But the biggest flaw in the iPhone Configuration Utility is how it manages the configurations. This is a deal-breaker for large organizations that have to ensure that they are meeting compliance requirements or that must be able to install and update configuration profiles over the air or over a network.
You can easily share configuration profiles by e-mailing them or putting them on a Web site. If users click the attachment or the link, the profile is installed. But there's no way to force them to install the profile, and even if they do, you have no way of knowing that they did, nor any way of ensuring that they will install any updates or additional profiles.
The iPhone Configuration Utility works well in defining configuration profiles. And it's a reasonable tool for businesses that set up mobile devices for their users, as IT support can easily and quickly install the profile over a USB connection when preparing the device in the first place.
In some cases, you can comfortably rely on the use of e-mailed or Web-accessible profiles. After all, if those profiles contain the only route to what a user needs to, say, access e-mail or the VPN (such as by requiring that a certificate be used for authentication), then users will install them -- or not be able to use their devices for work purposes in the first place. We suspect many businesses not subject to regulations such as HIPAA and Sarbanes-Oxley can live with this "they'll install it because they have to" strategy, but it's not ideal. After all, you still have the issue of managing updates, which are harder to enforce through such draconian hurdles than initial corporate access is.
Exchange ActiveSync: Short on policy, long on reach
The Exchange ActiveSync policies the iPhone supports fall well short of the controls provided by the iPhone Configuration Utility. In both Exchange Server 2003 and Exchange Server 2007, you can enforce the use of a password on the device, and determine how complex the password must be and how often the user must change it. You can set the number of minutes the device can be idle before a password is required, and you can set a maximum number of failed password attempts before the data on the device is wiped clean.
However, the only iPhone feature you can disable using Exchange ActiveSync policies is the camera, and only via Exchange Server 2007. Exchange ActiveSync policies offer no control over the use of the Safari browser, YouTube, the iTunes Music Store, or the App Store. Nor, of course, can ActiveSync deliver configuration settings for Wi-Fi, VPN, LDAP, and calendar subscriptions to your iPhone users. For all of these things, there's no substitute for the iPhone Configuration Utility.
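The ActiveSync controls described above, sketched for the Exchange Server 2007 Management Shell. This is an added example, not part of the original article; the policy name, the chosen values and the mailbox identity are constructed placeholders.

```powershell
# Added example: policy name, values and mailbox are constructed placeholders.
$policyName = 'iPhone-Baseline'

# One policy carrying every control the article says the iPhone honors:
# password required, complexity, expiry, idle lock, wipe after failed
# attempts, and the camera switch.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -DevicePasswordExpiration '90.00:00:00' `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowCamera $false

# Bind the policy to a mailbox; it applies to devices syncing that mailbox.
Set-CASMailbox -Identity 'jdoe@example.com' -ActiveSyncMailboxPolicy $policyName

# Audit: ActiveSync-enabled mailboxes that have no policy assigned at all.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and ($_.ActiveSyncMailboxPolicy -eq $null) } |
    Select-Object Name, PrimarySmtpAddress
```

Nothing in this policy touches Safari, YouTube, the iTunes Music Store, the App Store, or Wi-Fi, VPN, LDAP and calendar settings; those still require a configuration profile.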