Corporate IT Hanging Up on Apple's iPhone

WSJdpatton writes "iPhones can be used for email, but many businesses don't plan to sync them with internal systems used to power Blackberries and Microsoft mobile devices. Employees eager to use the cool new gadget, however, may pressure IT departments to support iPhones even if it means incurring more costs and changing policies. The WSJ reports: 'Incompatible technology has become an increasing problem for businesses as hand-held email and phone devices are evolving into minicomputers that can do such things as download music, take pictures and surf the Web. In the past, businesses have been unwilling to support certain devices, like those with cameras, for instance, because of concerns employees could use them to document company secrets. But these tensions would be magnified if the iPhone is as popular as Apple is hoping and some analysts expect.'"

Summary of the article.

[ozmanjusri]

Companies who've locked themselves in to a proprietary email system can't change when a new (and potentially better) product is available.

Re:Summary of the article.

[Helvick]

My day job involves creating processes that allow our enterprise to securely build, deploy and manage configurations to mobile devices like mobile phones and blackberry. What I need to do (as any other systems admin does) is to create a repeatable, secure and reliable method of taking control of a physical device, securing it (so data and credentials on that device are safe and my enterprise can authenticate both the device and the user later) and configuring it. When you want to do that for 20000 or more users on five continents over 80 or more cellular providers you really want to be able to fully automate the process. That requires an SDK and a reasonably complete manageability API at the OS level that is available to you.

Otherwise the option is to go manual. Apart from the near impossibility of getting a user to reliably communicate a device's identity (ie a hardware device ID\Serial number\IMEI number) back into a configuration database you cannot seriously ask normal end users to poke around in config dialogs, changing and tweaking settings and expect everything to work. It can be done but your support desk overhead becomes criminally expensive. I haven't even begun to discuss the difficulties involved in effectively securing the authentication protocols used for your end users services - what are we proposing? Cached user names and passwords? X.509 certificates and mutual authentication? OTP's? If so how do you configure both ends so that you preclude man in the middle attacks and credential stealing?

Why do we need to authenticate the device? Well what happens when a user loses a device or its stolen? That happens on average twice a day for us worldwide BTW. We revoke the device's access and then provision the user with a new one. To do that we need to be able to auth the devices too. We could get away with not doing that but would end up having to cancel user accounts to remain secure.

The closed nature of the iPhone precludes the above and that is the reason enterprises are saying that it is not suitable. I think it's going to be a great consumer device and, yes, I want one too but we aren't going to see support and adoption in large organisations that care about security until they provide the tools to manage the platform correctly (or just open it up). If Apple come out with comprehensive configuration subsystem using (for example) OMA-DM via SyncML then things would be looking up.

Exchange support would be nice but it's not critical at all even for monocultural Microsoft shops. Anyone can write a gateway interface between Exchange and anything else if they want to. It may be proprietary but it isn't closed. That's a very important point here.

Re:Yawn

[nevali]

MS, to an extent, but mostly RIM.

I could be wrong, but I was under the distinct impression that the iPhone would do POP3/IMAP4, just like pretty much every other phone released in the past 12-24 months.

Re:Why must we continually re-invent the wheel?

[dave420]

Or use Exchange, and then not have to make any sacrifices at all. Businesses don't want to lose the competitive edge they have, so cutting back on functionality, especially functionality as important as group calendars, is a deal-breaker. Exchange isn't re-inventing the wheel, it's clearly better than the solution you suggested, functionality-wise at least. I'm not trolling for MS or anything, it's just that companies don't give a rat's ass about F/OSS (often to their detriment) - they look at feature lists.

Re:Yawn

[kingtonm]

There's nothing wrong with having well supported proprietry kit, if you're already bound in, just make sure you've got a good handle on the bed you've chosen to lie in. We run exchange here, that means I can sync all my mail and appiontements to my windows mobile device (which I happened to already own). The standard device of issue here is the blackberry. It works well, the firm knows how much it costs to run, upgrade, support and what they get out of it.

As people move from one firm to another, Crackberrys are so common the transition is often seamless. It's also nice in the fact that because there are so many users, I often overhear the execs and managers discussing tweaks and doing self-support.

