Time to Exchange?

Special Thanks to Manveer Wasson for the iPhone Exchange/Corporate VPN Testing and Analysis.

There were several pitfalls to the original iPhone firmware that left businesspeople in the dark: no IPSec support, no WPA2 Enterprise for WiFi, and of course no Microsoft Exchange for email, calendaring and contacts. When Apple announced back in March that version 2.0 of their iPhone firmware would finally add support for the aforementioned business features, we were excited to say the least. Now that the firmware is finally out, we're happy to say that Apple has delivered on its promises. So now all you enterprise guys should ditch your BlackBerries and Blackjacks for iPhones, right? Well, not so fast...

Apple's efforts to cater to enterprise customers are definitely commendable, but they just aren't perfect for all situations. Each piece of the enterprise puzzle works well on its own. From the connectivity perspective, things are working as expected. We were able to connect to a large WPA2 Enterprise network without any issues.

The IPSec VPN, however, is another story. At a company with a strict security policy, you generally will not be able to access any part of the corporate network directly through the internet (and in this case the internet would be the iPhone's 3G or Edge data connection). You would need to establish a VPN connection to your company to allow for secure communication. Configuration is quite simple. Provide your VPN server address, account name, group name and shared secret. Now go back to the Settings screen, turn on your VPN, enter your password, and you're connected! So what's the problem? Well, when we get into the world of IPSec VPN, a typical deployment is to have two-factor authentication for an extra layer of security. This basically means you need to use a special one-time use password (called a token) when authenticating to your VPN. From a computer you will generally run a software-based application to generate this token based on a PIN that you would already know (for example your Domain password).

So what does all that translate to? Well, it means if you want to connect using IPSec VPN on your iPhone, you'll have to generate that token from your computer. That token will also have to be generated each time you want to connect to the VPN. This pretty much defeats the purpose of being able to VPN to your corporate network from the iPhone, since you probably won't have your computer with you (or won't want to fire it up) to generate a token. This really isn't Apple's fault, but a lot of planning needs to be done on the IT side of your company before you can connect seamlessly over IPSec VPN with your iPhone. One way to remedy the problem would be for the 3rd party authentication companies to create iPhone apps that can act as software token generators. That way you can maintain the security of the two-factor authentication system without having to rely on another device to create a token. Another issue we found during testing is that after locking your phone, the VPN connection is terminated. In order to re-establish the connection, a new token must be generated. Again, not really a flaw with the iPhone, but another example of the business experience working not-so-seamlessly.

If your IT guys are nice they may have already created a Device Configuration to do your iPhone configuration for you. Device Configuration is basically an XML script generated by the iPhone Configuration Utility that can automate typically tedious configuration tasks such as Exchange, wireless, VPN, and email settings.

In order to install the script, you simply need to browse to it from your iPhone in Safari, or open it as an email attachment. After opening the script, the user needs to click Install and they're good to go.

The last, and biggest, new business feature for the iPhone 2.0 is its support for Exchange ActiveSync. You can finally connect to your corporate Exchange servers for email, calendar, and contact syncing. Setup is again pretty straightforward. Provide your corporate email address, username, password, and the iPhone will verify your credentials. You will then be able to enter the Exchange server address. One minor issue to note here is that you are forced to enable the passcode lock. This means whenever you want to unlock your phone, you'll have to enter the PIN. Although from a security standpoint this makes sense (if you lose your phone or if it gets stolen nobody can read the corporate email), it would be nice to at least have the option to disable it.

Now you can select which items you want to sync with Exchange: Mail, Contacts or Calendars.

Possibly the biggest flaw in Apple's Exchange integration comes into the picture when you want to sync your contacts or calendars. All of your existing contacts and calendars will be deleted if you want to sync with Exchange. If you currently sync your contacts using another method, you'll have to sacrifice that in order to use Exchange. There is no option to create a secondary contact list or calendar. It's either all or nothing folks. Hopefully Apple (or a clever 3rd party developer) will smarten up and add support for syncing multiple calendars and contact lists. Personally we like keeping our private and professional lives separate to some extent so for now we're leaving contact syncing off.

