Fixing a major but unacknowledged bug in the operating system, last week’s iPhone OS 3.1 update has rendered most iPhones and all iPod Touches incompatible with Exchange 2007 servers that require on-device data be encrypted, a standard safeguard used by businesses.
In other words, Apple has fundamentally betrayed its iPhone users and the businesses that have either explicitly or implicitly supported the device.
If you’re like me, you probably ran the iPhone OS 3.1 update late Friday along with all the other Mac OS X updates. And perhaps, like me, you found your device no longer syncing to your company’s Exchange 2007 Server. I, for one, assumed something had changed on the back end. After all, a dot-one update is a bug fix, so there shouldn’t have been anything major to watch out for. But I learned Monday it was the update itself that was to blame.
My first reaction was, “Damn. Now I can’t check e-mail or schedules when not at my desk. I wonder how long it will take for Apple to fix the issue.” Our IT department is not about to relax its encryption requirement to deal with a change in Apple’s OS. Why should it?
Then it sank in. The iPhone has been falsely reporting to Exchange servers since July 2008 that it supports on-device encryption.
The lie the iPhone has been telling
That’s right. Thousands of users have been accessing e-mail, calendars, and contacts over Exchange connections through their iPhones or iPod Touches, not knowing they were compromising their corporate security. During that entire time, Apple has extolled its support of Exchange and convinced many businesses that the iPhone was a corporate-class device they should embrace or, at least, tolerate.
How many businesses will revisit that support now that they know Apple shipped and promoted a product as fit for business only to later find that the device had a major security flaw? Apple clearly knew of the flaw at some point; otherwise, it would not have fixed it in the iPhone OS 3.1 update. Worse, how many users or businesses will trust Apple, now that they know it not only hid a major flaw from their attention but also slipstreamed a fix that broke compatibility with most of its devices?
Consider the implications on Mac OS X Snow Leopard, which now boasts the same Exchange support as the iPhone. As of the Mac OS X 10.6.1 update of last week, it still works with our encryption-requiring Exchange 2007 Server. But how does anyone know Snow Leopard won’t have a similar breakdown in the future, if not for encryption then for something else?
I suspect that Apple has set back its enterprise cause several years, if not permanently.
The fundamental damage that Apple has done to itself involves trust. IT may be glad that now unencrypted iPhones and iPod Touches — meaning every model except the iPhone 3G S released earlier this year — aren’t violating their security policies. But IT won’t be happy about learning those devices were insecurely accessing their Exchange servers or about dealing with all those users whose iPhones and iPod Touches suddenly have lost access to Exchange.
No good options to fix the problem
And IT won’t be happy to follow Apple’s official suggestions: Either replace the devices with 3G S models or change the security policies to allow at least iPhone users to access Exchange without requiring on-device encryption. Neither option is realistic, and both show an amazing naïveté, or perhaps arrogance, about Apple’s view of the business environment.
The third option — downgrading the iPhone OS to 3.0 — is unrealistic for many users. If you’re lucky and the last backup of your iPhone has the previous OS, go to iTunes and click Restore. Otherwise, you need to have a copy of a 3.0-based backup (Mac OS X users who have Time Machine running likely will), or you need to download the 3.0 version from BitTorrent or other questionable sites, then restore your iPhone or iPod Touch using that older OS. Note that you have to Option-click (in Mac OS X) or Shift-click (in Windows) the Restore button in iTunes to be able to choose that backed-up or downloaded 3.0 OS. After the restore is complete, you’ll likely have to reinstall some apps, update your music files, and so forth to reflect changes made since the last backup; if you have no backup, you’re essentially starting over. Despite what I read on various blogs, I was able to restore an unsanctioned iPhone OS 3.0 onto my iPod Touch using the new iTunes 9.
I have my Exchange access back — but I had to become a hacker to do it. Few people will do that. And many organizations may decide to ban all iPhones and iPod Touches from Exchange rather than risk access by unencrypted devices that hack around their security policies by downgrading to the 3.0 OS or not upgrading to the 3.1 version.
There’s a fourth possible option, which is the only one that would satisfy legitimate IT security concerns: Apple revs iPhone OS to include software encryption, so the pre-3G S devices can honestly tell Exchange 2007 they support on-device encryption. But Apple has avoided implementing such encryption since Day 1, except for the 3G S released in July. I’m betting there’s a reason the on-device encryption is available only on the faster-chip model. Plus, Apple has been very clear in saying it won’t support simultaneous processes in the iPhone OS, which any software encryption would likely need.
Does Apple have a plan to reenable the pre-3G S models’ ability to work with Exchange when encryption is a requirement? I asked Apple that question yesterday, and a spokeswoman said she would let me know when she had an answer. So far, there is none.
The sick feeling of betrayal
I really like my iPod Touch, but at this point, I won’t buy another one or an iPhone. Right now, I simply can’t count on Apple to do the right thing. If I did get a 3G S or some future encryption-enabled iPod Touch model, what other nasty surprise will I find a year on?
While the apps are fun and being able to go to the Web when on the road is useful, the major benefit that I — and most business users — get is access to e-mail and calendars. If the devices touted for more than a year as great at doing that really can’t do it in the real-world business context, they’re not worth the several hundred dollars they cost or the limited space in my pockets. I can get a Palm Pre instead; after all, it still works with Exchange, and for my on-the-road music, I can bring along a cheaper iPod.
I’ve been a champion of the iPhone as more than a fancy iPod for a couple years now, suggesting that businesses give it a serious look despite some of its more IT-desired omissions. Now, I feel embarrassed for having done so. I’ve tolerated Apple’s half-baked iPhone management tools, given that the company has been careful not to claim professional-level management support. But Apple’s made a lot of hay about its Exchange support. Yes, it technically supports Exchange, but not in the way that anyone would expect in the real world. Yet Apple let us all think it did. Then it revealed the truth in a damaging, surprising, inconsiderate way.
That’s a double betrayal. And a sad, sick feeling.
Apple has to move quickly to fix the immediate problem and start giving business users the information they need and the respect they deserve.