In-Depth
Are ActiveSync's New Policies in Sync?
With Service Pack 1, Exchange 2007 gets a slew of new policy settings. We take a look at how they stack up against those of the BlackBerry.
Hard-core IT administrators are not easily swayed by mobile devices that can't be controlled. Sexy new features-such as audio and video improvements, longer battery life, better cameras and more games-make little impression on an IT admin, whose primary mission is to protect his kingdom from harmful outside influences. But with mobile devices becoming as functional as laptops and now in the possession of a much wider range of business users, admins are focusing even more intently on ways to protect the mission-critical data they contain.
So what sorts of added measures can IT administrators take to stonewall harmful influences from invading their networks? In a word: policies.
If you're working with the released to manufacturing (RTM) version of Exchange, you may know that there are up to 16 different policy settings in ActiveSync. But Service Pack 1 (SP1) brings the quantity and quality up to a whole new level, including 27 settings for the Standard Client Access License (CAL) and 43 for the Enterprise CAL. Let's take a closer look at some of the features you have at your disposal and then compare these to policies for Research In Motion's BlackBerry device.
The EAS Connection
Exchange ActiveSync (EAS) is a protocol implemented both on the server and on the client that allows for control over mobile devices through policies that connect to a user's mailbox. The first version of Apple's iPhone offered no support for ActiveSync. Apple Inc., forever trying to attract consumers over business users, didn't build in programming hooks for third-party developers. Yet the device was so smooth, you had admins gritting their teeth as an increasing number of top-level executives began asking, "Can I use my iPhone to connect up to my mail?" Administrators' typical answer was: Not with EAS.
Some may wonder, "What's the big deal?" One of the nice features in EAS is, if your phone is lost or stolen, you can remotely wipe it clean. If this can't be done, it shouldn't be allowed in your enterprise, plain and simple. There's far too much sensitive data being carried around in these phones, and admins simply can't afford to leave the network open to that kind of problem. With earlier iPhones, it wasn't even a possibility, but now, with the new 3G iPhone with EAS support, that connection can be made.
Apple isn't the only one making changes. Even the ActiveSync policy settings have received an overhaul with Exchange 2007 SP1. Let's take a look at how to work with policies in the 2007 RTM and the SP1 release.
The New Policy Settings in Exchange 2007 SP1
If you take two Exchange systems, in this case the 2007 RTM version and the SP1, you'll see the difference in policies immediately. To look at ActiveSync policies, you open the Exchange Management Console (EMC), expand out the Organization Configuration section and select the Client Access tab. It's the only aspect that's configurable at the organizational level, so you'll only see one tab entitled "Exchange ActiveSync Mailbox Policies."
Figure 1. The Sync Settings tab of the Default ActiveSync Policy for Exchange 2007 SP1.
One of the first differences between RTM and SP1 is that a default policy already exists in SP1. This default policy is assigned automatically to all Exchange 2007 mailboxes that don't have one. Note: You can change the settings on this policy or create another policy and set the new one as the default if you like. The default is a loose policy in terms of security, so you may want to alter the settings to improve security.
If you open the default policy, you can see that there are more tabs than General and Password (which is all we had in the RTM version). There are the Sync Settings, Device and Advanced tabs, indicating there's quite a bit more in terms of control settings to these policies.
The General tab includes the following settings:
- Allow non-provisionable devices: This allows older devices that do not have EAS support for mailbox policies to still connect up to their mailboxes through Exchange 2007.
- Refresh interval (hours): This determines how often, in hours, the device refreshes its copy of the policy from the server.
- WSS/UNC access: This provides the ability to allow or disallow access to Windows File Shares or Windows SharePoint Services.
The Password tab reveals a few new additions to the list for SP1. There are policies that relate to the use of alphanumeric passwords, password recovery, encryption, password length (default: four characters), time without user input before password must be re-entered (default: 15 minutes), password expiration (in days) and password history (default: 0). In addition to the previous settings, in SP1 there are the following:
- Minimum number of complex characters: This determines whether a password includes complex characters (any character that's not a letter) and how many of those are required.
- Require encryption on the storage card: This determines whether the storage card of the mobile device requires encryption. This is not a supported option on all mobile devices, so if storage card encryption is a must, not only do you need to set the policy, you also need to ensure that the mobile device has the option.
Figure 2. The Device Settings tab of the Default ActiveSync Policy for Exchange 2007 SP1.
The Sync Settings tab has the following options:
- Include past calendar items: Here you can determine a date range of calendar items to sync with devices. The default is All, but you can also select Two Weeks, One Month, Three Months and Six Months from the drop-down menu.
- Include past e-mail items: As with the calendar items, you can determine a date range of e-mail to sync with devices. You can choose All (the default), One Day, Three Days, One Week, Two Weeks or One Month. Note: If you want to determine different settings for these options, you can use the Exchange Management Shell (EMS) to do so.
- Limit message size to (KB): Establishes a maximum download size for messages to the mobile device.
- Allow synchronization when roaming: Enabling this can be a bit expensive because when the device is roaming, charges tend to be higher. But if you do enable it, the device will sync even when in roaming mode.
- Allow HTML-formatted e-mail: Whether you have this option selected or not, e-mail that has been formatted as HTML will still be delivered. It'll just be converted to plain text first. But if you want, you can select this checkbox to allow HTML-formatted e-mail.
- Allow attachments to be downloaded to the device: Left unchecked, you can prevent users from downloading attachments. When creating a new policy, it's checked by default. In addition, you can establish a "Maximum attachment size (KB)."
The Device tab contains a grouping of checkboxes that's somewhat self-explanatory and can be regarded as revolutionary for ActiveSync policy strength. Using the checkboxes, you can turn on or off the following devices and features:
- Allow removable storage
- Allow camera
- Allow Wi-Fi
- Allow infrared
- Allow Internet sharing from the device
- Allow remote desktop from the device
- Allow synchronization from a desktop
- Allow Bluetooth (with options Disable, Hands-Free Only and Allow)
The Advanced tab includes these options:
- Allow browser
- Allow consumer mail: This setting determines if a user can configure personal e-mail (POP or IMAP) on the same device.
- Allow unsigned applications: To run applications that haven't been signed with a trusted certificate.
- Allow unsigned installation packages: To install applications that haven't been signed with a trusted certificate.
- Allowed and Blocked Applications: Can be configured to allow or block certain applications on the mobile device that you deem necessary.
Note: All of the settings on the Device and Advanced tabs are called premium features. There's a message directly on the tab that explains that each mailbox with these premium features enabled requires an Exchange Enterprise CAL. This is an added CAL that you purchase on top of the Standard CAL and that comes with more features. While the RTM implementation of ActiveSync policies was available for both Standard- and Enterprise-level CALs, the SP1 version contains a few premium features. In addition to the licensing aspects, your mobile devices may or may not support some of these new features. Some are available through the latest version of Windows Mobile 6.1 (connected up with an Exchange 2007 SP1 Enterprise CAL). You can see a charted comparison from TechNet.
Figure 3. The Advanced tab of the Default ActiveSync Policy for Exchange 2007 SP1.
The Exchange Management Shell Angle
Administrators want to hear that all things that can be done from the EMC are doable from the EMS and vice versa. If you want to use the command line, there's no problem. But leave the GUI options open, too.
Traditionally, this hasn't been much of a problem.
However, with Exchange, there are aspects that are only EMS-configurable. Let's look at how to configure the ActiveSync policies through the EMS, and then we'll list the options that are only available through the EMS.
Note: A complete listing of the Exchange ActiveSync cmdlets, with all of their settings, is available in the Exchange 2007 documentation on TechNet.
If you want to create a new policy, begin with the New-ActiveSyncMailboxPolicy cmdlet and use the many parameters you can pick up from the TechNet site or through PowerShell help to establish the settings. To assign the policy to an individual user, you can run Set-CASMailbox <UserName> -ActiveSyncMailboxPolicy <PolicyName>, although this is more easily done through the Recipient Configuration settings in the EMC.
To do so, go into the Properties of a user mailbox, go to Mailbox Features, select ActiveSync, click on Properties and apply the policy. For multiple users, you can begin with the Get-Mailbox cmdlet, with parameters to narrow down which mailboxes you wish to place under the policy, and then pipe the results to Set-CASMailbox -ActiveSyncMailboxPolicy <PolicyName>.
If you want to modify a policy, you can do it from the EMC, or you can use the EMS. To modify through the EMS, you use the Set-ActiveSyncMailboxPolicy cmdlet and provide the -Identity of the policy and then establish the settings. Some of these settings may only be configurable through the EMS. These settings include:
- AllowPOPIMAPEmail
- AllowTextMessaging
- RequireSignedSMIMEMessages
- RequireEncryptedSMIMEMessages
- AllowSMIMESoftCerts
- RequireSignedSMIMEAlgorithm
- RequireEncryptionSMIMEAlgorithm
- AllowSMIMEEncryptionAlgorithmNegotiation
- MaxEmailBodyTruncationSize
- MaxEmailHTMLBodyTruncationSize
- UnapprovedInROMApplicationList
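The EMS procedure above, worked through end to end as an added example (this is not the article's own code): it creates a tighter policy, sets the premium Device and Advanced options, applies the EMS-only settings from the list, assigns the policy to a set of mailboxes, and reports which ActiveSync-enabled mailboxes are still on another policy. The policy name "Corp-Strict", the organizational unit "contoso.com/Finance" and the chosen values are assumptions for illustration.

```powershell
# Added example, not the article's code. Assumed: policy name "Corp-Strict",
# OU "contoso.com/Finance", and the specific values chosen below.

# 1. Create the policy with the password settings described on the Password tab.
New-ActiveSyncMailboxPolicy -Name "Corp-Strict" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -DevicePasswordHistory 5 `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -DevicePolicyRefreshInterval "24:00:00"

# 2. Premium (Enterprise CAL) settings from the Device and Advanced tabs.
Set-ActiveSyncMailboxPolicy -Identity "Corp-Strict" `
    -AllowCamera $false `
    -AllowStorageCard $false `
    -AllowBluetooth HandsfreeOnly `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -AllowConsumerEmail $false

# 3. Settings that are only exposed through the EMS (from the list above).
Set-ActiveSyncMailboxPolicy -Identity "Corp-Strict" `
    -AllowPOPIMAPEmail $false `
    -AllowTextMessaging $true `
    -RequireSignedSMIMEMessages $false `
    -MaxEmailBodyTruncationSize 32

# 4. Assign the policy to every mailbox in the assumed OU in one pass,
#    instead of opening each mailbox's properties in the EMC.
Get-Mailbox -OrganizationalUnit "contoso.com/Finance" -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy "Corp-Strict"

# 5. Check: list ActiveSync-enabled mailboxes still governed by some other policy
#    (for example, the loose default policy SP1 creates automatically).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and $_.ActiveSyncMailboxPolicy -ne "Corp-Strict" } |
    Select-Object Name, ActiveSyncMailboxPolicy
```

Step 5 is the part worth re-running after any bulk assignment, since a mailbox left on the default policy keeps the default's weaker password and device settings.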
A Remote-Wipe Enhancement
In addition to the policy enhancements, it's good to note that the remote-wipe function has been given one extra feature, namely a confirmation e-mail. Either the user, through Outlook Web Access, or the administrator, through the EMC or EMS, can perform the wipe. An e-mail will be sent to the user and the admin confirming that the "Remote Device Wipe has completed successfully."
EAS vs. BlackBerry IT Policies
You may look at the wide array of controls offered by ActiveSync and feel as though you have all you need to control your environment. But BlackBerry shows that its available policy options are just the tip of the iceberg. It boasts more than 400 policies with its Enterprise Solution, which provides administrators with complete and precise control over their wireless solution. For a complete listing of all BlackBerry IT Policies, review the BlackBerry Enterprise Server Policy Reference Guide.
Space limitations prevent the listing of all 400 policy settings with full descriptions here, but suffice it to say the document is 200 pages long. So it goes without saying that the veteran mobile giant BlackBerry offers the greater level of control when matched up against ActiveSync Policies.
There is, however, a new offer from Microsoft that has the potential to correct this policy imbalance. It's the System Center Mobile Device Manager, which is a member of Microsoft's System Center family. It extends Active Directory to Windows Mobile and uses over-the-air (OTA) device management to ensure that updates and settings are delivered smoothly. Mobile Device Manager has more than 130 settings and policies for IT admins to work with.
Another negative angle to the new SP1 settings for ActiveSync (as well as for Mobile Device Manager) is that most of them require Windows Mobile 6.1 to function. In terms of enhancements for users, version 6.1 on the surface has only minor upgrades. Mobile 7 does have some promising new features, but if you want that control now for your users, you will have to upgrade to 6.1 to get it. This may be a real letdown for iPhone users who were finally promised ActiveSync abilities with version 2.0. It's true that you have ActiveSync, but not all Exchange features are supported. For example, you can't disable cameras or open links in e-mails to documents stored on SharePoint servers.
Down ... But Gaining Ground
Between the vast array of improvements in ActiveSync policies in SP1 and the new System Center Mobile Device Manager tools, it's obvious that Microsoft is well aware of the need to improve its mobile device control to compete on the Enterprise level with frontrunner BlackBerry. BlackBerry has the advantage of marrying hardware and software, which narrows its focus and has contributed to its leadership position. But it would be a mistake to overlook Microsoft's strong Windows Mobile base, and Microsoft is already showing that it has the mobile control issue in its crosshairs.