Corporate IT Hanging Up on Apple's iPhone

WSJdpatton writes "iPhones can be used for email, but many businesses don't plan to sync them with internal systems used to power Blackberries and Microsoft mobile devices. Employees eager to use the cool new gadget, however, may pressure IT departments to support iPhones even if it means incurring more costs and changing policies. The WSJ reports: 'Incompatible technology has become an increasing problem for businesses as hand-held email and phone devices are evolving into minicomputers that can do such things as download music, take pictures and surf the Web. In the past, businesses have been unwilling to support certain devices, like those with cameras, for instance, because of concerns employees could use them to document company secrets. But these tensions would be magnified if the iPhone is as popular as Apple is hoping and some analysts expect.'"

Summary of the article.

[ozmanjusri]

Companies who've locked themselves in to a proprietary email system can't change when a new (and potentially better) product is available.

Re:Summary of the article.

[Helvick]

My day job involves creating processes that allow our enterprise to securely build, deploy and manage configurations to mobile devices like mobile phones and blackberry. What I need to do (as any other systems admin does) is to create a repeatable, secure and reliable method of taking control of a physical device, securing it (so data and credentials on that device are safe and my enterprise can authenticate both the device and the user later) and configuring it. When you want to do that for 20000 or more users on five continents over 80 or more cellular providers you really want to be able to fully automate the process. That requires an SDK and a reasonably complete manageability API at the OS level that is available to you.

Otherwise the option is to go manual. Apart from the near impossibility of getting a user to reliably communicate a device's identity (ie a hardware device ID\Serial number\IMEI number) back into a configuration database you cannot seriously ask normal end users to poke around in config dialogs, changing and tweaking settings and expect everything to work. It can be done but your support desk overhead becomes criminally expensive. I haven't even begun to discuss the difficulties involved in effectively securing the authentication protocols used for your end users services - what are we proposing? Cached user names and passwords? X.509 certificates and mutual authentication? OTP's? If so how do you configure both ends so that you preclude man in the middle attacks and credential stealing?

Why do we need to authenticate the device? Well what happens when a user loses a device or its stolen? That happens on average twice a day for us worldwide BTW. We revoke the device's access and then provision the user with a new one. To do that we need to be able to auth the devices too. We could get away with not doing that but would end up having to cancel user accounts to remain secure.

The closed nature of the iPhone precludes the above and that is the reason enterprises are saying that it is not suitable. I think it's going to be a great consumer device and, yes, I want one too but we aren't going to see support and adoption in large organisations that care about security until they provide the tools to manage the platform correctly (or just open it up). If Apple come out with comprehensive configuration subsystem using (for example) OMA-DM via SyncML then things would be looking up.

Exchange support would be nice but it's not critical at all even for monocultural Microsoft shops. Anyone can write a gateway interface between Exchange and anything else if they want to. It may be proprietary but it isn't closed. That's a very important point here.

Re:Yawn

[nevali]

MS, to an extent, but mostly RIM.

I could be wrong, but I was under the distinct impression that the iPhone would do POP3/IMAP4, just like pretty much every other phone released in the past 12-24 months.

This story is 100% BS.

[jcr]

iPhone works with POP and IMAP. They found a couple of IT drones who hadn't bothered to find out what was involved in supporting the iPhone, and just assumed that they'd have to jump through the same hoops that RIM requires.

-jcr

Daring Fireball

[LKM]

John Gruber has an article about this, for those interested.

Re:Yawn

[rbanffy]

One of the key functions of RIM-style e-mail is that the server tells the phone that it has to download something instead of the phone polling the server if there is something to do. It is useful if you need to be informed of something immediately after the e-mail arrives instead of waiting until the next scheduled contact.

With reduced cost per megabyte, higher data rates and increased battery life, this is becoming less and less relevant. I am completely happy with my IMAP, mainly because, when I really need to know, my server sends me an SMS that arrives in less than 10 seconds.