September 15, 2009 8:51 PM PDT

Apple explains iPhone OS 3.1 Exchange changes

by Jim Dalrymple

iPhone and iPhone 3G users hit a roadblock last week trying to log in to Exchange 2007 servers after upgrading to iPhone OS 3.1.


Because the problems began with the latest update, it may seem reasonable to assume that the update is to blame, but it's not. In fact, everything is working exactly as it's supposed to, according to Apple.

"iPhone OS 3.1 is working properly with Exchange Server 2007," Apple representative Natalie Harrison told CNET News. "We added device encryption information to the data that can be managed by IT administrators using Exchange Server 2007. The policy of whether to support iPhone 3G, in addition to iPhone 3GS, which always has on-device encryption, on Exchange Server 2007 is set by the administrator and can be changed at any time."

What this means is that iPhone OS 3.1 now properly reports to Exchange 2007 whether the device has hardware encryption, and that's what is causing the problems for iPhone and iPhone 3G users.

iPhone OS 3.0 did not identify itself properly to Exchange 2007 on any iPhone. This means that if you had a 3G and Exchange 2007 was configured to require hardware encryption, you could still log in, even though the device does not have hardware encryption.

With iPhone OS 3.1, all iPhones identify themselves properly to the server, essentially fixing a glitch in the previous operating system. However, iPhone and iPhone 3G users who upgraded to iPhone OS 3.1 now cannot log in to Exchange 2007 servers that require hardware encryption.

If you use the new iPhone 3GS, you won't notice any change. Apple's newest phone is equipped with hardware encryption, so it will meet the requirements of the Exchange server when identifying itself.

If you already upgraded to iPhone OS 3.1 on an iPhone or iPhone 3G and connect to an Exchange 2007 server, you can ask that the IT admin turn off the hardware encryption requirement for those devices.

Company IT administrators who require hardware encryption to access Exchange 2007 will need to decide whether they want older iPhones to access their servers. If so, they will need to configure Exchange to not require encryption from the iPhone and iPhone 3G.
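One way an administrator could scope that exception, shown as an added example for the Exchange Management Shell (not from the article, Apple or Microsoft): rather than clearing the encryption requirement on the policy everyone uses, create a second ActiveSync mailbox policy and assign it only to named mailboxes. The policy name and mailbox aliases are placeholders, and the password settings are assumed values.

```powershell
# Added example: run in the Exchange Management Shell on Exchange Server 2007.
# The policy name and the mailbox aliases below are placeholders.

$legacyPolicy = 'Legacy iPhone - No Device Encryption'   # hypothetical policy name
$legacyUsers  = 'alice', 'bob'                            # hypothetical mailbox aliases

# 1. See which existing policies require device encryption before changing anything.
Get-ActiveSyncMailboxPolicy |
    Select-Object Name, RequireDeviceEncryption, DevicePasswordEnabled

# 2. Create a separate policy for the older iPhones. Only the encryption
#    requirement is relaxed; device password, lock timeout and the
#    failed-attempt limit stay enforced (values here are assumptions).
if (-not (Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $legacyPolicy })) {
    New-ActiveSyncMailboxPolicy -Name $legacyPolicy `
        -RequireDeviceEncryption $false `
        -DevicePasswordEnabled $true `
        -MinDevicePasswordLength 6 `
        -MaxDevicePasswordFailedAttempts 10 `
        -MaxInactivityTimeDeviceLock '00:05:00' `
        -AllowNonProvisionableDevices $false
}

# 3. Assign the relaxed policy only to the mailboxes that need it.
#    Every other mailbox keeps the policy that requires encryption.
foreach ($user in $legacyUsers) {
    Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy $legacyPolicy
}

# 4. Audit: list every mailbox that is exempt from the encryption requirement.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncMailboxPolicy -like "*$legacyPolicy*" } |
    Select-Object Name, ActiveSyncMailboxPolicy
```

Mail cached on devices under this policy is stored without hardware encryption, so the list from step 4 is the one to review as those phones are replaced.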

Of course, if you haven't upgraded your iPhone, it will continue to access Exchange 2007 as it always did.

Jim Dalrymple has followed Apple and the Mac industry for the last 15 years, first as part of MacCentral and then in various positions at Macworld. Jim also writes about the professional audio market, examining the best ways to record music using a Macintosh. He is a member of the CNET Blog Network and is not an employee of CNET. He currently runs The Loop. You can follow him on Twitter @jdalrymple.
by Seaspray0 September 15, 2009 10:18 PM PDT
Well, now I know why someone wasn't getting their email properly.
by Random_Walk September 16, 2009 6:40 AM PDT
It's just a couple of checkboxes in the Exchange Management Console; I squished that one yesterday. :)
by Vegaman_Dan September 16, 2009 12:34 PM PDT
It's an easy thing to find and fix if you're used to managing the server, but it isn't something that Apple really made known to anyone. It was a failure on Apple's part to address the issue in a timely manner- especially since it was a known issue before they released the product.

But again, easy to deal with on the back end.
by gggg sssss September 16, 2009 7:49 PM PDT
@Random_Walk better to just ban iPhones tho
by avo773 September 15, 2009 11:10 PM PDT
now the only problem with 3.1 is the fact that it takes 3-5 tries to send a text, not receiving texts and getting "call failed" messages. i just upgraded to the 3G S 2 weeks ago. this crap shouldn't be happening to a brand new phone!
by ikramerica--2008 September 15, 2009 11:58 PM PDT
try restoring the phone to factory and then resyncing it. not seeing the problem you speak of with same phone.
by pjhenry1216 September 16, 2009 3:37 AM PDT
i like how a phone restore is the common answer to problems. sounds a lot like "format and reinstall windows" to me.
by EskWIRED September 16, 2009 5:48 AM PDT
"Format and re-install Windows" is exactly what it is like.

I had to do it to my 3GS because a phone call came in during a sync. Somehow, this screwed the pooch with the file system.

I lost all my bookmarks, all my application settings, everything. I had to rearrange over a hundred icons using the lousy iPhone user interface.

iTunes 9.0 has a means to rearrange the icons using your computer. But in order to do so, you first have to let iTunes move (and misplace) ALL of your icons to one of Apple's 3 pre-set arrangements. No thanks.

Worst of all, unless you allow iTunes to rearrange all of your icons, you can never again use iTunes to sync apps from your computer to your phone.

So far, I've found the iTunes/iPhone software to be horrible. How did Apple get a reputation for making good software? Is it just the pretty animations, hypnotizing amateur computer users
by Vegaman_Dan September 16, 2009 12:37 PM PDT
@EskWIRED:

"How did Apple get a reputation for making good software?"

They have a good reputation for making a good OS. The software, including QuickTime and iTunes, is widely ridiculed and despised across the industry.
by mathmeister September 16, 2009 2:23 PM PDT
@EskWIRED: Huh? I upgraded to iTunes 9 and didn't have to select any prearranged icon order. The app icons showed up exactly as they were on my phone and I was free to rearrange as I wanted to (or not).
by skatemusiclife64 September 16, 2009 7:37 PM PDT
ESKWired- what are you talking about? I didn't have to choose a "preset". You must be imagining things. What are you talking about when you say

"Worst of all, unless you allow iTunes to rearrange all of your icons, you can never again use iTunes to sync apps from your computer to your phone."

I know a psychologist I can refer you to.
by vaibhav92 September 15, 2009 11:57 PM PDT
I fail to see how it is an Exchange problem. If the device says that it has support for h/w encryption then Exchange is right in enforcing encrypted communication. The real problem as I see it is that the older devices tell Exchange that they have h/w enc. even though they don't have one. So really it's Apple's fault rather than Exchange's.

Getting IT admins to configure Exchange to turn off encryption for these devices.. I am laughing my *ss off... It's the same kind of attitude that has got Apple such a bad repute with most enterprises.

Keep it up apple..you are doing what you do best ... i.e stink
by luckywab September 16, 2009 1:36 AM PDT
Did you read the article? Nowhere does it say it's an Exchange problem. Apple fixed a bug, simple as that. IT doesn't need to do anything they wouldn't already have to do for other unsupported devices.
by qwerty-berty September 16, 2009 1:52 AM PDT
Yes this is a big deal, especially at a time when Apple are trying to build up momentum with business users - I bet they wish they could snap their fingers make all 3G models just vanish overnight, to be replaced with 3GS of course. Taking advantage of a security hole was very sneaky indeed, causing an even more embarrassing u-turn and I wouldn't be surprised if somebody was fired over this.

Make no mistake, this isn't a ploy to encourage another round of device upgrades. Apple looks bad to both the users that can't access exchange and also the business who they are suggesting should lower the bar on their security.

Not sure why you need to be such a fanboy about it though, you already had an insightful enough comment.
by Maclover1 September 16, 2009 4:43 AM PDT
The Apple iPhone Enterprise manual has ALWAYS stated that it does NOT support encryption. What was wrong was that the iPhone was actually acting like it was and so the Exchange 2007 encryption was working.

3.1 fixed it by turning it off, or stating correctly that it is not using encryption, so now if you are requiring that on your Exchange server then it won't work with an iPhone.

Exchange 2007 encryption is hardly ever used so this is basically a non issue for most. The SSL tunnel is still there, encrypting the connection and the data will pass through that tunnel. What this option does is encrypt the data inside the already encrypted tunnel. Double encryption. This was added by MS in 2007 to compete with RIM, as RIM has always done this on the Black Berry and that is why the government uses Black Berry.
by Random_Walk September 16, 2009 6:42 AM PDT
It's a couple of checkboxes in Exchange at the mailbox server. Seriously - compared to shaking out troubles with BES, this one was VERY easy.

Signed,
-The IT guy who has to troubleshoot all the email glitches.
by solicitehere September 16, 2009 9:18 AM PDT
This is not an Exchange problem. Exchange has worked wonderfully for businesses for years. I don't know how a large business could survive these days without it. Apple simply wanted to make their product the way "they" wanted to regardless of other companies' wishes. This will all catch up with Apple eventually and they'll have another terrible blunder as they typically do every 10 years or so. I wouldn't let iPhones be used in a business setting for security reasons and Apple's slow patch time. iPhones are huge now, that means they are going to be hacked again and again like they've been since their release. Welcome to the real market Apple, better late than never I guess.
by Synthmeister September 17, 2009 3:52 PM PDT
Until 2007 and WinMo 6.0, all WinMo phones worked the same way that the older iPhones work. I.e. device encryption was not an option till fairly recently with WinMo cell phones. For example, under WinMo 5, EAS remote wipe couldn't clear any data on a SD Flash card. Since most WinMo phones shipped with very little included storage, any important data was most likely kept on this impossible to wipe Flash memory.

All phones before WinMo 6 have the same security issue and even the Pre can't handle this feature. It's really not as big a deal as all the hype would have you believe. Apple really hasn't touted full exchange support till OS 3.0.
by moon1234567 October 27, 2009 2:47 PM PDT
The problem with Apple is they could have chosen to support device encryption via a software solution for the older devices. This is how it is done on many Windows Mobile devices. The fact that APPLE CHOSE NOT TO do this shows that they are not serious about business.

This response from Apple is just disingenuous. They should have been forthcoming with users and apologized. The better solution would have been to offer software based device encryption. Leave it to the user to decide if any slowdown on the device is worth it in order to be able to sync with Exchange 2007.

Bad Apple. Bad.
by vaibhav92 September 16, 2009 1:44 AM PDT
"Because the problems began with the latest update, it may seem reasonable to assume that the update is to blame, but it's not."

If it's not iPhone's problem then surely it's Exchange's problem...... oh wait, maybe it's again AT&T's fault..

Iphone was advertised and sold as compatible with Exchange then how and with this update it's no more so. All those people who bought this piece of junk were totally ripped off. And the only solution that apple has that IT admins should turn off device encryption for the device.. Is this even realistic !!!!!
by Steve__S September 16, 2009 9:11 AM PDT
"Iphone was advertised and sold as compatible with Exchange "

The iPhones which were sold as being compatible with Exchange (the 3Gs) aren't having problems. Earlier models did receive a free upgrade of the OS which included this capability, but that didn't automatically give those older models built in hardware encryption like the 3Gs model has. Further, technically, being compatible with Exchange and supporting device encryption are two different things.

"All those people who bought this piece of junk were totally ripped off."

No, they weren't ripped off as this was not an advertised feature when the older devices were sold. Further, the iPhone is hardly a piece of junk.

"And the only solution that apple has that IT admins should turn off device encryption for the device.. Is this even realistic !!!!!"

No, it's likely not very realistic. Then again, companies aren't going out to purchase old phones to use with their Exchange servers. Apple clearly spells all of this out in their Enterprise deployment guidelines. Nobody bought an iPhone under false pretenses. There is no good solution for the older iPhones as they don't have built in hardware encryption. Older models didn't have remote wipe either. Only the 3Gs model is billed as enterprise ready and rightfully so.
by WNCmotard September 16, 2009 3:49 AM PDT
Asking the IT staff to disable a security feature is NOT a solution for bad updates from crApple. Before everyone slams me thinking I'm just another Apple hater, I own two ipods. One nano and one touch, and love them both. Apple's support however, has been a joke anytime I've needed it.
by Maclover1 September 16, 2009 4:46 AM PDT
And yet Apple's support is rated #1 year after year compared to PC vendors. Apple has never said to turn anything off.

This feature, that is hardly ever used on Exchange 2007 and not even supported on previous versions of Exchange, was clearly stated as not doable on the iPhone. In FACT only Windows mobile 6.1 can support it, so 5.0 and 6.0 can't use it either. It's NOT turned on by default on Exchange 2007 when it's installed. The standard SSL requirements are still in place, encrypting the tunnel.
by nrlz September 16, 2009 4:47 AM PDT
I don't know anything about Exchange, but if it allows you to disable it only for iPhone users, then that is acceptable, because it is just being honest that the iPhone doesn't support encryption. However, if Exchange cannot differentiate between devices, then Apple's suggestion would certainly be uncalled for.
by vaibhav92 September 16, 2009 6:50 AM PDT
@Maclover1
"This feature, that is hardly ever used on Exchange 2007 " ... ***

Did you know that HIPAA mandates encryption of all emails (including transmission/cached). So all those executives/employees at insurance companies using this damn phone were just putting their org's compliance at risk. I am sure you will feel great when an iphone containing all your health records is lost/stolen and hackers can simply get all that info by simply jailbreaking the phone.

This issue is a perfect example of customer deception. Iphone 3g was sold as an exchange compatible device and this update simply proves that apple was lying for all this time. PERIOD.
by askgees September 16, 2009 7:19 AM PDT
T Maclover1- Might I suggest you read or LEARN TO READ.



"iPhone OS 3.1 is working properly with Exchange Server 2007," Apple representative Natalie Harrison told CNET News. "We added device encryption information to the data that can be managed by IT administrators using Exchange Server 2007. The policy of whether to support iPhone 3G, in addition to iPhone 3GS, which always has on-device encryption, on Exchange Server 2007 is set by the administrator and can be changed at any time."



The sales and market share tell the true pic. Apple is a child's toy. Spend 1200.00 on a notebook that is 4 years behind the latest PC and it lasts approx. 3 years. JUNK. [CNET editors' note: Personal attack deleted.]
by daveshax September 16, 2009 4:38 AM PDT
Jeez, this is Apple all over. Making stuff work beautifully at the expense of security. 'Hacking' their way to profit.
by qwerty-berty September 16, 2009 5:31 AM PDT
This latest move from Apple is exactly the opposite - breaking stuff in the name of security.
by pylamhk September 16, 2009 5:04 AM PDT
Why does Exchange assume iPhone pre-3.1 is encrypted?
by tektaktyks September 16, 2009 5:42 AM PDT
once again, when was anything Apple's fault? never.
by WinNoMo September 16, 2009 6:59 AM PDT
The better Apple does, the more they innovate, the more their shares go up up up in value, the more MS Bots are in here bashing. Sad really. Oh look! Apple is up $3.2 to $178.38 (1.84%) and MS is down .01 to 25.19 (.04%)

Cry me a river, Apple implemented a security fix on the iPhone. Time to bash!
by WinNoMo September 16, 2009 8:53 AM PDT
Did I say Apple was up $3.2? My bad. Now it's up $4.97 and MS is down .14 to 25.06

Where do you want to go today? Down, down, down.

Where they belong.
by WinNoMo September 16, 2009 7:05 AM PDT
Why is MS stock lagging so badly? To match the performance of the company. Their business practices and shoddy products are finally catching up to them. So people like myself have had enough. I stopped using MS products. ALL MS products. And my life couldn't be better. There are others that have seen the light as well. Our numbers are growing. And MSFT shares are reflecting this trend. Win7? A band-aid on a sucking chest wound. MSFT has a head injury and they are applying their own tourniquet on their neck.
by Mark_Anderson September 17, 2009 4:54 AM PDT
You're the guy who got banned on ZDNet, right?

Good to see you trolling here. Well until they ban you anyway.
by Macbrewer September 16, 2009 8:32 AM PDT
The iPhone supports encryption over the connection, it's just not encrypted on the device. But, Exchange stores the message on the server anyway, so just use login for access. If your device is lost and someone tries to hack the information off of it, they won't have your outbreak/exchange password anyhow, and if you set it to erase after 10 attempts, the data on the device will be erased if the device is lost.

This is a lot of FUD from the Softie fanboys, as usual. The more Apple grows, the more FUD we see. I think it's quite entertaining.
by vaibhav92 September 16, 2009 9:26 AM PDT
@Macbrewer

Do you realize that iPhone caches your mail bodies so that you can view frequently viewed mails without any latency? So even though the mail might be safely encrypted on the server end it can be still accessible to any eavesdropper who happens to have physical access to your phone.

For the 10 Failed Attempts Data Wipe BS... is it a default setting for the phone.. the answer is NO... Also even though you have configured your phone for this, it will be still possible for a hacker to jailbreak your phone to access all the data residing on it.

Dream on fan boy.. dream on
by AllenKids September 16, 2009 9:06 AM PDT
For the Love of Beatles.

iPhone 3.1 breaks some iPhones' syncing because it was NOT supposed to work in the first place.
by MaggieRed September 16, 2009 9:10 AM PDT
This ranks up there with the galactically stupid behavior from Apple. I cannot understand their decisions here.
by Steve__S September 16, 2009 9:16 AM PDT
Is it "galactically stupid" to fix a security bug? iPhones without encryption should have never (incorrectly) reported that they were encrypting data. Once Apple was aware of the issue, it would have been negligent for not locking this down properly.
by MaggieRed September 16, 2009 12:18 PM PDT
No the bug fixes are fine. The issue is Apple is trying to break into the enterprise business, it is galactically stupid to pull stunts like these, as hard core IT people will simply lock out the device. If they spent the time in the bug fix and the result was to shut down support on 3G phones, why did they not spend more time and just implement software encryption. That would have been the smart thing to do.

This kind of behavior will only hurt Apple.

I'm an Apple supporter, you are missing my point.
by xvw199 September 16, 2009 10:13 AM PDT
To me there seem to be two issues:
1) iPhones 3G (and earlier?) said they had hardware encryption but didn't.
2) Exchange 2007 (and later?) accepted the statement blindly but did not in fact encrypt anything.

Note the email traffic is still encrypted by the SSL tunnel so the h/w encryption we are discussing is in addition to the transport encryption so I don't think HIPAA regulations and the like are compromised.

Seems there are two bugs here. If the phone says I do h/w encryption then Exchange sends encrypted messages the phone should not work. It must be the case that the phone says 'I can encrypt' and Exchange says 'Ok but I won't bother'. If the phone worked before it should work now. It is a totally bizarre scenario that the moment Exchange is told the phone can't do h/w encryption it starts to encrypt.

I think we need more information.
by vaibhav92 September 16, 2009 10:34 AM PDT
Do you really understand the issue? The problem is iPhone lied to the Exchange server that it's encrypting all persistent data that it's receiving from the server. This means that even if the phone caches or stores any info retrieved from the server it will be encrypted. Exchange server cannot in any case verify this claim and has to depend on what the device is saying.

In the past iPhone was lying to the server that it was encrypting even though it wasn't really doing that. So all that data was laying on the phone in clear text waiting to be compromised. This update stops iPhone from lying to the Exchange server hence the issue.

And regarding HIPAA please don't talk through ars From the HIPAA security doc "Require that all portable or remote devices that store EPHI employ encryption technologies of the appropriate strength;" more at http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806rev.pdf

This means that I can sue my health cover provider who happens to use iPhone < 3GS in their networks.
by brudgers September 16, 2009 11:26 AM PDT
I can't believe you people don't trust Apple.

We are talking about MS Exchange.

That's Microsoft.

How could it possibly be Apple's fault?

Please stop. Steve Jobs returning to announce ringtones is the most amazing remarkable really good thing ever.
by obgod3 September 16, 2009 12:05 PM PDT
It is a little ominous, here is the deal, there are two ways to use the iPhone and Exchange, one is a push or direct connect and as folks have stated may be an easy fix.

But I think it is more than that. The second way to connect is simply to setup an account on the iPhone to use your OWA server, works fine and sync perfectly, yes encrypted via SSL.

But the real deal is this: you don't need the extra $15 a month for enterprise services from AT&T to use OWA, but you do if it is a direct connect or push from Exchange.

This is not a security bug, the channel has been encrypted all along.

So is this really an issue or a play to get more revenue?

By the way 50% of the Macs we purchased last year are having major failures, hardware failures, over 50% ...yeh that great, don't expect to get any help from Apple, we have been trying for 6 months on some of these issues.
by obgod3 September 16, 2009 12:23 PM PDT
OK my bad, I found out if you're using OWA to connect then all you have to do is re-create the email account on the iPhone and it will sync back up, folks might want to consider this for two reasons, first no real security issues with the OWA connection and it syncs everything you want, also it is cheaper, you don't pay the extra $15 a month enterprise fee. Just set up an email account and point to your OWA server(s)
by 1Gremlin September 17, 2009 6:34 AM PDT
I upgraded to the new software and my Exchange stopped working. I simply went into my mail settings, then reentered my password. What do you know it started working again. Not rocket science. The other fact is that when I installed the OS upgrade I ALWAYS request the option to wipe the phone and install from backup.

1Gremlin
by jcoliton1 September 21, 2009 9:46 AM PDT
So - my server guys say that I have to go BACK to 3.0 OS - anybody know how to install an old version of the OS? (That will teach me to try and stay current!)