But the biggest flaw in the iPhone Configuration Utility is how it manages configurations, or rather how it doesn't. This is a deal-breaker for large organizations that must demonstrate that they meet compliance requirements, or that need to install and update configuration profiles over the air or across a network.
You can easily share configuration profiles by e-mailing them or posting them on a Web site. If users open the attachment or follow the link and accept the installation prompt, the profile is installed. But there's no way to force them to install it; if they do, nothing reports back to you that they did; and there's no mechanism to ensure that they will install updates or additional profiles later.
The iPhone Configuration Utility works well in defining configuration profiles. And it's a reasonable tool for businesses that set up mobile devices for their users, as IT support can easily and quickly install the profile over a USB connection when preparing the device in the first place.
In some cases, you can comfortably rely on e-mailed or Web-accessible profiles. After all, if those profiles contain the only route to what a user needs to, say, access e-mail or the VPN (such as by requiring a certificate for authentication), then users will install them -- or not be able to use their devices for work purposes in the first place. We suspect many businesses not subject to regulations such as HIPAA and Sarbanes-Oxley can live with this "they'll install it because they have to" strategy, but it's not ideal. Updates remain a problem: once a user has the access that the initial profile unlocked, you no longer have the same leverage to make them install a revised profile, so the hurdle that enforced the first installation does nothing for the second.
Exchange ActiveSync: Short on policy, long on reach
The Exchange ActiveSync policies the iPhone supports fall well short of the controls provided by the iPhone Configuration Utility. In both Exchange Server 2003 and Exchange Server 2007, you can enforce the use of a password on the device, and determine how complex the password must be and how often the user must change it. You can set the number of minutes the device can be idle before a password is required, and you can set a maximum number of failed password attempts before the data on the device is wiped clean.
However, the only iPhone feature you can disable using Exchange ActiveSync policies is the camera, and only via Exchange Server 2007 (the AllowCamera policy arrived with Service Pack 1). Exchange ActiveSync policies offer no control over the use of the Safari browser, YouTube, the iTunes Music Store, or the App Store. Nor, of course, can ActiveSync deliver configuration settings for Wi-Fi, VPN, LDAP, and calendar subscriptions to your iPhone users. For all of these things, there's no substitute for the iPhone Configuration Utility.
Nevertheless, Exchange ActiveSync offers iPhone administrators one essential feature that the iPhone Configuration Utility doesn't provide: the ability to push a button and make all of the sensitive data stored on an iPhone go away, no matter where that iPhone might be. This "kill switch" is available in both Exchange Server 2003 and Exchange Server 2007, but only in 2007 is it also extended to the iPhone user, who can initiate a remote wipe from Outlook Web Access. That seems like a good idea, since the user is likely to be the first to know that the device is lost, but you can hide the mobile device management option from Outlook Web Access users you don't want to trust with this responsibility.
We've tried several remote wipes from Exchange Server 2007, and it works like a charm. Apple warns that older iPhones, which overwrite their flash storage rather than discarding an encryption key, could take as long as one hour per 8GB to be "bricked," but our iPhone 3G handsets (with about 1GB of data, and running either iPhone OS 2.2 or iPhone OS 3.0) were cleaned and ready for restoration within 10 or 15 minutes every time. Keep in mind that the wipe command is delivered over the ActiveSync connection, so a handset that is powered off, in airplane mode, or without its SIM is not wiped until the next time it syncs. The status of the wipe (requested, sent, acknowledged) is reported in both the Exchange Management Console and Outlook Web Access. E-mail confirmation of a successful wipe is also sent to the user's mailbox.
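What the policy controls and the remote wipe described above look like from the Exchange Management Shell on Exchange Server 2007 SP1, as an added example that is not part of the original review. The policy name "iPhone-Standard", the mailbox alias "jdoe", and the address admin@example.com are placeholders assumed for illustration; the cmdlets and parameters are Exchange's own.

```powershell
# Added example (not from the original article): Exchange 2007 SP1 Management
# Shell commands for the ActiveSync controls discussed above. The policy name,
# the mailbox alias "jdoe" and admin@example.com are assumed placeholders.

# 1. Create a policy with the settings the iPhone honours: password required,
#    alphanumeric with no simple sequences, at least 8 characters, rotated every
#    90 days, lock after 5 idle minutes, wipe after 10 failed attempts, camera
#    off (AllowCamera needs SP1 or later). AllowNonProvisionableDevices $false
#    refuses to sync with a device that does not acknowledge the policy.
New-ActiveSyncMailboxPolicy -Name "iPhone-Standard" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowCamera $false `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox. Pipe Get-Mailbox output into Set-CASMailbox
#    to cover a whole organizational unit instead of one user.
Set-CASMailbox -Identity jdoe -ActiveSyncMailboxPolicy "iPhone-Standard"

# 3. List the devices that have synced with the mailbox and whether each one
#    has applied the policy. This is the reporting the configuration utility
#    lacks: a handset that has not acknowledged the policy still shows up here.
Get-ActiveSyncDeviceStatistics -Mailbox jdoe |
    Format-List DeviceType, DeviceID, LastSuccessSync, `
                DevicePolicyApplied, DevicePolicyApplicationStatus

# 4. Remote wipe ("kill switch"). The device identity comes from the Identity
#    property in step 3. The request is queued and delivered on the device's
#    next sync, so an offline handset is not wiped until it reconnects; the
#    three timestamps below show request, delivery and acknowledgement.
$dev = Get-ActiveSyncDeviceStatistics -Mailbox jdoe | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $dev.Identity `
    -NotificationEmailAddresses admin@example.com -Confirm:$false
Get-ActiveSyncDeviceStatistics -Mailbox jdoe |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Step 4 is the same operation the Exchange Management Console and Outlook Web Access perform behind their buttons; the DeviceWipeAckTime field is the server-side confirmation that the handset actually processed the command, which is what you want in a compliance record rather than the time the request was issued.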