Managing Users' Mobile Access
From an administrator's perspective, managing access and policies for iPhone users is largely the same as managing access for any other mobile device. Exchange direct push and ActiveSync are enabled by default for all users, meaning that unless you have explicitly changed things, all iPhone users with existing accounts should be able to access their accounts without requiring per-user configuration. (If you rely on iPhone configuration profiles, you should also be able to deploy iPhones to users so that they only need to enter their Exchange username and password -- see Part 1 of this series for details.)
If you are running Exchange 2007, the iPhone also supports Exchange Autodiscovery based on a user's e-mail address.
As with other devices, you can adjust the organizationwide policies or user-specific policies to grant or deny mobile device access. Once a user has configured an iPhone with his Exchange account information and connected to Exchange, you will be able to use either the Exchange ActiveSync Mobile Administration Web Tool or the Exchange Management Console to view additional information about the device, including the last time the iPhone was synced with Exchange, the last time Exchange policies were updated on the iPhone, and the time of the last ping request. You can also use these tools to initiate a remote wipe of a lost or stolen device and view the status of a remote wipe request.
Configuring Passcode Policies
The only Exchange policies (other than allowing users to access their accounts from mobile devices) that you can enable for the iPhone via Exchange are passcode policies. You can require users to create a passcode that must be entered to unlock the iPhone, specify a minimum passcode length, require an alphanumeric passcode, and specify a period of inactivity after which the iPhone locks automatically.
Apple's iPhone configuration profiles include the same options plus some stricter ones, such as the number off passcode attempts before the iPhone must be resynced with iTunes to re-establish access. Passcode policies configured via Exchange are automatically pushed to the device over the air and enforced as long as the iPhone is associated with an Exchange account. (IPhone configuration profiles, on the other hand, must be e-mailed or hosted on a Web server, and users must choose to install them and can delete them at any time.) If both a configuration profile and Exchange passcode policy are in place on an iPhone, the strictest options will be enforced.
The ability to remotely wipe confidential data from a smart phone is one of the most important features in a business device. In the event that an iPhone associated with an Exchange account is lost or stolen, administrators can remotely wipe it from within the Exchange ActiveSync Mobile Administration Web Tool or the Exchange Management Console. If Outlook Web Access is enabled, as it is in most environments, users can also initiate a remote wipe of an iPhone using the mobile device management features available in Outlook Web Access.
When a remote wipe command is issued, the iPhone will revert to an Apple-logo screen and remove all user data and settings. This includes user account information (both Exchange accounts and other e-mail accounts) and associated e-mails, contacts and calendar items. It also includes all media (music, photos and videos), applications and Web browser bookmarks.
Because a remote wipe of an entire iPhone may take considerable time and battery power, an iPhone may power down before completely erasing if its battery becomes depleted. If this happens, the iPhone will continue erasing data when (or if) it is connected to a power supply. Once an iPhone has been wiped, it will need to be activated in iTunes again before use. To ensure successful future use, you may need to remove any residual association between the phone and a user in Exchange if the phone is recovered and reactivated within your network.
Connecting the iPhone to Exchange
Associating an iPhone with an Exchange account is designed to be a relatively simple process. As indicated by Apple's instructions, users simply need to create a new e-mail account on the iPhone, select Exchange as the account type and enter their account information (e-mail address, server address, username and password, and an optional account description). You can also automatically configure either all or just the server-specific components of these settings using configuration profiles.
Apple does not take a firm stand on whether or not the username should be entered in domain\username format or with only the username (omitting the domain), but in most environments domain\username is required. Typically, this depends on the default domain option for an Exchange environment (as well as whether or not the environment exists in a multidomain network), but in some situations, the full domain name may be needed even if the default doesn't use it. It's wise to test with an iPhone before developing instructions for users or support staff.
The iPhone prefers connections that encrypt all communication using SSL. If it cannot establish an SSL connection to the server (or in some environments to a Windows ISA Server), it is designed to attempt to connect without using SSL. Ideally, you should configure an environment that requires SSL.
If you are using SSL, you will also need to ensure that any certificates used to sign communications are installed on the iPhone. The iPhone ships with root certificates for a number of common certificate authorities. If you use certificates signed by these authorities or certificates that build an effective chain of trust, you will not likely need to install additional certificates on the iPhone. If you choose to use self-signed certificates or are relying on certificates signed by a certificate authority other than one available via the installed root certificates, you can use a configuration profile to install the certificates on each iPhone that will access your environment.
Once an iPhone is associated with an Exchange account, users will be prompted to enter a passcode that conforms to any policies established in Exchange. They will also have the option of choosing which types of data to sync -- Mail (Inbox), Calendar and/or Contacts. Once the iPhone has established a connection to Exchange, it should initiate a first sync (for performance issues, you may wish to have users establish their initial connection using Wi-Fi within your network). By default, the iPhone will sync only three days' worth of Mail items, though this can be changed using the Settings application on each iPhone.
Note: An iPhone can be associated with and sync to only one Exchange account.