Sunday, February 01, 2009

basic iPhone / push email in a secure corporate environment (quick read)

at my job, i've been helping with our company's iPhone rollout and thought i'd post a few notes/tips on how to set up a secure experience.

first off, i'm no network engineer, so i apologize for any discrepancies in the hardware i refer to. i'm the techie on the helpdesk that gets it all rolling. :)

we tried to follow apple's plan of attack (found here, pdf) and here's a quick rundown of what we did.

the biggest concern we had at our company was security. we currently support any blackberry device (BES = a very secure connection to our exchange server, with traffic routed through the firewall) and both Palm and Windows Mobile devices too (running the goodlink client rather than the native activesync connection).

the BES and Goodlink servers let us avoid giving any device direct access to the exchange server, and they give us the security options to enforce a password policy at will and to remote wipe lost/stolen devices. those were our top concerns with iPhone support, the main one being that we would have to open a gaping hole in our firewall to allow direct activesync connections from it, and in turn from any other device. another security problem with the iPhone was that you couldn't use mac address filtering, since it runs on a GSM network: the cellular radio has no mac address visible to us (and a mac address only travels on the local network segment anyway). yes, you have a mac address via wifi and bt, but not so much with 3g/gprs.

remote wiping of activesync devices was added with an update and can now be done via a management console add-in, so that takes care of that.

basically what we had to do was to get an ISA server to allow traffic based on source ip. AT&T has several custom APN plans that come with static ip ranges, and several pricing plans. if you go the route of per-ip charges you are limited to only 30, whereas the custom APN should be unlimited for your company (i believe you even choose your APN name). keep in mind that a source-ip rule only limits who can reach the server; it does not authenticate the device, so the exchange account credentials and the device passcode policy still do the real work.

Device Rollout
as for device setup and rollout, we just have the user go through AT&T and purchase their device; once it's activated, the public ip is assigned and we add a rule to the firewall. also be sure to add the wifi mac address to the rules list so that when they are on wifi they will still get push email (this only helps on your own wifi, since a mac address is not visible past the local segment).

i then create a mobileconfig file using the iPhone configuration utility (which is now a standalone app rather than a web service), configured with the custom APN and the exchange information. you can also set up password policies and even custom applications.

then i set up a temp email account on the device, send an email with the mobileconfig to it, and open the mobileconfig on the iPhone. it will run through configuration (it actually fails to connect initially, since the iPhone processes the APN info last). also, be sure to back up the device prior to opening the mobileconfig: it will wipe all of the contacts and calendar items off the device and replace them with the exchange ones.

occasionally i have to disable the radio and re-enable it to get it to connect.
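what the configuration utility produces is a plain XML plist, so the steps above (custom APN, exchange account, passcode policy, then emailing the file to the device) can be seen end to end in one generated profile. the script below is an added example, not the post's own profile or apple's tool: it builds the three payloads with python's standard plistlib and then audits the result for embedded passwords before the file goes out by email. payload type names and keys follow apple's configuration profile format (the APN payload is the legacy com.apple.apn form of that era, which i am assuming here; check it against an export from your own utility), and every host name, APN name and account value is a placeholder.

```python
"""Build an iPhone configuration profile (.mobileconfig) with an Exchange
ActiveSync account, a carrier APN and a passcode policy, then audit it for
secrets before it gets emailed to a device.

Added example; not the post's profile. Payload types/keys follow Apple's
profile plist format (legacy com.apple.apn assumed); all values are placeholders.
"""
import plistlib
import uuid


def _payload(ptype, identifier, name, description, **keys):
    """Header fields every payload dict carries, plus the payload's own keys."""
    payload = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadDescription": description,
    }
    payload.update(keys)
    return payload


def build_profile(org, prefix, exchange_host, username, email, apn_name,
                  apn_username=None, apn_password=None, exchange_password=None):
    """Return the XML plist bytes of a profile with three payloads.

    exchange_password defaults to None on purpose: an unencrypted profile that
    is emailed or parked on a portal is a readable XML file, and leaving the
    Password key out makes the iPhone prompt the user on first sync instead.
    """
    eas = {"Host": exchange_host, "UserName": username,
           "EmailAddress": email, "SSL": True}  # ActiveSync over HTTPS only
    if exchange_password is not None:
        eas["Password"] = exchange_password

    apn_entry = {"apn": apn_name}  # placeholder APN; carrier supplies the real one
    if apn_username is not None:
        apn_entry["username"] = apn_username
    if apn_password is not None:
        apn_entry["password"] = apn_password

    payloads = [
        _payload("com.apple.eas.account", prefix + ".eas", "Exchange ActiveSync",
                 "Corporate mailbox on " + exchange_host, **eas),
        _payload("com.apple.apn", prefix + ".apn", "Carrier APN",
                 "Custom APN so the device gets a source ip the firewall allows",
                 DefaultsDomain="com.apple.managedCarrier",
                 DefaultsData={"apns": [apn_entry]}),
        _payload("com.apple.mobiledevice.passwordpolicy", prefix + ".passcode",
                 "Passcode policy", "Lock screen requirements",
                 forcePIN=True, allowSimple=False, requireAlphanumeric=False,
                 minLength=6, maxFailedAttempts=10,  # local wipe after 10 bad tries
                 maxInactivity=5),                   # auto-lock after 5 minutes
    ]
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": org + " iPhone profile",
        "PayloadOrganization": org,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def payload_types(profile_bytes):
    """PayloadType of each payload, in profile order."""
    return [p["PayloadType"] for p in plistlib.loads(profile_bytes)["PayloadContent"]]


def password_keys(profile_bytes):
    """Paths of every key named 'password' (any case) anywhere in the profile.

    Run this before emailing the file: anything listed here travels in the
    clear unless the profile itself is encrypted.
    """
    def walk(node, path):
        hits = []
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() == "password":
                    hits.append(path + "/" + key)
                hits.extend(walk(value, path + "/" + key))
        elif isinstance(node, list):
            for i, value in enumerate(node):
                hits.extend(walk(value, "%s[%d]" % (path, i)))
        return hits
    return walk(plistlib.loads(profile_bytes), "")


if __name__ == "__main__":
    data = build_profile("Example Corp", "com.example.iphone", "mail.example.com",
                         "jdoe", "jdoe@example.com", "corp.example.apn",
                         apn_username="apnuser", apn_password="apnsecret")
    with open("corp.mobileconfig", "wb") as f:
        f.write(data)
    print("payloads:", payload_types(data))
    print("cleartext secrets:", password_keys(data))
```

the audit is the part worth keeping: the APN login is carrier-issued and low value, but an exchange password left in the Password key is a mailbox credential sitting in a file in a temp mailbox, so only embed it if the profile itself is encrypted.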

exchange information downloads almost instantly. in contacts you get access to all of your contact lists and to the global address book. calendar works very well. email works really well too, but push does kill your battery.

depending on the user, i will at times suggest using interval-based (fetch) email, since push will have you recharging the phone midday (if you get as much email as i do). if the user needs push, i recommend disabling vibrate notifications for new email, turning down the brightness, and making the screen and phone lock sooner to save all the juice they can. also disable bt and wifi when not in use.

afterwards i go back and remove the temp email account. (you can also set up a portal page on your intranet, have the iPhone connect to it via wifi and download the mobileconfig via safari; i may look into doing this, however such a page would need security added: at minimum https and a login, since the profile carries the exchange server name, account name and APN details, and any password you embed in an unencrypted profile is stored in plain text.)

so far my users are enjoying their devices and are still getting used to the touch keyboard. supporting them so far has been pretty good; most things are fixed by just powering down and back up or disabling the radio and re-enabling it. we'll see how that goes over the long term though.

well, that concludes this quick read.