interesting how so many using Apple's products seem to think that it is wrong to release five versions of one base software with only minor differences, but it's ok to do it with hardware?!

How can it ever be 'nicer' of Apple to limit their customers to buy whole new hardware just to get access to i.e. cheap video features? Features that could and would, work fine with a software upgrade etc, etc. Selling old hardware and buying new is a process that makes you lose a lot more money compared to buying a single, if even, expensive software. And it leaves behind a lot more trash as well as it is pure consumer ideology.

Because in environmental terms and in terms of sustainability, Apple solution of limiting (forcing if you will) people to buy new hardware just to get access to contemporary features is a very real, effed up failure!

OS X sure is nice and I wish they would make it more accessible on 'other platforms'. Apple themselves isn't, they're a corporation with more greed than ever these days. They don't thrive on your conviction and admiration alone, they only want your money. Wake up and open your eyes!

everyone expects new product releases to have new features not available on older products. but when you ship a product like Vista or Windows 7 with only minor differences then you know it's a money grab. MS does this with its server products. The "Enterprise" version will have one or two more features for double the price

diamond.g
Sep 14, 2009, 09:22 AM
because if SP1 shipped after the 3G was introduced then Apple is not at fault here for having a major security issue. I support MS products and have done so for years, but the whole 2007 collection including Vista has been pretty bad. Seems like MS rewrote huge parts of the product in patches. Almost as bad as 2001 - 2005 or so when they would introduce a server product and kill it or roll it into another product in a year or two

Exchange SP1 was released in 2007.

It isn't the first time MS has changed things in a service pack (XP SP2 Firewall anyone?). Microsoft still split things up (SMS -> CM).

alent1234
Sep 14, 2009, 10:35 AM
the FW was just a minor add on

in Vista they changed the entire kernel. Vista SP2 is the same file as Windows Server 2008 SP2. they finally unified the kernels in all their products. and in RTM Vista they shipped SMB that was the original protocol from 1993. in SP1 or SP2 they changed it to SMB v2 which was completely rewritten. It's a lot faster but introduced a lot of incompatibilities. Vista SP2 is almost an entirely new OS from the shipping version. still boggles my mind why they did this

not even going to list all the server products they introduced and then killed off or rolled into other products over the last decade

diamond.g
Sep 14, 2009, 11:12 AM
the FW was just a minor add on

in Vista they changed the entire kernel. Vista SP2 is the same file as Windows Server 2008 SP2. they finally unified the kernels in all their products. and in RTM Vista they shipped SMB that was the original protocol from 1993. in SP1 or SP2 they changed it to SMB v2 which was completely rewritten. It's a lot faster but introduced a lot of incompatibilities. Vista SP2 is almost an entirely new OS from the shipping version. still boggles my mind why they did this

not even going to list all the server products they introduced and then killed off or rolled into other products over the last decade

They felt that it wasn't enough of a change to warrant a new OS, I guess. Also, Vista SP1 is supposed to share the 2008 kernel as well. Note how there is no pre-SP1 version of 2008.
What I do find odd is no mention of 2008 R2 from MS (based on Windows 7).
EDIT: seems that it is out, man no major press release or nothing :confused:

alent1234
Sep 14, 2009, 12:43 PM
2008 R2 hit MSDN the same day as Windows 7 I think

aliensporebomb
Sep 14, 2009, 09:54 PM
Is it your personal iPhone? If so and if your employer requires hardware encryption on portable phones, why would you be allowed to use your personal iPhone for work email in the first place?

Because many employers in a way to cut costs even further will often require
their employees to BUY their own phone. They do not pick up the cost, you do.

It is possible your monthly bill may be reimbursed.

It is a requirement at my workplace to BUY your own phone to use on corporate
systems.

This is the new economic reality. Get used to it.

aliensporebomb
Sep 14, 2009, 09:57 PM
because if SP1 shipped after the 3G was introduced then Apple is not at fault here for having a major security issue. I support MS products and have done so for years, but the whole 2007 collection including Vista has been pretty bad. Seems like MS rewrote huge parts of the product in patches. Almost as bad as 2001 - 2005 or so when they would introduce a server product and kill it or roll it into another product in a year or two

Totally agreed.

