Is the iPhone 2.0 Enterprise Ready?

[evogelpohl]

Work for a Fortune 200 company. We use Cisco VPN and Microsoft Exchange w/ ActiveSync.

Our Security Architects are finding that the iPhone Cisco VPN client gives the user the option to SAVE the username / password - obviously a no-no.

Also, hearing the the 'force-pin-code-lock' feature can be turned off by the user and 24 hours later, it will be forced back.

So, If true (?), I now have a phone that can be left in a cab with no pin and a VPN client that has a userid and password pre-programmed in. ??? Yicks!

Is this right? If yes, how are large enterprises supposed to manage / ensure compliance to these basic security issues?

Thanks
EV.

 

[soberbrain]

From your description, it sounds like these issues are both user related. In the end it doesn't matter how much security you add to a system if a user circumvents these measurements.

In the cab scenario, the iPhone should be remote wiped, but have a secure back up so that data is not lost.

 

[evogelpohl]

Is the iPhone 2.0 Enterprise Ready?

By user, you mean "End User Policy or Guideline" for Appropriate Use. If an Enterprise establishes a Policy (aka, enforced universally and with the oversight of tools, processes and/or compensating controls - that are audited), then all devices and computing platforms within that domain of IT (in this case mobile) need to meet that criteria. Without exception. If you have exceptions and lack of formal controls, then most likely the Policy, is a Guideline.

Password and Pin-code mgmt are not exceptional or extra-ordinary security requirements. Indeed, any fortune 500 company that follows an ISO 17799 based security framework will agree, you DO NOT allow full-access VPN clients to include embedded PWs. Also, you DO NOT allow your users to "choose" when they get to abide by pin-code requirements.

So, if these conditions are in fact true, i would say that Apple screwed up. This device is not Enterprise-Ready.

 

[zkaudio]

From your description, it sounds like these issues are both user related. In the end it doesn't matter how much security you add to a system if a user circumvents these measurements.

In the cab scenario, the iPhone should be remote wiped, but have a secure back up so that data is not lost.

... there are a LOT of regulations governing this stuff. They all pretty much operate around the basic and generally accurate assumption that the system's users will do stupid things. Literally has to be idiot proof.

 

[soberbrain]

I can see I'm in over my head on this topic. Definitely not an expert here and not up to speed on current regulations, just an end user that gets frustrated seeing others lack of respect when it comes to security.

I was reading the Enterprise Deployment Guide and it looks like the issues above would be due to manually configured iPhones.