Trust Is Crucial in Security

Yesterday we were greeted with a ComputerWorld column talking about how Apple had betrayed the Enterprise's trust by having a device report that it supported on-device encryption when it really did not. And while this allowed the older versions of the iPhone to interact with Exchange 2007 systems with policies requiring such on-device encryption, the whole point of all this is that Apple lied. Having on-device encryption is typically a major control with respect to data, and Apple basically stomped all over this.

Then I see another article talking about how the iPhone reported to VPN controllers that it was not storing the password when, in fact, it was. Again, this permitted the iPhone to be used, but by bypassing a major security control. What this effectively meant is that if I could get your iPhone, I could get into your organization's private network, and you made it easy on me, because you stored the password for me. Now, back in corporate security no one suspected such a thing, so when I came in under your VPN connection multiple times and did damage, they suspected it was you. You said, "But it couldn't be me! I lost my iPhone!" To which corporate security said, "It had to be you, unless you shared your password, because your device can't store your VPN connection password..." and right away it becomes really clear that Apple didn't just lie to the Enterprise, it also lied to said users of the Enterprise. Because now this non-repudiation control we have in place is going to be used against you, and you are actually innocent of the charge. But because your device reports it doesn't store the VPN password, corporate security believes you must have entered it, meaning you are now going to face the brunt of a civil and possibly criminal lawsuit at worst, or face being disciplined at best.

In security there may be a phrase, "trust no one," but it's nonsense. You have to trust someone. In Active Directory, the domain controller is the trusted third party. On the Internet, the issuer of the SSL certificate is that trusted third party. You get the idea. So when your device reports you're following a policy, we have to be able to trust that the device is telling the truth. If we can't, you can't use the device at work because we can't ensure adequate controls, some of them regulatory in nature, are in place. And this is what, it seems, Apple fanboys who can't get beyond their own blind love for the product miss. It's not about Apple vs. Microsoft. Not as far as security folks are concerned. It's about the fact that a control was reported to be in place which wasn't. I don't care who the vendor is and what the product may be. When you cross that line, you lose my trust. And in security, trust is crucial.

 
