Problem : Your company has quite a number of different mobile devices being used.
How do you control the different devices and to what degree can you
control them? Also, what do you do if a device is lost or stolen?
Solution : With the use of more mobile devices, some obviously will work more
smoothly with ActiveSync, such as those that are created by Microsoft
and use the ActiveSync protocol implemented on the device. For example,
devices that have an underlying operating system as Mobile 6 or later
are going to be more manageable than earlier Mobile devices or other
devices from other vendors.
What about BlackBerry devices? Those require their
own BlackBerry servers that connect with Exchange 2007, pull the mail
from Exchange, and push it down to clients. What about the iPhone? The
first version of iPhones had no way of connecting with Exchange. You
could use the web interface to perform an OWA connection, but the screen
was small and hard to work with. With the more recent releases of the
iPhone, there is support for EAS.
Exchange ActiveSync allows for control over mobile devices using policies. You create the
policies in the EMC and apply the policy to users.
Note
If you have an Exchange
2007 RTM system and an Exchange 2007 SP1 system, you will be amazed at
how different the ActiveSync policy settings are. This is one area that
has been improved upon greatly in terms of more settings and more
powerful control options.
To view the default
ActiveSync policy (which is applied to all users with mobile
connectivity by default) as well as create a new policy, perform the
following:
1. Open the EMC.
2. From the Navigation Tree, expand the Organization Configuration work center and click Client Access.
3. Note that there is only one tab here, the Exchange ActiveSync Mailbox Policies tab. Within the tab is a Default policy. You can double-click the policy to open it.
4. If you want to create a new policy, you can choose New Exchange ActiveSync Mailbox Policy from the Actions pane to open the wizard.
5. From within the wizard, you can configure the following items, as shown in Figure 1.
   - Mailbox Policy Name— Provides a unique policy name.
   - Allow Non-provisionable Devices— Selecting this checkbox enables older devices that do not have the EAS support for policies to still connect to their mailboxes in Exchange 2007.
   - Allow Attachments To Be Downloaded to Device— Selected by default, this allows the device to download attachments from emails.
   - Require Password— Deselected by default, but if checked, you are presented with a collection of options, including the following:
     - Require Alphanumeric Password
     - Enable Password Recovery
     - Require Encryption on the Device
     - Allow Simple Password
     - Minimum Password Length (default: 4)
     - Time Without User Input Before Password Must Be Re-entered (In Minutes) (default: 15)
     - Password Expiration (Days)
     - Enforce Password History (default: 0)
6. When you finish making your selections, click New to create the policy.
7. When complete, click Finish.
Note
If
you want to take a policy you’ve created and set it as the default, you
can right-click the policy and choose Set as Default or select the
policy and choose Set as Default from the Actions pane.
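The same policy the wizard builds can be created from the Exchange Management Shell, which is useful when you need to reproduce it on a second organization or keep it under change control. The following is an added example, not from the book: the policy name and the chosen values are constructed for illustration, and the parameter names are the ones New-ActiveSyncMailboxPolicy and Set-ActiveSyncMailboxPolicy expose in Exchange 2007 SP1 (confirm with Get-Help Set-ActiveSyncMailboxPolicy -Full in your own environment). Each parameter is mapped to the wizard option it corresponds to.

```powershell
$policyName = 'Corp-Mobile-Baseline'   # hypothetical policy name

# Page one of the wizard. Refusing non-provisionable devices means a device that cannot
# enforce the policy is denied rather than silently exempted from it.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -AttachmentsEnabled $true

# The "Require Password" group of options, in the order the wizard lists them:
#   Require Password                      -> DevicePasswordEnabled
#   Require Alphanumeric Password         -> AlphanumericDevicePasswordRequired
#   Enable Password Recovery              -> PasswordRecoveryEnabled
#   Require Encryption on the Device      -> DeviceEncryptionEnabled
#   Allow Simple Password                 -> AllowSimpleDevicePassword
#   Minimum Password Length (default 4)   -> MinDevicePasswordLength
#   Time Without User Input (default 15)  -> MaxInactivityTimeDeviceLock
#   Password Expiration (Days)            -> DevicePasswordExpiration
#   Enforce Password History (default 0)  -> DevicePasswordHistory
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -PasswordRecoveryEnabled $true `
    -DeviceEncryptionEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5

# Equivalent of right-clicking the policy and choosing Set as Default.
Set-ActiveSyncMailboxPolicy -Identity $policyName -IsDefaultPolicy $true

# Confirm which policy is now the default and that the password controls took effect.
Get-ActiveSyncMailboxPolicy | Where-Object { $_.IsDefaultPolicy } |
    Format-List Name, DevicePasswordEnabled, DeviceEncryptionEnabled, MinDevicePasswordLength
```

Setting the minimum length and history above the wizard defaults is a deliberate choice here; the defaults of 4 and 0 are what the wizard gives you if you accept them unchanged.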
Creating the policy is
only part of the configuration process. To ensure the policy is designed
the way you prefer, you have to select the policy and choose Properties
from the Actions pane. Note that many options are available to
configure, including the following five tabs: General, Password, Sync
Settings, Device, and Advanced. Let’s consider these one step at a time.
The General Tab of the ActiveSync Policy
The General tab shows you
the name of the policy. It indicates whether it is the default policy
and when it was last modified. The setting to allow nonprovisionable
devices is available for you to change the setting from when you first
created the policy. Next we have the Refresh Interval (Hours) checkbox,
which establishes the number of times a device updates the policy from
the server (in hours). Two checkboxes relate to file access through
SharePoint or a file server. You can select or deselect the Windows File
Shares or Windows SharePoint Services checkboxes.
The Password Tab of the ActiveSync Policy
When creating the
policy, you noted that there were several settings that make up the
password side to the policy. Well, only on the Password tab can you find
some of the additional settings available.
For example, under Require Alphanumeric Password is another setting: Minimum Number of Complex Characters (default is set to 3).
Another extra setting is
Require Encryption on the Storage Card, which enforces encryption on
the storage card. Note that because this is not a supported option on
all mobile devices, make sure the device allows for this before enabling
this as a requirement.
The Sync Settings Tab of the ActiveSync Policy
This tab has a group of synchronization settings we can configure, including the following:
Include Past Calendar Items—
Here you can determine a date range of calendar items to sync with
devices. The default is All, but you can select the drop-down and choose
All, Two Weeks, One Month, Three Months, and Six Months.
Include Past Email Items—
Similar to the calendar items, you can determine a date range of email
to sync with devices. You can choose All (the default), One Day, Three
Days, One Week, Two Weeks, and One Month.
Limit Message Size To (KB)—
Establishes a maximum download size for messages to the mobile device.
Select the checkbox and configure a maximum message size in KB.
Allow Synchronization When Roaming— Enabling
this can be a bit expensive because when the device is roaming, charges
tend to be higher. However, if you do enable it, the device will sync
even when in roaming mode.
Allow HTML Formatted Email—
Whether you have this option selected or not, email that has been
formatted as HTML will still be delivered. It is converted to plain text
first. However, you can select this checkbox to allow HTML formatted
email.
Allow Attachments To Be Downloaded to This Device—
A simple one-click checkbox to enable/disable if users with this policy
can download attachments from within their email. Note that you were
able to configure this setting when you first created the policy.
However, you weren’t provided the next option.
Maximum Attachment Size (KB)—
From within the policy, you can configure the maximum file size you
want to allow to be downloaded to the device. If you leave this blank,
users are allowed downloads of all sizes.
The Device Tab of the ActiveSync Policy
The options on the
Device tab are specifically SP1 advancements (as are many of the
settings we’ve discussed thus far). Obviously with newer mobile devices
having items like cameras, it was decided that administrators should be
able to control the use of those devices. Note in Figure 2 that you can turn the following devices on/off with the click of a checkbox:
Allow Removable Storage
Allow Camera
Allow Wi-Fi
Allow Infrared
Allow Internet Sharing From the Device
Allow Remote Desktop From the Device
Allow Synchronization From a Desktop
Allow Bluetooth: Select the down arrow and choose: Disable, Handsfree Only, or Allow
Note
The settings on the
Device tab and the Advanced tab we discuss in the next section are
called premium features. There is an Exchange note directly on the tab
at the bottom that says, “Properties on the Advanced tab are premium
features of Exchange ActiveSync. Each mailbox that has these premium
features enabled requires an Exchange Enterprise Client Access License
(CAL).” Before purchasing this extended CAL, make sure your mobile
devices can support the policy application of these settings. If not,
there is no point to spending the extra money if the devices will not be
able to be controlled through the policy settings.
The Advanced Tab of the ActiveSync Policy
The Advanced tab (shown in Figure 3)
includes the remaining premium features that do not involve devices but
applications. For example, you have the following settings:
You can also configure allowed and blocked applications by clicking the Add button and selecting the applications that apply.
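The Password, Sync Settings and Device tabs described above are all exposed through Set-ActiveSyncMailboxPolicy as well, and once the settings live in a script you can also check every policy in the organization against a baseline rather than opening each one in the EMC. This is an added example, not from the book: the policy name, the baseline values and the settings chosen are constructed for illustration. Parameter names are those of Exchange 2007 SP1; the roaming and attachment-size mappings in particular are worth confirming with Get-Help before relying on them.

```powershell
$policyName = 'Corp-Mobile-Baseline'   # hypothetical policy name

# Password tab: the two settings the wizard did not offer. Storage-card encryption is
# only enforced on devices that support it, as the text notes.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -MinDevicePasswordComplexCharacters 3 `
    -RequireStorageCardEncryption $true

# Sync Settings tab. RequireManualSyncWhenRoaming $true is the cmdlet form of leaving
# "Allow Synchronization When Roaming" unchecked. MaxAttachmentSize is in bytes.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -MaxCalendarAgeFilter ThreeMonths `
    -MaxEmailAgeFilter OneMonth `
    -RequireManualSyncWhenRoaming $true `
    -AllowHTMLEmail $false `
    -AttachmentsEnabled $true `
    -MaxAttachmentSize 1MB

# Device tab (premium features, Enterprise CAL). Turn off the radios and sharing paths
# the organisation does not use; Bluetooth restricted to hands-free profiles.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AllowStorageCard $true `
    -AllowCamera $false `
    -AllowWiFi $true `
    -AllowIrDA $false `
    -AllowInternetSharing $false `
    -AllowRemoteDesktop $false `
    -AllowDesktopSync $true `
    -AllowBluetooth HandsfreeOnly

# Audit: compare every policy in the organisation with the settings a reviewer expects,
# and report each deviation. The baseline values here are constructed for the example.
$baseline = @{
    AllowNonProvisionableDevices = $false
    DevicePasswordEnabled        = $true
    DeviceEncryptionEnabled      = $true
    AllowSimpleDevicePassword    = $false
    MinDevicePasswordLength      = 6
    AllowCamera                  = $false
}

foreach ($p in Get-ActiveSyncMailboxPolicy) {
    foreach ($name in $baseline.Keys) {
        if ($p.$name -ne $baseline[$name]) {
            Write-Host ('{0}: {1} is {2}, expected {3}' -f $p.Name, $name, $p.$name, $baseline[$name])
        }
    }
}
```

The audit loop is the part worth keeping: it catches a policy that was created from the wizard with the defaults (password not required, length 4) and never revisited on the Properties tabs.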
Assign an ActiveSync Policy to Users
After you have the
policies you need for your ActiveSync mobile devices, you need to apply
those policies to users. To accomplish this for an individual user,
perform the following steps:
1. Open the EMC.
2. From the Navigation Tree, expand the Recipient Configuration work center.
3. From the Results pane, select the user you want to apply the policy toward. Then from the Actions pane, select Properties.
4. Select the Mailbox Features tab.
5. Select the Exchange ActiveSync feature and click the Properties button.
6. You are presented with the option to leave the default EAS policy or select Browse and choose a new policy. After you select the policy, click OK, and the new policy is applied to that user.
PS Note
The cmdlet through the EMS to assign the policy is Set-CASMailbox. You would type in the following: Set-CASMailbox 'UserName' -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").
If you want to apply the policy to multiple users, perhaps within a
distribution group, you can stack the commands using the pipeline (|) to
allow for a greater application of policies.
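Applying the policy to a whole distribution group through the pipeline, as the note suggests, and then checking who is still on the default policy, looks like the following. This is an added example and not the book's own command: the group name, policy name and the use of Get-DistributionGroupMember as the source are assumptions for illustration.

```powershell
$policyName = 'Corp-Mobile-Baseline'   # hypothetical policy name
$groupName  = 'Mobile Users'           # hypothetical distribution group

# Fail early if the policy does not exist, rather than stamping a bad identity on users.
$policy = Get-ActiveSyncMailboxPolicy -Identity $policyName
if ($policy -eq $null) { throw "ActiveSync policy '$policyName' not found" }

# Stack the cmdlets with the pipeline: group members -> keep only mailbox users ->
# assign the policy. Set-CASMailbox takes the piped recipient as its identity.
Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policy.Identity

# Verify the assignment for the group.
Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    Get-CASMailbox |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Wider check: ActiveSync-enabled mailboxes with no explicit policy fall back to the
# default policy (the property is empty for them), so this list is what the default covers.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and ($_.ActiveSyncMailboxPolicy -eq $null) } |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

Filtering on RecipientType matters because a distribution group can contain contacts and mail-enabled users that have no Client Access settings; piping those into Set-CASMailbox just produces errors.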
Manage a Mobile Device
You might think that you
can give your users a mobile device, set up a policy, and you are done.
Not quite. Passwords will be forgotten, devices will be lost or stolen,
and so on. There are several ways to manage the mobile device after it
has been released.
Users can manage their
own devices through the OWA settings. (You can disable this, but you
might want to leave it alone because you might want users to handle
their own problems. This creates less stress for you as an
administrator.)
You can manage the
device by locating the recipient in the EMC, right-clicking the user,
and choosing Manage Mobile Device, which opens the wizard. (This setting
appears only if the user has a mobile device associated with that
person. When users initially synchronize their mobile devices with their
mailboxes using Exchange ActiveSync, Exchange 2007 creates a
partnership with that device. After this partnership has been
established, the option to manage mobile devices will appear.) As an
administrator, this is the quickest way to wipe a device or recover a
password.
You can also use the Exchange Management Shell to manage mobile devices.
For OWA Users: Wipe a Device or Recover a Password
The most important
aspect of mobile management is the capability to clear a device of all
data (wipe its memory) in the event it is lost or stolen. Who knows what
data is on that device? With ActiveSync, it doesn’t matter. The moment
it’s turned on and checks in, the data is cleared out.
For users, Outlook Web
Access provides the capability to wipe all data from a device and
display the recovery password. To accomplish this, they need to perform
the following:
1. Log onto Outlook Web Access.
2. Select the Options link in the upper right-hand corner.
3. From the Navigation pane of options, scroll down until you find Mobile Devices and select that link.
4. Notice you can see your device, the last sync time, and the status. There are also links for Wipe All Data from Device and Display Recovery Password, as you can see in Figure 4.
After
you clear a device, in SP1 there is now a link for cancelling the
request. If you decide to cancel (let’s say you find your phone), you
should do it quickly because after that phone connects and the device
begins the process of wiping, there is no cancel process.
Another new SP1 feature is
that after the remote process has completed, users receive an email to
let them know it has completed.
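The administrator's side of the same operations, through the Exchange Management Shell mentioned earlier, is shown in the following added example (not from the book). The mailbox alias, device ID and notification address are constructed placeholders; the cmdlets are Get-ActiveSyncDeviceStatistics and Clear-ActiveSyncDevice as they exist in Exchange 2007 SP1, including the SP1 -Cancel switch that corresponds to the cancel link described above.

```powershell
$mailbox  = 'jdoe'                 # hypothetical user alias
$deviceId = 'ABC123DEVICEID'       # hypothetical; copy it from the inventory below
$notify   = 'jdoe@example.com'     # hypothetical address for the completion email

# Inventory every partnership the mailbox has, with the last successful sync and the
# three wipe timestamps (requested, sent to the device, acknowledged by the device).
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceID, LastSuccessSync, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# Select the lost device by DeviceID so that the wrong partnership is never wiped.
$device = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox | Where-Object { $_.DeviceID -eq $deviceId }
if ($device -eq $null) { throw "No ActiveSync partnership with DeviceID $deviceId for $mailbox" }

# Issue the wipe. Nothing happens until the device next checks in; the address given
# receives the SP1 completion email once the device acknowledges.
Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses $notify -Confirm:$false

# Cancelling (the phone turned up): only possible while the command has not yet been
# delivered, which is what an empty DeviceWipeSentTime tells you.
$pending = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox | Where-Object { $_.DeviceID -eq $deviceId }
if ($pending.DeviceWipeSentTime -eq $null) {
    Clear-ActiveSyncDevice -Identity $device.Identity -Cancel
} else {
    Write-Host 'Wipe already sent to the device; it cannot be cancelled.'
}

# Recovery password, the EMS counterpart of the OWA "Display Recovery Password" link.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox -ShowRecoveryPassword |
    Where-Object { $_.DeviceID -eq $deviceId } |
    Format-List DeviceID, RecoveryPassword

# Housekeeping across the organisation: partnerships that have not synced for 90 days
# are the ones most likely to belong to devices nobody is tracking any more.
$cutoff = (Get-Date).AddDays(-90)
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity -ErrorAction SilentlyContinue
} | Where-Object { $_.LastSuccessSync -lt $cutoff } |
    Format-Table Identity, DeviceType, LastSuccessSync
```

Checking DeviceWipeSentTime before calling -Cancel reflects the point made above: once the device has connected and received the command, there is no cancel process, so the shell reports that rather than pretending the cancellation succeeded.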