Messaging and Security Feature Pack Overview

6/2/2010

The Messaging and Security Feature Pack (MSFP) for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. The result is a mobile messaging solution that uses the management benefits of Exchange ActiveSync and the new security policy functions on the Windows Mobile 5.0-based devices, which helps you to better manage and control the devices.

Using Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack will give you the following capabilities:

  • With direct push technology, you can provide your users with immediate delivery of data from the Exchange mailbox to their device. This includes e-mail, calendar, contact, and task information.
  • You can define the security policies on your Exchange server and they will be enforced on Windows Mobile 5.0-based devices that are directly synchronized with your Exchange server.
  • You can monitor and test Exchange ActiveSync performance and reliability by using the Exchange Server Management Pack.
  • You can manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are directly synchronized with your Exchange server by using the Microsoft Exchange ActiveSync Mobile Administration Web tool.

Features

These MSFP features improve essential communications for mobile workers.

Direct Push Technology

The direct push technology included in Exchange Server 2003 SP2 provides a new approach to the immediate delivery of data from the Exchange mailbox to the user’s mobile device. Direct push works for mailbox data, including Inbox, Calendar, Contacts, and Tasks. The direct push technology uses an established HTTP or HTTPS connection between the device and the Exchange server; previous solutions relied on Short Message Service (SMS) notifications, which direct push no longer requires. No special configuration is required on the mobile device, and you can keep your standard data plan because the service works worldwide and requires no additional software or server installations other than Exchange Server 2003 SP2.

For an in-depth discussion of the direct push technology, see Understanding the Direct Push Technology in this document.

Exchange ActiveSync

Exchange ActiveSync is an Exchange synchronization protocol that is designed for keeping your Exchange mailbox synchronized with a Windows Mobile 5.0-based device. Exchange ActiveSync is optimized to deal with high-latency/low-bandwidth networks, and also with low-capacity clients that have limited amounts of memory, storage, and processing power. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and XML and is a part of Exchange Server 2003. In addition, Exchange ActiveSync provides the following benefits:

  • The consistency of the familiar Outlook experience for users
  • No extra software is required to install or configure devices
  • Global functionality that is achieved via standard data access phone service

Global Address List Access

The Feature Pack adds support for over-the-air lookup of global address list (GAL) information stored on Exchange Server. With the Messaging and Security Feature Pack, mobile device users will be able to receive contact properties for individuals in the GAL. These properties can be used to search remotely for a person quickly based on name, company, or other attributes. Users will get all of the information they need to reach their contacts without having the data stored on their device.

Security Features

Security features help protect personal and corporate files on mobile devices.

Remotely Enforced Device Security Policies

Exchange Server 2003 SP2 helps you to configure and manage a central policy that requires all mobile device users to protect their device with a password in order to access the Exchange server. You can specify the length of the password, require the use of a character or symbol, and designate how long the device has to be inactive before prompting the user for the password again.

An additional setting, "wipe device after failed attempts", allows you to delete all data and certificates on the device after the user enters the wrong password a specified number of times. The user will see a series of alert dialog boxes warning of the possible wipe and providing the number of attempts left before it happens. External memory, such as a Secure Digital (SD) card, is not erased.

You can also specify whether non-compliant devices can synchronize. Devices are considered non-compliant if they do not support the security policy you have specified. In most cases, these are devices not configured with the Messaging and Security Feature Pack.

The device security policies are managed from Exchange System Manager’s Mobile Services Properties interface.

Remote Device Wipe

The remote wipe feature helps you to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. If the device was connected using direct push technology, the wipe process will be initiated immediately and should take place in seconds. If you have used the enforced lock security policy, the device is protected by a password and local wipe, so the device can receive calls, but will not be able to perform any operation other than to receive the remote wipe notification and report that it has been wiped.

The new Microsoft Exchange ActiveSync Mobile Administration Web tool enables you to perform the following actions:

  • View a list of all devices that are being used by any user.
  • Select or de-select devices to be remotely erased.
  • View the status of pending remote erase requests for each device.
  • View a transaction log that indicates which administrators have been delegated the ability to issue remote erase commands, in addition to the devices those commands pertained to.
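The following Python model, added here as an illustration and not code from the Feature Pack, walks through the device-side behaviour described in the two sections above: the password rules, the failed-attempt countdown with its warnings, what a local or remote wipe erases (internal memory and certificates, not the SD card), and that a locked device still acknowledges a remote wipe. The field names, the sample data, and the reading of "character or symbol" as "at least one letter and one non-letter" are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SecurityPolicy:
    # Settings the administrator defines centrally on the Exchange server (field names are constructed)
    min_password_length: int = 6
    require_alphanumeric: bool = True    # interpretation of "require usage of a character or symbol"
    wipe_after_failed_attempts: int = 8  # local wipe threshold; assumed to be at least 1

@dataclass
class Device:
    password: str
    failed_attempts: int = 0
    internal: dict = field(default_factory=lambda: {"mail": ["msg1"], "cert": "c1", "key": "k1"})
    sd_card: dict = field(default_factory=lambda: {"photos": ["img1"]})  # external memory
    wiped: bool = False

def password_meets_policy(policy: SecurityPolicy, password: str) -> bool:
    # Enforced when the user sets the power-on password: minimum length, plus at least
    # one letter and one non-letter (digit or symbol) when require_alphanumeric is set
    if len(password) < policy.min_password_length:
        return False
    if policy.require_alphanumeric:
        return any(c.isalpha() for c in password) and any(not c.isalpha() for c in password)
    return True

def wipe(device: Device) -> None:
    # Erases all data and certificates in internal memory; the SD card is not erased
    device.internal.clear()
    device.password = ""
    device.wiped = True

def attempt_unlock(policy: SecurityPolicy, device: Device, entered: str) -> str:
    # Power-on password check with the "wipe device after failed attempts" countdown
    if device.wiped:
        return "wiped"
    if entered == device.password:
        device.failed_attempts = 0
        return "unlocked"
    device.failed_attempts += 1
    left = policy.wipe_after_failed_attempts - device.failed_attempts
    if left <= 0:
        wipe(device)
        return "wiped"
    return f"incorrect password: {left} attempt(s) left before wipe"

def remote_wipe(device: Device) -> str:
    # Server-initiated wipe over the push connection; a locked device still processes it and reports back
    wipe(device)
    return "wipe acknowledged"
```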

Advanced Security Features

The advanced security features in MSFP can be used to meet more stringent security requirements.

Certificate-Based Authentication

If Basic authentication over SSL does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature in conjunction with the other features described in this document, such as local device wipe and the enforced use of a power-on password, you can transform the mobile device itself into a smartcard. The private key and certificate for client authentication are stored in memory on the device. However, if an unauthorized user attempts to brute-force the power-on password for the device, all user data is purged, including the certificate and private key.

For more information, see Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.

Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download Center Web site.

Support for S/MIME Encrypted Messaging

The Messaging and Security Feature Pack for Windows Mobile 5.0 provides native support for digitally signed, encrypted messaging. When encryption with Secure/Multipurpose Internet Mail Extensions (S/MIME) is deployed, users can view and send S/MIME-encrypted messages from their mobile device.

The S/MIME control:

  • Is a standard for security-enhanced e-mail messages that use a Public Key Infrastructure (PKI) to share keys
  • Offers sender authentication by using digital signatures
  • Ensures that only the intended recipient can read the message
  • Encrypts e-mail data at rest on the device to protect privacy
  • Works well with any standards-compliant e-mail client
  • Requires the use of a smart card reader

For guidance on how to implement the S/MIME control with Microsoft® Exchange Server 2003 SP2, see the Exchange Server Message Security Guide.

Administering the Messaging and Security Feature Pack

Safeguards like password policies and remote wipe capabilities provide you with the security features to help you protect your organization’s data. With the combination of the management capabilities built into Exchange Server 2003 SP2 and the security and configuration protocols included in the Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack, your control over mobile devices has been streamlined. You will see that most of the administration of the security features for the mobile device happens on the Exchange Server or in the Exchange ActiveSync Mobile Administration Web tool.

The following table summarizes the features and the settings required on the Exchange Server or on the mobile device.

Feature: Exchange direct push technology
  Exchange Server settings:
    Enabled by default with Exchange Server 2003 SP2
    • Protect the configuration with a firewall or ISA Server
    • Extend the session timeout on all firewalls and network appliances
  Mobile device settings:
    No preliminary device setup required. The device automatically switches from SMS to direct push technology when it synchronizes with ActiveSync. The user steps through the ActiveSync wizard upon login to the Exchange server.

Feature: Exchange ActiveSync
  Exchange Server settings:
    Enabled by default with Exchange Server 2003 SP2
    Set parameters by using Exchange System Manager’s Mobile Services Properties
  Mobile device settings:
    No preliminary device setup required; the user steps through the ActiveSync wizard upon login to the Exchange server.

Feature: Wireless access to global address list (GAL)
  Exchange Server settings:
    Default Exchange Server setup
    Requires Outlook Web Access published on Exchange Server
  Mobile device settings:
    No preliminary device setup required
    Privileged devices have automatic access to the GAL

Feature: Remotely enforced IT policy
  Exchange Server settings:
    Enable direct push technology in Exchange ActiveSync
    Use Exchange System Manager’s Mobile Services Properties to apply policies
  Mobile device settings:
    No preliminary device setup required; the user steps through the ActiveSync wizard upon login to the Exchange server and accepts the IT policies.

Feature: Remote wipe
  Exchange Server settings:
    Enable direct push technology in Exchange ActiveSync
    Use the Mobile Administration Web tool to initiate, track, and cancel the remote wipe
  Mobile device settings:
    No preliminary device setup required; the user steps through the ActiveSync wizard upon login to the Exchange server and accepts the IT policies.

Feature: Certificate-based authentication
  Exchange Server settings:
    • Install a certificate on the Exchange Servers
    • Deploy Desktop ActiveSync 4.1 or later to desktops
    • Use the Certificate Enrollment tool to configure the devices via ActiveSync
  Mobile device settings:
    Initial certificate enrollment and renewal using Desktop ActiveSync is required.

Feature: S/MIME mobile device support
  Exchange Server settings:
    Deploy an Exchange Server 2003 messaging system with PKI security
  Mobile device settings:
    Install the certificate enrollment protocol and key on the device