For what it's worth, OTA syncing of mail and calendering is so totally piss poor being, as it is, supported by some of the most conveluted, non standard, standards you've ever seen. Have you ever tried writing anything to use syncML?

Re:Not a great new app!

[teh+kurisu]

First of all, a couple of inaccuracies in your comment:

The shuffle ... doesn't have sequential playback ability.

Yes, it does.

iPhone is great since it doesn't have ... 3G camera and mobile internet.

Maybe you meant "3G mobile internet and a camera"? It certainly does have a camera, and it does have mobile internet over GPRS and WiFi.

Other than that your points are largely valid, although I think you missed the point of the comment you replied to. Loading devices with features without thinking of the user interface renders those features pretty much unusable, so you're better off without them.

The whole point of the lack of a keyboard is that you gain more screen real-estate when you don't need the keyboard. If you do a lot of texting this will be most of the time and the iPhone probably isn't for you. If you don't, all the other things you do on your phone become much easier. Remember, just because the lack of a keyboard doesn't appeal to you doesn't mean it won't appeal to anybody. Full QWERTY keyboards on smartphones sure as hell don't appeal to me.

This story is 100% BS.

[jcr]

iPhone works with POP and IMAP. They found a couple of IT drones who hadn't bothered to find out what was involved in supporting the iPhone, and just assumed that they'd have to jump through the same hoops that RIM requires.

-jcr

Re:is incompatibility a problem ?

[@madeus]

Active Directory and Exchange Server work very well for many, many companies out there. They get support from the vendors, and they work seamlessly with the client software (usually Windows with Exchange). LDAP is great, but IMAP doesn't offer the same functionality as Exchange does. LDAP and IMAP are supposed by Active Directory and Exchange Server, all you have to is enable them (or, "not disable them", depending on what means was used to set the system up in the first place). It's not an either or scenario, and that's true in a lot of cases.

Exchange isn't "poorer quality" - it's very good at what it does. Exchange and Outlook are really, really bad at dealing with large amounts of mail (compare with Mail.app, which manages several gigs worth of mail seamlessly). It's pretty poor quality mail server and client combination really. The calendaring support is good, but that's it's only redeeming feature.

The point I was making about using poor quality products was directed more at say, using things like Remedy, Chordiant, Veritas and Infovista (none of which ever work well), who think all DB's should be Oracle, or that the right language to write something in is always Java.

This is why I say it all boils down to people margin the decisions not understanding what they are doing - not knowing what they should be doing, and what they shouldn't be doing. Everywhere that has apps like Remedy and Chordiant has other web based apps developed to work around it's flaws, and they end up building their business around the software. Pretty much everywhere that has Infovista has other monitoring software that actually tells them what they want to know, and that's what they use when they want to get meaningful data out.

Managers tell more senior mangers that everything is done in Remedy/Chordiant/Infovista though. They say that outages caused by over hyped (and overly expensive) Veritas are 'unavoidable', when the real problem is the system design is lousy because they chose the wrong hardware/software.

Daring Fireball

[LKM]

John Gruber has an article about this, for those interested.

Re:Daring Fireball

[LKM]

You know... I always thought IT was a service to the people doing the actual work. Now I realize the people doing the actual work are only there so IT has a bunch of victims to terrorize. Thanks for opening my eyes.

Awesome. Instead of answering my question, you're paraphrasing the Daring Fireball rant.

Well excuuuuse me, Princess. I did not realize I was paraphrasing Gruber's article. I thought I was simply telling the truth.

Let me rephrase my question (since you're obviously not in IT):

Actually, I am.

how does the iphone contribute to the company's bottom line?

It contributes the the company's bottom line by cutting down on support cost for crappy cell phones. Not that it matters, if the right people want an iPhone, IT will do it.

And let's try one more: what does the iPhone offer that the *insert phone/email/platform of choice* doesn't already do?

Again, it doesn't really matter, but what the iPhone does offer is an interface that seems to be easy to figure out.

Thank you for the spelling correction, but let me offer you a definition from wikipedia: "A de facto standard (...)

Right. See that? "de" and "facto" are two different words. I know what you meant, obviously, it's not too hard to figure out.