This coming from an MCP / MCSE 2003 / MCSA 2003 / CompTIA Security+

aliensporebomb
Sep 14, 2009, 10:01 PM
the FW was just a minor add on

in Vista they changed the entire kernel. Vista SP2 is the same file as Windows Server 2008 SP2. they finally unified the kernels in all their products. and in RTM Vista they shipped SMB that was the original protocol from 1993. in SP1 or SP2 they changed it to SMB v2 which was completely rewritten. It's a lot faster but introduced a lot of incompatibilities. Vista SP2 is almost an entirely new OS from the shipping version. still boggles my mind why they did this

not even going to list all the server products they introduced and then killed off or rolled into other products over the last decade

Not to mention I nearly had to sacrifice a chicken to get Vista SP2 on my corporate laptop, I seriously went thru so much pain developing a deployable image for the system administrators at my work that we eventually bailed on the idea and had the sysadmins make their own just because the licensing schemes were protecting the thing like it was better than gold but honestly, everyone, even end users with the merest knowledge of computers at my workplace were dogging Vista like the dog it truly is.

Even then, with SP2 the continued bugs (wireless inadequacy among others) that should have been caught well before SP1 was released just showed that nobody was steering the ship at M$.

I'm told that 5000 developers worked for five years on Vista. The problem: Too many cooks and not enough master chefs so to speak. They were so hot on making it a gee whiz operating system that they lost basic functionality in many cases.

MagnusVonMagnum
Sep 15, 2009, 12:23 AM
everyone expects new product releases to have new features not available on older products. but when you ship a product like Vista or Windows 7 with only minor differences then you know it's a money grab. MS does this with its server products. The "Enterprise" version will have one or two more features for double the price

Gee, you mean like how Snow Leopard only had minor differences??? (well other than ditching 1/3 of all Mac users in an attempt to force them to buy new hardware from Apple) You don't call that strategy a money grab? Most of those features could have been included a Leopard update and without ditching PPC for another year or two so that their track record remained consistent. Yet for all their talk of a bug fix and efficiency release (what Snow Leopard was coined as originally), it's not really any faster than Leopard and there's still plenty of bugs and irritating behaviors to go around. OpenCL and Grand Central seems to be its only real advantages and those need specialized software to really take advantage of them.

I think Apple is out of ideas for OS X, which is a pity given how many things could be improved in it, from actual gaming library support (ala Direct X and Direct 3D) without solely depending on OpenGL (which is also out of date in Snow Leopard on Day 1) and yet people wonder why gaming is slow to come to OS X, other than Cider ports (which are ALWAYS SLOWER). Apple cannot even see that the Finder could be improved greatly by providing a dual-pane option. How many times do you need to move files around and find yourself opening multiple windows? Actually, a better question is how many times a DAY do you have to do that for the lack of a simple dual-pane window? Frankly, that would be a huge improvement over Windows. Yeah, there's a 3rd party option out there, but it's expensive for something so basic that Apple should have had from day 1 in OS X. I could go on, but it's pointless since Apple couldn't give a flying rat's hind-end about user opinions or desires. If Steve cannot come up with it on his own, forget about ever seeing it.

alent1234
Sep 15, 2009, 10:29 AM
i'm a windows user but from reading about SL it sounds like it should be a new OS product and not a patch. MS does this every other OS release. you'll have a big release like Windows 2000 or Vista/server 2008 and a patch release like 2003/XP/Win 7/2008 R2 which is just a big update. A few major features but mostly just ironing out issues from a major release.

Personally i think there is no more innovation in the OS in Windows and OS X except for UI improvements and the usual support for new technologies. MS fixed SMB in Vista SP1 but that was expected.

