I've written many times about the Bring Your Own Device movement (BYOD) and the need for increasing security controls.
For years, we've controlled device settings on Blackberry devices with the Blackberry Enterprise Server (BES). We force passwords, encryption, and device memory wipes for ten failed passwords so that every user has enterprise enforced security
With iPhones and Android devices it's harder to control settings and behavior on personal equipment.
We think the best we can do within the limitations of present server-side technology is to enforce the use of passwords on all devices using Active Sync, require a timeout of 10 minutes, and eliminate the use of the most simple passwords (1234, 1111 etc). Microsoft Exchange/Active Sync can query the device for the settings currently in place and only synchronize email if the device adheres to enterprise security policies.
We'll eliminate support for POP and IMAP protocols because these cannot be used to inspect and enforce desirable device settings.
We've debated the use of settings that automatically wipe the device for 10 failed password attempts, as we do with Blackberry. However, given that we cannot selectively purge corporate verses personal data, we'll likely avoid that setting for now.
BYOD management is a journey. Server side tools that inspect personal devices and only allow synchronization of corporate data such as email when settings are consistent with policies seem like a cool solution.
In the future, we may add client software (Mobile Device Management) to each device to provide more control over encryption on Android devices and permit selective memory wiping of corporate data.