For the most part the syncing functionality worked flawlessly. Changes made on the iPhone were quickly synced to Outlook and vice versa. However the usability of having all your corporate info on your iPhone leaves much to be desired. You still cannot search or sort email on your iPhone (though you can search contacts now). Only your Inbox will have email "pushed" to it. All other subfolders have to be manually synchronized (this is done by browsing to the folder). PowerPoint attachments do show up quite nicely in Mail when they decide to work. However we should note that some slides were getting cut off from the bottom or slides with complex graphics were rendered incorrectly. On the calendaring side, you cannot create a meeting invitation but you can respond to them with either an accept, deny, or "maybe". In addition, there is no "week" view for the calendar; only list, day and month. One feature we did like is calendar invites pop up as they are received prompting you to view the details or close the notification.

Apple has definitely taken big strides in appealing to the enterprise customer with the iPhone 3G. For the business user looking to connect to your corporate network and occasionally browse through your emails, this update will be more than sufficient. Having all my corporate meetings sync'd to the iPhone's calendar is also very handy. However there are sacrifices you'll have to make for this functionality. Choosing between personal and Exchange contacts and calendaring is a tough choice to make. For the corporate power users tethered to their BlackBerries, you'll want to stick with the two-phone solution.


  • buckdutter - Friday, August 22, 2008

    AT&T's coverage could indeed be better, but then again they are still rebuilding from when they decided to switch from TDMA to GSM, instead of following the natural path to CDMA, which Verizon, Sprint, and Alltel (soon to be Verizon) use, as well as many more localized carriers. The problem with CDMA is that it is going nowhere. The majority of the world is GSM, and CDMA is becoming more and more marginalized, in fact in the next 4 or 5 years CDMA will be practically phased out in the US. Verizon (and Alltel) will be switching to LTE, a GSM based technology which will be a rough transition - either resulting in sacrificed coverage, or more expensive devices (like Verizon's expensive "world edition phones") that will run on both their networks. Either way, they will be doing what AT&T (Cingular, whatever) did 4 or 5 years ago, and much later in the game.

    Meanwhile AT&T will make a natural transition from their 3G, which is in all fairness not nearly as widespread as EVDO at the moment, to LTE. Sprint will be going WiMax. Not one major carrier in the US or abroad has made a commitment to the future of CDMA. Verizon has held on to EVDO as long as it could, and has prolonged having to switch, but they are beginning to hit the limitations of EVDO, meanwhile 3G is just getting started, with AT&T planning to follow suit of carriers abroad and boost the speeds to around 20mbps in mid-2009. EVDO will be topping out around 3.2 at most, if even that.

    While having used all the services I strongly disagree with saying that Sprint or T-Mobile even come close to AT&T for coverage, it is largely regional subjective, and is really not fair to work in experiences in one localized area into the review for the phone. Like them or hate them, AT&T recognized early that GSM was the roadmap to go. Like it or hate it, blame Verizon for delaying the inevitable for so long...it makes no sense for Apple to make a CDMA phone when it is so limited in implementation globally. Because of that decision they are the most widespread GSM provider in the US (the US was a little late in getting into the GSM game).

    In the end, AT&T may have a lot of ground to cover, but we should be excited that at least one U.S. carrier took the leap and is building out a GSM network in the states, even though it meant making the sacrifice of less coverage in rural areas as they build the new network out. It will be interesting to see how Verizon copes with having to change over.
  • Hrel - Tuesday, August 12, 2008

    Over 2 years the new iPhone plan costs an extra 60 bucks, but the upfront cost is 300 dollars less. The iPhone 3G is less expensive in every way; even with the incremental increase in contract cost. I'm confused that I need to point this out considering you say it in your article then contradict yourself by saying the old plan and phone was less expensive. Total cost over two years the new one is 240 dollars less.
  • maxnix - Thursday, July 31, 2008

    With no user replaceable battery, it is a toy, not a reliable business device.

