Android's Exchange ActiveSync policy support is unclear at best
I found a workaround that seemed to solve the issue: Using the $10 Exchange by TouchDown app from NitroDesk instead of the built-in Email app worked perfectly on both the Motorola Droid with the corporate access plan and the HTC Droid Eris with the consumer access plan. I got access to my e-mail, the ability to decide which folders would be automatically refreshed, access to my corporate address book, and all the features you'd expect from a good Exchange client. TouchDown is even better than the iPhone's built-in Mail app, as TouchDown lets you schedule away notices, while the iPhone's Mail app can't do that.
But it turns out that Touchdown inaccurately reports the Droid's ActiveSync policy support, according to NitroDesk's support staff. "You should not be using Exchange by Touchdown in its current version because it may indeed be reporting EAS [Exchange ActiveSync] policies incorrectly in the current version. The next version will report it correctly. ... We had been waiting for encryption support at the file level for Android databases, but it may never get implemented," the support staff e-mailed me. NitroDesk is looking to add its own encryption at the field level and has begun beta-testing that capability, although the invitation to join that beta program notes it could slow down the Droid. NitroDesk did not say whether other Exchange ActiveSync policies are being inaccurately reported.
This false reporting in Touchdown is a security hole similar to the one in Apple's iPhone OS 3.0, which falsely reported support for on-device encryption for a year, until the 3.1 update fixed that and as a result left many pre-3G S model iPhones unable to connect to Exchange servers that required on-device encryption.
My company's Exchange server does require on-device encryption, and I strongly suspect that is why neither the Motorola Droid nor Droid Eris could access my Exchange e-mail using the built-in Email app. Verizon's tech support staff (not even the internal support folks that the local Verizon Store manager called for me) could not say whether or which Exchange ActiveSync policies were supported, and neither could a Verizon corporate spokeswoman. Google's, Verizon's, Motorola's, and HTC's Web sites are silent about ActiveSync policies. Verizon's support staff also did not know what the on-device encryption even was (the rep I spoke to thought it was the same as SSL encryption) and could not find any documentation about it; again, Google's, Verizon's, Motorola's, and HTC's Web sites were silent on the Droids' on-device encryption capabilities.
This silence mirrors the same silence I encountered when I asked Palm, Nokia, and Apple similar questions about their devices. It's all but certain that Palm's WebOS and Nokia's Symbian OS do not support ActiveSync policies. It's a good bet that the Android OS doesn't support ActiveSync policies either. Apple's iPhone supports a handful of ActiveSync policies, based on the vague details posted at Apple's site. Windows Mobile devices support most ActiveSync policies, and the BlackBerry OS uses its own server to manage policies.
Given that more businesses use Exchange than any other enterprise-class e-mail server, the uncertainty over the Droids' level of Exchange support, the revelation that Touchdown inaccurately reports at least on-device encryption ActiveSync policy support, and the fact that the Droids don't support IBM's Lotus Notes or Novell's Groupwise secured connections, I can't imagine any responsible business or IT department permitting the use of the Droids for corporate e-mail access. Thus, for business e-mail use, RIM BlackBerry remains the most secure mobile device, followed by Windows Mobile, and -- in distant third place -- the Apple iPhone.
Verizon spokeswoman Brenda Raney wasn't kidding when she told me, "The [Motorola] Droid is primarily a consumer phone." (To be fair, the HTC Droid Eris makes no pretense, other than its stated Exchange support, of being a business smartphone.)
Security capabilities limited, management capabilities nonexistent
The Droids also have limited security capabilities. Both let you set up "pattern" security to access the devices at startup or after they time out: You set a pattern of finger movements on the touchscreen that acts like a password would. (That's harder for a thief to guess than a traditional password.) And the Motorola Droid lets you store credentials on the device and set an alphanumeric password to manage them. And that's it. You can't set password strength requirements, enable remote wipe or auto-wipe after a specified number of failed access attempts, or control access to apps and Wi-Fi networks, as the iPhone, Windows Mobile, and BlackBerry devices can do. (The Touchdown app does let you set a four-digit PIN before making e-mail, appointments, and contacts available.)