Updated 2nd July 2010: Clarified the alphanumeric password description.
Updated 1st July 2010: Added that iPhone supports password expiration.
Updated 27th August 2010: Changed “Enforce password history” since it works (Thanks Hans and Doctor Osos).
There has been a lot of discussion regarding the iPhone and the support for the EAS (Exchange ActiveSync Policies). With the new iPhone OS 4.0 out, I decided to test the policies out in my lab. Please feel free to comment if I got something wrong or if your tests have turned out differently.
In my previous tests, I have noticed that EAS is very picky about versions, so please keep in mind that I tested this on Exchange 2007 (SP1), published through a TMG 2010 behind a Cisco ASA, with iPhone OS 4.0 running on an iPhone 3GS.
- Allow non-provisionable devices – Simply put, if you select this, you don’t care about enforcing the policies on the phone at all. Exchange asks the phone whether it supports the policies; if the phone is old or doesn’t support EAS policies at all, Exchange will let it sync anyway.
- Refresh interval (hours) – How often the mobile phone checks for updates to the policy. The default seems to be “Unlimited”, and the Experts Exchange discussion adds to the confusion. My experience is that the phone checks whether the policy has been updated on every sync.
- Require alphanumeric password & Minimum number of complex characters – Works! A complex character is any character that is not a letter. If you set the minimum to 1, the passcode must contain at least 1; otherwise you get the error message “Enter a strong passcode with 5 or more letters/numbers and one special character (#&!)”. And yes, if you set the policy to 9 characters and 2 complex characters, the iPhone will tell you exactly that!
- Enable password recovery – Doesn’t work. In case the user forgets their passcode, this article explains how password recovery works. However, when I click Display Recovery Password in OWA, I get “No password is available”.
- Require encryption on the device – Works!
- Require encryption on the storage card – Works!
- Allow simple password – Works! This setting enables or disables the ability to use a simple password such as 12345. If a user tries “12345”, they get the error message “The passcode must not have ascending or descending characters”. If they try “11111”, they get “The passcode must not have repeating characters”.
- Number of failed attempts allowed – Works! I haven’t been able to test it live yet, but I can see on the iPhone that auto-erase is switched on after the number of retries I specified in the policy.
- Minimum password length – Works! If they enter a password that is too short, they get “The passcode must be longer”. Note that if the passcode consists of numbers only, the iPhone displays the much bigger numeric keypad, which makes unlocking the device after autolock easier.
- Time without user input before password must be re-entered (in minutes) – Works! But since the iPhone in general doesn’t support more than 5 minutes before autolock, it doesn’t matter if you set it to 10 minutes; the iPhone will use 5 minutes.
- Password expiration (days) – Works! It asks you to renew your password after the number of days you have entered here.
- Enforce password history – Works! If I put it to remember 5 passwords, I can’t re-use any of the last 5 passwords.
Sync Settings tab
- Include past calendar items – Doesn’t work. Even if you set the policy to only allow past two weeks items the iPhone will let the user configure and sync older items, like past 3 months.
- Include past e-mail items – Works! When you set the policy to only allow, for example, the past 3 days, the iPhone GUI doesn’t let you select a sync range older than what the policy says. If you later increase or decrease the value, the iPhone forces the user to the new policy value. But if the user then decides to lower the number of days, that works, and the policy will not force the iPhone back to the policy value.
- Limit message size to (KB) – Doesn’t work. Even though I limit it to 5 kB, it will download and display e-mails that are huge (just text, not including attachments).
- Allow synchronization when roaming – Sorry, haven’t been able to test this yet.
- Allow HTML formatted e-mail – Doesn’t work. It allows HTML mails to be read (with images downloaded if they’re external) without any problem.
- Allow attachments to be downloaded to the device – Doesn’t work. It will let you download attachments no matter what. Also, see below.
- Maximum attachment size (KB) – Partly works (?). If you receive an e-mail with an attachment larger than allowed (in my example I allowed max 250 kB and sent a 1.6 MB PDF file), you will see the attachment, but if you tap it, nothing is downloaded; it simply shows download in progress. But at the bottom of the e-mail there is a button “Download complete message”, and this works. Whether this is an iPhone bug or just my lab environment, I don’t know. If someone can confirm this behavior, please comment!
- Allow removable storage – N/A. I would say there is no removable storage on iPhone.
- Allow camera – Works! It simply removes the Camera icon from the iPhone.
- Allow Wi-Fi – Doesn’t work. Still possible to connect to Wi-Fi networks even though we disable it in the policy.
- Allow infrared – N/A since no infrared device on iPhone.
- Allow Internet sharing from the device – Sorry, haven’t been able to test this yet.
- Allow remote desktop from the device – Since a RDP client is not included in iPhone OS, I hardly think this policy will make any difference.
- Allow synchronization from a desktop – I would guess that this is aimed at Microsoft ActiveSync or the Windows Mobile Device Center. Since iPhone only syncs with iTunes, I don’t think this policy will have any effect. Anyone tried it?
- Allow Bluetooth – Doesn’t work. Even though I disable Bluetooth completely in the policy, it’s still possible to enable it on the phone.
- Allow browser – Works. It simply removes the browser icon from the iPhone.
- Allow consumer mail – Doesn’t work. Even though I disabled this, the Gmail account already configured continued to work, and when adding a new e-mail account you could still add MobileMe, Gmail, Yahoo, AOL and Other accounts.
- Allow unsigned applications – Doesn’t work. I suspect this only works on Windows Mobile, since there’s no such thing as signed apps on iPhone. Maybe Apple signs them when they add them to the App Store, but on the other hand you can’t install apps that are not on the App Store on a default iPhone.
- Allow unsigned installation packages – See above.
- Allowed Applications – See below.
- Blocked Applications – Doesn’t work. I tried adding the names of some apps on the iPhone, but they can still be started.
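As an added example (not from the original post), here is an Exchange 2007 SP1 Exchange Management Shell script that builds one ActiveSync mailbox policy out of the password settings listed above and the Sync Settings tab and device settings listed here, with comments recording which settings the post found iPhone OS 4.0 actually enforces. The policy name “iPhone-Corp”, the mailbox alias “jdoe” and the numeric values are assumptions for illustration; the property names on the last line are as I know them from Exchange 2007 SP1.

```powershell
# Added example, not from the original post. Policy name, mailbox alias and
# values are assumptions. Comments note what the post found iPhone OS 4.0 enforces.
# One Set- call per line keeps trailing comments valid in PowerShell 1.0.
$name = "iPhone-Corp"
New-ActiveSyncMailboxPolicy -Name $name

# General: refuse devices that cannot apply the policy at all, and have
# devices re-check the policy daily (the iPhone re-checks on every sync anyway).
Set-ActiveSyncMailboxPolicy -Identity $name -AllowNonProvisionableDevices $false
Set-ActiveSyncMailboxPolicy -Identity $name -DevicePolicyRefreshInterval "24:00:00"

# Password: all of these were found to work on the iPhone.
Set-ActiveSyncMailboxPolicy -Identity $name -DevicePasswordEnabled $true
Set-ActiveSyncMailboxPolicy -Identity $name -AlphanumericDevicePasswordRequired $true
Set-ActiveSyncMailboxPolicy -Identity $name -MinDevicePasswordLength 9        # "passcode must be longer"
Set-ActiveSyncMailboxPolicy -Identity $name -MinDevicePasswordComplexCharacters 2   # 2 non-letters
Set-ActiveSyncMailboxPolicy -Identity $name -AllowSimpleDevicePassword $false   # blocks 12345 / 11111
Set-ActiveSyncMailboxPolicy -Identity $name -MaxDevicePasswordFailedAttempts 10  # iPhone auto-erase
Set-ActiveSyncMailboxPolicy -Identity $name -MaxInactivityTimeDeviceLock "00:05:00"  # iPhone caps at 5 min
Set-ActiveSyncMailboxPolicy -Identity $name -DevicePasswordExpiration "90.00:00:00"
Set-ActiveSyncMailboxPolicy -Identity $name -DevicePasswordHistory 5
Set-ActiveSyncMailboxPolicy -Identity $name -RequireDeviceEncryption $true
# PasswordRecoveryEnabled is left at its default: OWA never showed a recovery password for the iPhone.

# Sync Settings: only the e-mail age filter was found to be enforced.
Set-ActiveSyncMailboxPolicy -Identity $name -MaxEmailAgeFilter ThreeDays       # works
Set-ActiveSyncMailboxPolicy -Identity $name -MaxCalendarAgeFilter TwoWeeks     # ignored by iPhone
Set-ActiveSyncMailboxPolicy -Identity $name -MaxAttachmentSize "250KB"         # partly: "Download complete message" bypasses it
Set-ActiveSyncMailboxPolicy -Identity $name -MaxEmailBodyTruncationSize 5      # ignored by iPhone
Set-ActiveSyncMailboxPolicy -Identity $name -AllowHTMLEmail $false             # ignored by iPhone
Set-ActiveSyncMailboxPolicy -Identity $name -AttachmentsEnabled $false         # ignored by iPhone

# Device restrictions: camera and browser are enforced (icons removed); the rest are not.
Set-ActiveSyncMailboxPolicy -Identity $name -AllowCamera $false -AllowBrowser $false
Set-ActiveSyncMailboxPolicy -Identity $name -AllowWiFi $false                  # ignored by iPhone
Set-ActiveSyncMailboxPolicy -Identity $name -AllowBluetooth Disable            # ignored by iPhone
Set-ActiveSyncMailboxPolicy -Identity $name -AllowConsumerEmail $false         # ignored by iPhone

# Assign the policy to a mailbox and check what the device reports back about it.
Set-CASMailbox -Identity jdoe -ActiveSyncMailboxPolicy $name
Get-ActiveSyncDeviceStatistics -Mailbox jdoe | Format-List DeviceType, DeviceUserAgent, DevicePolicyApplied, DevicePolicyApplicationStatus
```

Because the iPhone reports the policy as applied even for the settings it ignores, the last line only tells you the policy reached the device; the list above is what decides whether each setting is actually worth relying on.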