Work for a Fortune 200 company. We use Cisco VPN and Microsoft Exchange w/ ActiveSync. Our Security Architects are finding that the iPhone Cisco VPN client gives the user the option to SAVE the username / password - obviously a no-no. Also, hearing the the 'force-pin-code-lock' feature can be turned off by the user and 24 hours later, it will be forced back. So, If true (?), I now have a phone that can be left in a cab with no pin and a VPN client that has a userid and password pre-programmed in. ??? Yicks! Is this right? If yes, how are large enterprises supposed to manage / ensure compliance to these basic security issues? Thanks EV.