[MarkParris]

Hello,

I am doing some work for a client, who runs a BES Server and a couple of hundred blackberry's, commercial would like to trial the iPhone's.

Are there any gotch's or issues that anyone know's of, when running the two systems on the same infrastructure and Exchange organisation.

Any information and isights that can be provide would be greatly appreciated.

[penguin3107]

They're mutually exclusive.
BlackBerry handhelds will use BES to communicate with Exchange.
iPhones will use ActiveSync to communicate with Exchange.

There's no problem using both at the same time.

[knottyrope]

We have many iphones and BES here with no issues.

You can have a BB and an iPhone on the same email address to compare them both.

[hairyfish]

So how does it work then?
There doesn't seem to be much doco on how to set up iPhone on Exchange.
I've clearly missed something as it doesn't work here, is there something no-standard that needs to be installed on Exchange (ie activesync)?
If so any links on a doc on how to setup this up? Every page I've found that mentions iPhone and Exchange vaguely goes over the topic but never really specifies exactly what needs to be done to get it to work.

[juwaack68]

Yea, that's because there isn't much documentation on the iPhones since they have such limited security in an enterprise environment.

You can install a certificate on them, to force certain things, like a password, and you're supposed to be able to remote wipe them, but beyond that.....have fun.

We're starting this right now. I have a guy in Marketing who's nice enough to configure everyone's personal iPhones and iTouch device to connect to the corporate network, without any security whatsoever.

I blame the network guys, for allowing it. But then I get calls from people for support. Sorry, wrong number. The Marketing guy's number is......

[knottyrope]

If your windows mobile phone can connect, an iPhone should be able to as well.

We use SSL certs. It is basically the same as a windows mobile phone that you install a cert into. I just ran the iphone web utility to create the package than can be emailed or published on a web server. There is not much to it.

[usererror]

Yep, we are also doing both as well.

We have the same security requirements setup in the Mobile Tab for Exchange as we have on the blackberry devices so "All is fair"

The user is forced to create a password on their iphone when we allow them to sync to Exchange. By default the mobile mail option is turned off for our organization.

[scorp508]

Quote:

Originally Posted by knottyrope

If your windows mobile phone can connect, an iPhone should be able to as well.

Caveat... if you have "Allow nonprovisional devices" turned off then an iPhone may not be able to connect depending on what features in the EAS policy you have configured. This goes the same for Palm Pre, non-WinMo Treos, and older WinMo, and others.

[knottyrope]

Quote:

Originally Posted by scorp508

Caveat... if you have "Allow nonprovisional devices" turned off then an iPhone may not be able to connect depending on what features in the EAS policy you have configured. This goes the same for Palm Pre, non-WinMo Treos, and older WinMo, and others.

Good point.

IIRC the default setting is true
if they turned it to false, you would be correct.

[DCM2007]

I manage the technology at a Financial Services company. I have deployed a BES but now I am getting strong armed into allowing Exchange Activesync so that everyone can go get an iPhone. I'm very reluctant for 2 reasons...1 - I absolutely will not support iPhones (or any Windows Mobile device for that matter) due to the fact that I am spread pretty thin already and need to keep things standardized. And 2...I think I have some legitimate concerns about the security of the devices due to the very little oversight I have over each device. Other than being able to disallow the sync and forcing a password policy, I have very little control. And while I "feel" like activesync is less secure, I need some specific documentation to either support my argument or refute it. Can someone point me towards some reading material that compares the security of BES vs Activesync?

[nobody7290]

Even, if the data transfer of the BES ( AES256Bits) is more secure then Active sync (SSL), the biggest difference in "security" is the control of the device, and, the control of the usage.

With an iPhone:
you cannot encrypt the filesystem
you cannot force the user to use your internal proxy server
you cannot disallow third party applications ( there is no iphone virus, but if )
you cannot disallow other email services (so, people might send vital data which they receive on the company mail using their iPhone to somewhere else)
you cannot log device usage like phoncalls, sms, pin

There are more options, but these I remembered first.

[knottyrope]

iPhone vs. BlackBerry Mobile Device Comparison - Sophos

[DCM2007]

Thanks for the comparison. That is exactly what I need. One more question...is there another post or perhaps another forum where security admins were asked whether or not they allow Exchange Activesync and their reasoning for their decision?

[knottyrope]

More iPhone info
Exchangepedia Blog: iPhone OS 3.1 Security Changes and Exchange ActiveSync Policy

Allowing active sync on devices that can not be wiped is a risk if they are lost.
I have heard of LAW firms not allowing PDAs etc for that reason.

[Frank Castle]

Actually Apple does have a decent document on setting up iPhone in the Enterprise.

Apple - iPhone in Business - Integration

That being said I work in a vertical with many security / regulatory demands and earlier this year we removed support for iPhone. This past summer we also removed support for all over mobile devices but Blackberry. Many reasons came into this decision but the simple fact is device management and security on other platforms compared to BES is woefully lacking.

We hear daily from the iPhone users and trust me they are a vocal group. So I have an ongoing list of the reasons why we do not support iPhone. It's really a decision your org needs to make about mobile security, management. This is by no means a perfect decision and for those orgs with less regulatory concerns not as big an issue.

This isnt just an iPhone issue really, there is a growing number of devices that to me are just consumer focused. Blackberry is enterprise focused and provides granual control if you so desire. I doubt Apple will ever allow that level of control as they want that iTunes / AppStore revenue stream.

This is similar to my other favorite topic - Personal liable mobile devices vs. Corporate liable. We are strictly CL only, period. People don't like it but this was decided by multiple people making much more then my pay grade, no company data is to be synced to a PL device. It doesn't save us money and is just a risk. Not to mention the gray area about who supports what and where that line is so I'm happy to have that policy as again it is asked OFTEN.

Anyways sorry to ramble. I've attached my iPhone issue list if it helpful to anyone.

[bpfns]

Great post, jletendre. I have similar experiences and observations with iPhones in the enterprise.

One question regarding encryption: Have you been able to successfully roll out content protection in your environment? This seems to crater about 15-25% of our users to some degree when we turn it on (enforce to "STRONG" from BES). I don't know exactly how much of this is just complaining from spoiled users, but there are a number of definite issues.

Since I have had to turn content protection off, my argument against the iPhone's easily broken encryption has been weakened. Any insight you can share or does the content protection feature just work?

TIA.

[Frank Castle]

Sorry been absent as a couple projects having been killing me the past couple months. Thank god for year end and holiday down time!

Someone correct me if I'm wrong but when you enable the content protection setting under Options / Security Options / General Settings / and change the Strength each setting requires a longer user password. Stronger is 10 and Strongest was something like 21 character long password. There is no way my users would not outright revolt if I tried to enforce that.

I believe even with Content Protection disabled the Blackberry contents are encrypted when LOCKED. When you have this enabled it's constantly on and un-encrypts as the information is access so in the past this just killed device performance so combined with the said password reqs we do not enforce this. I think a couple admins on here do though so they might have more detail and I'm too lazy to go through the IT policy guide.

I do think there is much mroe security on BES over what iPhone policy you have via EAS. BES goes beyond remote wipe and after X time of not being in contact with your BES can "self destruct" so this is really all about mitigating your risk and protecting company data. Currently iPhone with just EAS is not secure enough for any heavily regulated company.