The iPhone didn't originally support VPNs, but Apple added that capability via a software upgrade in late 2007. The iPhone's VPN capabilities are solid -- comparable to Windows Mobile and Palm OS devices -- with a choice of L2TP and PPTP protocols and support for EMC RSA Security's SecurID key-based authentication. (You access those through the General preference pane's Network option.)
But the iPhone 1.x VPN client does not work with all VPNs; Cisco-based VPNs in particular are incompatible unless they are set specifically for Mac OS X and iPhone compatibility. The July iPhone software update will improve VPN capabilities by supporting Cisco IPsec and two-factor authentication, certificates, and identities. The July release also adds WPA2 wireless encryption and 802.1x authentication.
Three security issues have caused the most complaints from IT, when compared with Windows Mobile, Palm OS, and BlackBerry. Apple plans to address all three in the June software update, though the details are not yet fully clear.
First, the iPhone has not provided device encryption, meaning that any data stored on the iPhone can easily be obtained by a thief. With 8GB to 16GB visible to PCs as an external drive when connected over USB, the iPhone can store a lot of possibly precious corporate data.
Second, the iPhone's lack of a remote lock or kill feature has left IT in the lurch if the device is stolen or lost.
Third, password protection on the iPhone is scant. More than providing a four-digit maximum for passwords, the iPhone has provided no way to enforce password use or policies as users can simply turn the password feature off.
The 2.0 software will address the first two issues -- and more. (But it won't support on-device encryption like the BlackBerry does.) As expected, Apple will add IT-manageable security policies and remote-kill features as part of the July update. It will also let IT control what third-party software users can download to their iPhones, download PKCS1 or PKCS2 authentication certificates to the devices, apply e-mail and other configuration options automatically to the device, and control wireless access point access through Radius policies. To do this, Apple's configuration tool generates XML profiles that can be downloaded to the iPhone via e-mail or through the built-in Safari Web browser. IT may not like the fact that the configuration utility must run on a Mac or via the Web, however.
For Exchange-managed policies, IT can use the Exchange 2003 System Manager or the Exchange 2007 Management Console.
Until July, IT will have to decide whether these three security shortfalls justify banning the iPhone from the enterprise until the new software is out and its capabilities better understood. A good way to judge that is to make an honest assessment: Are you as tough on USB thumb drives, smartphones, and work-at-home users' PCs as you want to be on the iPhone?
Note: This story was corrected on June 13, 2008, to clarify that the iPhone 2.0 software does not support on-device encryption of stored data.