Exchange ActiveSync and iPhone OS 3.1


Many Exchange Server customers have reported issues logging on to Exchange using iPhone devices older than iPhone 3GS. iPhones support Exchange ActiveSync (EAS), the same protocol supported by Windows Mobile devices, and licensed by many other mobile device manufacturers.

Exchange Server 2007 SP1 and later support many additional policy settings. Two policy settings that are of interest here are:

  1. Require device encryption: When you enable this policy, mailbox data synchronized and stored to a mobile device is encrypted.

    Fig 1: Exchange ActiveSync policy requiring device encryption (screenshot of the Exchange ActiveSync security policy settings)

  2. Allow Non Provisionable Devices: You can disable this setting (default) to prevent provisioning of devices that can’t fully apply Exchange ActiveSync policies.

The iPhone 3GS supports device encryption, and is the first version to do so. Previous iPhone models, including the iPhone 3G, do not support device encryption. Additionally, before iPhone OS 3.1, these devices did not communicate their policy status correctly, resulting in the devices being able to connect to Exchange Server, even if your Exchange ActiveSync policy required device encryption and did not allow non-provisionable devices.

iPhone OS 3.1 correctly reports its policy status. As a result, if your policy requires device encryption and doesn’t allow non provisionable devices, previous models of iPhone which don’t support device encryption are prevented from accessing the mailbox.

After considering your organization’s security policy, if you need to allow older iPhone devices to connect, you can modify the Exchange ActiveSync policy to either allow non-provisionable devices, which still enforces device encryption on devices that do support it, or disable the device encryption requirement. Note that allowing non-provisionable devices admits devices that may enforce only some policies, or none at all. Alternatively, you can create another policy which does not require device encryption, and apply it only to mailbox users with devices that do not support device encryption.
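The third option above (a separate policy without the encryption requirement, assigned only to the affected mailboxes) as an added Exchange Management Shell example; this is not code from the original post. The policy name, the mailbox selection and the DeviceModel pattern used to recognise pre-3GS iPhones are assumptions and should be checked against the output of Get-ActiveSyncDeviceStatistics in your own organization before use.

```powershell
# Added example (not from the original post). Exchange 2007 SP1 Management Shell.
# Assumptions: policy name "EAS-NoEncryption-LegacyiPhone" and the DeviceModel
# pattern "iPhone1C*" for pre-3GS models are placeholders; verify them first.

# 1. Review the two settings of interest on every existing EAS policy.
Get-ActiveSyncMailboxPolicy |
    Format-Table Name, IsDefaultPolicy, DeviceEncryptionEnabled, AllowNonProvisionableDevices -AutoSize

# 2. Create a second policy that still refuses non-provisionable devices
#    (so devices must apply the policy they are given) but does not require
#    device encryption. A device password is still required here.
$policyName = "EAS-NoEncryption-LegacyiPhone"
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DeviceEncryptionEnabled $false `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true

# 3. Find mailboxes whose only iPhone partnerships are older models that cannot
#    encrypt. DeviceType "iPhone" is what the iPhone reports; the DeviceModel
#    prefix is an assumed placeholder and must be confirmed in your environment.
$legacyMailboxes = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.HasActiveSyncDevicePartnership } |
    Where-Object {
        $devices = Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity
        $iphones = $devices | Where-Object { $_.DeviceType -eq "iPhone" }
        # Only move the user if every iPhone they sync is a pre-3GS model;
        # a user who also has a 3GS keeps the encryption-required policy.
        ($iphones.Count -gt 0) -and
        (($iphones | Where-Object { $_.DeviceModel -notlike "iPhone1C*" }).Count -eq 0)
    }

# 4. Assign the relaxed policy only to those mailboxes. Everyone else keeps the
#    default policy, which still requires device encryption.
foreach ($mbx in $legacyMailboxes) {
    Set-CASMailbox -Identity $mbx.Identity -ActiveSyncMailboxPolicy $policyName
}

# 5. Verify which mailboxes now carry the relaxed policy.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncMailboxPolicy -eq $policyName } |
    Format-Table Name, ActiveSyncMailboxPolicy -AutoSize
```

Keeping AllowNonProvisionableDevices at $false on the second policy is deliberate: the goal is to drop only the encryption requirement for these users, not to admit devices that ignore policy altogether. Devices pick up the new policy on their next sync, so allow for that delay when verifying.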

For more details about Exchange ActiveSync policies, see Understanding Exchange ActiveSync Mailbox Policies in the Exchange 2007 documentation.

Bharat Suneja


Comments (17)
  1. iamme says:

    You state the following:

    # Allow Non Provisionable Devices: You can disable this setting (default) to prevent provisioning of devices that can’t fully apply Exchange ActiveSync policies.

    Yet if you look at both of these pages, it states that Allow Non-Provisionable Devices is enabled by default:

    http://technet.microsoft.com/en-us/library/bb123484.aspx

    http://msexchangeteam.com/archive/2007/05/23/439541.aspx

    However, when you create a new EAS policy, it is disabled by default.  This is a big difference and is something that should be included in the article, as your default is on manually created policies, not the default EAS policy.

  2. Thunder says:

    "if you need to allow older iPhone devices to connect, you can modify the Exchange ActiveSync policy to either allow non provisionable devices"

    I did this and tested on an iPhone 3G, with OS 3.1, and got the error message: "Policy Requirement The account blah requires encryption which is not supported on this iPhone"

    I have "Allow non-provisionable devices" selected and "Require encryption on the device" selected

  3. Rob G says:

    I have experienced the same thing. With "Allow non-provisionable devices" enabled and Require Device Encryption, 3G devices and below cannot sync.

  4. Bharat Suneja [MSFT] says:

    @Iamme: Thanks much for pointing that out!

    @Thunder & Rob G: When non-provisionable devices are allowed (that is, AllowNonProvisionableDevices is set to $true) and DeviceEncryptionEnabled is set to $true, devices that report the correct policy status are allowed. Why this doesn’t work with iPhone and iPhone 3G running OS 3.1 needs to be investigated.

    For now, if your organization’s security policy permits, please use the other alternative: a different policy that does not require device encryption for only those users.

  5. Steve Simmons says:

    What the iPhone 3.1 doesn’t work with Exchange (e.g. the largest messaging software product in the known universe) out of the box?  Is Apple actually branding that as a feature :-).  I wish somebody at MSFT would nail Apple to the wall about this.  Apple flat out lied to their customers and shipped a product with a known defect (security defect no less).  At the end of the day, all the Apple sheep out there will be the first ones to bring up security issue after security issue with MS products.  This one seems ripe to rub in their faces.

  6. Albert Fang says:

    Really digging deep down in the latest iPhone technology is going to take some work, but with the right staff of developers, I believe it is simply possible.

  7. Petri says:

    @Thunder & Rob G:

    We have noticed – with other phone vendors – that in the case when your phone model does not fully support EAS policies, but you have already done one sync, it is quite hard to get rid of the problem. Even if you delete your ActiveSync profile, it gets the old settings from somewhere and is not able to overwrite them.

    I don’t know the iPhone, but if you could reset your phone (so it will clean all your settings and other stuff, like when you first got it) and then try to sync again, you might get it to work.

  8. canardminceblanc says:

    @everyone

    Surely it is entirely correct behaviour that an iPhone 3G running OS 3.1 would not be allowed to connect when encryption is required, even with allow non-prov enabled? All this setting does is give a free pass to devices that don’t implement the policy – iPhone OS 3.1 DOES implement the require encryption policy, and on a 3G will say "oops I don’t have encryption, sorry" and EAS will thus not connect it.

  9. MaximumExchange.ru says:

    Russian translation here (Russian version of this post): http://www.maximumexchange.ru/2009/09/24/exchange-activesync-and-iphone-3-1/

  10. sltech says:

    I’m having a weird problem with iPhones connecting to an Exchange 2007 server.  After successfully setting up the Exchange Email account on the iPhone 3GS, they can see all the email in their Inbox but none of the folders within the Inbox show up.  Any ideas?

  11. Pete says:

    Hi

    Can you tell me exactly how the iPhone wasn’t reporting its policy correctly? I’m having exactly the same problem connecting to a server that doesn’t have "allow non-provisionable device" set from my EAS client. Can you tell me at the EAS protocol level what would cause a device to fail? I’m being rejected with a 403 error before it even generates a 449 to ask for provisioning.

  12. nephmon says:

    (I’m pete from the last post). BTW, I send PolicyKey of 0 on the first request, expecting to get a 449 response, but always get a 403. It’s the same no matter which version of the protocol I implement, 2.5, 12.0 or 12.1. OPTIONS works OK, though, so I’m authenticating correctly.

  13. nephmon says:

    Never mind, figured it out. It seems you can’t do the lazy provisioning now where you can wait for 449 response and then do the Provision. You have to preemptively provision before the first actual request.

  14. Bharat Suneja [MSFT] says:

    @Pete/nephmon: That seems logical – Exchange won’t allow sync before provisioning.

  15. Bharat Suneja [MSFT] says:

    @sltech: You can post in the Exchange forum (mobility) on Technet, or contact your device vendor for support.

  16. nephmon says:

    Yes, Bharat, but if the "allow non-provisionable devices" check box is checked, it behaves differently. In that case, it will respond to a device that doesn’t send a policy key with a "449 – needs provisioning" error, making it clear what’s required. If the check box ISN’T checked, it always responds with a "403 – not authorized" error. I believe it’s this inconsistency that prevented the iPhone syncing with servers that had the check box unchecked before version 3.1 of the iPhone software.

  17. Fred says:

    What about certificate enrollment for iPhones? How can you get the certificate on the iPhone device if private key export is not allowed?
