Security skeptics less skeptical about iPhone

Written by John P Mello Jr on December 22, 2009
Better security is changing iPhone's image in IT departments.

While the iPhone’s “cool factor” has made it a hit among status-conscious corporate executives, the handset has been greeted with skepticism from the rank and file in the IT trenches. From their point of view, competing products like Research in Motion’s Blackberry and smartphones built on Microsoft’s Windows Mobile platform offer better security for their organizations. With the introduction of the latest version of the iPhone’s operating system, version 3.0, and the iPhone Configuration Utility, version 2.0, IT resistance to letting Apple’s handset into the corporate tent seems to be weakening.

What has bugged IT folks in the past about the iPhone? For one thing, user profiles can’t be managed over-the-air as they can with a Blackberry and Blackberry Enterprise Server or with Motorola’s Good for Enterprise servers. Another irritant is that there’s no way to ensure that corporate policies on email, encryption and the like have actually been installed or updated on the phones. What’s more, it’s difficult to preconfigure the units with settings for email, VPN access and such.

Apple’s update of the iPhone’s configuration utility, which gives network administrators a rich set of policy controls, has addressed some of those concerns and may be why IT doubters are relenting on their staunch opposition to the hardware.

For example, password entry into a phone can be required. The composition of the password, how often passwords must be changed, rules on reuse of passwords and the number of failed password attempts before a phone automatically wipes all the data on it can all be controlled by an IT department.

Specific content can be blocked on the phones, although that’s not true for specific applications. A workaround for that situation is to install all necessary apps when the phone is issued, then turn off the ability to install any more programs. The problem with that approach, however, is that a user won’t be able to upgrade the existing apps on the phone either.
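The passcode rules and the “install everything, then disable installation” workaround above both end up as settings in the configuration profile the utility issues. As an added example (not code from the article or from Apple), here is a small lint that parses a constructed profile and reports every setting that misses an assumed corporate baseline before the profile goes out to users; the payload key names follow Apple’s passcode-policy and restrictions payloads, and the baseline values are assumptions.

```python
import plistlib

# Constructed sample profile of the kind the iPhone Configuration Utility emits.
# Deliberately weak: simple 4-digit PIN, 50 tries before wipe, no rotation, apps installable.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.corp.base</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
      <key>maxFailedAttempts</key><integer>50</integer>
      <key>maxPINAgeInDays</key><integer>365</integer>
      <key>pinHistory</key><integer>0</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowAppInstallation</key><true/>
    </dict>
  </array>
</dict></plist>"""

# Assumed baseline an IT department might require; the thresholds are illustrative.
BASELINE = {
    "com.apple.mobiledevice.passwordpolicy": {
        "forcePIN": lambda v: v is True,          # passcode required at all
        "allowSimple": lambda v: v is False,      # no 1111 / 1234 style codes
        "minLength": lambda v: v >= 6,
        "maxFailedAttempts": lambda v: 1 <= v <= 10,   # wipe after at most 10 tries
        "maxPINAgeInDays": lambda v: 1 <= v <= 90,     # forced rotation
        "pinHistory": lambda v: v >= 4,                # block reuse of recent codes
    },
    "com.apple.applicationaccess": {
        "allowAppInstallation": lambda v: v is False,  # the post-provisioning lockdown
    },
}

def lint_profile(data: bytes) -> list:
    """Return (payload type, key, value) for every setting that misses BASELINE."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        rules = BASELINE.get(payload.get("PayloadType"), {})
        for key, ok in rules.items():
            value = payload.get(key)  # a missing key is reported as None and fails
            if value is None or not ok(value):
                findings.append((payload["PayloadType"], key, value))
    return findings
```

Run `lint_profile(WEAK_PROFILE)` on the sample and every setting except `forcePIN` comes back as a finding; an empty list means the profile meets the baseline.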

Credentials can also be created for use in users’ profiles for their phones. They’re a stronger form of authentication than plain-text passwords. What’s more, they’re less portable than passwords, which can be copied, pasted and used outside the phone.

Another sweet treat for administrators is the ability to layer profiles in the phone. Instead of customizing configuration settings for each unit, a set of profiles can be created and issued based on user need. A basic profile could be created for all phones, for instance, and tasks like VPN or WiFi access could be included in separate profiles that would be added to the basic one for mobile jocks who need them.

Getting users to install profile changes after they’ve been issued their phones, and monitoring those updates, still remains a problem. That’s because users, not administrators, must install the upgrades. Moreover, once an upgrade is installed, there’s no feedback to the administrator that it was completed. Presumably, if an upgrade is necessary for performing essential tasks like checking email and accessing a corporate network, users will install it out of necessity. Many organizations may be able to live with that presumption, but those that must meet compliance rules, such as HIPAA, cannot.

Security settings for the iPhone can also be controlled through its support of Microsoft Exchange ActiveSync, but what can be done there pales beside what can be accomplished with the config utility.

As with the config utility, an administrator can impose password rules: determine password characteristics, set the interval for password changes, require re-entry of a password after a prolonged idle state and pick the number of failed retries before there’s a shutdown and wipe of the hardware.

However, there’s no control over the Safari browser, the iTunes and App Stores or YouTube. Neither are there configuration settings for WiFi, VPN or LDAP.

On the other hand, a “kill switch” can be flipped over-the-air by an administrator, which will wipe all sensitive information from the phone. Users can also perform that task themselves from Outlook Web Access, but only with Exchange 2007.

The encryption issue is addressed on the latest version of the iPhone, the 3GS, but what data is encrypted and how it’s done hasn’t been shared with the public by Apple.

The arrival of iPhone OS 3.0 and config utility 2.0 is a good start toward getting Apple’s smartphone accepted by IT organizations, but the following improvements could really change the hearts and minds of corporate data guardians:

  • The ability to control application and firmware downloads over-the-air;
  • A lock on the boot loader to prevent jailbreaking; and
  • Some form of multitasking to allow third-party security vendors to monitor and control some of the iPhone’s lower-level OS and device functions.