Exchange Team Blog

Exchange ActiveSync and iPhone OS 3.1

bsuneja
Former Employee
Sep 23, 2009

Many Exchange Server customers have reported issues logging on to Exchange from iPhone devices older than the iPhone 3GS. iPhones support Exchange ActiveSync (EAS), the same protocol supported by Windows Mobile devices and licensed by many other mobile device manufacturers.

Exchange Server 2007 SP1 and later support many additional policy settings. Two policy settings that are of interest here are:

  1. Require device encryption: When you enable this policy, mailbox data synchronized and stored to a mobile device is encrypted.

    [Figure 1: Exchange ActiveSync policy requiring device encryption]

  2. Allow Non Provisionable Devices: You can disable this setting (default) to prevent provisioning of devices that can't fully apply Exchange ActiveSync policies.

The iPhone 3GS supports device encryption and is the first iPhone model to do so. Previous iPhone models, including the iPhone 3G, do not support device encryption. Additionally, before iPhone OS 3.1, these devices did not report their policy status correctly, so they were able to connect to Exchange Server even when your Exchange ActiveSync policy required device encryption and did not allow non-provisionable devices.

iPhone OS 3.1 correctly reports its policy status. As a result, if your policy requires device encryption and doesn't allow non-provisionable devices, previous iPhone models which don't support device encryption are prevented from accessing the mailbox.

After considering your organization's security policy, if you need to allow older iPhone devices to connect, you can modify the Exchange ActiveSync policy to either allow non-provisionable devices, which still enforces device encryption on devices that do support it, or disable the device encryption requirement. Note that allowing non-provisionable devices admits devices that may enforce only some policies, or none at all. Alternatively, you can create another policy which does not require device encryption and apply it only to the mailbox users whose devices do not support device encryption.
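As an added example (not part of the original post), the Exchange Management Shell commands for the third option above: a separate policy that drops only the encryption requirement, assigned just to the affected users. The policy name "iPhone-NoEncryption" and the mailbox "jdoe" are placeholders.

```powershell
# Added example, not from the original post. Exchange 2007 SP1 Management Shell.
# "iPhone-NoEncryption" and "jdoe" are placeholder names for this illustration.

# 1. Review the settings currently in force. The two properties shown are the
#    ones the post discusses; check them before changing anything.
Get-ActiveSyncMailboxPolicy |
    Format-Table Name, DeviceEncryptionEnabled, AllowNonProvisionableDevices

# 2. Create an exception policy that still refuses non-provisionable devices
#    but does not require device encryption. Everything else stays strict.
New-ActiveSyncMailboxPolicy -Name "iPhone-NoEncryption" `
    -DeviceEncryptionEnabled $false `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true

# 3. Scope the exception to the users whose devices cannot encrypt, rather than
#    weakening the policy that every other mailbox receives.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "iPhone-NoEncryption"

# 4. Verify the assignment took effect for that mailbox.
Get-CASMailbox -Identity "jdoe" |
    Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 5. Confirm which devices are syncing under the exception. Model and OS are
#    populated only when the device reports them.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceType, DeviceModel, DeviceOS, LastSuccessSync

# The broader alternative from the post (allowing non-provisionable devices on
# the existing policy) admits devices that may enforce no policy at all, so it
# is shown here only for comparison and left commented out:
# Set-ActiveSyncMailboxPolicy -Identity "Default" -AllowNonProvisionableDevices $true
```

Because the exception policy is its own object, later removing it with Remove-ActiveSyncMailboxPolicy returns the affected users to the policy you assign in its place.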

For more details about Exchange ActiveSync policies, see Understanding Exchange ActiveSync Mailbox Policies in the Exchange 2007 documentation.

Bharat Suneja


Updated Jul 01, 2019
Version 2.0

17 Comments

  • @Thunder & Rob G:
    We have noticed - with other phone vendors - that in the case where your phone model does not fully support EAS policies but you have already done one sync, it is quite hard to get rid of the problem. Even if you delete your ActiveSync profile, it gets the old settings from somewhere and is not able to overwrite them.

    I don't know the iPhone, but if you could reset your phone (so it will clean all your settings and other stuff, like when you got at first) and then try to sync again you might get it work.
  • Really digging deep down in the latest iPhone technology is going to take some work, but with the right staff of developers, I believe it is simply possible.
  • What the iPhone 3.1 doesn't work with Exchange (e.g. the largest messaging software product in the known universe) out of the box?  Is Apple actually branding that as a feature :-).  I wish somebody at MSFT would nail Apple to the wall about this.  Apple flat out lied to their customers and shipped a product with a known defect (security defect no less).  At the end of the day, all the Apple sheep out there will be the first ones to bring up security issue after security issue with MS products.  This one seems ripe to rub in their faces.
  • @Iamme: Thanks much for pointing that out!

    @Thunder & Rob G: When non-provisionable devices are allowed (that is, AllowNonProvisionableDevices is set to $true) and DeviceEncryptionEnabled is set to $true, devices that report the correct policy status are allowed. Why this doesn't work with iPhone and iPhone 3G running OS 3.1 needs to be investigated.

    For now, if your organization's security policy permits, please use the other alternative: a different policy that does not require device encryption for only those users.
  • I have experienced the same thing. With "Allow non-provisionable devices" enabled and "Require Device Encryption" enabled, 3G devices and below cannot sync.
  • "if you need to allow older iPhone devices to connect, you can modify the Exchange ActiveSync policy to either allow non provisionable devices"

    I did this and tested on an iPhone 3G, with OS 3.1, and got the error message: "Policy Requirement The account blah requires encryption which is not supported on this iPhone"

    I have "Allow non-provisionable devices" selected and "Require encryption on the device" selected

  • You state the following:
    # Allow Non Provisionable Devices: You can disable this setting (default) to prevent provisioning of devices that can't fully apply Exchange ActiveSync policies.

    Yet if you look at both of these pages, it states that Allow Non-Provisionable Devices is enabled by default:
    http://technet.microsoft.com/en-us/library/bb123484.aspx
    http://msexchangeteam.com/archive/2007/05/23/439541.aspx

    However, when you create a new EAS policy, it is disabled by default. This is a big difference and is something that should be included in the article, as your default applies to manually created policies, not the default EAS policy.