Underneath the glitz and glamour of the iPhone 4 lies a remarkably capable business device. In four short hardware releases it's gone from being a high-end feature phone to a smartphone with support for remote policy enforcement and hardware encryption of your device data. It may not have all the security features that RIM packs into its BlackBerry devices, but there's more than enough for most business needs.
The two biggest improvements are a new set of tools for handling device encryption and support for multiple Exchange accounts in the iOS 4 mail application. There's also support for additional device policies, especially around password management.
Data protection is increasingly important for mobile devices, and an effective endpoint security model depends on it. An unprotected phone that is lost can easily reveal sensitive corporate information. That's why iOS 4 has added data protection tools that add application-specific encryption to the iPhone file system. The new features are initially only supported by Apple's own email application, although there is an API for use by third-party developers.
Setting up data protection is as easy as setting up a device passcode. When a user inputs their passcode, the iPhone uses it to create a key used to handle file encryption and decryption. As soon as the phone is locked or shut down the key is automatically erased, so data is protected when it's not likely to be used. iOS 4's data protection tools need hardware support to work, so don't expect them to work on an iPhone 3G. If you're upgrading an iPhone 3GS to iOS 4 you'll need to do a full system restore in order to enable the new file system, reinstalling applications and data from a backup.
While data protection is a useful tool, not every user will have it enabled by default. That's where iOS 4's policy support comes in, allowing IT professionals to set security policies for all managed iOS devices. If you're delivering mail by Exchange ActiveSync, you can use Exchange's device management features to set policies, using specific policies for different users or groups. Alternatively you can use Apple's own device management tool, which creates XML policy files that can then be delivered to users by email or over a direct connection. The latest version of the iPhone Configuration Utility supports iOS 4 devices, and you can use it to set the password policies needed to implement iOS 4's data protection features.
There are other password management features worth investigating if you're deploying iOS 4 devices. As well as forcing alphanumeric passwords (rather than the default four-digit passcodes) and setting the maximum age of a password, you can set a minimum password length and a minimum number of complex characters. This should mean your users have the strongest passwords possible. You can also lock down the device still further by setting a limit on the number of failed password attempts: if someone repeatedly tries to access the device and fails to give the correct password, the device will be erased automatically once that limit is reached.
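An added example (not from the article or from Apple's tooling): a Python check that reads an XML configuration profile of the kind the iPhone Configuration Utility exports and reports which of the passcode settings described above are missing or too weak. The sample profile and the baseline thresholds are constructed assumptions; the key names are those of Apple's passcode policy payload.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample profile (not from the article). It forces an alphanumeric
# passcode but leaves the length short and sets no failed-attempt limit.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>requireAlphanumeric</key><true/>
    <key>minLength</key><integer>4</integer>
    <key>maxPINAgeInDays</key><integer>90</integer>
  </dict></array>
</dict></plist>"""

# Assumed baseline for illustration; substitute the values your policy requires.
BASELINE = {
    "forcePIN": lambda v: v is True,
    "requireAlphanumeric": lambda v: v is True,
    "minLength": lambda v: isinstance(v, int) and v >= 8,
    "minComplexChars": lambda v: isinstance(v, int) and v >= 1,
    "maxPINAgeInDays": lambda v: isinstance(v, int) and 0 < v <= 90,
    "maxFailedAttempts": lambda v: isinstance(v, int) and 0 < v <= 10,
}


def audit_passcode_policy(profile_bytes):
    """Return a sorted list of baseline keys that are missing or too weak."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload"]
    policy = payloads[0]  # only the first passcode payload is audited
    return sorted(k for k, ok in BASELINE.items()
                  if k not in policy or not ok(policy[k]))


if __name__ == "__main__":
    print(audit_passcode_policy(SAMPLE_PROFILE))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can parse it.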
iPhones have had Exchange ActiveSync support since what we can now call 'iOS 2'. It's been one of the better implementations of EAS, with full support for messages, contacts and calendars (something that's only just made it into Android). iOS 4 adds more support for EAS profiles, so you can use Exchange to push basic device profiles to phones – including disabling the device camera and preventing web browsing.
The biggest change is support for additional EAS profiles. This allows you to use the new unified inbox to bring more than one Exchange account to a device. Setting up an additional Exchange account is easy enough – you can use the desktop configuration tools to create an appropriate profile, or use the on-phone account tools.
Here's our quick step-by-step guide to adding more Exchange accounts to an iPhone running iOS 4.
Start by clicking on Exchange when setting up an additional email account.
Then fill in the appropriate account information: username, password and domain.
You may be asked for the fully qualified domain name of the mail server, and to accept any self-issued certificates. You'll also be able to choose to sync mail, contacts and calendar – we'd recommend just mail for any secondary account (unless you're synchronising team calendar and contacts).
Once the first sync has started you'll be able to manage just how mail is handled by your iPhone, using the same tools as in earlier versions of iOS.
The new account can be accessed from the mailbox management screen, where you can choose to look at mailboxes separately or using iOS 4's new unified inbox view.
That's all there is to it! You'll receive mail as it arrives on the server, and will be able to use all iOS 4 search and mailbox management features on any additional Exchange mailboxes.