Thanks Joe. I ran through the iPhone backup files (non-encrypted) and account, email alias, servername... all in clear text. Wasn't able to find the pwd, which I guess is good, this is an eval so we are looking at all potential exposure and attack vectors.
I was expecting more of a WinMo experience with regard to the iPhone once connected via EAS. This makes solutions like Sybase and MobileIron much more attractive for using the iPhone in the Enterprise.

...and Ben, thanks for offering up to have me shot.

Thanks,
JB

From: Joe Pochedley [mailto:joe.poched...@fivesgroup.com]
Sent: Tuesday, September 29, 2009 8:34 AM
To: MS-Exchange Admin Issues
Subject: RE: uuh... iPhone + EAS + wipe + remove partnership = ?

As you surmised, the iTunes sync of the phone backs up all data, including the configuration (with usernames and passwords).

The overriding thought is that if you're wiping the device, it's because the device has been lost or stolen. In that case, the person who finds the device generally doesn't have access to the iTunes backup copy... Even if they did, say because the user's laptop was also stolen, it's a good idea just to leave the remote wipe for the device enabled indefinitely... Then if the unauthorized user ever does try to sync to Exchange again, the phone gets wiped again...

In your case, where you intend to let individuals keep their device, or use a personal device, as you suggested you can either disable Activesync on the account or disable the account... Alternately, simply changing the password on the account would also keep the device from re-syncing... Depending on why the user is now being denied this service (leaving the company, or just not allowed Activesync any longer) would drive how you handled their access restriction...

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Monday, September 28, 2009 7:20 PM
To: MS-Exchange Admin Issues
Subject: RE: uuh... iPhone + EAS + wipe + remove partnership = ?

So scrounging around in the IIS logs I found a few lines from my iPhone with the following:

DeviceType=iPhone&Cmd=Provision&Log=V

So in my ignorance, I'm surmising that the iTunes 'sync' of the phone will maintain the EAS configuration, including credentials.
I'm not familiar with iTunes and didn't expect this behavior... Especially after wipe + device partnership deletion. I was expecting to have to go through the setup wizard again, but the restoration of the device put everything back into place.

Is the only way to prevent it from resyncing with Exchange after a 'sync' with iTunes to disable the EAS feature on the mailbox and/or disable the AD account?

Sorry for the newbish questions. Too used to my BB environments.

Thanks,
JB

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Monday, September 28, 2009 3:39 PM
To: MS-Exchange Admin Issues
Subject: uuh... iPhone + EAS + wipe + remove partnership = ?

iPhone3G running OS 3.1
EX 2007 SP1 RU9

I'm evaluating EAS with WinMo and iPhones... WinMo was a slam dunk, I've used it for years, expected the same outcome as when I did our eval for use with EAS on EX2003SP2 years back.

So going through the same motions on the iPhone... I've tested this and had it happen twice now...

Issue the "Perform a remote wipe to clear mobile device data" cmd, acknowledged, and received according to EMC. About 5 minutes later I remove the mobile device partnership. All actions are successful... iPhone pukes itself back to "Factory" settings.

I go back in to see what the user experience is (we are considering allowing personal devices), so I proceed to restore my photos, music, etc. That completes. I go into the Mail app where I have my corporate account and Gmail account setup. Gmail starts working just fine. For the EAS account, I see a folder list of my mailbox, but no data and I receive the "Cannot sync.." blah blah error. Ok great!

Now I download a few of the apps I had installed and sync them back over. I notice that some of my saved content in those apps reappears and my credentials for Facebook reappear and auto log me in? I never sync'd my apps, this was a fresh download from the App Store post wipe #2.
Click back over to the mail app to see what details of my Corporate EAS account are there... and the dang thing starts syncing. Folders up to date as of 1 min ago? I jump over to the EMC and verify, yep device partnership is established.

How can this be? I'm baffled and really tired, so it could be something blaring oblivious, I hope so, because this isn't a good thing.

The other thing I noticed, post wipe, that the unlock pwd is still using complex requirements from EAS and doesn't revert back to the 4 digit numeric PIN...

The same steps above worked flawlessly on the WinMo.

Anyone see this before? Any help would be much appreciated.

Thanks,
JB
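
Added example, not part of the thread and not code from any poster: a Python check over IIS W3C logs that lists ActiveSync requests the server accepted from a device after its wipe and partnership removal, which is the re-sync the thread describes. The log layout, users, device IDs, timestamps and the function name are constructed for illustration; `User` and `DeviceId` are the usual ActiveSync query parameters alongside the `DeviceType` and `Cmd` seen in the thread.

```python
from datetime import datetime
from urllib.parse import parse_qs

EAS_STEM = "/microsoft-server-activesync"

# Constructed sample in IIS W3C extended format (times are UTC); all values are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
2009-09-28 21:58:10 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl0001&DeviceType=iPhone&Cmd=Sync jdoe 200
2009-09-28 22:41:03 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl0001&DeviceType=iPhone&Cmd=Provision&Log=V jdoe 200
2009-09-28 22:41:09 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl0001&DeviceType=iPhone&Cmd=FolderSync jdoe 200
2009-09-28 22:45:30 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=WM0002&DeviceType=PocketPC&Cmd=Sync asmith 200
2009-09-28 22:50:00 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl0001&DeviceType=iPhone&Cmd=Sync jdoe 401
"""


def resyncs_after_wipe(log_text, wiped):
    """Return (time, user, device_id, cmd) for accepted EAS requests after a wipe.

    wiped maps DeviceId -> datetime (UTC) when the wipe/partnership removal completed.
    """
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != EAS_STEM:
            continue
        raw = parse_qs(row.get("cs-uri-query", ""))
        query = {key.lower(): values[0] for key, values in raw.items()}
        device = query.get("deviceid")
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        accepted = row.get("sc-status", "").startswith("2")
        # A 2xx after the wipe time means the server took the device back.
        if device in wiped and when > wiped[device] and accepted:
            hits.append((when, query.get("user"), device, query.get("cmd")))
    return hits


if __name__ == "__main__":
    wiped = {"Appl0001": datetime(2009, 9, 28, 22, 5, 0)}
    for when, user, device, cmd in resyncs_after_wipe(SAMPLE_LOG, wiped):
        print(f"{when} {user} {device} {cmd}: accepted after wipe")
```

The 401 line is left out on purpose: a rejected request after a password change or after ActiveSync is disabled on the mailbox is the outcome Joe's suggestions aim for.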