iPhone 3.1 Encryption Enforcement Fix Causing Problems for iPhone 3G, 2G Exchange 2007 Users

iphone 3.1 Exchange Broken

iPhone 3.1 apparently fixes a bug that didn't properly enforce Microsoft Exchange 2007 SP1 encryption policies, and that looks to be causing problems for users of the iPhone 3G and iPhone 2G (and likely first and second gen iPod touch users as well).

While the iPhone 3GS supports Exchange encryption and is thus unaffected, the previous generation devices reportedly do not, leading to the error shown above.

Outside of buying an iPhone 3GS or getting your Exchange admin to turn off the encryption requirement (good luck with that!), we're not sure if there's a fix for this fix yet.

If you've run into the problem, however, drop us a note in the comments.

[BroadbandReports.com via TUAW]


Rene Ritchie


Reader comments


Yep, knocked me offline at 5 am and no luck with the IT. So now I have to decide: live without email, go back to a BlackBerry or get a 3GS. Thanks Apple

"Thanks Apple"
Have you considered that the lack of encryption flag enforcement was a blatant security hole, nulling out any attempt by IT to protect the data being synced? How long before enterprises stopped supporting Exchange via iPhone if this persisted? I think it was a no-brainer for Apple to patch this, even if it inconvenienced you. If it's OK for your data stream to sync without encryption, then I'm sure your IT manager will turn off the flag.

A: If I had known this was an issue I would have got a 3GS
B: If it was such a major security why give the sync in the 1st place.
Bottom line, it would have been nice to know prior to the update

I don't get it.
If the iPhone didn't honor this request in the past, and it worked in spite of not honoring it, then why wouldn't just turning off the encryption requirement in the iPhone, or (if that's not possible), rolling back to 3.0 fix the problem?

Wow, that sounds painful. I was performing the update as I read this. Needless to say I canceled it. Now, if I want to access Exchange Mail with my 3G, does this mean I'll be stuck at 3.0 forever?

Hmm, good thing I didn't update. But like the previous poster said, I guess I'm stuck with 3.0 as long as I have the 3G

Stuck in release 3.0?
I'm sure Apple will fix this shortly. They can't write off the entire business segment.
Soon as this hits the Wall Street Journal it gets fixed immediately.

You don't understand.
Many Exchange 2007 SP1 servers REQUIRE mobile devices to be encrypted.
The 3G isn't.
What 3.1 does is, it stops your iPhone from LYING about its lack of hardware encryption. Therefore, it can't access those servers - because it shouldn't have been able to access them IN THE FIRST PLACE for security reasons.
If Apple fixed this "bug" it would actually be opening up a huge security hole and possibly making a lot of corporations very angry.
If you didn't know about this it's your own fault. If your IT department requires hardware encryption there's a good reason. The 3GS has it, the 3G doesn't. And it's just by security flaws, possible fraud, and a whole lot of (questionable) luck that you've been able to access your email (and open up security holes) thus far.

And you still want to own an apple product? I don't get it. Apple just F*@3% around with our phone for which we paid an arm and a leg and we have no say in the matter? WTF?


"What 3.1 does is, it stops your iPhone from LYING about its lack of hardware encryption. Therefore, it can't access those servers - because it shouldn't have been able to access them IN THE FIRST PLACE for security reasons."

All I'm saying is if it worked last week and you need to get your phone back onto exchange, then roll back to 3.0 till Apple figures out the problem.
If your IT department wasn't having a conniption last week they shouldn't be freaking out this week either.
I don't use Exchange, but I do have SSL encrypted mail servers, both my own and Gmail's.
That Exchange allowed connections that were not encrypted when encryption was a REQUIREMENT seems to be an Exchange problem to me. If Luck plays any part in it, you should consider getting a new mail platform.

On a 3GS here and I manage a 6,000 mailbox Exchange platform. I am elated this came out. We don't officially support iPhone, but we can't ignore the convenience that employees want to stay connected (but don't have a Corp BlackBerry).
This is really a great fix. Remember, the iPhone is starting to penetrate the corporate workplace and it's things like this that allow us to keep iPhone online (unofficially).

SSL encrypted servers and the kind of encryption Exchange requires are 2 completely different things.
Exchange requires that the contents stored on your phone are encrypted; nevertheless the connection to the server (the data in transit between your phone and the server through the internet) is always SSL encrypted.
This requirement is to avoid thieves (or any other 3rd party who gets his hands on your phone) being able to see/extract the contents already stored on your phone.

Great, email is gone. Seems to happen too often with apple updates. I guess they aren't serious about enterprise email. Won't be purchasing another iPhone.

Make a backup of your iPhone on iTunes and download the correct firmware from http://felixbruns.de/iPod/firmware/.
After the download finishes, shift-click (or command-click) the Restore button on iTunes - it'll open a window so you can select the firmware you want to use, select the downloaded one.

@Andre: So it's easily fixable with software is what you are saying.
It doesn't need to be a hardware encryption at all, software encryption of storage should suffice. Just like about 2000 other App store apps use.

Can you have a fix for a "fix"? I thought you could only have a fix for a problem. Maybe they'll find the solution for the solution. LOL

When the 3GS was launched a lot was said about it offering encryption of its contents - it's even much faster to wipe out a 3GS than a 3G because to achieve that on a 3GS you just have to delete the encryption key, instead of really deleting every bit of data like the 3G has to do. 3G doesn't offer that kind of encryption because it's hardware based and the 3G doesn't have the necessary chip/chips.
If your Exchange admin doesn't want or can't disable encryption for everyone, they can just create a new policy on Organization Configuration / Client Access / Exchange ActiveSync Mailbox Policies unchecking the option "Require encryption on the device" on the Password page - then they have to apply this new policy to everyone who uses ActiveSync on iPhone 3G.
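
The console steps in the comment above, expressed in the Exchange Management Shell as an added example (not part of the original comment or of any vendor script). The policy name and mailbox aliases are hypothetical placeholders; the point is to scope the exception to named mailboxes and keep it auditable while the default policy continues to require encryption.

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2007 SP1).
# The policy name and mailbox aliases below are hypothetical placeholders.
$policyName = "EAS - iPhone 3G exception"
$exceptions = @("alice", "bob")   # constructed sample aliases

# Create a separate policy instead of editing the default one, so the
# encryption requirement stays on for every other ActiveSync device.
# The device password requirement is kept; only encryption is relaxed.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -RequireDeviceEncryption $false

# Assign the relaxed policy only to the listed mailboxes.
foreach ($alias in $exceptions) {
    Set-CASMailbox -Identity $alias -ActiveSyncMailboxPolicy $policyName
}

# Audit: list every mailbox that currently carries the exception, so it
# can be reviewed and revoked once the device is replaced.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncMailboxPolicy -and $_.ActiveSyncMailboxPolicy.Name -eq $policyName } |
    Select-Object Name, ActiveSyncMailboxPolicy
```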

@ Patrick, you dope - read the details.
Apple ARE serious, hence the change.
God, having enough money to buy this shit sure doesn't compensate for the idiots buying it...

Also, the setting for asking for passcode when locked is now maxed at 15 minutes. The previous 1 hour option is gone.

Why do Microsoft users still think you need a chip to encrypt a file?
Software Encrypting is easy, fast, and very secure.
If you need to wipe the device, you can simply erase the key and leave the file (or delete it, your choice).
It does not take hardware chips to do this. It might be faster, but encryption via software drives the net. It's everywhere. I have 5 apps on my 3G with software encrypted data.
Apple need only encrypt the mail storage for exchange accounts (If selected), and then tell the exchange server it is an encrypted device. (Just like they did previously when they were lying about the encryption, but now they wouldn't be lying).

You don't NEED a chip to encrypt anything, but if you have one you can let it do the hard work instead of putting more stress over your already busy main processor.
The iPhone processor is not like a Core 2 Duo sitting most of the time without doing anything on a desktop.
That's the same principle why we have video cards on computers - to let them do the hard work instead of waiting for the main processor to do it.
A lot of web servers that serve SSL encrypted sites also have a special encryption chip to help relieve the stress of the main processor.
Apple chose that path to avoid having a sluggish smartphone that would make users scream.

Just got off of a 45-minute call with iTech. No realistic solutions: buy a 3GS or tell my multi-national corp to turn off their encryption (fat f'ing chance). Thanks for the big FU, Apple. Nice support.

Local store techs and iTech junior techs act as if they haven't even heard of this problem. Supervisors have, but have no answers; just bad options. The spvr tried to convince me that this was all MY fault, because "iPhone was not designed to work that way" even though it did. Supposedly Customer Support is going to call me on Monday to probably blow some iSunshine up my iAss.

Not Exchange-related, but...
Has anybody else noticed that the iPhone 3.1 upgrade has broken their YouTube app?
I bought a 32GB iPhone 3GS yesterday (which, interestingly, had iPhone 2 software installed on it out of the box, but I didn't write down the actual version code) and was able to use the YouTube app over Wi-Fi with no problems while I was busy upgrading iTunes and moving other stuff around. After upgrading it to iPhone 3.1 and my iPod Touch 2G to 3.1.1 (from 3.0) both devices are now getting this annoying "YouTube not available." error message. Every time. Safari and Mail are still working fine, though.
I've seen several mentions on the net that unlocked iPhones get this error, and I bought it unlocked from the Apple Store, but it was working fine before the upgrade and so was my iPod Touch. I've even tried switching it to Airplane mode and turning the WiFi back on, but to no avail.
I know it's not a connectivity issue, because I can watch the requests go through my proxy server:
Sep 13 14:24:17.075 (b51fab90) Request: www.google.com:443/
Sep 13 14:24:21.628 (b51fab90) Request: www.google.com:443/
Sep 13 14:24:24.748 (b51fab90) Request: iphone-wu.apple.com/feeds/api/videos/?q=jcl5m&start-index=1&max-results=25&orderby=relevance&format=2,3

Argh... and ITLAPD isn't until Saturday!
I've solved this, but I don't like the solution and I'm considering undoing it. Something has changed in the HTTP-proxy code in the YouTube app itself. If I turn off the proxy server in Wi-Fi settings the YouTube app starts working again.
I had to punch a hole in my firewall to allow tcp/80 outbound and tcp/443 outbound from something other than my proxy server to test this so it wasn't able to be working yesterday without proxy settings.
Thanks for reducing my security, Apple! :(

Much to my relief, my company chose to make a change in the encryption policy so now I am back with email, etc. Yet for some reason I still fear they will change their minds.

The manual restore to 3.0 for an iPhone 3GS didn't work... any suggestions or things I could have done wrong?

So does anyone know if Apple will provide an update with the 3G adding 'encryption' to it? My company requires it and I would have to go buy a 3GS to get email on my iPhone...

Anybody know if this has been fixed in 3.1.2, or if Apple is even working on a fix? I have a 2g. I was lucky and read about it before I upgraded.

I've been wrestling with this for a few weeks too. Exchange 2007 SP1. Windows Mobile Devices work fine for Direct Push. I also get the "Cannot Get Mail" error and Direct Push mail is spotty. APPLE, PLEASE HELP!

Just upgraded my 3G to 3.1.2 and found out the hard way this issue. Will downgrade to 3.0.1 again :-(

I've got a 3GS on 3.1.2. We're running Exchange 2003 but I cannot sync. I can connect to the server and authenticate, but all I get is an empty Inbox with no other folders - ditto for Contacts and Calendars. In fact, it's exactly the same result as when I tested an iPod Touch 3.1.2 before I got my 3GS this week. Any ideas out there?

I bought my phone a few months ago for business use and NEVER would have bought the iPhone without Microsoft Exchange compatibility. I am furious that after buying this phone earlier this year that the only solution Apple offers is for me to buy a new phone for $200.

I am also lucky that I found out about this before we upgraded our twelve corporate clients on 3G phones from 3.0.1 to 3.1. I'm surprised no one has come up with a fix for this by now as there are still many Exchange 2003 servers out there.


Wow, it seems to be really hard... actually I was trying to update but had to cancel it... So how can I access my Exchange mail with 3G, will I get stuck with it? I was searching for a long but at last I could... because of God's grace I upgraded my 3G from 3.0 to 3.1. With 3.1 I was able to fix the bug that properly didn't enforce the Microsoft Exchange of 2007 which was the reason for all problems in iPhone 2G and 3G.