This blog post is probably out of date. If you want to set up Exchange ActiveSync, you should instead consult one of my guides:
- iPhone Exchange ActiveSync Setup
- iPad Exchange ActiveSync Setup
- iPhone ActiveSync Troubleshooting
- iPad ActiveSync Troubleshooting
Is your non-3GS iPhone locked out of your Exchange 2007 ActiveSync server after upgrading to iPhone OS 3.1? It’s a feature, not a bug! Here’s how to get older iPhones up and running with Exchange Server 2007 SP1!
What’s The Problem?
Microsoft Exchange Server 2007 SP1 added a feature to require mobile ActiveSync devices to encrypt data, enhancing security. Before iPhone OS 3.1, all iPhones incorrectly told the Exchange server that they supported on-device encryption. This allowed all iPhone hardware to function with Exchange 2007 SP1 servers that required device encryption. But original and 3G iPhones do not support device encryption, undermining corporate security policies.
The iPhone 3GS hardware actually does support device encryption, and iPhone OS 3.1 correctly reports this capability. But iPhone OS 3.1 also (correctly) reports that earlier hardware (the original iPhone and the iPhone 3G) does not support device encryption, so some Exchange 2007 SP1 servers refuse to allow them to connect. Oops!
What’s The Solution?
There are four possible solutions, three of which require IT assistance. Your Exchange administrator can research the meaning and implications of these options:
- Disabling device encryption allows all iPhones to connect, but does not force any Exchange ActiveSync device to encrypt data. This is not a great solution from a security perspective, so don’t bother trying to convince IT to implement it!
- Allowing non-provisionable devices enables all iPhones to connect but weakens security in general, allowing each device to enforce or ignore policies. This is a slightly better solution, since encrypting devices like the iPhone 3GS will encrypt, but it’s still not a great idea.
- Creating a special policy for “old” iPhones and applying it selectively is probably more acceptable. Administrators can allow certain users to ignore the device encryption policy but still apply it to all others. This cmdlet (from Krypted) will create such a policy:
New-ActiveSyncMailboxPolicy -Name iPhone -AllowNonProvisionableDevices $true
- Upgrading to an iPhone 3GS is probably the best answer. IT doesn’t need to get involved (as long as you know how to configure Exchange ActiveSync) and no security policies need to be weakened to make it work.
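For the third option, the cmdlet above only creates the policy; it still has to be bound to the affected mailboxes, and the exemption list should be reviewable afterwards. The following Exchange Management Shell sketch is an added example, not from the original post or from Krypted. The mailbox addresses are placeholders, and it assumes the policy name `iPhone` used above.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2007 SP1 server.
$policyName = 'iPhone'    # policy name used in the post

# Placeholder mailboxes (assumption): the users who carry an original iPhone or iPhone 3G.
$exceptions = @('user1@example.com', 'user2@example.com')

# Create the exception policy only if it does not exist yet.
$policy = Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-ActiveSyncMailboxPolicy -Name $policyName -AllowNonProvisionableDevices $true
}

# Bind the policy to the named mailboxes only.
# Every other mailbox keeps the policy it already has, including its encryption requirement.
foreach ($user in $exceptions) {
    Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy $policy.Identity
}

# Audit: list every mailbox currently bound to the exception policy.
$exempt = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { [string]$_.ActiveSyncMailboxPolicy -eq [string]$policy.Identity })
$exempt | Select-Object Name, ActiveSyncMailboxPolicy

# More exempt mailboxes than intended means the exception has spread and needs review.
if ($exempt.Count -gt $exceptions.Count) {
    Write-Warning "$($exempt.Count) mailboxes use '$policyName'; expected $($exceptions.Count)."
}
```

Re-running the audit portion periodically shows when a user has replaced the old handset and can be moved back to the standard policy.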