Friday 1 October 2010

ActiveSync and email on iPhones (and other ActiveSync devices)

Recently I’ve been asked a lot about ActiveSync for iPhones, and I always try to highlight the security implications of it.

I have spoken with a number of people who have ActiveSync running on their Exchange servers, with the server accessible directly from the internet. I’m not a fan of having LAN servers reachable from the internet, but under pressure to deploy the access this is often overlooked, even though the Microsoft IAG and UAG solutions will allow you to reverse proxy the ActiveSync connection, eliminating the need for a direct connection to the Exchange server.

Ensure the handset has some level of encryption on it, as the company can be subject to hefty fines from the ICO if personal data is not encrypted. Apple iPhones have AES 256-bit hardware encryption to protect data at rest. The Nokia E-series handsets that I have investigated have encryption for both device and storage memory.

As this only protects data at rest, ensure there is at least a password on the device, or there is no point having the encryption. A password can be enforced on the device, and comprehensive password policies created, from the Exchange server.

What if the handset is stolen? The mobile device can be remotely wiped, and a wipe can also be enforced if there are too many failed attempts to log on to the device.

The only concern is the number of requests for this access on personal iPhones, which is a worry from a data leakage perspective. A number of places have said they will enforce password policies and reserve the right to remote wipe the device when required, and make their employees agree to this. Personally, I am not a fan of this and would rather be working with corporate devices, where as a business you have more “rights” over your hardware.
From a technical perspective, you will need to do the following:
  • Ensure ActiveSync is configured and running on the Exchange server, with the relevant password, encryption and wipe policies. Assign access to the users who should have it, taking care to remove it from everyone else (so they are unable to connect unauthorised or personal mobile devices).
  • Configure an ActiveSync portal on IAG, or create a portal for ActiveSync on UAG.
  • Ensure all the Exchange server settings are entered correctly.
  • Apply a real SSL certificate to the portal, as some mobile devices will not allow you to accept a self-signed SSL certificate.
  • Publish the portal.
  • Test ActiveSync by entering the server name, domain/username and password here:
  • Expect it to fail on the OPTIONS section, but everything else should pass.
  • Configure your device to point to the newly created portal.
  • Allow the device to synchronise and enjoy email on your mobile device!
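The first step above (policies plus default-deny access) and the remote wipe mentioned earlier can be done from the Exchange Management Shell. The following is an added example, not from the original post; it assumes Exchange 2010 cmdlets, and the policy name, group name, mailbox and e-mail address are placeholders to replace with your own.

```powershell
# Added example (not from the original post): Exchange 2010 Management Shell.
# "Corporate-Mobile", "ActiveSync-Approved", "jsmith" and the e-mail address are placeholders.

# 1. Create a policy enforcing a device password, device encryption and a
#    local wipe after too many failed unlock attempts. Devices that cannot
#    enforce the policy (non-provisionable) are refused rather than let in.
New-ActiveSyncMailboxPolicy -Name "Corporate-Mobile" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Default-deny: switch ActiveSync off for every mailbox, then enable it
#    only for members of an approved group and bind them to the policy.
#    Note: the first line also disconnects anyone already using ActiveSync.
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncEnabled $false

Get-DistributionGroupMember "ActiveSync-Approved" |
    Set-CASMailbox -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy "Corporate-Mobile"

# 3. Check: list any mailbox that still has ActiveSync enabled with no policy applied.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 4. Lost or stolen handset: list the user's partnered devices, then wipe the
#    right one by its Identity value. The wipe is queued until the device next
#    connects, so also disable the user's ActiveSync access straight away.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Select-Object DeviceType, DeviceModel, LastSuccessSync, Identity
Clear-ActiveSyncDevice -Identity "<Identity from the list above>" `
    -NotificationEmailAddresses "security@example.com"
Set-CASMailbox "jsmith" -ActiveSyncEnabled $false
```

Re-running step 3 after any change is a quick way to confirm no mailbox has slipped through without a policy.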