Myth 4: You can require passwords and remote-wipe an iPhone, so you don't need encryption
Yes, the iPhone supports these capabilities, though sometimes you need to use Apple's free iPhone Configuration Utility to enable them. But so what? Bottom line, some regulations require encryption. They don't say that you can substitute other policies in place of encryption. (To learn more about using the iPhone Configuration Utility, see InfoWorld's article "Can you manage an iPhone like a BlackBerry?")
By the way, some regulations require that multiple policies be in force, such as insisting that the device be password-protected against use, that it be remote-wipe-enabled in case it is lost or stolen, that its built-in cameras be turned off, and that on-device encryption be enabled for corporate data.
Myth 5: My laptop's not encrypted, so my iPhone needn't be, either
It's true that many organizations have not enabled encryption on laptops, though that's been changing in recent years as the risks of having employees carry their data out the door have become clearer. (For a good primer on how to deploy encryption, check out Mel Beckman's article "Your laptop data's not safe. So fix it" on InfoWorld.)
Some argue that organizations that have fallen down on the job when it comes to laptops should thus relax the requirements on other devices. Good luck there. If your organization qualifies under regulations requiring encryption (or any other access policies), you can bet that at some point all portable client devices will have to adhere. Mobile devices are often the first targets because there aren't that many of them, and because they are the new devices in the IT mix, it's easier to start off requiring policy adherence on them. You can bet that your laptops will get encrypted, too.
Myth 6: It's really Microsoft's fault
One of the more ludicrous arguments I've seen is that it's not Apple's fault that the iPhone OS was misreporting to Exchange that it supported on-device encryption when it did not. It's Microsoft's fault for not catching the lie.
That's impossible. As the folks at Internet security firm VeriSign explain, "It appears all policy conformance claims (like this ActiveSync mailbox policy on device-encryption claim from the iPhone) are not programmatically verifiable, so they're not programmatically enforceable." In other words, Exchange can't peer into a client device and figure out what's going on under the hood; it has to rely on the client to be honest. That makes sense: How could Exchange or any server independently access all the kinds of devices out there and figure out how they're set?
Myth 7: Microsoft's software is so buggy, Apple should get a pass
The only argument in this vein that is more ridiculous is that because Microsoft produces such buggy, insecure software, Apple shouldn't be criticized when it has a bug.