It turns out that Apple's iPhone 3.1 OS fix of a serious security issue -- falsely reporting to Exchange servers that pre-3G S iPhones and iPod Touches had on-device encryption -- wasn't the first such policy falsehood that Apple has quietly fixed in an OS upgrade. It fixed a similar lie in its June iPhone OS 3.0 update. Before that update, the iPhone falsely reported its adherence to VPN policies, specifically those that confirm the device is not saving the VPN password (so users are forced to enter it manually). Until the iPhone 3.0 OS update, users could save VPN passwords on their Apple devices, yet the iPhone OS would report to the VPN server that the passwords were not being saved.
The fact of the iPhones' false reporting of their adherence to Exchange and VPN policies has caused some organizations to revoke or suspend plans for iPhone support, several readers who did not want their names or agencies identified told InfoWorld. One reader at a large government agency describes the IT leader there as "being bitten by the change," after taking a risk to support the popular devices. "I guess we will all have to start distrusting Apple," said another reader at a different agency.
[ Apple's snafu on the iPhone OS's policy adherence could kill the iPhone's chances of ever being trusted again by IT, argues InfoWorld's Galen Gruman. ]
Last week's iPhone OS 3.1 update began correctly reporting the on-device encryption and VPN password-saving status when queried by Exchange and VPN policy servers, which made thousands of iPhones noncompliant with those policies and thus blocked from their networks. (Only the new iPhone 3G S has on-device encryption.) Apple's document on the iPhone OS 3.1 update's security changes neglected to mention this fix, catching users and IT administrators off-guard. Worse, it revealed that Apple's iconic devices have been unknowingly violating such policies for more than a year.
"My guess is the original decision to emulate hardware encryption was made at a level where there wasn't much awareness of enterprise IT standards. After all, this is a foreign language for Apple," says Ezra Gottheil, an analyst at Technology Business Research. "However, once the company realized the problem, it made a spectacularly dumb choice. The change was necessary and inevitable, but Apple could have earned some points by coming clean at the earliest opportunity. Instead, it allowed itself to be seen in the worst possible light. This is the result of a colossal clash of cultures. Even when it is trying, Apple cannot force itself to think like an enterprise vendor."
Apple's advice to users on addressing the Exchange encryption policy issue is to either remove that policy requirement for iPhone users or replace users' devices with the iPhone 3G S.
IT organizations can also consider using third-party mobile management tools that enforce security and compliance policies; several now support the iPhone to varying degrees, including those from Good Technology, MobileIron, and Zenprise.