We are using Exchange 2003 with certificate based authentication. We configure the iPhones and iPads using the Apple configuration utility. Everything is working very well, but I am having an issue understanding the settings on the passcode. I do understand that some settings are no longer available when syncing to Exchange and deploying via a profile. I do understand the difference between Auto Lock and Require Passcode after xx minutes. What I am having trouble with is how they work with Exchange. We do not have the Exchange server configured to enforce password on device and have the inactivity time set. We use the settings of the mobile config file to set these.
 
When we configure the iPhone profiles we set the Auto Lock to 1 minute and the Require Passcode after 15 minutes. This gives a window of 16 minutes total before entering a passcode, correct?
 
When the config profile gets installed, the Require Passcode always gets set to Immediately. Why? If I configure the profile to Require Passcode after 1 Hour, then the 1 hour setting does not get set on the phone but the 15 minute setting does. What am I missing here? The Auto Lock always gets set correctly.
 
Finally, does anyone know the maximum inactivity in minutes that can be set on the Exchange server if configured to enforce password on device for Exchange 2003 and how does that play against the iPhone even when deploying the profile? I have read that the maximum inactivity on the Exchange server actually matches the Auto Lock feature on the iPhone. How does this affect the Require Passcode setting on the iPhone and how do the 2 work together when using Exchange?
 
Any help is appreciated.

asked 07/15/2011 10:13

barrykeel ♦♦


9 Answers:
When you are setting the policy on Exchange, you are setting the maximum limit, not the default settings, so setting the Require Passcode to 15 minutes will set the maximum time selectable on the handset before the passcode is required.

With the iPhone, you have to set the settings on the handset - and the policy restricts the choices on the device.  Immediately is the default setting on the iPhone for the Require Passcode.

Do you need the other items answered based on the above answers?

Alan

answered

alanhardisty

So if I do not configure the Exchange server and configure the iPhone profile only, the profile should set the device, correct? Or does the profile only set the maximum time?

I understand that the default is Immediately. Why then does the configuration profile actually set the device to 15 minutes when I configure the profile settings for 1 hour?

answered 2011-07-16 at 07:39:20

barrykeel

You need to set a policy to require a password as a minimum otherwise you can't remotely wipe the phones if lost or stolen.

If there is no policy set - you can adjust the phone however you like.

I haven't seen a phone set to 15 minutes if you set the policy to 1 hour.

answered 2011-07-16 at 07:48:26

alanhardisty

I have seen this and I have seen other threads about the 15 minutes not applying correctly in the Apple forums, yet no one has a definitive answer.

If you deploy the mobile config file, yes, the user can still set the policy how they like, but only up to 15 minutes. The additional options on the phone of 1 hour and 4 hours do not show up and they cannot turn the passcode off. I know this as this is how our phones behave.

I have not turned on the password requirement on Exchange because I heard the 2003 had a maximum of 5 minutes inactivity and I need 15.

See how confusing this becomes. Like I said our profiles work well, but I cannot get the passcodes set from the profile as we like. We have tested for several weeks. Sorry, but I still cannot see how it is relating.

answered 2011-07-16 at 08:02:14

barrykeel

What exactly are you trying to achieve?

answered 2011-07-16 at 08:15:13

alanhardisty

I am trying to set a mobile config file for download from a secure website. This config file installs all certificates and settings to the phone for our organization. Our users download this file, install the profile and all settings for their phone are configured from the profile. This works perfectly, all settings we want on the phone get configured correctly except the passcode setting.

I am trying to configure the passcode setting to Auto Lock at 1 minute and Require Passcode after 15 minutes. The Auto Lock setting will configure to what we set in the profile anywhere from 1 to 5 minutes. The Require Passcode setting always sets to Immediately unless I configure the Require Passcode setting in the profile to 1 hour, then the phone gets configured to 15 minutes.

I know this has something to do with the Exchange sync and I am trying to understand why this is happening.

answered 2011-07-16 at 08:16:54

barrykeel

I've not used the Apple Utility before so can't assist you on that aspect I am afraid.

Might play with my 2010 server and see if the utility works better with that.

Exchange 2003 has limited support for settings / configuration and this improved with 2007 / 2010.

answered 2011-07-16 at 08:28:17

alanhardisty

I know about the limited support, but unfortunately I am still using Exchange 2003. The utility does exactly what we want and makes deployment very easy, except I still have to request a user certificate for each user to authenticate to Exchange and that takes some time.

It is very frustrating as the user installs the profile for their device, but then calls and I have to walk them thru how to change the passcode as they have no clue where to find the setting. Yet they can install the profile.

If you find any answers to this I really would appreciate it.

answered 2011-07-16 at 08:35:15

barrykeel

Apparently the default on the iPhone is to lock immediately and the user has to change it. This is either by design by Apple or a bug in the config as I have seen others with the same issue. Set the settings in the iPhone configuration utility to match the Exchange settings. This gives the wipe ability from Exchange and you can still deploy the passcode lock with the utility. This is mainly from all the testing we did in the utility with Exchange 2003.

answered 2011-07-16 at 08:42:48

barrykeel
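
Added example (not part of the original thread, and not Apple's or Microsoft's code): a short Python audit of the passcode payload in a .mobileconfig profile, reading `maxInactivity` (Auto Lock) and `maxGracePeriod` (Require Passcode) as the ceilings the thread describes rather than as values pushed to the handset. The sample profile, its `com.example` identifiers and the `audit_passcode_policy` helper are constructed for illustration; treating the two limits as additive follows the 16-minute reasoning in the question.

```python
import plistlib

# Constructed sample: a profile whose passcode payload carries the values
# discussed in the thread (Auto Lock 1 minute, Require Passcode 15 minutes).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>com.example.profile.passcode</string>
      <key>forcePIN</key><true/>
      <key>maxInactivity</key><integer>1</integer>
      <key>maxGracePeriod</key><integer>15</integer>
    </dict>
  </array>
</dict></plist>"""

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

def audit_passcode_policy(profile_bytes):
    """Return the passcode ceilings a profile imposes, or None if it has no passcode payload."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PASSCODE_TYPE:
            continue
        auto_lock = payload.get("maxInactivity")   # Auto Lock ceiling, in minutes
        grace = payload.get("maxGracePeriod")      # Require Passcode ceiling, in minutes
        findings = []
        if not payload.get("forcePIN", False):
            findings.append("forcePIN not set: a passcode is not required")
        if auto_lock is None:
            findings.append("maxInactivity not set: Auto Lock is unrestricted")
        if grace is None:
            findings.append("maxGracePeriod not set: Require Passcode is unrestricted")
        # Longest idle time before a passcode is demanded if the user picks both maximums.
        worst = auto_lock + grace if None not in (auto_lock, grace) else None
        return {"auto_lock_max": auto_lock, "grace_max": grace,
                "worst_case_minutes": worst, "findings": findings}
    return None

if __name__ == "__main__":
    print(audit_passcode_policy(SAMPLE_PROFILE))
```

The reported numbers are upper bounds: a handset that still shows Require Passcode as Immediately is within this policy.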

Asked: 07/15/2011 10:13

Seen: 286 times

Last updated: 12/17/2011 05:19