With the release of Apple’s iPhone SDK now come and gone, and the enhanced IT-oriented capabilities planned for the next major iPhone software update in June, it’s clear that the iPhone is going to be a corporate mainstay.
Still, at its heart, the iPhone is a consumer device, so IT leaders still have to ensure that the iPhones that come in the door fit their data management and security strategies.
So, where to begin gearing up the iPhone for use at work? How can you satisfy executive demands to make the iPhone fit for corporate essentials while maintaining security and manageability? For those looking to get a jump on business-enabling the iPhone, here’s a handy guide on what’s currently possible and how to get it done. (Note that everything here applies to the iPhone’s voiceless cousin, the iPod Touch with the January 2008 software update.)
Accessing corporate e-mail
IBM’s promise of a Lotus Notes client for the iPhone remains unfulfilled. The iPhone 2.0 software update due in June will add an Exchange client. But in the meantime, if your business uses either system, you can provide e-mail access today via POP3 or IMAP, popular protocols that many businesses already support.
In either case, the iPhone’s Mail setup is where to begin configuring host addresses, user names, passwords, and SSL authentication.
A tip for Exchange: Even though the iPhone’s current Mail setup includes an Exchange pane, don’t use it. Use IMAP instead; the Exchange pane doesn’t work. (Even Apple’s support pages say to use the IMAP pane.)
Many businesses prefer IMAP over POP3 because IMAP provides greater control over message management, such as keeping the mail folders synchronized as mail is moved on any client. The iPhone will connect to the IMAP server and detect most settings automatically, making setup easy in most cases.
You can adjust the SSL settings, IMAP path prefix, server port, and other such settings by scrolling down to the Advanced portion of an individual mail account’s setup area. Note that the iPhone’s SSL options have been significantly enhanced from the first iteration’s number-only token scheme.
What you can’t do today with the iPhone — out of the box, anyhow — is get the BlackBerry’s push-based approach to e-mail, in which the mail server sends messages to the device rather than requiring the device to query the server to gain access to new messages.
This push-based approach makes it harder for someone to spoof the e-mail server. To push e-mail to an iPhone (or most other mobile devices) today, you need a mobile server, such as those from Visto and Synchonica; these integrate with your Exchange or Domino server.
But that will also change in June, when the iPhone 2.0 software includes Microsoft’s Exchange ActiveSync technology. ActiveSync lets the iPhone use Microsoft’s Direct-Push e-mail feature (Windows Mobile and Palm OS devices use ActiveSync as well to gain this capability; Research in Motion has built in its own push e-mail technology into its BlackBerry Enterprise Server product).
With Direct-Push, the connection between the OWA (Outlook Web Access) server’s mail port and the mobile device remains open so that new messages are instantly visible. (The iPhone does use OWA as its connection to Exchange, just as Microsoft’s Entourage e-mail client does for the Mac OS.)
Until the new software ships, you’ll have to live with the iPhone’s periodic mail checks (15 minutes is the shortest period, though you can easily find SSH hacks on the Web to reduce that window.)
Accessing calendars and other shared data
The biggest issue Exchange and Notes shops face today in business-enabling the iPhone is providing access to calendars, address books, and other PIM data beyond e-mail.
Come June, Apple’s software update will add an Exchange client, giving you the same access to e-mail, calendars, contacts, and notes as you get in Outlook or Entourage on the desktop.
Until then, calendars and contacts can be synchronized between Exchange and the iPhone, but this must be done through iTunes, meaning you will need a PC or Mac to act as an intermediary.
For Windows (XP or Vista) shops tapping Outlook 2003 or 2007, syncing is straightforward through iTunes. Connect the iPhone to your intermediary PC and select it in iTunes’ Devices list. Open the iTunes device Info pane and choose the calendars and contact sources you want to sync. If you have problems, consult Apple’s common fixes.
On the Mac, use the built-in iCal and Address Book software as the way station, and then configure Entourage to sync with them (use the Sync Services pane of the Preferences dialog box).
