How to secure smartphone access

Implement Exchange ActiveSync policies


The recent revelation that Apple's iPhone OS had been falsely reporting to Exchange servers that iPhones and iPod Touches provided on-device encryption, when in fact they did not, has raised several questions about mobile device support for EAS (Exchange ActiveSync) policies. Many businesses employ these policies as vital safeguards to secure access to corporate information, whether to meet specific regulations or as a matter of general security prudence.

As it turns out, information on EAS policy support among mobile devices is not easy to come by. Nor is it easy to ascertain exactly what will happen when an Exchange server is configured to use a policy that a given mobile device may or may not support.

Exchange ActiveSync 2007 supports 29 access and security policies that IT can enable. (To get the details on the policies and their values, check out Microsoft's documentation for Exchange Server 2007 policies.)

Just a handful of mobile devices support at least some EAS policies: Apple's iPhone, smartphones using Microsoft's Windows Mobile OS, Nokia's E and N series as well as the S60 through a download, and Palm's WebOS, along with its defunct Palm OS.

Windows Mobile 6.1 supports all 29 policies, though an Exchange enterprise license is needed for 14 of them. Apple and Nokia did not respond to InfoWorld's request to list specifically what EAS policies their devices support; a Palm spokeswoman was unable to find the information even after several days. All three companies have published limited information on their Web sites:

* Nokia's site says that it supports "all security policies," without identifying which ones those are.

* Apple's site says the iPhone supports Allow Camera, Password Enabled, Allow Simple Password, Alphanumeric Password, Password Expiration, Password History, Maximum Failed Password Attempts, Minimum Password Length, Maximum Inactivity Time Lock, Policy Refresh Interval, Minimum Device Complex Characters, Require Manual Synchronisation While Roaming, and, in iPhone OS 3.1 only, Require Device Encryption.

* Palm's Web site says its WebOS 1.1 supports Password Enabled, Alphanumeric Password, Password History, Maximum Failed Password Attempts, Maximum Password Length, Maximum Inactivity Lock, Minimum Device Complex Characters, and Password Recovery.
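
As an added example (not from the article, Microsoft, Apple or Palm), the policies Apple lists for the iPhone could be set in the Exchange Management Shell roughly as follows. The policy name, mailbox address and every value are constructed, and the mapping from the article's policy names to cmdlet parameters is this example's assumption.

```powershell
# Added example, run in the Exchange Management Shell.
# Policy name, mailbox and all values below are constructed samples.
$policyName = 'Smartphone-Baseline'      # hypothetical policy name
$mailbox    = 'user@example.com'         # hypothetical mailbox

# One parameter per policy in Apple's published list for the iPhone.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MinDevicePasswordComplexCharacters 2 `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -DevicePolicyRefreshInterval '1.00:00:00' `
    -RequireManualSyncWhenRoaming $true `
    -AllowCamera $true `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false
# AllowNonProvisionableDevices $false refuses sync to devices that say they
# cannot apply the whole policy. The server still relies on what the device
# reports, which is the weakness the article opens with.

# Assign the policy to a mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Read the policy back to confirm the two settings that decide whether an
# unencrypted or non-compliant device is allowed to sync.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, RequireDeviceEncryption, AllowNonProvisionableDevices
```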

Google's Android OS does not support EAS at all, and Research in Motion's BlackBerry does not support EAS directly. Instead, you use RIM's BlackBerry Enterprise Server, which has its own set of policies, all of which, of course, the BlackBerry OS supports.

Many devices allow users to connect to Exchange via IMAP, if Exchange is configured to accept such connections. No EAS policies are enforceable via IMAP.