Apple adds secure enterprise logins for iPhone: The iPhone 2.0 software, available through a download link for existing 2G iPhones today, adds promised support for the 802.1X port-based authentication required in any company that's even remotely serious about its network security. 802.1X isolates connecting to an access point from gaining access to the network to which the access point is connected. A special client, known as a supplicant, must provide the right credentials for a device to be approved for access. Cryptography binds the process. (Instructions for manually installing the software are over at Wired. The update will likely be pushed out via iTunes to current owners tomorrow, and is included on the iPhone 3G, which goes on sale starting today over the international dateline and tomorrow in the U.S., Europe, and elsewhere.)
Apple splits its 802.1X support into two pieces. There's basic support built into the iPhone 2.0 software, found in the Settings application's Wi-Fi section. Click Other. Click the None label next to Security, and the WPA Enterprise and WPA2Enterprise options appear. Select either, and the main login screen lets you enter the network's name (SSID), a user name, and a password. This basic method is limited to WPA Enterprise and WPA2 Enterprise, the two most common (and most secure) forms of 802.1X.
Most enterprises will want much more control over this process, and Apple provides the iPhone Configuration Utility, currently available in its most complete form only as a Mac OS X application, and in more limited forms as Web 2.0 applications for Windows and Mac OS X.
The utility serves two purposes: creating configuration profiles, including for multiple Wi-Fi networks and VPN connections; and allowing iPhones in an enterprise to run internally developed iPhone software. The Wi-Fi profiles allow you to create WEP or WPA/WPA2 802.1X configurations, and include support for choosing allowed EAP messaging types, configuring authentication elements associated with a given EAP type, and adding server certificates and names for better authentication control.
Once created, these profiles can be distributed throughout a company via email or as a direct download to the iPhone via an intranet Web server. Apple chose not to encrypt them, which means that certain information that's not secured--such as the shared secret for certain VPN connections--could be disclosed to someone who had access to the profile or could download it off the local network.