Apple’s release of their new iPhone 5c and 5s models and the accompanying update of the iOS operating system to version 7.0 (or whatever point build it is now at) seems to have delighted consumers. Certainly the normal queues appeared at Apple stores in the rush to get one of the new devices and the iTunes servers were overwhelmed with the demand to download iOS 7. All good stuff, even if the notion of a gold iPhone seems strange to someone like me, who isn’t particularly fashion-conscious.
Exchange administrators might not have been quite so sanguine about the new iPhones and iOS. In fact, their release demonstrates some of the challenges that exist in the Bring-Your-Own-Device (BYOD) strategy now used by many companies in an effort to control the costs of mobilizing their workforce.
Unfortunately the release of new versions of iOS have not always been problem-free. Administrators are all too aware that Apple’s interpretation and implementation of the Exchange ActiveSync (EAS) protocol is not as good as it might be and the scars of the calendar hijacking problem in iOS 6 in late 2012 and the knock-on performance impact on Exchange 2010 servers are still well remembered. Even though Microsoft and Apple have since been working together to improve the client-server interaction between iOS and EAS, some caution is necessary when a new iOS appears.
But administrators exert no control over when users install iOS 7. The OS is either on a new device or can be downloaded and installed from iTunes. Administrators might ask users not to do this until they have had a chance to validate iOS 7 against a production Exchange environment, but the consumer-driven nature of Apple’s app framework makes it really difficult to get such a message across.
Some problems synchronizing email using EAS with iOS 7 have been reported by experts such as Paul Robichaux. At this point it’s not clear if the issues are widespread or are limited to a specific set of devices or circumstances. It seems like the problems only affect Exchange 2010 deployments; everything seems to work with Exchange 2013 and Exchange Online (Office 365). I’m not too surprised at this because Microsoft has done a lot of work to increase the robustness of EAS on the server recently and I assume that this work makes it more difficult for a malfunctioning client application to cause problems. Apple Support has recommended some things to try if your clients report problems – steps such as deleting the partnership between the device and Exchange to force a complete synchronization. You can always follow support principle 101 and reboot Exchange, but I cannot see how this would help. On the other hand, a nice reboot never hurts.
On the hardware side, the new Apple iPhone 5s includes fingerprint biometric authentication. Any new security feature tends to be immediately tested by hackers and it’s not really a surprise to find that some weaknesses have been found and exploited by the German Chaos hacking club. Some to-and-fro between Apple and the hacking community will ensue until the gaps are closed and we can all get on with life. What’s more important in some respects is the fact that a consumer feature has been introduced that is not covered by EAS policies.
Users love the ease and facility of fingerprint swiping. There is no doubt that it is much easier to authenticate using a swipe than it is to input a complex password. And you can never forget your fingerprint in the same way that codes often slip the mind. However, EAS mailbox access policies allow organizations to require users to input a password of minimum length and can also lock a phone after a certain period of inactivity. The idea here is to protect the confidential data that exists on the device should the device be lost. EAS policies have no concept of biometric authentication and therefore do not cover Apple’s fingerprint reader.
You might consider this to be a problem. I am not so worried because fingerprints are a pretty good method to authenticate people. It’s true that EAS policies are not being observed in the strictest sense, but implementation of EAS policies is entirely in the hands of a vendor. All Exchange cares about is that the device reports that a policy has been provisioned to it and is now being observed. The fact that a fingerprint swipe is being used is not reported to Exchange. The device is lying a little, but it’s also secure – assuming Apple works the bugs out and fixes the reported problems.
Getting back to BYOD, the introduction of new devices and operating systems requires administrators to keep a close eye on implementation details so that the new devices and OS can be supported with Exchange. You don’t control Apple and never will so a strategy is necessary to live with the situation. Exchange MVP Steve Goodman will address this issue in his "Exchange ActiveSync: Taming the Beast" session at the Exchange Connections conference 1pm next Thursday. (His iPhone with Microsoft Exchange Server 2010 - Business Integration and Deployment book is a pretty good guide too)
You can always block or quarantine iOS 7 devices until you’re ready to deal with them or just accept that this is an aspect of BYOD that will be ongoing and is therefore acceptable. Another approach is to deploy an MDS solution such as BoxTone to help manage mobile devices more effectively than is possible using the OOTB EAS capabilities built into Exchange. If these strategies don’t work for you, then maybe a move to Windows Phone or Android would. These platforms have their own challenges, but at least you’d get away from iTunes updating…
Follow Tony @12Knocksinna