For gaming Apple's biggest problem is they use laptop parts in all their computers except Mac Pro's. I can buy a Dell PC for less than $1000 including a monitor with a nice discrete graphics adapter that will smoke anything Apple puts in their computers these days. the 9400M and 9600 are old and obsolete. But funny thing is that Dell just came out with a new laptop model that uses the 9400M and is overpriced just like MBP's.

alent1234
Sep 15, 2009, 10:34 AM
Not to mention I nearly had to sacrifice a chicken to get Vista SP2 on my corporate laptop, I seriously went thru so much pain developing a deployable image for the system administrators at my work that we eventually bailed on the idea and had the sysadmins make their own just because the licensing schemes were protecting the thing like it was better than gold but honestly, everyone, even end users with the merest knowledge of computers at my workplace were dogging Vista like the dog it truly is.

Even then, with SP2 the continued bugs (wireless inadequacy among others) that should have been caught well before SP1 was released just showed that nobody was steering the ship at M$.

I'm told that 5000 developers worked for five years on Vista. The problem: Too many cooks and not enough master chefs so to speak. They were so hot on making it a gee whiz operating system that they lost basic functionality in many cases.

I have an HP Compaq 8510p Business Desktop and have run Vista and XP on it over the last 2 years. now i run Windows 7 x64 Ultimate and it's pretty good. Even the virtual XP Mode is nice for my checkpoint VPN client.

The biggest problem i had was with the crap HP software like Protect Manager or whatever it's called. Haven't bothered to install it over the last 18 months and everything works like a charm. when i had it running the whole PC was slow, took 5 minutes to log on, etc.

i read it was something like 15000 devs. few years ago i read a blog by one of the Vista devs and he said that from the time he submitted his code to the time it made it into a build was something like 4-6 weeks. it took that long to test it at different levels and MS had to write a lot of software just to develop Vista and that probably turned into the server versions of Visual Studio

bartzilla
Sep 16, 2009, 02:23 AM
because if SP1 shipped after the 3G was introduced then Apple is not at fault here for having a major security issue.

Whose fault is it then? Apple chose to offer support for this function, then didn't support it properly. It's Apple's product, and their own code too. Whose fault is it exactly? Do you think Steve Ballmer or the CEOs of Palm or RIM came in through the chimney in a ninja suit to introduce bugs while everyone at Apple was sleeping?

I support MS products and have done so for years, but the whole 2007 collection including Vista has been pretty bad. Seems like MS rewrote huge parts of the product in patches. Almost as bad as 2001 - 2005 or so when they would introduce a server product and kill it or roll it into another product in a year or two

I think it's a little disingenuous to drag vista and its woes into a discussion about Exchange to say the least. I agree with your comments on Vista but I'm not sure you can stretch that comparison to other things.

As for them introducing and killing products - most people moan that MS never innovate, you seem to be moaning because they did try.

Macmebaby
Sep 16, 2009, 10:28 AM
Ok as far as I have read it just seems like everybody is complaining about it but I'm only going to say this if u are using exchange sure be a lil mad about it but dam if ur not don't complain about it doesn't affect u in any way so y even bring it up....mostly ppl in here are talking in third party which means u don't use it u speak for other so y don't you let the ones that do use it tell us what they feel and don't speak for them ..

maestro55
Sep 24, 2009, 11:50 AM
Can I get confirmation that there are no plans for a fix and the only way my original iphone and 3G users are able to talk to exchange is if I disable the encryption?

My boss is going to love this answer :rolleyes:

pr5owner
Sep 24, 2009, 07:13 PM
Wow, way to misunderstand the problem completely.

This is not a stunt. If an administrator has enabled device encryption, it's because they expect the sensitive data to be stored in an encrypted manner on the device. The iPhone 3G CANNOT STORE DATA IN THIS ENCRYPTED MANNER.

If any "corporate customer" is going to get pissed off at Apple for disabling this (they're not), then they should simply disable device encryption because IT WAS NOT BEING USED IN THE FIRST PLACE.

Sigh.

it's funny how corporate security doesn't matter or mean anything to apple fans or even apple and their non functional pin code pad on the iphone (which is now fixed)