11 Replies Latest reply: Feb 22, 2012 5:56 AM by Michael Black
jmbotean Level 1 Level 1 (0 points)

I've learned that having an Exchange account (apparently only Exchange 2007, not 2003)  results in a diminished set of choices regarding the time interval before the passcode lock sets, and that is consistent with my experience: the four-hour option was available when I had only an Exchange 2003 account installed on the device, and this shortened to 15 minutes after installing an Exchange 2007 account. In my case, it is not a matter of an employer making the requirement: I am the employer, and I am using, in this case, Microsoft Business Online Productivity Services--i.e., hosted Exchange vs. in-house. I have not yet found a setting to override this ridiculously short interval on the Exchange server, but at least I know where to look, and it would not seem to be anywhere on my devices. The fact that I can choose not to use a passcode lock altogether demonstrates that this is not a security requirement imposed by the Exchange server, just a more limited range of options. The option not to use the passcode lock would not be available if it were a true security issue for Exchange, one presumes. I don't recall, by the way, such behavior in Windows smartphones I've had in the past.

 

Is anyone else finding the 15-minute passcode lock on the iPad and iPhone as annoying and dangerous as I am? I have disabled the lock altogether as a result. It is terribly annoying to have only 15 minutes to set my iPad aside before having to unlock it, and it renders the iPhone downright dangerous in the car--and I'm talking about turning iTunes on or off, or simply checking a map. I never talk or text while driving.

 

I thought four hours was a reasonable (for me) compromise between security and usability, but someone (Apple? Microsoft?) has decided we all need more protection than that and has reduced the intervals to a mere 15-minute maximum. Now I have no other security than wiping my device remotely if it falls out of my possession. The setting screen tells us that "shorter times are more secure," as if it were scolding us. I would have even greater security if I had never bought the devices, but that is beside the point.

 

I don't understand why users should not be able to decide for themselves the degree of passcode security they desire and need on their devices.


iPad, iOS 4.3.2
  • GZukes Level 4 Level 4 (1,565 points)

    Are you confusing the Passcode Lock with the Auto-Lock? On my iPad, 15 Minutes is the longest I can set my Auto-Lock, but I can set the Passcode lock up to 4 hours.

  • jmbotean Level 1 Level 1 (0 points)

    Nope, not at all. I've since learned a few new things and have updated my question accordingly. I can assure you I am not confusing the two. Thanks for your reply!

  • Michael Black Level 6 Level 6 (18,860 points)

    Well, with your iPhone, using it hands-on in your car period is dangerous.  If you use a hands free device or headset and voice dialing, there is no need to touch the phone to make or receive a call.

     

    As to the annoyance of having to frequently unlock a device, all I can say is that is the trade off for some security.  It is impossible really to have some reasonable level of security without some loss of convenience.  If you store personal or private information on your iDevice, I will willingly live with some inconvenience in order to gain the secuirty (my iPhone is set to autolock after 2 minutes).

     

    Keep in mind too, that you won't be able to remote wipe it if a thief can get into it in the first place and just disable find-my-iphone, or turn on airport mode (no data connection, no find-my-iPhone feature), or use it for the time period it takes you to realize it is gone, login to mobileme and try to secure it.

  • jmbotean Level 1 Level 1 (0 points)

    I'm afraid hands-on is the only option when looking at the map. Do you not listen to iTunes (or turn on the radio or heater) in the car but talk on the phone? It's the conversation/distraction that's dangerous, hands-free or not. I get very nervous behind drivers who are talking, even when hands-free, because I know they are thinking about their conversation, not their driving.

     

    And my devices are never out of my sight. That is my first responsibility for security, but I'd like options beyond 15 minutes. Four hours is a reasonable compromise for me.

     

    I've not found a setting on my iPad to disable Find-My-IPhone, but you're certainly right about airplane mode. I can live with inconvenience, and having to enter a PIN in order to add a thought to my to-do list is certainly inconvenient. But having to manipulate the phone that much to listen to a song in the car is more than inconvenient.

  • Michael Black Level 6 Level 6 (18,860 points)

    Well, we can agree to disagree on the conversation thing.  Personally, I get very nervous when I see drivers with cell phone in their hands, and I have personally witnessed two accidents caused precisely by that fact.  Someone with their eyes clearly on the road and both hands free to control the car, while talking into a bluetooth headset makes me significantly less nervous.

     

    It is odd though that your work pushes out a security certificate that makes having the passcode itself optional, but then limits the time you can set.  Never seen that, and your right of course, seems pretty pointless.

     

    To disable find-my-iPhone, just go into your mail account settings for your mobileme account and slide the slider to "OFF".  You can indepentently set a unique restriction passcode on that ability with the restrictions in general settings (just disallow any changes to accounts).

  • jmbotean Level 1 Level 1 (0 points)

    Well, we do disagree. Not that I wanted to start a less-distracted-than-thou conversation, but my reading of recent research is what supports my conclusion, i.e., that it's not where the hands are, but where the mind is, that matters in attentive driving. Driving while stressed-out can be pretty dangerous, too, it seems. All these things are human, and few of us possess the mental discipline to be 100% attentive to what we're doing. Those who are tend to live in monasteries and do very little driving!

     

    Thanks for the setting information; I had forgotten it was there, and at least it's not in the most intuitive place. And I'll put the passcode lock back in place and see if my in-car dock enables me to turn iTunes on and off without a passcode.

  • rturner2 Level 1 Level 1 (0 points)

    From jmbotean... "Is anyone else finding the 15-minute passcode lock on the iPad and iPhone as annoying and dangerous as I am? I have disabled the lock altogether as a result."

