Apple's Sloppy iPhone and Exchange Fix
A couple days ago, Apple released a configuration change for iOS 4-equipped iPhones to help speed up synchronization actions with Exchange Servers. Apparently, the problem was not only causing slow syncs from the user’s perspective but was causing significant load on the server side as well.
According to the article, “… users should install a configuration profile from Apple that increases the amount of time the iOS 4 device will wait for the Exchange Server to respond to its sync requests. For best results, the profile should be installed on as many iOS 4 devices at your company as possible.”
I caught wind of the problem via a tweet linking to a blog post complaining about how Apple didn’t see fit to sign the configuration profile, which is something that they allow through their management tools. Since Apple’s fix is not signed, it’s conceivable that someone with bad intent could take Apple’s fix, modify it with some otherwise unwanted settings and redistribute it.
It probably won’t happen, but it could.
Given the weakness in how Apple currently recommends distributing iOS profiles (putting the onus on users to install it rather than pushing it out from a central store), I think the complaint is totally justified. If an IT staff has trained its users to only accept and install signed profiles, then Apple’s fix breaks those rules. I opened up the profile to look at the underlying XML in order to see whether an enterprise IT staffer would be able to re-create the profile using the iPhone Configuration Utility so they could sign it and get it out to users, post haste. It appears that the main effect of the configuration is to adjust the DefaultEASTaskTimeout value to 240, although I don’t know what the default value is.
Unfortunately, from what I can tell after a few minutes of digging in the most recent version of the ICU (2.2) and its documentation, that particular policy is not available as a configurable option. This indicates that the settings are either reserved for Apple, or that Apple’s fix was created with an unreleased, beta version of the ICU.
In other words, you are stuck with Apple’s sloppy fix for the time being.
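An added example, not from the original post or from Apple: a Python sketch of the check described above, opening a profile to see whether it arrives inside a signature wrapper and whether it sets anything beyond DefaultEASTaskTimeout = 240. The payload type, identifiers and the extra key in the sample are constructed placeholders, and the signature test only detects a CMS wrapper; it does not verify who signed it.

```python
import plistlib

# DER bytes of the CMS/PKCS#7 signedData OID 1.2.840.113549.1.7.2
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
# Bookkeeping keys carried by every payload; they are not settings themselves.
META = {"PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID",
        "PayloadDisplayName", "PayloadDescription", "PayloadOrganization"}

def looks_signed(data: bytes) -> bool:
    """Heuristic: a signed profile is a DER CMS blob, an unsigned one a bare plist."""
    return data[:1] == b"\x30" and SIGNED_DATA_OID in data[:64]

def embedded_plist(data: bytes) -> bytes:
    """Return the XML plist, cut out of the CMS wrapper when there is one."""
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return data[start:end + len(b"</plist>")]

def audit_profile(data: bytes, expected: dict) -> dict:
    """List every setting in the profile and flag any not matching `expected`."""
    profile = plistlib.loads(embedded_plist(data))
    settings, unexpected = [], []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "?")
        for key, value in payload.items():
            if key in META:
                continue
            settings.append((ptype, key, value))
            if expected.get(key) != value:
                unexpected.append((ptype, key, value))
    return {"signed": looks_signed(data), "settings": settings,
            "unexpected": unexpected}

def sample(extra=None) -> bytes:
    """Constructed stand-in for the fix; only the timeout key/value is from the post."""
    payload = {"PayloadType": "com.example.constructed", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.eas-timeout",
               "DefaultEASTaskTimeout": 240}
    payload.update(extra or {})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadContent": [payload]})

if __name__ == "__main__":
    altered = sample({"ExampleAddedSetting": True})  # hypothetical extra key
    print(audit_profile(altered, {"DefaultEASTaskTimeout": 240}))
```
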
Apple’s security-unconscious patching process and the annoying advice to install “on as many iOS 4 devices at your company as possible” only serve to highlight Apple’s lack of tools to help enterprises effectively manage the iPhones that are flooding onto the corporate network. Thankfully, the mobile device management features Apple baked into the latest iOS lay the groundwork for third parties to come to the rescue. Companies like MobileIron promise to deliver middleware that will allow enterprises to securely deliver configuration profiles and software to iPhones, and to perform some management oversight on the devices.
7/1 Update: As mentioned in the comments below, my colleague P. J. Connolly tried to import Apple's fix into an existing corporate profile using ICU. Below is the result:
7/2 Update: The Microsoft Exchange Team blog has responded to the issue, confirming our findings about ICU and this policy. One note about hand-editing the raw XML of a profile: you wouldn't be able to sign the result with the ICU. You would still have an unsigned profile, just one that you created.