I'm not a Microsoft fanboy -- there's alot wrong with Exchange -- but it works for the most part, people know how to support it, and if my clients had to vote on having an iPhone and no Outlook synching vs. having a Blackberry with all-of-the-above, well, I think the choice is pretty obvious.

Which is, of course, perfectly true and an entirely different argument from "why should IT bend over backwards, completely gut their defacto standards, just so the corporate users can play with their shiny new baubles at work?"

Re:Yawn

[rbanffy]

One of the key functions of RIM-style e-mail is that the server tells the phone that it has to download something instead of the phone polling the server if there is something to do. It is useful if you need to be informed of something immediately after the e-mail arrives instead of waiting until the next scheduled contact.

With reduced cost per megabyte, higher data rates and increased battery life, this is becoming less and less relevant. I am completely happy with my IMAP, mainly because, when I really need to know, my server sends me an SMS that arrives in less than 10 seconds.

Re:How long has Blackberry been around?

[Tickletaint]

Indeed this is a huge shortcoming of iCal, but the new version in Leopard supports group calendars synchronized over WebDAV, which is a big step towards corporate competitiveness. The Leopard release of OS X Server is supposed to include a WebDAV server, too:

iCal Server uses open calendaring protocols for integrating with leading calendar programs, including iCal 3 in Leopard, Mozilla's Sunbird, OSAF's Chandler, and Microsoft Outlook using an open source connector. These open standard protocols include CalDAV -- a set of extensions to WebDAV -- and interchange formats such as iCalendar, iMIP, and iTIP.

Re:Can I brick an iPhone?

Exactly. People crying about the iPhone supporting POP3 and IMAP are obviously not working in a corporate environment. Getting mail to the phone is the easy part folks. Getting mail to the phone in a way that doesn't drain the battery instantly (push), and in way where the mail can be locked and secured in an instant.. That's the tricky bit. The Blackberry is a good device, but -and make no mistake- Blackberry Enterprise Server is the key to RIM's success. I busted out laughing during last year's keynote when Steve mentioned Yahoo! Mail for push.. WTF?

Furthermore, people talking about putting tape over the iPhone's camera or those commenting about the camera being the least of the security concerns since the thing has bluetooth or can be attached via USB also don't get it. With BlackBerry Enterprise Server a corporation has the ability to lock that stuff down in the same way as they can lock down a user's computer. I can disable the BlackBerry's camera, bluetooth, usb.. I can push software down to all devices (SUPER convenient during that idiotic change to DST), and I can remove software from all devices. This combined with flawless syncing with our messaging system via push technology is why BlackBerry wins in the corporate environment.

The iPhone looks sweet as hell, but -in the end- it is just out of place in a serious corporation.

Re:Yawn

[Constantine+XVI]

If I'm not mistaken, the iPhone does IMAP push-mail

Re:Not a great new app!

[LKM]

The iPod does not work like the iPaq at all. You don't use a stylus to write or tap on the screen, you type with your thumbs. The difference is that you type on a keyboard shown on the screen instead of on actual little buttons. The people who have used it say it takes a bit of getting used to, but works pretty much like an actual small querty keyboard.

By the way, I've used a Palm and a P800 for a long time, and I enjoyed the text recognition very much. Not as good as an actual keyboard (which my P990i has), but way better than most other cell phone text entry systems.

Re:No, it's a *big* problem with mobile devices

[hab136]

And the Calendar is what? The Contacts/addressbook is what? The Todo list is what format? The notebook is what format?

Calendar - iCal/CalDAV (open standard, same as Mozilla's Sunbird)
Contacts - vCard, open standard
Todo - iCal again
Notebook - on the iPod, the notebook is a directory of regular text (.txt) files - I imagine iPhone will do the same.

Re:is incompatibility a problem ?

[Registered+Coward+v2]

if so, why don't we seen businesses demanding open standards used when they make the buying decisions ? is this uninformed people being in charge or what ?
incompatibilities are biting businesses for awfully long time, but we still have .doc floating around, proprietary communications protocols (like for syncing) and whatnot...

