Viewing 20 posts - 1 through 20 (of 20 total)
  • iphone – push email setup
  • enfht
    Free Member

    Hi, I'm already familiar with implementing push email on various platforms but a user has now plonked an iphone on my desk and asked if it can be connected to our Exchange FE (the server already syncs to WM5 and WM6 devices). I have the relevant documentation but I can't seem to find a definitive answer on how to copy our SSL certificate chain onto the user's iphone (Startcom are our CA). I don't want to create a config profile if avoidable.

    Can I browse to the iphone and copy the certs onto it locally, then click the certs to self-install (like Windows allows)?

    Can't be arsed to spend time on this and thought someone on STW may already have the answer

    Cheers

    clubber
    Free Member

    Just get the email set up and set it to check every 15 mins – IIRC that's the best you can do with it.

    allthegear
    Free Member

    We use push email from exchange at work – emails generally hit my iPhone before they hit my Outlook. If you are doing dozens, download the profile generator but for one-offs, just add a new email account and type in the details – it's really easy.

    You'll need to be on at least exchange 2005 – later service packs.

    simon_g
    Full Member

    I believe it's possible with the enterprise config utility.

    Or spend some money on a certificate from one of the big CAs that are on the trusted list in the first place and avoid all this faffing about to get your cheapo one to work.

    GrahamS
    Full Member
    enfht
    Free Member

    And apple are meant to make things simpler than MS….

    Why re-invent the wheel ffs, oh hang on that must be the i-wheel 🙄

    If anyone has a definitive answer on whether I can just copy the cert across and click the cert to install, like it should be, please let me know 😮

    GrahamS
    Full Member

    Not done anything like this myself but the iPhone Configuration Utility certainly has bits on it for mail certificates and importing certificates, I would have thought that was your man.

    I'm pretty sure you can't just browse onto the phone and install them. Browsing only shows the photos and shared data objects.

    CountZero
    Full Member

    Doing things on the iPhone generally are simple; it's when you have to deal with MS's shonky software that you have problems.

    shoei
    Free Member

    Never had any problem getting my iphone to talk to our exchange server regards push mail.
    Just pointed it at the OWA url, put in username and password and et voila.
    Our SSL cert was a cheap one, not a Verisign but works a treat. Got the complete set, iPhone, Android phone, Windows Mobile and a Palm Pre all getting push mail from the exchange server.

    samuri
    Free Member

    Doing things on the iPhone generally are simple; it's when you have to deal with MS's shonky software that you have problems.

    Apart from the fact that the OP is trying to install certificates on the iphone which is a standard generic process that pretty much all web aware devices should be able to do and absolutely nothing to do with microsoft.

    As far as doing this goes, the OWA route described above seems to work for those that I know that have tried it. Do you have OWA set up?

    From my perspective I would tell them to stick it to be honest. A standard iphone has bog all security on it. Once it's talking to your mail servers it's an open link into your internal mail and if it gets stolen then ask yourself what you're going to do about it. It's not like a blackberry where you can control it remotely. Do a bit of research, there are vendors out there who provide software to allow secure emails via iphones, the american military even use them but as a standard email client they're gash.

    GrahamS
    Full Member

    A standard iphone has bog all security on it. Once it's talking to your mail servers it's an open link into your internal mail and if it gets stolen then ask yourself what you're going to do about it. It's not like a blackberry where you can control it remotely

    Standard iPhone allows a 4-digit pin to be set and I think that MobileMe allows you to track the location of lost iPhones, send messages to them, remotely lock them and remotely wipe them.

    samuri
    Free Member

    But you have no way of enforcing the massively strong 4 digit pin and MobileMe is not standard.

    GrahamS
    Full Member

    Can't you enforce the PIN as policy using the Configuration tool?

    Deploying iPhone across an enterprise is easy with configuration profiles. Establish corporate passcode policies and settings with configuration profiles created and distributed via USB or over the air. With configuration profiles, you can remotely configure your company’s VPN, email, and wireless network settings, ensuring that each iPhone is secure and ready for business.

    Configuration profiles also make it easy to install device restrictions and certificates on iPhone for authentication to Cisco IPSec VPN servers, 802.1x-based wireless networks, Exchange Servers, and other corporate services. For users, installing a configuration profile is as easy as tapping a secure web link or receiving an email with the configuration profile attached. Configuration profiles can be signed and encrypted — and once installed, individual users can be restricted from removing these profiles from their iPhones.

    http://www.apple.com/iphone/business/integration/

    And yeah, MobileMe is an extra, but then so is a Blackberry server.

    pushbikerider
    Free Member

    I feel your pain enfht having been in a similar situation to yourself.

    Thankfully it's a bit more simple on an iPhone – you don't need to install the cert first before it will connect like the Windows phones. Just set the connection up following the prompts on the phone with your owa address etc. it'll give an error about the cert not being approved but you can just say OK/ignore and it should connect up fine.

    (From memory – you can just send certs to the phone in an email and install them like you would on a Windows phone, although you don't need to).

    samuri
    Free Member

    Can't you enforce the PIN as policy using the Configuration tool?

    I believe, and I'm now quoting hearsay because I'm not directly involved in the project, that it is not beyond an average techie to frig the configuration profiles. Admittedly since most users who get the opportunity to use an iphone in an enterprise environment for the foreseeable future will tell people what to do rather than doing stuff, the chances of this from an internal user are fairly slim but a stolen device could be compromised reasonably easily.

    And yeah, MobileMe is an extra, but then so is a Blackberry server.

    Indeed and I'm not saying it's impossible to make them secure-ish, just that additional infrastructure is going to be required to do so. We're doing precisely this at the moment because of the pressure being brought to make it so from on high. It will be a very restrictive list of people who will be granted the ability.

    GrahamS
    Full Member

    Yeah I'm probably straying into your territory here samuri, as I don't do the IT side of things so I'm only going from what I've read in tech press about iPhone corporate security, rather than first-hand reality (which as you know often differs!)

    simon_g
    Full Member

    Config profiles aside, all iPhones support the policies around PIN/password enforcement, complexity, inactivity time, and remote wipe – as does any other phone which supports the EAS 2.5 spec (Nokia, SE, Palm, others). The 3GS supports device encryption so if you require that and disallow non-provisionable devices, the 3GS will be fine but others won't. Allow non-provisionable devices and anything that can encrypt will, if it can't then it won't but will still connect. Depends on the need – winmo 6.0 and prior won't do it either.

    As with any EAS device (winmo or not), if it doesn't comply with the policy, it's not getting access to the mailbox.

    The amount of misinformation I come across about this is staggering – most of it dating from about 2008 before EAS support was added and it was IMAP or nothing for iPhones. Config profiles are there to add more information about where/what to connect to (corp wifi networks and VPNs, for instance) or restrict functionality (like stopping people downloading stuff from the app store). As far as Exchange is concerned though, it's just another EAS device.
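
An added example, not part of the thread: a small audit of the EAS policy settings discussed above (non-provisionable devices, PIN, encryption, wipe after failed attempts, inactivity lock). It assumes the property names returned by `Get-ActiveSyncMailboxPolicy` on Exchange 2007/2010; the function name `Test-EasPolicy` and the two sample policies are constructed for illustration.

```powershell
# Added example: flag weak ActiveSync mailbox policy settings.
# Property names are assumed to match Get-ActiveSyncMailboxPolicy output.
function Test-EasPolicy {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Policy
    )
    process {
        $findings = @()
        if ($Policy.AllowNonProvisionableDevices) {
            $findings += 'devices that cannot apply the policy may still sync'
        }
        if (-not $Policy.DevicePasswordEnabled) {
            $findings += 'no device PIN/password required'
        } elseif ($Policy.MinDevicePasswordLength -lt 4) {
            $findings += 'minimum PIN length below 4'
        }
        if (-not $Policy.RequireDeviceEncryption) {
            $findings += 'device encryption not required'
        }
        # Unlimited values are compared as strings (assumed to render as 'Unlimited').
        if ("$($Policy.MaxDevicePasswordFailedAttempts)" -eq 'Unlimited') {
            $findings += 'no wipe after repeated failed PIN attempts'
        }
        if ("$($Policy.MaxInactivityTimeDeviceLock)" -eq 'Unlimited') {
            $findings += 'no inactivity lock'
        }
        New-Object PSObject -Property @{
            Name      = $Policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Constructed sample policies so the function runs without an Exchange server.
$samplePolicies = @(
    New-Object PSObject -Property @{
        Name = 'Lenient (constructed)'; AllowNonProvisionableDevices = $true
        DevicePasswordEnabled = $false; MinDevicePasswordLength = $null
        RequireDeviceEncryption = $false
        MaxDevicePasswordFailedAttempts = 'Unlimited'; MaxInactivityTimeDeviceLock = 'Unlimited'
    }
    New-Object PSObject -Property @{
        Name = 'Strict (constructed)'; AllowNonProvisionableDevices = $false
        DevicePasswordEnabled = $true; MinDevicePasswordLength = 4
        RequireDeviceEncryption = $true
        MaxDevicePasswordFailedAttempts = 3; MaxInactivityTimeDeviceLock = '00:05:00'
    }
)
$samplePolicies | Test-EasPolicy | Format-List Name, Compliant, Findings
```

In the Exchange Management Shell the same check would be fed with `Get-ActiveSyncMailboxPolicy | Test-EasPolicy`.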

    GrahamS
    Full Member

    Cheers simon_g.

    Gotta love STW.. irregardless of the topic, sooner or later an expert will appear.

    enfht
    Free Member

    Thanks guys. The device had the Startcom CA cert pre-installed so our SSL was recognised without any problems, I didn't need the policy config tool after all. I would have had issues had the CA cert not been preinstalled as the policy config only wanted to use personal certs and couldn't see our server certs (didn't spend a whole lot of time investigating this though..)

    Apart from the fact that the OP is trying to install certificates on the iphone which is a standard generic process that pretty much all web aware devices should be able to do and absolutely nothing to do with microsoft

    correct 😆

    Samuri we do have a degree of policy enforcement, not as granular as Exchange2008 but remote wipe after 3 invalid attempts etc will still work on the 3G iphone which is enough for now until we upgrade Exchange later on this year, and all traffic is encrypted via the SSL.

    Cheers guys

    samuri
    Free Member

    And a happy ending. Splendid.

The topic ‘iphone – push email setup’ is closed to new replies.