iPhone 3.1 Encryption Enforcement Fix Causing Problems for iPhone 3G, 2G Exchange 2007 Users

iphone 3.1 Exchange Broken

iPhone 3.1 apparently fixes a bug that didn't properly enforce Microsoft Exchange 2007 SP1 encryption policies, and that looks to be causing problems for users of the iPhone 3G and iPhone 2G (and likely first and second gen iPod touch users as well).

While the iPhone 3GS supports Exchange encryption and is thus unaffected, the previous generation devices reportedly do not, leading to the error shown above.

Outside buying an iPhone 3GS or getting your Exchange Admin to turn off the encryption requirement (good luck with that!) we're not sure if there's a fix for this fix yet.

If you've run into the problem, however, drop us a note in the comments.

[BroadbandReports.com via TUAW]

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, ZEN and TECH, MacBreak Weekly. Cook, grappler, photon wrangler. Follow him on Twitter, App.net, Google+.


There are 47 comments.

Jellotime91 says:

Eat sum dragunz dat wil solv ur problam.
No Ned 2 thx mi

Corey says:

Yep knock me off line at 5 am and no luck with the IT. So now I have to decide, live without email, go back to a blackberry or get a 3GS. Thanks Apple

David says:

"Thanks Apple"
Have you considered that the lack of encryption flag enforcement was a blatant security hole, nulling out any attempt by IT to protect the data being synced? How long before enterprises stopped supporting Exchange via iPhone if this persisted? I think it was a no-brainer for Apple to patch this, even if it inconvenienced you. If it's OK for your data stream to sync without encryption, then I'm sure your IT manager will turn off the flag.

Corey says:

A: If I had known this was an issue I would have got a 3GS
B: If it was such a major security why give the sync in the 1st place.
Bottom line it would have been nice to know prior to the update

icebike says:

I don't get it.
If the iPhone didn't honor this request in the past, and it worked in spite of not honoring it, then why wouldn't just turning off the encryption requirement in the iPhone, or (if that's not possible), rolling back to 3.0 fix the problem?

icebike says:

In addition, the Anti-Phishing feature of Mobile Safari does not work either:
http://research.zscaler.com/2009/09/watered-down-phishing-protection-in....

Jim Jones says:

I'm down too. Maybe we'll all get free 3GS to fix it :)

Plasmanut says:

Wow, that sounds painful. I was performing the update as I read this. Needless to say I canceled it. Now, if I want to access Exchange Mail with my 3G, does this mean I'll be stuck at 3.0 forever?

Sean says:

Hmm good thing I didn't update . But like the previous poster said, I guess I'm stuck with 3.0 as long as I have the 3g

icebike says:

Stuck in release 3.0?
I'm sure Apple will fix this shortly. They can't write off the entire business segment.
Soon as this hits the Wall Street Journal it gets fixed immediately.

Oboewan says:

You don't understand.
Many Exchange 2007 SP1 servers REQUIRE mobile devices to be encrypted.
The 3G isn't.
What 3.1 does is, it stops your iPhone from LYING about its lack of hardware encryption. Therefore, it can't access those servers - because it shouldn't have been able to access them IN THE FIRST PLACE for security reasons.
If Apple fixed this "bug" it would actually be opening up a huge security hole and possibly making a lot of corporations very angry.
If you didn't know about this it's your own fault. If your IT department requires hardware encryption there's a good reason. The 3GS has it, the 3G doesn't. And it's just by security flaws, possible fraud, and a whole lot of (questionable) luck that you've been able to access your email (and open up security holes) thus far.

Tony O says:

And you still want to own an apple product? I don't get it. Apple just F*@3% around with our phone for which we paid an arm and a leg and we have no say in the matter? WTF?

Gavin says:

That's why I have an iPod Touch not iPhone. I use android os for my phone .

icebike says:

@Oboewan:

What 3.1 does is, it stops your iPhone from LYING about its lack of hardware encryption. Therefore, it can’t access those servers – because it shouldn’t have been able to access them IN THE FIRST PLACE for security reasons.

All I'm saying is if it worked last week and you need to get your phone back onto exchange, then roll back to 3.0 till Apple figures out the problem.
If your IT department wasn't having a conniption last week they shouldn't be freaking out this week either.
I don't use Exchange, but I do have SSL encrypted mail servers, both my own and Gmail's.
That Exchange allowed connections that were not encrypted when encryption was a REQUIREMENT seems to be an Exchange problem to me. If Luck plays any part in it, you should consider getting a new mail platform.

Squeeze says:

On a 3GS here and I manage a 6,000 mailbox Exchange platform. I am elated this came out. We don't officially support iPhone, but we can't ignore the convenience that employees want to stay connected (but don't have a Corp blackberry).
This is really a great fix. Remember, the iPhone is starting to penetrate the corporate workplace and it's things like this that allow us to keep iPhone online (unofficially).

André says:

@icebike:
SSL encrypted servers and the kind of encryption Exchange requires are 2 completely different things.
Exchange requires that the contents stored on your phone are encrypted; nevertheless the connection to the server (the data in transit between your phone and the server through the internet) is always SSL encrypted.
This requirement is to avoid thieves (or any other 3rd party who gets his hands on your phone) being able to see/extract the contents already stored on your phone.

Corey says:

how do you roll back to 3.0?

Patrick says:

Great, email is gone. Seems to happen too often with apple updates. I guess they aren't serious about enterprise email. Won't be purchasing another iPhone.

André says:

@Corey:
Make a backup of your iPhone on iTunes and download the correct firmware from http://felixbruns.de/iPod/firmware/.
After the download finishes, shift-click (or command-click) the Restore button on iTunes - it'll open a window so you can select the firmware you want to use, select the downloaded one.

icebike says:

@Andre: So it's easily fixable with software is what you are saying.
It doesn't need to be a hardware encryption at all, software encryption of storage should suffice. Just like about 2000 other App store apps use.

bent24 says:

Can you have a fix for a "fix"? I thought you could only have a fix for a problem. Maybe they'll find the solution for the solution. LOL

André says:

@icebike:
When the 3GS was launched a lot was said about it offering encryption of its contents - it's even much faster to wipe out a 3GS than a 3G because to achieve that on a 3GS you just have to delete the encryption key, instead of really deleting every bit of data like the 3G has to do. 3G doesn't offer that kind of encryption because it's hardware based and the 3G doesn't have the necessary chip/chips.
If your Exchange admin doesn't want or can't disable encryption for everyone, they can just create a new policy on Organization Configuration / Client Access / Exchange ActiveSync Mailbox Policies unchecking the option "Require encryption on the device" on the Password page - then they have to apply this new policy to everyone who uses ActiveSync on iPhone 3G.
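
Added example (not part of André's comment or the original post): the scoped-exception approach described above, done from the Exchange Management Shell so that the relaxed policy reaches only reviewed users instead of the whole organization. The policy name, CSV path, approved-user list and the 'iPhone' device-string match are assumptions made for illustration.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007 SP1).
# Hypothetical values: policy name, review file path, approved-user list.
$policyName = 'EAS-NoDeviceEncryption-LegacyiPhone'   # hypothetical policy name
$reviewCsv  = 'C:\Temp\eas-iphone-candidates.csv'     # hypothetical output path
$approved   = @('user1@example.com')                  # constructed sample: users cleared for the exception

# 1. Create the exception policy once. -RequireDeviceEncryption is the shell
#    counterpart of the "Require encryption on the device" checkbox. The device
#    password stays required; other settings are not copied here and should be
#    set to match the organization's default policy.
if (-not (Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName })) {
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -DevicePasswordEnabled $true `
        -RequireDeviceEncryption $false | Out-Null
}

# 2. Inventory every ActiveSync partnership that identifies itself as an iPhone
#    (assumption: the device type or user agent contains 'iPhone') and export it
#    for review. 3GS devices support encryption and should stay on the strict policy.
Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $mbx = $_
        Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity |
            Where-Object { $_.DeviceType -like '*iPhone*' -or $_.DeviceUserAgent -like '*iPhone*' } |
            Select-Object @{n='Mailbox';e={$mbx.Name}},
                          DeviceType, DeviceModel, DeviceUserAgent, LastSuccessSync
    } | Export-Csv -Path $reviewCsv -NoTypeInformation

# 3. Assign the exception policy only to reviewed users.
#    -WhatIf shows what would change; remove it after checking the output.
foreach ($user in $approved) {
    Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy $policyName -WhatIf
}

# 4. Audit: list every mailbox currently on the exception policy so the
#    exception can be withdrawn when the device is replaced.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncMailboxPolicy -and $_.ActiveSyncMailboxPolicy.Name -eq $policyName } |
    Select-Object Name, ActiveSyncMailboxPolicy
```

Step 4 can be rerun periodically to keep the set of mailboxes syncing to unencrypted devices visible and small.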

scottb says:

@ Patrick, you dope - read the details.
Apple ARE serious, hence the change.
God, having enough money to buy this shit sure doesn't compensate for the idiots buying it...

ic778 says:

Also, the setting for asking for passcode when locked is now maxed at 15 minutes. The previous 1 hour option is gone.

icebike says:

@Andre:
Why do Microsoft users still think you need a chip to encrypt a file?
Software Encrypting is easy, fast, and very secure.
If you need to wipe the device, you can simply erase the key and leave the file (or delete it, your choice).
It does not take hardware chips to do this. It might be faster, but encryption via software drives the net. It's everywhere. I have 5 apps on my 3G with software encrypted data.
Apple need only encrypt the mail storage for exchange accounts (If selected), and then tell the exchange server it is an encrypted device. (Just like they did previously when they were lying about the encryption, but now they wouldn't be lying).

André says:

@icebike:
Then ask Apple to enable encryption on 3G.

André says:

continuing...
You don't NEED a chip to encrypt anything, but if you have one you can let it do the hard work instead of putting more stress over your already busy main processor.
The iPhone processor is not like a Core 2 Duo sitting most of the time without doing anything on a desktop.
That's the same principle why we have video cards on computers - to let them do the hard work instead of waiting for the main processor to do it.
A lot of web servers that serve SSL encrypted sites also have a special encryption chip to help relieve the stress of the main processor.
Apple chose that path to avoid having a sluggish smartphone that would make users scream.

F*cked in Fla says:

Just got off of a 45-minute call with iTech. No realistic solutions: buy a 3GS or tell my multi-national corp to turn off their encryption (fat f'ing chance). Thanks for the big FU, Apple. Nice support.

F*cked in Fla says:

Local store techs and iTech junior techs act as if they haven't even heard of this problem. Supervisors have, but have no answers; just bad options. The spvr tried to convince me that this was all MY fault, because "iPhone was not designed to work that way" even though it did. Supposedly Customer Support is going to call me on Monday to probably blow some iSunshine up my iAss.

Annoyed says:

Not Exchange-related, but...
Has anybody else noticed that the iPhone 3.1 upgrade has broken their YouTube app?
I bought a 32GB iPhone 3GS yesterday (which, interestingly, had iPhone 2 software installed on it out of the box, but I didn't write down the actual version code) and was able to use the YouTube app over Wi-Fi with no problems while I was busy upgrading iTunes and moving other stuff around. After upgrading it to iPhone 3.1 and my iPod Touch 2G to 3.1.1 (from 3.0) both devices are now getting this annoying "YouTube not available." error message. Every time. Safari and Mail are still working fine, though.
I've seen several mentions on the net that unlocked iPhones get this error, and I bought it unlocked from the Apple Store, but it was working fine before the upgrade and so was my iPod Touch. I've even tried switching it to Airplane mode and turning the WiFi back on, but to no avail.
I know it's not a connectivity issue, because I can watch the requests go through my proxy server:
Sep 13 14:24:17.075 (b51fab90) Request: www.google.com:443/
Sep 13 14:24:21.628 (b51fab90) Request: www.google.com:443/
Sep 13 14:24:24.748 (b51fab90) Request: iphone-wu.apple.com/feeds/api/videos/?q=jcl5m&start-index=1&max-results=25&orderby=relevance&format=2,3

Annoyed says:

Argh... and ITLAPD isn't until Saturday!
I've solved this, but I don't like the solution and I'm considering undoing it. Something has changed in the HTTP-proxy code in the YouTube app itself. If I turn off the proxy server in Wi-Fi settings the YouTube app starts working again.
I had to punch a hole in my firewall to allow tcp/80 outbound and tcp/443 outbound from something other than my proxy server to test this so it wasn't able to be working yesterday without proxy settings.
Thanks for reducing my security, Apple! :(

Corey says:

Much to my relief, my company chose to make a change in the encryption policy so now I am back with email, etc. Yet for some reason I still fear they will change their minds.

William says:

the manual restore to 3.0 for an iPhone 3gs didn't work...any suggestions or things I could have done wrong?

gregg says:

So does anyone know if apple will provide an update with the 3G adding 'encryption' to it? My company requires it and i would have to go buy a 3GS to get email on my iPhone...

Wnard says:

Anybody know if this has been fixed in 3.1.2, or if Apple is even working on a fix? I have a 2g. I was lucky and read about it before I upgraded.

Abbott0222 says:

Has anyone had success with 3.1.2 and Exchange 2007?

George says:

I've been wrestling with this for a few weeks too. Exchange 2007 SP1. Windows Mobile Devices work fine for Direct Push. I also get the "Cannot Get Mail" error and Direct Push mail is spotty. APPLE, PLEASE HELP!

nzarbis says:

Just upgraded my 3G to 3.1.2 and found out the hard way this issue. Will downgrade to 3.0.1 again :-(

Badger says:

I've got a 3GS on 3.1.2. We're running Exchange 2003 but I cannot sync. I can connect to the server and authenticate, but all I get is an empty Inbox with no other folders - ditto for Contacts and Calendars. In fact, it's exactly the same result as when I tested an iPod Touch 3.1.2 before I got my 3GS this week. Any ideas out there?

Midwest says:

I bought my phone a few months ago for business use and NEVER would have bought the iPhone without Microsoft Exchange compatibility. I am furious that after buying this phone earlier this year that the only solution Apple offers is for me to buy a new phone for $200.

FreeLancer74 says:

I am also lucky that I found out about this before we upgraded our twelve corporate clients on 3G phones from 3.0.1 to 3.1. I'm surprised no one has come up with a fix for this by now as there are still many Exchange 2003 servers out there.

KC Dan says:

Hey Badger,
Same problem here, have you solved it yet???

Sysadminlab says:

Now when iPhone 4.0 has been released I tested all the ActiveSync policies to see which ones that worked. Here's a summary: http://www.sysadminlab.net/activesync/iphone-os-4-and-exchange-activesyn...