Most businesses have no need for open standards because the current ones are nearly universal and work well enough to get the job done. I have yet to have a client that cannot open a .ppt or .doc file (99% of the time they use an MS product), Exchange AS works fine with my Treo and Palm OS (Letting me junk Goodlink and all the problems it causes while still synching calendar items and contacts) even though the IT folks only officially support WM devices; in short the overwhelming adoption of proprietary standards means there is no real push to fight for open ones.

Personally, as much as I would like an iPhone the inability to work with Exchange AS means I won't buy one (IMAP / POP3 is simply not an option for me because or IT folks won't enable it) Simply forwarding mail to an external POP3 or IMAP account doesn't work because Exchange only forwards external, not internal mail via rules _ I never could figure out how to forward internal email.) and I suspect that other business users who have come to rely on a working mobile email / calendar / contact solution will feel the same way. We want solutions that work without having to battle IT or devise workarounds that may or not be reliable.

Re:is incompatibility a problem ?

[@madeus]

You've pretty much hit the nail on the head for me, in your own comments.

As far as the Outlook is concerned, it bogs down with large amounts of mail (especially in the one folder) and is god awful at searching large volumes of mail (and if you can't search it easily and quickly, it's rather pointless holding on to mail) - it's Outlook (rather than Exchange) that I've found poor to be dealing with large amounts of mail in one folder (e.g. an archive folder for a mailing list, or group of related lists). I tried using the Mac OS X Exchange client, I like the project management features it has, but I discovered it's just as crappy as the Window version if you have an sizable amount of mail. The application developers don't seem to understand how to do threading, just bad software design.

Exchange has been an issue because it's replication is poor, replicated systems are quite capable eating themselves which takes ages to repair and that should really never happen. Microsoft does not make tools to repair them though (beyond trivial issues), you have to buy third party software to do that, which I think is a good indication of how big a problem it is. Using a database like that to store the data (not just index information) is a really dumb idea if the database engine is not completely reliable.

Our 2 million + customers are on systems with Exim and Courier at least - so they get a decent service that doesn't have any of those issues. Their maildir isn't going to get 'corrupt' and lose all their messages, you can get a copy of their mailbox from the past easily using the file system and snapshots. Replication and scaling is trivial.

That's not to say that Exchange is unsuitable for use in a corporate environment (there still really isn't a better integrated Windows solution for most users) but that's not a reason not to open up services like IMAP on it.

"Switching on," not "Switching to"

[Foerstner]

Allowing IMAP-S on an existing MS Exchange server requires about five minutes in the administration interface. It does not necessitate eliminating Outlook's MAPI, or whatever other proprietary protocols you choose to run.

Of course, it does require a security model based on something other than, "Our server is secure, because hackers could never compromise Outlook!"

Re:Yawn

[illumin8]

One of the key functions of RIM-style e-mail is that the server tells the phone that it has to download something instead of the phone polling the server if there is something to do. It is useful if you need to be informed of something immediately after the e-mail arrives instead of waiting until the next scheduled contact.

RIM does not have a monopoly on this feature. Have you ever heard of Push IMAP? It's an open protocol that $YOUR_HOSTING_COMPANY probably already runs on their mail server.

From the linked article:
The protocol was designed to provide for a secure way to automatically keep communicating new messages between a server and a mobile device like a PDA or Smartphone. It should reduce the time and effort needed to synchronize messages between the two (by using an open connection that is kept alive by some kind of heartbeat).

Re:push email

[CXI]

For some time now I have had push email on a Windows Mobile Treo. Exchange natively does everything that Blackberry or Goodlink can do if you have the right devices.

Re:And so they shouldnt...

[ballwall]

Blackberry (afaik) is much more than the device. It's actually a huge infrastructure that actually makes your device sit on the corporate network, along with all the encryption, authentication, and policy enforcement to make that communication secure. From wiping the device after a certain number of invalid password attempts to enforcement of password policies on the device itself.

If you wanted the same level of intranet access to be available on the iphone, you'd need to set up an internet facing IMAP server, proxy, LDAP server, etc, and then somehow authenticate every piece of traffic going to all of them (which, I'd imagine, would be setting multiple passwords in several places on the iPhone, but they may have been smarter than that). And this still leaves the device itself wide open in the case of loss or theft. The other option is a VPN, but I haven't heard of Apple stating they'd be included anything like that on the phone.