Visit Heroix at http://www.heroix.com
Charting Life in the IT Environment

>> Secure iPhones Accessing your Exchange Server

by Dave Atkins on May 29, 2009

I “discovered” a new feature of Microsoft Exchange today as I synced my email and a security policy turned the passcode feature of the iPhone on. Passcode requires you to enter a password every time you access the phone and need to wake it up from having gone to hibernate mode. This is an effective and perhaps wise security feature on the iPhone that also helps deal with the perceived danger of an unmanaged device touching the network, but it is unbearable in practice. I elected to disable my email account.

Unfortunately, disabling the email account is not enough…the passcode remains and must be disabled from the Settings, General menu. Once I realized this, it was a simple matter to turn off. But this is a time-bomb you may wish to anticipate with end users. I can’t imagine anyone would have the patience to live with the passcode enabled. How many times per hour would you be typing that passcode to check your email?

I was curious to provide a link here for IT Admins to manage this security policy, but could find nothing online that gave precise instructions. I did however find tons of information about how to get around this annoying security measure.

At first, I decided not to go there. Hacking around your employer’s security is about the most disrespectful, unethical, and stupid thing I can think of…but it is telling that the solutions are so easy to find online. As my phone kept prompting me for a password at home on a Friday night, I did, in fact, figure out how to jailbreak my phone, install OpenSSH, and ssh into the phone to figure out why I was still being challenged. I thought the policy had installed something on my phone when in fact it simply turned on a native feature.

I have three suggestions for IT admins who know they have clever iPhone users:

  • Communicate - Don’t just “tolerate” users connecting to Exchange with their iPhones. If you allow that–which I think you should–then decide whether or not to enable this security and tell everyone about it. Work out a reasonable timeout period to protect against the lost phone problem but not annoy the people who are checking every beep from a new email.
  • Monitor - I was curious if the Exchange Admin would have any way of knowing whether the policy was being enforced or not. Since it is easy to defeat–by a determined end user–it makes sense to recognize that just deploying the policy with no communication is going to encourage some people to defy authority. Is there a way to detect that?
  • Anticipate - I also discovered the passcode feature can be configured to wipe out the entire contents of your iPhone after a certain number of failed attempts. Awesome. If your employees are controlling nuclear missile launches from their iPhones, or are frequently abducted and held hostage so that criminals can read their emails…go for it. But think long and hard before you deploy a goose egg like that for your iPhone users.
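
For admins who want to act on the three suggestions above, here is an added example (not part of the original post) that reviews the passcode, timeout and wipe settings in each ActiveSync policy and then lists devices whose reported policy status is not fully applied or is stale. It assumes the Exchange Management Shell with Exchange 2010-era cmdlets and property names, and the 30-day threshold is an arbitrary choice; the status shown is what the device reported to the server, so it confirms acknowledgement of the policy, not enforcement on the handset.

```powershell
# Added example: run in the Exchange Management Shell.
# Assumption: Exchange 2010-era cmdlet and property names; they can differ by version.

# 1. Review what each ActiveSync policy actually demands of a device.
Get-ActiveSyncMailboxPolicy |
    Select-Object Name, DevicePasswordEnabled,
                  MaxInactivityTimeDeviceLock,      # idle time before the passcode prompt
                  MaxDevicePasswordFailedAttempts,  # failed attempts before a local wipe
                  AllowNonProvisionableDevices |    # devices that cannot enforce policy
    Format-Table -AutoSize

# 2. Collect every device partnership and the policy status the device last reported.
$staleAfter = (Get-Date).AddDays(-30)   # assumed threshold; tune to your environment

$report = Get-CASMailbox -ResultSize Unlimited `
        -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $mailbox = $_   # keep a reference; $_ is rebound inside Select-Object
        Get-ActiveSyncDeviceStatistics -Mailbox $mailbox.Identity |
            Select-Object @{ n = 'Mailbox'; e = { $mailbox.Name } },
                          DeviceType, DeviceUserAgent, LastSuccessSync,
                          DevicePolicyApplied, DevicePolicyApplicationStatus,
                          LastPolicyUpdateTime
    }

# 3. Flag devices that did not fully apply the policy or have not refreshed it recently.
$report |
    Where-Object {
        "$($_.DevicePolicyApplicationStatus)" -ne 'AppliedInFull' -or
        -not $_.LastPolicyUpdateTime -or
        $_.LastPolicyUpdateTime -lt $staleAfter
    } |
    Sort-Object Mailbox |
    Format-Table Mailbox, DeviceType, DevicePolicyApplicationStatus,
                 LastPolicyUpdateTime -AutoSize
```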

For the record…my phone is back to its unhacked state now and I will not be connecting to that server again.

© 2010 Heroix | Heroix | RSS | Privacy Policy | Email: info@heroix.com