14 Chapter 1 Deploying iPhone and iPod touch
IMAP Email
If you don’t use Microsoft Exchange, you can still implement a secure, standards-based
email solution using any email server that supports IMAP and is configured to require
user authentication and SSL. These servers can be located within a DMZ subnetwork,
behind a corporate firewall, or both.
With SSL, iPhone and iPod touch support 128-bit encryption and validate the server’s
certificate against the X.509 root certificates issued by the major certificate
authorities. They also support challenge-response authentication methods, including
industry-standard MD5 Challenge-Response (CRAM-MD5) and NTLMv2, which avoid
sending the password itself over the connection.
IMAP Network Setup Guidelines
• For additional security, install on the server (or on the proxy in front of it) a
digital certificate issued by a trusted certificate authority (CA). The device checks
the server’s certificate against its root CA store when it opens the SSL session, so a
certificate from a trusted CA is what lets the device confirm it is talking to your real
server and not to something sitting in the path.
• To allow iPhone and iPod touch devices to retrieve email from your server, open port
993 in the firewall and make sure the server (or proxy) is configured for IMAP over SSL
on that port.
• To allow devices to send email, port 587, 465, or 25 must be open. The device tries
port 587 (the SMTP submission port) first, so it is the best choice; configure it to
require STARTTLS before it accepts authentication.
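The checks above (certificate from a trusted CA, IMAP over SSL on 993, submission on 587 with encryption before authentication) can be verified from the outside. The following Python script is an added example, not code from the guide or from Apple: it audits the capability lists an IMAP or SMTP server advertises before and after TLS, using only the standard library. The `SAMPLE_*` values are constructed responses so the audit functions can be run offline; the host name passed on the command line and the function names are this example’s own.

```python
import imaplib
import smtplib
import ssl

# Constructed sample CAPABILITY / EHLO responses (not captured from a real
# server) so the audit functions can be exercised without network access.
SAMPLE_IMAP_CLEARTEXT = "IMAP4rev1 STARTTLS LOGINDISABLED".split()
SAMPLE_IMAP_TLS = "IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5 IDLE".split()
SAMPLE_EHLO_CLEARTEXT = {"starttls": "", "size": "10240000"}


def audit_capabilities(caps, tls_active):
    """Check an IMAP CAPABILITY list against the guidelines above.

    caps:       capability tokens as the server advertised them
    tls_active: True if the tokens were read over an encrypted session
    Returns a list of findings; an empty list means the server behaves as
    expected for that stage of the session.
    """
    tokens = {c.upper() for c in caps}
    sasl = {t for t in tokens if t.startswith("AUTH=")}
    findings = []
    if not tls_active:
        # Before TLS the server must offer an upgrade and refuse every
        # password-bearing mechanism (LOGIN, AUTH=PLAIN, AUTH=LOGIN).
        if "STARTTLS" not in tokens:
            findings.append("no STARTTLS on cleartext port")
        if "LOGINDISABLED" not in tokens:
            findings.append("cleartext LOGIN accepted before TLS")
        if sasl & {"AUTH=PLAIN", "AUTH=LOGIN"}:
            findings.append("password SASL mechanism offered before TLS")
    elif "LOGINDISABLED" in tokens and not sasl:
        # Encrypted, but the device would have no way to authenticate.
        findings.append("no authentication mechanism available over TLS")
    return findings


def audit_esmtp(features, tls_active):
    """Same check for the submission port. features: EHLO keyword -> parameters."""
    keys = {k.lower() for k in features}
    findings = []
    if not tls_active:
        if "starttls" not in keys:
            findings.append("no STARTTLS on submission port")
        if "auth" in keys:
            findings.append("AUTH offered before TLS")
    elif "auth" not in keys:
        findings.append("no AUTH offered over TLS on submission port")
    return findings


def probe_imaps(host, port=993, timeout=10):
    """Port 993 path (implicit TLS). The default context validates the chain
    against the local trust store and checks the host name, so a certificate
    that is not from a trusted CA is reported rather than silently accepted."""
    ctx = ssl.create_default_context()
    try:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    except ssl.SSLCertVerificationError as exc:
        return ["certificate not trusted: %s" % exc.reason]
    try:
        # imaplib stores the pre-login CAPABILITY tokens, upper-cased.
        return audit_capabilities(conn.capabilities, tls_active=True)
    finally:
        conn.logout()


def probe_submission(host, port=587, timeout=10):
    """Port 587 path: cleartext EHLO, then STARTTLS, then EHLO again."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        findings = audit_esmtp(smtp.esmtp_features, tls_active=False)
        if smtp.has_extn("starttls"):
            try:
                smtp.starttls(context=ctx)
            except ssl.SSLCertVerificationError as exc:
                return findings + ["certificate not trusted: %s" % exc.reason]
            smtp.ehlo()  # features are reset by STARTTLS; ask again
            findings += audit_esmtp(smtp.esmtp_features, tls_active=True)
        return findings


if __name__ == "__main__":
    import sys
    print("sample IMAP (cleartext):", audit_capabilities(SAMPLE_IMAP_CLEARTEXT, False))
    print("sample IMAP (TLS):      ", audit_capabilities(SAMPLE_IMAP_TLS, True))
    print("sample EHLO (cleartext):", audit_esmtp(SAMPLE_EHLO_CLEARTEXT, False))
    if len(sys.argv) > 1:  # e.g. python audit_mail.py mail.example.com
        print("IMAPS (993):     ", probe_imaps(sys.argv[1]))
        print("submission (587):", probe_submission(sys.argv[1]))
```

Run it against the server name the devices will use: if `probe_imaps` reports the certificate as untrusted, the devices will fail in the same way, because both rely on a root store of public CAs. A clean result on the cleartext IMAP port (STARTTLS offered, LOGINDISABLED present) is what "require SSL" looks like from the client side; closing port 143 at the firewall entirely, as the guidelines do, is the simpler option.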
Enterprise Applications
If you are planning to deploy enterprise iPhone and iPod touch applications, you install
them on your devices using iPhone Configuration Utility for Mac OS X or iTunes for
Mac and Windows. Once you have deployed an application to users’ devices, updating it
will be easier if each user has iTunes installed on their Mac or PC.
Determining Device Passcode Policies
Once you decide which network services and data your users will access, you should
determine which device passcode policies you want to implement.
Requiring a passcode on your devices is recommended above all where your networks,
systems, or applications don’t prompt for a password or an authentication token each
time they are used. If you use certificate-based authentication for an 802.1X network
or a Cisco IPSec VPN, or your enterprise application saves the user’s login
credentials, the device itself becomes the credential: whoever holds it can reach those
services. In that case require users to set a device passcode with a short auto-lock
timeout, so a lost or stolen device cannot be used without knowing the passcode.
Policies can be set on iPhone and iPod touch in one of two ways. If the device is
configured to access a Microsoft Exchange account, the Exchange ActiveSync policies
are wirelessly pushed to the device. This allows you to enforce and update the policies
without any action by the user. For information about EAS policies, see “Supported
Exchange ActiveSync Policies” on page 6.
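The following Python script is an added example, not part of the guide or Apple’s own tooling. It assumes (this page does not state it) that the non-Exchange path delivers the policy as a configuration profile installed with iPhone Configuration Utility, and it builds a profile that expresses the recommendation above: passcode required, short auto-lock timeout, limited wrong guesses. The payload key names are those of the iPhone configuration profile passcode payload; the `com.example.*` identifiers, the 5-minute timeout and the other numeric values are placeholders chosen for the example. `check_profile` re-reads a serialized profile so a policy handed to you can be verified before it is pushed to devices.

```python
import plistlib
import uuid

# Payload type of the passcode policy in an iPhone configuration profile.
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def passcode_payload(max_inactivity_minutes=5, min_length=6,
                     max_failed_attempts=10, require_alphanumeric=False):
    """One passcode-policy payload. The identifier is a hypothetical
    placeholder, not a value from this guide; the numbers are example choices."""
    return {
        "PayloadType": PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                          # a passcode must be set
        "allowSimple": False,                      # reject 1111, 1234 and the like
        "requireAlphanumeric": require_alphanumeric,
        "minLength": min_length,
        "maxInactivity": max_inactivity_minutes,   # auto-lock after this many idle minutes
        "maxFailedAttempts": max_failed_attempts,  # device erases itself after this many wrong guesses
    }


def build_profile(payloads, identifier="com.example.mdm.profile",
                  name="Corporate policy"):
    """Wrap payloads in the top-level profile dictionary and serialize as XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def check_profile(data, max_inactivity_allowed=5):
    """Re-read a serialized profile and confirm it enforces what this section
    calls for: a passcode is required and the idle timeout is short."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode payload in profile"]
    issues = []
    for p in payloads:
        if not p.get("forcePIN"):
            issues.append("passcode not required")
        timeout = p.get("maxInactivity")
        if timeout is None:
            issues.append("no inactivity timeout set")
        elif timeout > max_inactivity_allowed:
            issues.append("inactivity timeout %d min exceeds %d min"
                          % (timeout, max_inactivity_allowed))
    return issues


if __name__ == "__main__":
    data = build_profile([passcode_payload()])
    assert check_profile(data) == []
    with open("passcode.mobileconfig", "wb") as f:   # load with iPhone Configuration Utility
        f.write(data)
```

The `.mobileconfig` written here is an ordinary XML property list, so it can be diffed and reviewed like any other configuration before it is distributed; `check_profile` is the kind of gate you would put in front of that distribution.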