Microsoft Exchange Server: Go mobile with Exchange Server
When providing mobile device access to Exchange, you have to consider device security and usability issues.
Brien M. Posey
Mobile messaging has taken on a renewed sense of importance over the last few years. The now-ubiquitous nature of smartphones and tablets makes mobile messaging something to which every business user expects unfettered and easy access.
Microsoft Exchange Server is well equipped to provide messaging to mobile users, and has been for quite some time. Exchange Server has already evolved through several generations. As such, when your users ask you to connect their mobile devices to their Exchange mailboxes, the messaging aspect of the process should be secondary. Your primary concerns should be related to security and usability.
When it comes to usability, most of your users are probably unaware that Exchange Server provides them with a handful of self-service options that let them manage their own mobile devices. They can find these options through the Exchange Control Panel, although the full menu of options will vary slightly depending on the version of Exchange Server your organization has installed.
They can access the self-service options for mobile devices by opening the Outlook Web App and clicking on the Options link, then selecting the See All Options link. At this point, all they have to do is simply click on the Phone tab (see Figure 1).
Figure 1 The Exchange Control Panel provides self-service support for mobile devices.
The Phone tab will show your users a list of every device they have ever registered to Exchange. They can use this interface to delete old devices or to view device details such as the make, model, mobile OS and ActiveSync version.
Most important, the self-service interface contains a Wipe Device button. Your users can use this function to initiate a remote wipe of a lost or stolen device. This is a critical function because it gives your users the ability to take action without having to wait on the help desk in the event of a missing device. For example, imagine that a user’s phone was stolen late at night. Through the self-service portal, the user could wipe his phone immediately without having to wait until the next day to submit a ticket to the help desk.
When you let your users access their Exchange e-mail from a mobile device, you have to consider how doing so will impact your organization’s security. Microsoft Exchange Server can apply a robust set of security policies to mobile devices through its mobile device mailbox policies.
Mobile device mailbox policies (formerly known as ActiveSync mailbox policies) are designed to provide security in situations where using Group Policy settings is impossible. As you may know, you can only apply Group Policy settings to domain members. The only smartphones that were ever capable of being domain-enrolled were those that ran Microsoft Windows Mobile 6.x. Other smartphones (including Microsoft Windows Phone 7 and Windows Phone 8 devices) can’t be domain-enrolled. You can use mobile device mailbox policies to apply security to those devices, even though they aren’t domain members.
Although mobile device mailbox policies are traditionally used to secure smartphones, those policies aren’t limited to smartphone security. You can actually apply mobile device mailbox policies to any device that uses ActiveSync to connect to Exchange Server. This includes devices such as the Microsoft Surface tablet, the iPad, and even PCs or tablets running Windows 8.
One caveat for using mobile device mailbox policies to secure mobile devices is that each make and model of mobile device offers a different level of support. For example, Windows Phone 7 devices were notorious for failing to support a considerable number of the individual policy settings.
Because not every mobile device provides an equal level of support for mobile device mailbox policies, it’s a good idea to familiarize yourself with which devices support the various policy settings. Windows Phone 7 devices, for example, only support the following Microsoft Exchange Server 2013 mobile device mailbox policy settings:
Windows Phone 8 devices support the following policy settings:
- Allow simple device password
- Alphanumeric password required
- Device password enabled
- Device password expiration
- IRM enabled
- Maximum device password failed attempts
- Maximum inactivity device time lock
- Minimum device password complex characters
- Minimum device password length
- Require device encryption
- Remote wipe
Check out this published list of policy settings supported by various other mobile devices.
Because different makes and models of mobile devices support different policy settings, you’ll have to come up with a strategy to keep your organization as secure as possible, while continuing to offer support for various devices. You can use any of three primary approaches.
One possible approach is to restrict the makes and models of devices your company will support and allow. That way, you can ensure only devices supporting the policy settings you need are in use and connected to your Exchange Server network. For example, you might restrict users to using only Windows Phone 8 devices.
A second approach is to create policies that allow non-provisionable devices. This method involves creating a restrictive mobile device mailbox policy, but doing so with the knowledge that some mobile devices won’t be able to fully enforce your policy.
To make this approach work, you’ll have to enable the option: Allow mobile devices that don’t fully support these policies to synchronize (see Figure 2). This setting was known as the Allow Non-Provisionable Devices setting prior to Exchange Server 2013. When this setting is enabled, mobile devices will ignore unsupported settings. Otherwise, using unsupported policy settings will cause mobile devices to fail to synchronize.
Figure 2 The setting, Allow mobile devices that don’t fully support these policies to synchronize, will permit mobile devices that may not support all of the mobile device mailbox policy settings.
The third approach is to create multiple mobile device mailbox policies. Because different types of mobile devices support different policy settings, you can create a different mobile device mailbox policy for each type of device you want to allow on your network. Exchange doesn’t provide a way to restrict devices by device type, but if a user attempts to synchronize an unauthorized device, the synchronization will fail unless the device can apply all of the security policy settings you’ve set forth in the mobile device mailbox policy assigned to that unique user.
Keep your contacts
Contact management is usually straightforward for Exchange users. However, several changes introduced in Microsoft Windows 8 can sometimes make contact management confusing.
Although not technically required, devices running Windows 8, Windows Phone 8 and Windows RT encourage users to log in using a Microsoft-connected account (previously known as a Microsoft Live account). If a user enters his Microsoft account credentials, Windows will attempt to import contacts from the user’s Hotmail account. It will also try to load any connected social networking sites into the People hub. The problem with this is there may be duplicate contacts in Exchange.
The reason this is a problem is because Windows RT and Windows Phone 8 devices can only connect to Exchange using ActiveSync. Because these devices don’t run Outlook, contacts are displayed in the People hub. Microsoft Windows 8 can run Outlook, but Microsoft Windows 8 connects to Exchange with ActiveSync, rather than using Outlook.
When it finds duplicate contacts, Windows will attempt to display only a single instance of the contact in the People hub. However, there are a number of different circumstances that can lead to duplicates being displayed. For example, if a contact’s name is spelled differently in Exchange and Hotmail, the contact will be listed twice.
There are a few different ways to deal with this issue and prevent users from seeing duplicate contacts. The most effective method involves preventing users from using their Microsoft-connected account. Assuming the user’s device is registered in an Active Directory domain, you can use a Group Policy setting to block Microsoft accounts. That Group Policy setting is accessible in the Group Policy Editor at Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft Accounts (see Figure 3). It’s worth noting that this setting only exists in Windows Server 2012.
Figure 3 You can use Group Policy settings to block Microsoft accounts.
For devices that aren’t domain-joined, the best thing you can do is link duplicate accounts. In Windows 8 and Windows RT, you can open the People hub and tap the account that you want to link. Next, swipe upward from the bottom of the screen and tap the Link icon. Now, just pick the contact you want to link and tap Save.
Linking contacts works similarly on Windows Phone 8 devices. To link a contact, open the People hub and tap on the contact you want to link. Then tap the Link icon, followed by the contact you want to link.
As you can see, there’s a lot more to providing mobile messaging than simply giving mobile devices access and connectivity to Exchange mailboxes.