Acceptance and control
If you know or suspect that iPhones are making a stealthy march into your operation, you have a couple of options. First, you can offer an alternative. By providing employees with an alternate smartphone such as a BlackBerry or a Windows Mobile device -- both have great centralized security options -- you can reduce the clamor for the iPhone and at the same time provide a more secure, business-proven solution.
In many cases, however, providing and supporting an alternative phone may not be a viable option. Doing so could be cost-prohibitive, especially if it means setting up a BlackBerry Enterprise Server, an Exchange server or an Exchange alternative. If you're asked to support only a couple of iPhones, it's probably easier to configure and restrict them by hand. This is particularly true if high-level managers are the primary users demanding the iPhone.
Here, user education is important. By explaining why devices need to be managed for security reasons, and by describing the policies that you've implemented on the managed iPhones, you can at least offer users a rationale for minimizing the use of iPhones in your environment. This may not always be successful in limiting demand, but it's always a good starting point.
If you're forced to make the iPhone more broadly available, you can develop a configuration profile, or a series of profiles, that effectively limit access to iPhone features and applications and enforce needed security options. You can then make these profiles available to users. One advantage of the current iPhone OS is that once a policy is accepted on the device, you can restrict who can remove it.
This can be effective in dealing with both company-owned iPhones and personal devices. If you can get support for the idea that employees using a personal iPhone for work means some of its features need to be secured, you can distribute the requisite profiles. This gives you a way to configure and allow access to a wireless network or to other internal resources while at the same time layering on needed security measures.
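A sketch of such a profile, added here as an example and not taken from the original article or from Apple's tools: it builds a profile with a passcode policy, feature restrictions and a removal password, then audits any profile against that baseline before distribution. The payload types and setting keys are Apple's configuration profile keys; the com.example identifiers, the baseline values and the function names are assumptions.

```python
import plistlib
import uuid

PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"
REMOVAL = "com.apple.profileRemovalPassword"

def payload(ptype, name, **settings):
    """Wrap settings in the bookkeeping keys every payload carries."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.baseline." + name,  # constructed
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": name, **settings}

def build_profile(removal_password):
    """Return .mobileconfig bytes: passcode, restrictions, guarded removal."""
    content = [
        payload(PASSCODE, "passcode", forcePIN=True, allowSimple=False,
                minLength=6, maxInactivity=5, maxFailedAttempts=10),
        payload(RESTRICTIONS, "restrictions",
                allowAppInstallation=False, allowCamera=False),
        # Removing the profile then requires this password on the device.
        payload(REMOVAL, "removal", RemovalPassword=removal_password),
    ]
    return plistlib.dumps(payload("Configuration", "profile",
                                  PayloadContent=content))

def audit_profile(data, min_length=6):
    """Return baseline findings for a profile; an empty list means it passes."""
    profile = plistlib.loads(data)
    by_type = {p.get("PayloadType"): p
               for p in profile.get("PayloadContent", [])}
    findings = []
    passcode = by_type.get(PASSCODE, {})
    if not passcode.get("forcePIN", False):
        findings.append("passcode not required")
    elif passcode.get("minLength", 0) < min_length:
        findings.append("passcode shorter than baseline")
    if RESTRICTIONS not in by_type:
        findings.append("no feature restrictions")
    locked = profile.get("PayloadRemovalDisallowed", False)
    if not locked and not by_type.get(REMOVAL, {}).get("RemovalPassword"):
        findings.append("profile removable without authorization")
    return findings

if __name__ == "__main__":
    print(audit_profile(build_profile("constructed-removal-secret")))
```

The plist built here is unsigned and holds the removal password in clear text, so treat the file itself as sensitive.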
A key point here is communication. You need to spell out why the iPhone needs to be locked down as much as possible. You may even want to create company-wide policies about what resources users are allowed to access or store on their iPhones. It helps to be willing to entertain the option of an iPhone, even as you also make clear your concerns and provide ways to address them. The bottom line is this: If you're forced to deal with iPhones in your environment, you want as much control and cooperation as possible.
While the iPhone Configuration Utility and the profiles that it can apply and enforce provide the best options for mitigating risks, they're not the only options. As I mentioned earlier, if you have an Exchange environment, you can also apply Exchange security policies. They, unlike configuration profiles, can be deployed over the air.
Granted, the entire range of profiles isn't available, but basic ones such as requiring a passcode to unlock the iPhone are available. Exchange also enables remote wipe, making it one of the more powerful options for using an iPhone in the enterprise.
If you don't have Exchange, and don't want to spend money on it, there are a number of less-expensive alternatives -- Kerio MailServer, Zimbra and CommuniGate Pro -- that still provide the core features of Exchange by licensing Microsoft's ActiveSync.
Another third-party product is Good for Enterprise. This suite allows you to secure not just iPhones, but also Android and Palm webOS devices such as the Pre and Pixi. Good offers this security by using its own native iPhone application. The app provides much of the same groupware functionality that the iPhone's Mail, Calendar, and Contacts apps provide, but enterprise data is stored in encrypted form and can be remotely wiped from the device when necessary.
This provides better security than even the built-in Exchange support and is relatively easy to configure and manage, though an appropriate collaboration suite such as Exchange or Domino is required. Even with Good, though, you may want to further secure the iPhone using configuration profiles.