6

Considering that the iPhone 3GS and the iPhone 4 (and the latest iPad) all support local device encryption, how do you enforce that only secure devices can connect to your ActiveSync endpoint?

In other words, how do you prevent older iPhones and iPads (that do not support local encryption) from accessing the server, and downloading messages with attachments to unprotected storage?

makerofthings7
  • 50,090
  • 54
  • 250
  • 536

6 Answers

6

Remember that even a device with local encryption may have no passcode lock, and may be backed up via iTunes to an unencrypted volume. If that volume is on a laptop, then it's just as portable and losable.

  • Very true, and the Apple Deployment kit may help deploy this policy. – makerofthings7 Dec 02 '10 at 15:45
  • @makerofthings: not sure it does anything about whether the backup volume is encrypted, though. Of course you may have existing processes to ensure that. –  Dec 02 '10 at 16:07
  • Related: [Protecting phones from USB attacks](http://security.stackexchange.com/questions/7687/protecting-cellphones-from-usb-attacks) – makerofthings7 Sep 29 '11 at 18:58
5

Exchange 2010 / Windows R2

Exchange 2010 includes much of this functionality built-in, and IIS in 2008R2 allows filtering on URLs, similar to the 2003 solution below.

  1. Navigate to OWA via this special URL https://mail.yourcompany.com/ecp/
  2. Click "Phone and Voice"
  3. Create a new "device access rule" and configure it to Quarantine or Allow iPhones.
  4. Note: there is no practical difference between DeviceModel and DeviceFamily.
  5. (Not personally tested yet) In IISManager, open Request Filtering
  6. Scroll right to edit the Query Strings.
  7. Add the appropriate block, according to the URL table below.

Command line junkies can manage devices and default policies as well. As far as I can tell, there is complete feature parity between the ECP and the command line:

Get-ActiveSyncOrganizationSettings | fl UserMailInsert, AdminMailRecipients, DefaultAccessLevel
Set-ActiveSyncOrganizationSettings -UserMailInsert "Your phone has not been approved, contact IT at x443 to enable email access for this phone" -AdminMailRecipients secnotify@company.com

Exchange 2003 / Windows 2003

We installed Mod_Rewrite (an Apache port to IIS) on each of our Exchange 2003/Front End servers to control access.

Here is the ruleset we are planning to put into production; it will block access to these servers based on the User_Agent field. Note: This ruleset is still in testing and may be revised. If you have comments, please add them.

############## RULE 1 ############### 
# 
# Exclude Disallowed Devices 
# 

#Do match and prevent version 4.3.2  (Part 1)
# RewriteCond %{HTTP_USER_AGENT} Apple-iPhone2C1/801.8* [NC,OR] 
# RewriteCond %{HTTP_USER_AGENT} Apple-iPhone3C1/808.8* [NC,OR] 
# RewriteCond %{HTTP_USER_AGENT} Apple-iPad2C3/808.8* [NC,OR] 

#Do match and prevent version 4.3.2  (Part 2)
# RewriteCond %{HTTP_USER_AGENT} Apple-iPhone2C1/801.7* [NC,OR] 
# RewriteCond %{HTTP_USER_AGENT} Apple-iPhone3C1/808.7* [NC,OR] 
# RewriteCond %{HTTP_USER_AGENT} Apple-iPad2C1/808.7* [NC,OR] 
# RewriteCond %{HTTP_USER_AGENT} Apple-iPad1C1/808.7* [NC,OR] 

#Do match and prevent version 4.0  
RewriteCond %{HTTP_USER_AGENT} Apple-iPhone2C1/801.293.* [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} Apple-iPhone3C1/801.293.* [NC,OR] 

#Do match and prevent version 3.13 ,  3.21 , 3.2 
RewriteCond %{HTTP_USER_AGENT} Apple-iPhone2C1/70.* [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} Apple-iPhone3C1/70.* [NC,OR] 

#Do match and prevent iPad version 3.2 (7b367)
RewriteCond %{HTTP_USER_AGENT} Apple-iPad/702.* [NC,OR] 

#Do match and prevent iPad version 3.3X? 
RewriteCond %{HTTP_USER_AGENT} Apple-iPad1C1/702.500.* [NC] 
RewriteRule ^(.*)$ http://www.nfp.com?rule1 [R=301,L] 

############## RULE 2 ############### 
# 
#  Only Permit iPhones and iPads to connect.   
#  If they got this far, then they are not a banned / blacklisted device. 
# 

RewriteCond %{HTTP_USER_AGENT} .*iPhone.* [NC] 
# Do not alter the URL, and let it come through unmodified. 
RewriteRule ^.*$ - [NC,L] 

RewriteCond %{HTTP_USER_AGENT} .*iPad.* [NC] 
# Do not alter the URL, and let it come through unmodified. 
RewriteRule ^.*$ - [NC,L] 

############## RULE 3 ############### 
# 
# Block all other devices,  deny rule 
# 
RewriteRule ^(.*)$ http://www.nfp.com/?rule=3 [L,R=301] 

#Device Reference
#iPhone Simulator == i386
#iPhone == iPhone
#3G iPhone == iPhone1C2
#3GS iPhone == iPhone2C1
#4 iPhone == iPhone3C1
#1st Gen iPod == iPod1C1
#2nd Gen iPod == iPod2C1
#3rd Gen iPod == iPod3C1
#Apple-iPad1C1


# The 1st part of that string is always just "Apple-".
# The 2nd part of the string is DeviceType and is defined just
# like the URL above and is either "iPhone" or "iPad".
# The 3rd part of that string is just a delimiter "/".
# The 4th and final part of that string is the software version formatted in a way that Exchange Servers can digest it.

# Here's an example of creating that 4th part of the string using software build version for iPhone which is 7E18 aka iPhone OS 3.1.3.

# The first number from 7E18 (the 7) will become a "7" in the translated string.
# The first letter from 7E18 (the E) will become a "05" since it is the 5th letter of the English alphabet.
# Then you insert a "." (dot).
# The second number from 7E18 (the 18) will become "18". It will be padded with zeros to be 3 digits.
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
  • 1
    HTTP_USER_AGENT can easily be spoofed. Just keep that in mind :) – Chris Dale Dec 02 '10 at 02:35
  • 1
    True, but I'm happy with 80 to 95% of insecure users being affected. How easy is it to change the useragent within the ActiveSync portion of the iPhone? Must it be jailbroken? – makerofthings7 Dec 02 '10 at 02:57
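A worked version of the User-Agent format and the rule evaluation in the answer above, as an added example that is not part of the original post: it translates a build number the way the answer describes (7E18 becomes 705.018), then applies RULE 1 to RULE 3 to constructed sample User-Agent headers; 8A293 is assumed to be the iOS 4.0 build behind the 801.293 pattern. As Chris Dale's comment points out, this only inspects a client-supplied header, so it is a coarse filter rather than proof that a device encrypts its storage.

```python
import re

# Translation of an iOS build number into the version field of Apple's
# ActiveSync User-Agent, as described in the answer: 7E18 -> "705.018".
def build_to_ua_version(build: str) -> str:
    m = re.fullmatch(r"(\d+)([A-Za-z])(\d+)", build)
    if not m:
        raise ValueError(f"unrecognised build number: {build!r}")
    major, letter, number = m.groups()
    letter_index = ord(letter.upper()) - ord("A") + 1   # E is the 5th letter -> "05"
    return f"{major}{letter_index:02d}.{int(number):03d}"  # build number zero-padded to 3 digits

def make_user_agent(device_type: str, build: str) -> str:
    # "Apple-" + DeviceType + "/" + translated version
    return f"Apple-{device_type}/{build_to_ua_version(build)}"

# The active (uncommented) RewriteCond patterns of RULE 1 and RULE 2.
# mod_rewrite matches them unanchored, and [NC] makes them case-insensitive.
RULE1_BANNED = [
    r"Apple-iPhone2C1/801.293.*", r"Apple-iPhone3C1/801.293.*",  # iOS 4.0
    r"Apple-iPhone2C1/70.*", r"Apple-iPhone3C1/70.*",            # 3.1.3 / 3.2.x
    r"Apple-iPad/702.*",                                          # iPad 3.2
    r"Apple-iPad1C1/702.500.*",
]
RULE2_ALLOWED = [r".*iPhone.*", r".*iPad.*"]

def classify(user_agent: str) -> str:
    """Return which rule fires: 'rule1' (banned build, redirected away),
    'allow' (RULE 2 pass-through) or 'rule3' (everything else denied)."""
    def hits(patterns):
        return any(re.search(p, user_agent, re.IGNORECASE) for p in patterns)
    if hits(RULE1_BANNED):
        return "rule1"
    if hits(RULE2_ALLOWED):
        return "allow"
    return "rule3"

if __name__ == "__main__":
    # Constructed sample requests; 8A293 is assumed to be the iOS 4.0 build.
    samples = [
        make_user_agent("iPhone2C1", "7E18"),   # 3GS on 3.1.3 -> banned
        make_user_agent("iPhone3C1", "8A293"),  # iPhone 4 on 4.0 -> banned
        "Apple-iPhone3C1/801.306",              # constructed later build -> allowed
        "Apple-iPad1C1/702.500",                # iPad -> banned by the last condition
        "Android-SAMSUNG-GT-I9000/100.202",     # constructed non-Apple client -> denied
    ]
    for ua in samples:
        print(f"{ua:40} -> {classify(ua)}")
```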
3

You can use certificate based authentication. If you don't provide a certificate they can't authenticate. Here's one link on it, but it may be different depending on your version of Exchange.

This adds some operational overhead: if you want to support mobile devices, you need to provide and install the certificates. But it will let you choose which devices can and can't connect.

http://technet.microsoft.com/en-us/library/bb430770.aspx

Edit: Adding links on setting up ActiveSync with certificates.

http://www.expta.com/2010/02/how-to-securely-deploy-iphones-with.html

http://images.apple.com/iphone/business/docs/iPhone_Certificates.pdf

Wayne
  • 274
  • 1
  • 3
  • Interesting, do you know if iPhones support this? – makerofthings7 Dec 02 '10 at 03:55
  • Yes, I added the links to the original comment for formatting. – Wayne Dec 02 '10 at 04:04
  • This solution doesn't seem to solve the problem of preventing devices that don't support local encryption, nor does it appear to have a way to require that the "encrypt local data" checkbox is checked on the 3GS and 4 models. I don't think this is a fit for my needs. My goal is to prevent disclosure of data of an offline, stolen, device. – makerofthings7 Dec 02 '10 at 05:39
  • 1
    @makerofthings how so? If a device doesn't have a valid cert it cannot connect to exchange. You decide which devices get certificates. Granted it is a manual process and it would be nice if it were as simple as checking a box on the server, but this solution appears to address the solution as much as the mod_rewrite. I would be interested to know which is technically more difficult: moving a certificate from an authorized device to an unauthorized device or altering the User_Agent field. – sdanelson Dec 03 '10 at 02:01
  • Point taken, but our business model acts as an email hoster for a financial vertical. We are limited to technical solutions for non-domain joined computers. For our business, and method of operation, this is a very ugly way to enforce a policy that works well when compared to the Blackberry. The overhead may make us not support iPhones at all. I think the UserAgent field is encoded within the ActiveSync protocol and is very tough to modify. It should address 98 percent of the users with minimal cost. – makerofthings7 Dec 03 '10 at 02:10
3

You might consider evaluating Good Technology's product? It appears that it might address your concerns and even allow you to securely support a wider range of devices. It would unfortunately add an additional layer of software and increase your cost.

sdanelson
  • 1,267
  • 10
  • 21
  • 1
    We actually do offer Goodlink services, it's pretty (nice) software. However, the way it works with iPhone is different than all other Good client implementations. It's slow, and has usability issues. I spoke to the Goodlink Product Manager and he gave insight into how they are speeding up the product, but it only works well on a 3GS or 4. Ironically this is the same hardware that supports local encryption at no direct cost. In that case, Goodlink is mainly a way to offer 'sandboxed' email access with a fixed management cost per device. On the other hand, it's T&M for the field to do. – makerofthings7 Dec 03 '10 at 05:11
3

In the iPhone enterprise deployment guide, there's a section on Exchange ActiveSync, which mentions the "Require Device Encryption" policy which should prevent non-encrypted iOS devices from connecting to the service.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
1

Codeproof MDM integrates with Exchange Server and provides various rules to block/allow devices with various device properties. You may want to check it out.


Disclosure: I work for Codeproof.

More details added as per the member request:

Codeproof is an easy to use, low-cost, SaaS-based MDM service. Recently we added a new Exchange ActiveSync security feature called "Codeproof SecureSync". We have developed Exchange plugins which communicate with your Codeproof account, where you can set various rules to allow/block devices, such as blocking jailbroken devices, unlocked devices, etc. Some rules require the Codeproof Agent App to be installed on your mobile devices.

Management Console UI: (screenshot: Codeproof SecureSync)

  • The answer to the question is pretty much just a checkbox in new versions of Exchange - seems an MDM would be overkill for a single requirement that comes built-in. – Bob Watson Feb 10 '13 at 05:11
  • Satish, welcome to [security.se]. Can you elaborate on how your product solves the problem better than the built-in functionality, as @BobWatson pointed out? What makes your solution so much better? – AviD Feb 10 '13 at 07:59
  • 1
    (Btw well done on the disclosure. Often we have marketers hawk their product as if it's a third party recommendation. :-) ) – AviD Feb 10 '13 at 07:59
  • @BobWatson - Just so you know, even with the checkbox selected, some ActiveSync ROMs in iPhones (and Android) may not honor or acknowledge the *request* for local encryption, reducing the checkbox to an ineffective visual decoration – makerofthings7 Feb 10 '13 at 08:50
  • @makerofthings7 This is a question about iPhones; so ignoring the Androids - are you talking about jailbroken devices that lie about encryption status? – Bob Watson Feb 10 '13 at 09:58
  • @BobWatson not at all. The ActiveSync protocol is licensed from MSFT and each implementor can implement any or all features. The 4.0 and earlier ROM on various Apple hardware happily ignores the local encryption checkbox. – makerofthings7 Feb 10 '13 at 14:53
  • @makerofthings7 Can you provide a link? – Bob Watson Feb 10 '13 at 21:08
  • @BobWatson no links. Have peer experience and personal experience that made me invent and post the answer using Mod_conf below. This site is perhaps just as reliable or more so than a blog with similar information – makerofthings7 Feb 10 '13 at 23:10