In iCal, you must create and use a calendar called Entourage for any entries you want synced to Exchange. (And Exchange calendar items will be placed in iCal in the Entourage calendar as well.) Then, with your iPhone physically connected and selected in iTunes’ Devices list, open the Info pane to choose the calendars and contact sources to be synced.
All three programs — Entourage, iCal, and iTunes — must be set up properly for this ménage à trois to work.
A tip: In Entourage’s preferences, choose whether to sync your server’s calendar or your local calendar. If you change this setting, it’s very likely that your calendar will stop syncing. It turns out the issue is in iCal: You’ll see multiple Entourage calendars listed (one for each time you changed the setting in Entourage).
Delete all but the “real” Entourage calendar (you can right-click on a calendar and choose Delete from the contextual menu).
Likewise, for Notes on the Mac, iTunes is the go-between as described for Exchange — and you will need a separate app, such as Information Appliance Associates’ PocketMac GoBetween, to make iCal and Address Book sync with Notes.
Ironically, there doesn’t appear to be a way to get calendar and address book data from Notes to the iPhone in Windows. If IBM follows up on its promise to ship a Notes client for iPhone, there’ll be no need for a third-party app or other work-around.
You can, of course, access calendar and contact data without connecting through the desktop by tapping Exchange or Notes Web access via the iPhone’s Safari browser. Unfortunately, navigating those desktop-oriented pages even in the iPhone’s fairly large screen makes this method a somewhat frustrating quick fix.
Securing the iPhone
The biggest issue for IT when it comes to the iPhone has been security, even with the availability of SSL authentication for securing e-mail connections. Make sure your Exchange or Domino server requires SSL and one of these SSL options: MD5 challenge-response, NTLM, or HTTP MD5 digest. The iPhone also supports password-based SSL authentication, but that can be more easily spoofed than the other options.
All SSL does, however, is encrypt e-mail messages, not any other traffic between the iPhone and the company’s servers. Typically, you would mitigate this concern by using a VPN client — or a BlackBerry or Motorola GoodLink server and its proprietary secured network — as the conduit to safeguard all traffic with the iPhone.
The iPhone didn’t originally support VPNs, but Apple added that capability via a software upgrade in late 2007.
The iPhone’s VPN capabilities are solid — comparable to Windows Mobile and Palm OS devices — with a choice of L2TP and PPTP protocols and support for EMC RSA Security’s SecurID key-based authentication. (You access those through the General preference pane’s Network option.)
But the iPhone VPN client does not work with all VPNs; Cisco-based VPNs in particular are incompatible unless they are set specifically for Mac OS X and iPhone compatibility.
The June iPhone software update will improve VPN capabilities by supporting Cisco IPsec and two-factor authentication, certificates, and identities, Apple said.
Three security issues have caused the most complaints from IT, when compared with Windows Mobile, Palm OS, and BlackBerry. Apple plans to address all three in the June software update, though the details are not yet fully clear.
First, the iPhone has not provided device encryption, meaning that any data stored on the iPhone can easily be obtained by a thief. With nearly 16GB visible to PCs as an external drive when connected over USB, the iPhone can store a lot of could-be precious corporate data.
Second, password protection on the iPhone is scant. More than providing a four-digit maximum for passwords, the iPhone has provided no way to enforce password use or policies as users can simply turn the password feature off.
Third, the iPhone’s lack of a remote lock or kill feature has left IT in the lurch if the device is stolen or lost.
Apple said it will add on-device encryption, IT-manageable security policies and remote-kill features as part of the iPhone 2.0 update, though it is unclear whether this means IT will need an iPhone-specific management tool or can use popular management systems they likely have already deployed.
Apple is making the new software available before the June release to IT organizations willing to test the beta version.
In the meantime, IT will have to decide whether these three security shortfalls justify banning the iPhone from the enterprise until the new software is out and its capabilities better understood.
A good way to judge that is to make an honest assessment: Are you as tough on USB thumb drives, smartphones, and work-at-home users’ PCs as you want to be on the iPhone?