Step 8: Manage and Configure Mobile Devices
As an Administrator using Microsoft Exchange Server 2003 (SP2), you now have tools with which to set and enforce your mobile device security policies. You can also control some of the features on the mobile devices by using provisioning tools.
This topic provides you with instructions and pointers for doing the following administrative tasks:
- Setting Up a Mobile Device Connection to Exchange Server
- Using the Mobile Administration Web Tool to Track Mobile Devices
- Provisioning or Configuring the Windows Mobile 5.0-based Devices
Setting Up a Mobile Device Connection to Exchange Server
If mobile users have a data usage plan through a mobile operator, Exchange ActiveSync on the mobile device can be used to synchronize e-mail, contacts, calendar, and tasks over the air. Alternatively, they can use Desktop ActiveSync to partner their Windows Mobile 5.0-based device with an Exchange server by using a USB cable from a desktop computer that is connected to your network.
Regardless of the connection method that your users use, you will need to provide them with the following information before they can synchronize with your Exchange server:
- The address of your external mail server.
- Their respective Exchange usernames, passwords, and domains that they will use to access your Exchange server.
Your users can use ActiveSync on their mobile devices or on their computers to choose which types of data, such as contacts, calendar, tasks, and e-mail, they will synchronize with Exchange. You may advise your users to clear the check boxes for any data types that should not be stored on their mobile devices.
For more information about ActiveSync and other features on Smartphones and on Pocket PCs, including step-by-step instructions for the use of those features, visit the Windows Mobile Web site at http://go.microsoft.com/fwlink/?LinkId=37728.
Synchronizing Directly with Exchange Server
If your users use the desktop ActiveSync setup, advise them to be sure to choose the option to synchronize their mobile devices directly with the Exchange server. Direct push technology and security policy enforcement will be effective only when the devices are synchronized directly with the Exchange server. Synchronizing mobile devices with only the desktop computer is not recommended.
Connecting to an Exchange Server by Using a Phone or a Wireless Network
Your users can use ActiveSync on a Windows Mobile 5.0-based device to synchronize their mobile device directly with their Exchange server.
The first time a user starts ActiveSync on his or her mobile device, the user will see two options: to synchronize using the desktop computer or to synchronize directly. If your users have the address of their Exchange server and know their respective Exchange usernames, passwords, and domains, the ActiveSync wizard will walk them through the steps.
To connect a Windows Mobile 5.0-based device to an Exchange server
On the Home screen, choose Start, choose ActiveSync, choose Menu, and then choose the Configure Server tab. If the mobile device has not yet been synchronized with Exchange Server, Add Server Source… will be the available option.
In Server address, enter the name of the server that is running Exchange, and then choose Next.
Enter your user name, password, and domain name, and then choose Next.
If you want the mobile device to save your password so that you will not need to enter it again the next time that you connect your mobile device to Exchange, select the Save password check box.
Select the check boxes for the types of information items that you want to synchronize with Exchange Server.
To change available synchronization settings, select the type of information that you want to synchronize, choose Menu, and then choose Settings.
To change the rules for resolving synchronization conflicts, choose Menu, and then choose Advanced.
Connecting to Exchange Server by Using a Desktop Computer
Your users can set up device synchronization with their Exchange server using their laptop or desktop computer and the USB cradle/connector that accompanies most Windows Mobile-based devices.
Before a USB sync connection can be made, ActiveSync must be installed on the user’s desktop computer. The ActiveSync software is available either on the Windows Mobile Getting Started Disc provided with the mobile device, or as a download from http://go.microsoft.com/fwlink/?LinkId=109230.
In the ActiveSync Setup Wizard, your users can:
- Create a synchronization relationship between the desktop computer and the mobile device.
- Configure an Exchange server connection to synchronize directly with Exchange server.
- Choose which information types they would like to synchronize with Exchange.
To connect with Exchange Server by using a desktop computer
Install ActiveSync 4.1 or later on your desktop or laptop computer.
After the reboot required by the installation, the ActiveSync Wizard's Get Connected screen appears.
Connect the phone cable or cradle to the computer, cradle the phone, and then follow the instructions on the screen to complete the wizard.
When you finish the wizard, ActiveSync synchronizes your phone automatically. Once synchronization completes, you can disconnect your phone from your PC.
Accessing a Corporate Network by Using a VPN Connection
If your corporate network includes access to a VPN server based on PPTP or L2TP/IPSec VPN protocols, your employees can set up their own connection with the interface provided with the Windows Mobile 5.0-based device. The VPN setup varies from device to device, so check with your manufacturer for instructions.
You can also provision the mobile devices so that the VPN connection is configured in advance and users only need to supply their usernames and passwords. For more information about configuring your Windows Mobile 5.0-based devices for VPN access, see the "CM_VPNEntries Configuration Service Provider" topic in the Windows Mobile 5.0 SDK at http://go.microsoft.com/fwlink/?LinkId=67444.
Using the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices
You can use the Exchange ActiveSync Mobile Administration Web tool to do the following:
- View a list of all of the mobile devices that are being used by any enterprise user.
- Select a mobile device to be remotely erased, or cancel the selection of a mobile device to be remotely erased.
- View the status of pending remote wipe requests for each mobile device.
- View a transaction log that indicates which administrators have issued remote wipe commands, and which mobile devices are targeted to be erased.
The Welcome Screen of the Mobile Administration Web tool introduces its two administrative options, presented on separate Web pages:
- Remote Wipe: Initiate and track a remote wipe command for lost or stolen mobile devices.
- Transaction Log: View a log of administrative actions on mobile devices, noting time, action, and user.
Initiating and Tracking Remote Wipe on Mobile Devices
The Remote Device Wipe option provides the following functions:
Initiating a Remote Wipe for a Lost or a Stolen Mobile Device
To initiate a remote wipe, you can search for a user’s mobile device by specifying the user’s name. As shown in the figure below, the Remote Device Wipe Web page displays the device ID, device type, the time that the device last synchronized with the Exchange server, and the wipe status or delete status of the device for each user's mobile device. To initiate a remote wipe for a lost or stolen mobile device, you can locate the desired device and then choose Wipe. The Remote Device Wipe Web page then displays the up-to-date status for the mobile device, displaying whether and when the device was successfully wiped.
Viewing the Status on a Pending Remote Wipe for a Lost or a Stolen Mobile Device
When a remote wipe is specified for a mobile device, the remote wipe command stays active until the administrator specifies otherwise. This means that, after the initial remote wipe has been completed, the Exchange server continues to send a remote wipe directive if the same device ever tries to reconnect to the Exchange server.
Canceling a Remote Wipe If a Lost or a Stolen Mobile Device Is Recovered
If a lost mobile device is recovered and the remote wipe that you initiated has not occurred, you must cancel the wipe in order for the device to successfully connect again. To cancel the wipe, locate the mobile device that has the remote wipe command set and then click Cancel Wipe.
Deleting a Mobile Device Partnership from the Exchange server
You can use the remote wipe command to delete a mobile device partnership from the Exchange server. This action, which is primarily useful for "housekeeping" purposes, deletes from the Exchange server all state that is associated with the specified device. If a user tries to connect a mobile device to the Exchange server after the partnership between the mobile device and the Exchange server has been deleted, the mobile device user will be forced to re-establish the partnership with the Exchange server.
Viewing a Log of Remote Wipe Transactions
The Remote Wipe transaction log records the following information about each critical administrative action that is performed with the Exchange ActiveSync Mobile Administration Web tool:
- Date and time when the action was executed
- The user who executed the action
- The mailbox that the action pertained to
- The device that the action pertained to
- The type of device that the action pertained to
- The action taken by the administrator
Provisioning or Configuring the Windows Mobile 5.0-based Device
If you are working with a mobile operator or a mobile device manufacturer to deploy your Windows Mobile 5.0-based devices, you may be able to acquire mobile devices that have been pre-configured with the technologies and security settings that fit your needs.
You can use the device provisioning tools that are available in the Windows Mobile 5.0 Software Development Kit (SDK) to configure settings on the devices; to add, update, and remove software from the mobile devices; or to change the functionality of the mobile devices.
You must have either manager access to the Windows Mobile 5.0-based devices or the ability to run trusted code on them in order to use the provisioning tools. Check with your mobile operator or device manufacturer for more information on the application security settings on your devices.
For more information about managing mobile devices, see the "Managing Devices" section of the SDK. The SDK documentation is included in the MSDN Library, and the SDK documentation and tools are available at no charge from the Microsoft Download Center.
Be aware that there are two versions of Windows Mobile 5.0 software: Windows Mobile Version 5.0 software for Pocket PCs and Windows Mobile Version 5.0 software for Smartphones. Some procedures are different for these different versions of Windows Mobile 5.0 software. While working in the SDK, closely follow references and directions for the version that is on your mobile devices.
Overview of Provisioning
Provisioning a Windows Mobile 5.0-based device involves creating a provisioning XML file that contains configuration information, and then sending the file to the device. The Configuration Manager and the Configuration Service Providers configure the device based on the contents of the provisioning XML file.
The Configuration Manager is the central authority that processes the provisioning XML file. The Configuration Service Providers carry out all configuration queries and changes. After the data is passed to the Configuration Service Providers, they are responsible for carrying out the changes to the mobile device and for reporting the success or failure of the transaction.
In order to use the provisioning tools, you must have either manager access to the Windows Mobile 5.0-based devices or the ability to run trusted code on them.
The following bulleted list describes most, but not all, of the ways that you can deliver the provisioning XML file to the mobile device:
- A device that is connected to a desktop by a USB connection.
- Storage cards.
- Over the air (OTA).
- Download from a Web site.
- Placement in device ROM or persistent storage.
The Provisioning Process
The following is a walkthrough of the provisioning process using a sample XML file that you can use to configure your Windows Mobile 5.0-based devices with the path and the domain name of your Exchange server. The resulting configuration should enable your users to synchronize their mobile devices without having to enter this information.
During this sample provisioning process, you will perform the following tasks:
- Create the provisioning XML file.
- Prepare the provisioning XML file for delivery using ActiveSync.
- Deliver the provisioning XML file to the device by using a USB connection or a storage card.
In this process, you will use the makecab.exe utility to create a .cab file. Makecab.exe is included with the Microsoft Windows Operating System and is available from the Command prompt.
XML provisioning files can be packaged as .cab or .cpf files. Because ActiveSync Application Manager does not recognize .cpf files, the .cab format is used in this sample.
Provisioning Sample: Configuring Synchronization Settings
Create a valid provisioning XML file that is named _setup.xml. This file should contain the XML code that addresses the Configuration Manager and its associated Configuration Service Providers.
To create the XML file
- Copy the following provisioning code for the Sync Configuration Service Provider and paste it into Notepad or another text editor. The parm elements are enclosed in the wap-provisioningdoc root and the Sync and Connection characteristics, which is how the Configuration Manager routes them to the Sync Configuration Service Provider.
<wap-provisioningdoc><characteristic type="Sync"><characteristic type="Connection">
  <parm name="AllowSSLOption" value="1" />
  <parm name="Server" value="\\testserver" />
  <parm name="Domain" value="testcompany.com" />
</characteristic></characteristic></wap-provisioningdoc>
- Change \\testserver to the name of your Exchange server, and change testcompany.com to the domain name of your Exchange server.
- Save the file as _setup.xml.
The _setup.xml file must be processed as a .cab file before it is transferred and installed on your user's mobile device with ActiveSync Application Manager.
To prepare the XML file for delivery through the Desktop
To create a .cab file from the _setup.xml file, run the Makecab.exe utility, using the following syntax:
makecab _setup.xml myFile.cab
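As an added example (not code from the guide), the following Python helper generates _setup.xml using the Sync Configuration Service Provider's element and parm names, lints a provisioning file before it is packaged (SSL option set, server named, no User, Password or SavePassword parm embedded, matching the verification step in which User name and Password stay empty on the device), and runs the same makecab command; the function names and sample values are the example's own.

```python
"""Build and lint a Windows Mobile 5.0 Sync provisioning file (_setup.xml).
Added example, not code from the Exchange 2003 SP2 guide; the element and parm
names are the Sync Configuration Service Provider's, the function names are ours.
"""
import subprocess
import xml.etree.ElementTree as ET

# Parms that would embed a credential in a file pushed by .cab or storage card;
# the guide's sample deliberately leaves User name and Password empty on the device.
CREDENTIAL_PARMS = {"User", "Password", "SavePassword"}


def build_setup_xml(server, domain):
    """Return provisioning XML that names the Exchange server and requires SSL."""
    if not server or not domain:
        raise ValueError("server and domain are required")
    doc = ET.Element("wap-provisioningdoc")
    sync = ET.SubElement(doc, "characteristic", type="Sync")
    conn = ET.SubElement(sync, "characteristic", type="Connection")
    for name, value in (("AllowSSLOption", "1"), ("Server", server), ("Domain", domain)):
        ET.SubElement(conn, "parm", name=name, value=value)  # ET escapes &, <, " itself
    return ET.tostring(doc, encoding="unicode")


def check_setup_xml(xml_text):
    """Lint a provisioning file before packaging; an empty list means it passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    conn = root.find("characteristic[@type='Sync']/characteristic[@type='Connection']")
    if root.tag != "wap-provisioningdoc" or conn is None:
        return ["missing wap-provisioningdoc/Sync/Connection structure"]
    parms = {p.get("name"): p.get("value") for p in conn.findall("parm")}
    findings = []
    if parms.get("AllowSSLOption") != "1":
        findings.append("AllowSSLOption must be 1 so synchronization uses SSL")
    if not parms.get("Server"):
        findings.append("Server parm is missing or empty")
    for bad in sorted(CREDENTIAL_PARMS & set(parms)):
        findings.append(f"credential parm {bad!r} must not be embedded in the file")
    return findings


def package_cab(xml_path="_setup.xml", cab_path="myFile.cab"):
    """Package with makecab.exe exactly as the guide does (Windows only)."""
    subprocess.run(["makecab", xml_path, cab_path], check=True)
    return cab_path


if __name__ == "__main__":
    text = build_setup_xml(r"\\testserver", "testcompany.com")  # the guide's placeholders
    assert check_setup_xml(text) == [], check_setup_xml(text)
    open("_setup.xml", "w", encoding="utf-8").write(text)
```

Run the script on the Windows desktop that will cradle the device, then call package_cab() once the lint returns no findings.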
You may want to have your mobile operator sign the .cab file. This is an optional step that will remove the possibility of your users seeing the Unknown Publisher dialog box during installation.
The provisioning .cab file can be distributed to a device that is cradled to a desktop PC. The provisioning .cab file can also be distributed to a mobile device on a variety of storage cards, such as a MultiMedia Card (MMC), a Secure Digital I/O (SDIO) card, and a Compact Flash card that are inserted into the device.
If the ActiveSync Setup wizard appears when you connect the mobile device to a desktop computer, click Cancel. It is recommended that you use Windows Explorer on the desktop computer and File Explorer on the device to transfer the .cab file to the device.
To distribute the .cab file to a mobile device
Move or copy the .cab file (myFile.cab) to the device.
On the device, locate the file by using File Explorer and click the .cab icon to initiate the installation.
The Unknown Publisher dialog box may appear if you did not sign the file. Click Yes to continue with the installation. Notification of a successful installation will appear.
Select the .cab file, choose Menu, and then choose Delete to remove the .cab file from the device.
You can check the device to verify that your device provisioning was successful.
To verify that mobile device provisioning was successful
Uncradle the device or remove the storage card.
Choose Start, choose Programs, and then select ActiveSync.
Click Menu, and then select Configure Server…. The Exchange server path will appear in the Server Address dialog box.
Click Next. On the Edit Server Settings page, the domain name of your company should appear in the Domain dialog box. The User name and Password dialog boxes will be empty.
Click Back, and then choose Cancel.