When the iPhone was first launched in June 2007, it was generally panned by IT managers and systems administrators. It didn't support any encryption of user data, could not have any enforced security policies and offered no way to remotely wipe data if it were lost or stolen. At the time, a lot of companies weren't prepared to accept those security gaps. Perhaps more importantly, the iPhone didn't yet support any third-party applications or interact with most office suites.
A lot can change in two and a half years. In 2008 the iPhone gained 3G and GPS support, and the simultaneous iPhone OS 2 update added support for third-party apps and the ability to interact with Exchange servers using Microsoft's ActiveSync technology.
Exchange support allowed security policies for mobile devices to be enforced and allowed the user -- or an administrator -- to remotely wipe all data from the device. Apple also started to allow administrators to pre-configure the iPhone's settings, an initial step toward a managed environment that could increase security and compliance with a company's acceptable-use policies.
The mid-2009 iPhone OS 3 and iPhone 3GS release again bolstered the iPhone's business cred. The iPhone 3GS was the first model to offer hardware encryption. The scheme isn't perfect, and forensic and jailbreaking tools can sometimes get around it, but it is one of the strongest commitments Apple has made for enterprise customers.
And the iPhone OS 3 update added support for a wider range of collaboration tools beyond Exchange. All iPhones can now access CalDAV shared calendars, subscribe to any calendar published using the iCalendar format (which can also be used to schedule meetings across various calendaring apps), and access shared contacts using the relatively new CardDAV standard. That's in addition to its pre-existing support for vCard files and the ability to access LDAP databases for contact information.
More importantly, Apple boosted the device management capabilities available to IT departments to lock down an iPhone using configuration profiles created by the iPhone Configuration Utility. While the original version of this tool (released with the iPhone OS 2 and iPhone 3G in July 2008) was pretty limited, the latest version (released with the iPhone OS 3 update and iPhone 3GS in June 2009) allows admins to define settings and restrictions for many iPhone features. It also means you can limit access to a number of iPhone features such as the camera, the iTunes store and even Safari or YouTube.
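As an added illustration (not part of the original article or of Apple's tooling), the Python sketch below audits an unsigned configuration profile and reports which of the features named above it still leaves enabled. The policy list and the sample profile are constructed for the example; the `allow*` keys are those of the profile format's Restrictions payload.

```python
import plistlib

# Restriction keys the policy wants set to false. They are keys of the
# com.apple.applicationaccess (Restrictions) payload; the policy itself is
# an assumption made for this example.
REQUIRED_DISABLED = ("allowCamera", "allowSafari", "allowYouTube", "allowiTunes")

def restriction_gaps(profile_bytes, required=REQUIRED_DISABLED):
    """Return the required keys that the profile still leaves enabled."""
    # Only plain (unsigned) plist profiles are handled here.
    profile = plistlib.loads(profile_bytes)
    effective = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, value in payload.items():
            if key.startswith("allow"):
                # Assumption: with several restriction payloads, a feature
                # counts as disabled if any one of them disables it.
                effective[key] = effective.get(key, True) and bool(value)
    # A key missing from the profile leaves the feature at its default: allowed.
    return [key for key in required if effective.get(key, True)]

# Constructed sample: disables the camera and YouTube, leaves iTunes explicitly
# enabled, and never mentions Safari.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.profile",
    "PayloadDisplayName": "Example restrictions (constructed)",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example-ssid"},
        {"PayloadType": "com.apple.applicationaccess",
         "allowCamera": False, "allowYouTube": False, "allowiTunes": True},
    ],
})

# Constructed profile with no restrictions payload at all.
EMPTY_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": []})

if __name__ == "__main__":
    print(restriction_gaps(SAMPLE_PROFILE))
```

A check like this catches the common gap where a restriction is simply omitted from the profile rather than explicitly set, which leaves the feature at its default.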
At the same time, the ever-expanding array of apps for the iPhone provides serious business tools, including several fully functional office suites, for both general workplace functions and specific niches in a variety of industries. The result isn't surprising: A growing number of workers want to use these apps -- and the iPhone itself -- as a mobile device for many different tasks.
Is this enough for IT?
With that brief iPhone history lesson out of the way, the question remains: Is the iPhone at last ready for business or enterprise adoption? Even if admins say no, you face another question: Can you effectively ban the use of the iPhone in your environment?
The first question you should consider: Does the iPhone measure up to your standards for device and data security? The answer really depends on your environment and industry. If you work in health care, the answer is probably no, because of HIPAA concerns. If you work with various state or federal government agencies, you may also find that the iPhone doesn't meet compliance standards. If those types of regulatory issues aren't a problem, you still need to consider the kind of data employees might store on an iPhone and how that might involve any existing security policies.
Even if you initially find the iPhone's security lacking, there are some solutions to consider. Depending on the type of work and data involved, you can use a thin client or Web-based approach to allow users access to data. With this approach, very little, if any, company or client data gets stored on the iPhone. Thin-client applications, including Citrix's Receiver apps, generally encrypt all data accessed by any thin client, including the iPhone. If you use a Web-based approach, you can secure the connection with SSL, a VPN or the new Mobile Access Server feature that Apple includes with Snow Leopard Server.
Other options are available, as many enterprise software providers have already developed iPhone apps that securely integrate with their offerings. This group includes Cisco, Oracle, Salesforce.com, IBM, Marketcircle, and a range of solutions for accessing the collaboration tools offered by 37signals, including the popular Basecamp.
The trickier question is this: Can you effectively ban the iPhone? Despite any reasons you come up with to justify banning the iPhone, what are you going to do when a high-level manager simply demands one? The iPhone is a stylish device that offers both fun and function, and if the CEO or a senior VP wants an iPhone, you may not be in a position to convince her that she shouldn't have it. Once a handful of top-level managers have iPhones, you'll get a growing chorus of lower-level managers and staff asking why they can't have one, too.
A second likely scenario: An employee is denied an iPhone (or possibly any company-provided smartphone) and decides to get his own personal iPhone for use at work. This surreptitious infiltration is actually a bigger concern than a handful of managers; at least with them you still get to control the configuration and deployment process. If you don't know that workers are using iPhones in your company, you can't secure them at all. You can't even be certain what data might be stored on them.
And since the iPhone is fairly easy for even novice users to set up -- they can sign onto wireless networks, access intranets, and even gain access to an e-mail server -- it's no stretch to imagine that a lone, unauthorized iPhone could seriously compromise confidential data, as well as access to your network and the services running in it.
In other words, simply banning the iPhone doesn't really work. As long as employees have their own personal phones, it can be difficult to mitigate potential compromises. Of course you can draft a policy restricting the use of personal phones in the office, but enforcing that policy is going to be tough. At best, you'll be able to restrict access to internal resources by not allowing the iPhone to connect to your wireless network and by preventing users from syncing their phones to a company-owned computer. (Simply disallowing iTunes is one effective way to prevent syncing.)
Even this may not be effective if employees are allowed to access services from outside your network. Even if you can banish the iPhone from your network, you still can't stop users from entering notes, appointments, or contacts from within your organization onto their iPhones by hand.