    It seems to me that 90% of the users I see are fiddling about on it with their fingers and not even 10% use Bluetooth. Are there still no voice driven commands? That's how I use my phone.

    Seems like a great device for someone who wants to make calls on their iPod when they are not listening to a lossy audio source.

    Jobs is the new PT Barnum in that he fully exploits the "A sucker's born every minute..." credo. The world is full of lemmings.
  • maxnix - Thursday, July 31, 2008

    Welcome fanboys to AT&T's limited 3G. The rest of the world has been there for 5 years.
  • steveyballmer - Wednesday, July 23, 2008

    Sprint or whoever has released the perfect smart phone! It's based on Windows Mobile and is beautiful to behold!
    There is nothing else anything like it! The Instinct!

    The ZunePhone has suffered a few setbacks so this will have to do until we work out the bugs. Buy it! Don't be deceived by that imitation iPhumb.

  • Lezmaka - Monday, July 21, 2008

    I think there's a fairly obvious (to me anyway) reason why the talk time measured is almost half the time the specs state, beyond the best case scenario stuff.

    In most conversations, there's a significant amount of dead air. Even if it's only 1/10 - 1/4 of a second at a time, over the course of several hours, that will add up. But with most music, there's almost no dead air. Even when the person isn't saying something, there's at least some sound being generated. Detecting that dead air and not transmitting would probably be the best for battery life, but even if it continually transmits, the compression would reduce the amount of data transmitted to almost nothing.

    I would guess that choosing an audio source that more closely matches an actual conversation would provide a somewhat more accurate test result. But I'm not an expert, so what the hell do I know?
  • Giacomo - Monday, July 21, 2008

    Ehm... No man, there's no way this could influence battery life. No matter how intense is the information in the call, most of the energy drain is due to the "line" itself... Keeping the full-duplex conversation online.

    Everything else left to the battery is the loudspeaker consumption... But it's a ridiculous amount, you won't be able to measure its impact.

  • donhoffman - Tuesday, July 29, 2008

    Actually the original commenter on this was correct. This is a time-honored technique for getting more battery life out of cell phones. Channel allocation for voice calls is done at call setup. A continuous data stream is not needed to keep up the "line". If either end of the call has nothing to send, it does not need to transmit, saving significant power. The technique used in this article probably does underestimate the battery life. Not by 100%, but maybe 20-30%. Transmit power is much larger than audio power. That is why you get 24 hours listening to music on the iPod side, but only 5 or so hours doing cellular phone calls.

  • nichomach - Sunday, July 20, 2008

    Not wishing to get into whether the new iPhone is all that, I'd note that the enforced PIN code when using Exchange is usually a policy setting defined in Exchange, and there's a choice about enabling it. That choice'll be made by your Exchange admin(s). If they enable it - personally, I do - then I'd expect it to be enforced on any device that claims to support Activesync. One of my arguments with Nokia's Mail for Exchange client, for instance, is that it doesn't (or didn't) properly support policies like that; that the iPhone does makes it a viable choice if I end up with a director demanding one. If you're using your phone in a corporate environment, then you may be sending and receiving confidential stuff. Enforcing a PIN and supporting remote wipe properly is the sine qua non as far as I'm concerned.
  • Schugy - Sunday, July 20, 2008

    Openmoko will have the best 3rd party support while Nokia and Google (Maemo / Android) have their own resources. But regarding their openness they are evil. The FIC Freerunner is a nice phone but the Openmoko project still has to develop a lot.
    On the other hand I think that an Open Pandora handheld with a USB HSDPA modem (maybe built-in in future revisions) is a lot more usable and even has game controls. Telephony and navigation could be done via a bt headset+voip and gps receiver.

    All the platforms will feature ports of killer apps like pidgin IM, scummvm, evolution e-mail and lots more. Ports of gnash, the GNU flash player, are possible too but I would suggest to get rid of these stupid and annoying banner ad players. A nice stream or download link for mp4-files will make your full featured (fullscreen / post processing filters) mplayer happy.