     

    I totally agree with jmbotean! I have now also turned off my lock completely which is worse for security. The is the stupiest thing I have come across for a long time. Why limit the locking period and still allow the user to turn the feature off?

     

    I'm about to delete my work exchange email account and put my lock back onto 4 hours.

  • Michael Black Level 6 Level 6 (18,860 points)

    rturner2 wrote:

     

    From jmbotean... "Is anyone else finding the 15-minute passcode lock on the iPad and iPhone as annoying and dangerous as I am? I have disabled the lock altogether as a result."

     

    I totally agree with jmbotean! I have now also turned off my lock completely which is worse for security. The is the stupiest thing I have come across for a long time. Why limit the locking period and still allow the user to turn the feature off?

     

    I'm about to delete my work exchange email account and put my lock back onto 4 hours.

    From a security point of view though, 4 hours is nearly as bad as simply no security.  If you loose your iPhone while unlocked somewhere where it is found quickly (or if it is stolen while still unlocked) you've basically given the person free rein to go in and have full acess to the device.  Just seems pointless to even bother with a swipe lock and then pick such a long timeout period - self defeating in terms of security, IMO.

  • rturner2 Level 1 Level 1 (0 points)

    @Michael Black... Like all security, there is a trade off at some point between usability and security. I normally work from home, so no point in making it more painful for myself to unlock more often. But you do bring up a good point that I need to review my process for it is gets stolen.

     

    Not like this is going to be built... but perhaps like the new reminders / to do list app, perhaps I could set 4 hours for at home and 15 minutes when I drive out my door via a geo fence. That would be sweet!

  • Rocka Level 1 Level 1 (0 points)

    Common... Go to **** with security, there's not much security regarding iOS anyway. This was a convenient setting for various reasons, like locking the device overnight so kids can't play with my iPad in the morning.

    Unlocking it everytime I need to use my camera (Camera+), check email, or write something is a nonsense. So I understand those resulting in NO LOCK AT ALL.

    Pitty, having it set for an hour or two was a great "semi-secure" thing. Now there's nothing.

     

    Why the heck is it related to Exchange? Is this some kind of Gates' revenge or what?

     

    And what's the point in having a full choice from 1-2-3-4-5 minutes on the iPhone - what's the security difference between 3 and 5 minutes? Can anybody tell?

     

    Regarding the car conversations - those who conversate while driving are dangerous? How can we eliminate in-car conversations then? Forbid couples and families driving together?

  • Michael Black Level 6 Level 6 (18,860 points)

    Rocka wrote:

     

    Common... Go to **** with security, there's not much security regarding iOS anyway. This was a convenient setting for various reasons, like locking the device overnight so kids can't play with my iPad in the morning.

    Unlocking it everytime I need to use my camera (Camera+), check email, or write something is a nonsense. So I understand those resulting in NO LOCK AT ALL.

    Pitty, having it set for an hour or two was a great "semi-secure" thing. Now there's nothing.

     

    Why the heck is it related to Exchange? Is this some kind of Gates' revenge or what?

     

    And what's the point in having a full choice from 1-2-3-4-5 minutes on the iPhone - what's the security difference between 3 and 5 minutes? Can anybody tell?

     

    Regarding the car conversations - those who conversate while driving are dangerous? How can we eliminate in-car conversations then? Forbid couples and families driving together?

     

    The exchange feature allows the owner of the exchange server (and thus the one who controls the exchange accounts hosted on it) the ability to secure their empolyees accounts.  Since anything their employees house on the company's exchange server is the property of the company, they get to set the security policy as they see fit.  Exchange then pushes out a security certificate over the air that overrides the default security of the device's OS and emposes the corporate policy.  So no, it has nothing to do with Bill Gates, it has to do with a system that is primarily geared towards enterprise and corporate deployment, and enabling the owners of those systems to empose their own security standards and practices on devices used to connect to their corporate servers.  It also, btw, gives them the ability to remotely wipe your exhange account off the device at any time.

     

    I've never worked for any company that allows empolyees to use personal cell phones for access to company accounts without using some means of imposing security on the connecting devices - Exchange allows them a simple and standard way to do that.

     

    A passcode lock on an iOS device offers at least as much security as possible on any smart phone.  If employed with reasonable time out settings to avoide giving a theif open access, it does offer good protection against anyone actually gaining access to information on the device.  They can always restore the device as new, wiping it clean in the process, and go about using it as theirs, but your information at least, has been secured.

     

    It is certainly more than something to merely keep the kids out. If you use online banking or other financial apps, don't want someone reading your email or getting the addresses of all your family and friends, keep work documents or other confidential information, then you should be using a passcode lock on your device, with a fairly short default timeout.  Complain about the inconvenience all you wish, but don't disable the security passcode and then complain when the device is stolen and someone uses the infromation to aid them in stealing your identity, spam'ing your contacts, sending your personal photo's to anyone and everyone, posting your personal information on web sites, or whatever else they may do with full access to your iPhone and its contents.

     

    To my mind, it would be akin to leaving the doors to your house unlocked and wide open, because you find the act of having to dig keys out of your pocket everytime you come home too inconvenient.  Of course, you are free to do that too, but then don't complain when someone walks away with all your personal items and information.  Or perhaps a better analogy would be, don't complain when someone walks in to your house, sits down at your computer (which of course you have left logged in, or have set to autologin every time) and happily reads your email, copies down your online passwords, goes into your accounts and generally makes your life far, far more "inconvenient" then it ever would have been had you just logged out, and locked the door.

     

    There is a reason why identity theft is a multi-billion dollar a year crime category - so many people make it so easy for their personal information to be compromised that a world full of unsecured smart phones and tablets is a crook's dream world, like a kid in a candy shop.