Device Encryption on Apple iPhones

Following up from my last post on enforcing security policies devices such as iPhones, I thought it might be worth clarifying how iPhones deal with encryption.

Essentially iPhones from the 3GS onwards are encrypted by default, this isn’t something the end user or administrator can control.  Earlier devices such as the iPhone and iPhone 3G do not support encryption at all, they’re simply not powerful enough apparently (Apple told me this!).

So if you use Exchange and wish to set the encryption security policies onto iPhones the ‘Require Encryption on the Device’ doesn’t actually do much in of itself – the device is either already encrypted or just can’t be.

Where it is useful is if you wish to block access to devices that cannot be encrypted.  In this case you simply set the ‘Require Encryption on the Device’ policy and uncheck the ‘Allow Non-Provisional Devices’ policy.  The iPhones will report back their support for encryption and Exchange uses this to evaluate whether they should be allowed on not.  So iPhone’s and 3G’s will be blocked.

Further info on iPhone support for Exchange ActiveSync Policies can be found here.

Android and iPhone Exchange Activesync Policies

Over the past couple of weeks I’ve been doing some work on how best to secure data on the myriad of mobile devices that are used these days to access email and calendar information.

It’s a hot topic at the moment, and so it should be.  Recently here in the UK the information commissioner brought in a £500,000 fine for each instance of information data loss.  Of course it would depend on the information lost, but hands up anyone who understands everything that’s on their companies smartphones and PDA’s… with info creeping out in email attachments or iPhone apps that cache your work username and passwords, it’s a real risk.

If you use MS Exchange, one of simplest ways to apply a level of security to mobile devices is to use the Exchange Activesync Policies that are included out the box.  These allow you to apply – and more importantly enforce – a range of configuration options on devices and block access to devices that don’t meet a minimum standard you decide on.

At the bottom of this post I’ve attached a spreadsheet which I’ve put together which details the policies available and the devices they are compatible with.  To get the information I spoke to MS, Google and Apple (thanks Jason) directly, so it should be accurate.  But I don’t have any contacts at Nokia or Palm so that info was taken from their deployment guides.

Part of the reason I thought I’d post this up is that I noticed a very similar doc was added to Wikipedia, but it doesn’t include some important information about the level of Exchange Client Access Licence (CAL) need to use some of the policies, nor does it talk about the differences between hardware versions of iPhone.  If I can bring myself to dive into the wiki mark-up language I’ll amend the article to include the info but for now I hope this spreadsheet helps some of you.

If you’re not currently implementing any policies in Exchange there are a few things to consider before you do. 

First think about the types of device currently connecting.  If you’ve been using Exchange EAS for a while the chances are you’ll have a range of kit from Windows Mobile 5 onwards.  This older equipment may not support many of the available policies, so if they’re company owned devices you may want to look at upgrading them rather than cut the users off entirely.  Unfortunately it’s not just older devices that don’t support all EAS policies correctly.  Modern OS’s such as Google’s Android and Palms WebOS don’t either. 

There are some simple reports that an be run using PowerShell that will list out all the device that connect in, including device type, versions and usernames.  Unfortunately the iPhone doesn’t report back its hardware version until iOS4 however.  I’ll try to follow up this post with the query details.

Remember that neither Google’s Android, Applies iPhone or iPhone 3G support any level of device encryption, which from a business perspective is a little scary considering their popularity.  What’s worse, early versions of the iOS3 firmware apparently mislead the Exchange server into thinking early iPhone were encrypted.  If you have a lot of these things out there but still want to apply a level of security you can buy yourself some time using the ‘Allow non-provisional devices’ policy. 

One option would be to create a basic security policy with all the PIN settings you want to apply and enforce that by un-checking the ‘allow non-provisional devices’ policy.  This will ensure that if a device doesn’t support the policy it can’t connect.  You could then create a seperate policy with the encryption settings and the ‘allow non-provisional devices’ enabled.  In that case the policy should apply only to those phones that support it.

As always, communication out to your end users is going to be key, especially if you have personal devices connecting to Exchange in addition to your company ones.  Whilst having a PIN etc is probably a fair exchange for the Exchange functionality they’ll receive, suddenly finding that your personal phone has had a PIN enforced and that your SD of music and photos has been encrypted is likely to annoy…  Something to keep in mind!

Anyway, here’s spreadsheet: Exchange ActiveSync Policies

Update 22/11/2010:  I have updated the table to include Windows Phone 7 as described here.

Bruno Senna at the Goodwood Festival of Speed

Bruno Senna posted a great clip of him driving one his uncles (Ayton Senna) old race cars back down the Goodwood hill to the paddock, filming the entire thing on his phone.   As Bruno says on twitter:

I was holding my mobile phone with my left hand and the steering wheel with the right. Don’t do this at home. Definitely not on the street!!

I thought this was a good demonstration of the reasons I love the Festival of Speed.  Where else would you get the best drivers in the world hooning the best cars in the world up and down someone’s driveway? 

Apples iPhone 4 Gyroscope

Chipworks MEMS gyroscope die

After reading about the iPhone 4’s gyroscope during WWDC, I have to admit I wasn’t sure how such a thing would work.  I’ve only ever really encountered the spinning gyroscopes you get as a kid, and I couldn’t really see something like that fitting in a phone!

Thanks to this Wikipedia entry, and  this article on ifixit.com the mystry is solved – worth a read if you feeling geeky.