Device Encryption on Apple iPhones

Following up from my last post on enforcing security policies on devices such as iPhones, I thought it might be worth clarifying how iPhones deal with encryption.

Essentially, iPhones from the 3GS onwards are encrypted by default; this isn’t something the end user or administrator can control. Earlier devices such as the iPhone and iPhone 3G do not support encryption at all; they’re simply not powerful enough, apparently (Apple told me this!).

So if you use Exchange and wish to apply the encryption security policies to iPhones, the ‘Require Encryption on the Device’ policy doesn’t actually do much in and of itself – the device is either already encrypted or just can’t be.

Where it is useful is if you wish to block access for devices that cannot be encrypted. In this case you simply set the ‘Require Encryption on the Device’ policy and uncheck the ‘Allow Non-Provisionable Devices’ policy. The iPhones will report back their support for encryption, and Exchange uses this to evaluate whether they should be allowed or not. So iPhones and 3Gs will be blocked.
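The same two settings can be applied and then checked from the Exchange Management Shell. This is an added example, not part of the original post; it assumes Exchange 2010 cmdlet names and a policy called "Default" (both assumptions, so substitute your own).

```powershell
# Added example. Assumptions: Exchange 2010 Management Shell, policy named "Default".
# Later Exchange versions expose the same parameters on Set-MobileDeviceMailboxPolicy.
$policyName = 'Default'

# Record the current values before changing anything.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, RequireDeviceEncryption, AllowNonProvisionableDevices

# Require encryption and stop admitting devices that cannot enforce the policy.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# After devices have synced again, review how the policy landed per device.
# Devices that report they cannot encrypt should no longer sync successfully.
$report = Get-CASMailbox -ResultSize Unlimited `
        -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $mailbox = $_.Identity
        Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
            Select-Object @{ Name = 'Mailbox'; Expression = { $mailbox } },
                DeviceModel, DeviceType,
                DevicePolicyApplied, DevicePolicyApplicationStatus,
                LastSuccessSync
    }

# Group by model and status so older models that stopped syncing stand out.
$report |
    Sort-Object DeviceModel, LastSuccessSync |
    Format-Table Mailbox, DeviceModel, DevicePolicyApplicationStatus, LastSuccessSync -AutoSize
```

Compare LastSuccessSync against the time the policy was changed: a device whose last successful sync predates the change and never advances is one the policy is now keeping out.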

Further info on iPhone support for Exchange ActiveSync Policies can be found here.

Join the conversation


  1. I believe the sentence “So iPhone’s and 3GS’s will be blocked” isn’t correct, and you meant to say “So iPhone’s and 3G’s will be blocked” – right?
