There has been a great deal of discussion (and confusion) over the last few days regarding a bug exposed by the recently released iPhone OS 3.1 software, concerning encryption and Exchange connectivity from the original iPhone and the iPhone 3G (the iPhone 3GS is not affected).
First, the good news: this does not impact AEMS users, since we do not have the relevant ActiveSync policy setting enabled.
So what is the fuss about? Well, there is a setting in Exchange ActiveSync mailbox policies that allows Exchange administrators to require that any device connecting to their Exchange environment via ActiveSync have device encryption turned on. (This does not refer to encryption of the connection between the device and the server, but rather encryption of the data sitting on the device. Transport encryption is handled by HTTPS.) Neither the original iPhone nor the iPhone 3G has the hardware support needed for device-level encryption; that feature was not introduced to the iPhone platform until the 3GS was brought to market.
Now stay with me. This is where it gets complicated. Although the first two generations of iPhones do not support device encryption, prior to the iPhone OS 3.1 release, if the Exchange server said “Hey, we require device encryption,” these older iPhones would report back (with fingers crossed behind their backs like truant children) “No problem. I’m encrypted.” In other words, the iPhone would spoof the relevant flag in its ActiveSync conversation to convince the server that device encryption was turned on.
With the release of iPhone 3.1, this behavior changed. Now when the server tells these older devices that device encryption is required, they no longer fib, and the iPhone user receives an error which says:
Policy Requirement
The account “_______________” requires encryption which is not supported on this iPhone.
In other words, this isn’t really a bug, but rather the software on the iPhone finally coming clean in its negotiations with the server about its capabilities.
So, what’s the solution for those encountering this error?
- Get an iPhone 3GS, which DOES support device-level encryption, or
- Cajole the Exchange administrators into turning off the device encryption requirement.
The first solution is annoying and costs money. The second may not be viable depending upon the security requirements of the environment in question.
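For administrators weighing that second option, here is an added example (not from the original post) that lists which ActiveSync mailbox policies require device encryption and how many mailboxes each is assigned to, so the scope of the change is clear before the setting is touched. It assumes the Exchange 2007 SP1 / 2010 Management Shell and an account allowed to read mailbox settings; policy names and counts are whatever your environment returns.

```powershell
# Added example (not from the original post): audit which Exchange ActiveSync
# mailbox policies require device encryption and how many mailboxes each one
# covers. Only a policy with RequireDeviceEncryption = $true will produce the
# "Policy Requirement" error on a first-generation iPhone or iPhone 3G
# running OS 3.1, now that those devices no longer spoof the flag.
# Assumes: Exchange 2007 SP1 / 2010 Management Shell (Get-ActiveSyncMailboxPolicy,
# Get-CASMailbox) and rights to read mailbox settings.

# Tally mailboxes by the policy explicitly assigned to them.
$byPolicy = @{}
$unassigned = 0
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    if ($_.ActiveSyncMailboxPolicy) {
        $name = $_.ActiveSyncMailboxPolicy.Name
        $byPolicy[$name] = 1 + [int]$byPolicy[$name]
    } else {
        $unassigned++
    }
}

# One row per policy, encryption-requiring policies first. A missing key in
# $byPolicy casts to 0, so policies with no mailboxes still show up.
Get-ActiveSyncMailboxPolicy |
    Select-Object Name, RequireDeviceEncryption,
        @{ Name = 'AssignedMailboxes'; Expression = { [int]$byPolicy[$_.Name] } } |
    Sort-Object RequireDeviceEncryption -Descending |
    Format-Table Name, RequireDeviceEncryption, AssignedMailboxes -AutoSize

# Mailboxes with no explicit policy are reported separately; whether the
# default policy applies to them depends on the Exchange version in use.
Write-Host "Mailboxes with no ActiveSync policy assigned: $unassigned"
```

Run it before and after any change to the policy so you can confirm that only the intended policy's RequireDeviceEncryption value moved.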
To reiterate, this is not an issue for the Austin Exchange Messaging Service, since our ActiveSync policy does not currently require device encryption, so rest easy…