I was working with one of the security guys at work on a report about the risks of implementing the iPhone in an organisation. There are a number of reasons why IT managers should carefully consider these security risks. A few of these are:
- Policies cannot be controlled at a granular level (compared to Windows Mobile or Blackberry)
- Lack of support for all of Exchange 2007 SP1 device policies (disable camera, disable WiFi, etc)
- Therefore split connections cannot be stopped (for example, connect to a WiFi network while connected to a VPN at the same time)
- Cannot control application exclusivity
- iTunes must be used to install updates.
- Known security vulnerabilities have been discovered and widely publicised.
To combat this, you can run a PowerShell command on your Exchange 2007 CAS box to restrict a user's mailbox to a single allowed DeviceID.
To find all the DeviceIDs (and more) associated with a mailbox, type in:
Get-ActiveSyncDeviceStatistics -mailbox <mailbox name> | fl *device*
You can then take the DeviceID from that output and use it at the end of the following command:
Set-Casmailbox <mailbox> -ActiveSyncAllowedDeviceIds <DeviceID>
I don’t think there’s an easier way to do this at anything beyond a per-user level. Please leave a comment if you know a way (PowerShell script maybe?).
Now, you may notice in the above screenshot that there is a DeviceType listed. Unfortunately, I don’t believe there is a PowerShell command available that allows blocking a device by its DeviceType. The same goes for the DeviceUserAgent.
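Putting the two commands above together across every mailbox, as an added example that is not from the original post: the script below reports each mailbox's ActiveSync partnerships to a CSV and, when run with -Commit, pins each mailbox to the DeviceIDs it currently has. It goes slightly beyond the post by filtering on DeviceType inside the PowerShell pipeline before the allow list is built, which is how a DeviceType restriction can still be applied even though Set-CASMailbox has no parameter for it. The $ApprovedTypes list, the report path and the -Commit switch are assumptions made for this example; Get-Mailbox, Get-ActiveSyncDeviceStatistics -Mailbox and Set-CASMailbox -ActiveSyncAllowedDeviceIDs are standard Exchange 2007 SP1 cmdlets.

```powershell
# Added example (not the original post's code). Run from the Exchange 2007 SP1
# Management Shell on the CAS. $ApprovedTypes, $ReportPath and -Commit are
# assumptions for this example; edit the approved list to match your policy.
param(
    [string[]] $ApprovedTypes = @('iPhone', 'PocketPC', 'SmartPhone'),   # constructed sample list
    [string]   $ReportPath    = '.\ActiveSync-AllowList-Report.csv',
    [switch]   $Commit                                                     # without -Commit: report only
)

$report = @()

foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # Mailboxes with no ActiveSync partnership raise an error here; skip them quietly.
    $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)
    if ($devices.Count -eq 0) { continue }

    # Pipeline-side DeviceType filter: the cmdlet has no DeviceType parameter,
    # so the selection happens here, before the allow list is built.
    $approved = @($devices | Where-Object { $ApprovedTypes -contains $_.DeviceType })

    # One report row per partnership, including the ones that were not approved.
    $report += $devices | Select-Object `
        @{ n = 'Mailbox';  e = { $mbx.Alias } },
        DeviceID, DeviceType, DeviceUserAgent, LastSuccessSync,
        @{ n = 'Approved'; e = { $ApprovedTypes -contains $_.DeviceType } }

    # An empty -ActiveSyncAllowedDeviceIDs means "no restriction", so never write
    # an empty list; a mailbox with only unapproved devices is left for manual review.
    if ($approved.Count -eq 0) {
        Write-Warning "$($mbx.Alias): no approved device types found; mailbox left unchanged"
        continue
    }

    $ids = @($approved | ForEach-Object { $_.DeviceID })
    if ($Commit) {
        Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs $ids
    } else {
        Write-Host "$($mbx.Alias): would allow $($ids -join ', ')"
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

Run it once without -Commit and review the CSV before committing: any partnership marked Approved = False is one you are about to lock out, and the LastSuccessSync column shows which stale DeviceIDs you may not want on the allow list at all. Because the allow list is a snapshot, the script has to be re-run (or the single Set-CASMailbox command above used) whenever a user gets a new device.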
However, if you have an ISA 2006 server, the guys over at You Had Me At EHLO have posted a great article explaining how to block a device based on its User-Agent string.
