Using Microsoft Exchange ActiveSync for MDM: What you can and can't do

Many companies use Microsoft Exchange ActiveSync to give users email access, but its limitations prevent it from being a full MDM tool.

As smartphone use exploded, many IT departments were ready with Microsoft Exchange ActiveSync to provide email access. But ActiveSync doesn't have all the features of a full-fledged MDM tool.

Because ActiveSync gives users mobile access to email, calendars and contacts, it is often the first place IT administrators turn for mobile device management (MDM). But you can't push applications with ActiveSync or grant users access to all the resources they need. Additionally, every device manufacturer includes different ActiveSync compatibilities, so there's no guarantee that all devices will have the same level of security.

What you get with ActiveSync

Microsoft ActiveSync allows you to expose Exchange to the Internet, which lets mobile devices connect from anywhere they have an Internet connection. With ActiveSync, users get access to the core, day-to-day Outlook functionality they need, such as email, calendars, contacts and tasks. But more advanced features of the mailbox, such as public folders and inbox rules, are usually unavailable.

In terms of MDM, all of the major mobile operating systems support a subset of ActiveSync profiles, but a large number of available ActiveSync management policies only apply to older OSes, such as Windows Mobile. There are ActiveSync policies that let you control sharing and block access to the camera, certain apps and Bluetooth, but none of those policies work on iOS or Android devices.

What you can control

The controls built into Microsoft Exchange ActiveSync that are compatible with today's smartphones and tablets revolve around security. You can force a PIN code of a certain length -- but not for an Android "connect-the-dots" style lock screen -- require the screen to time out after a period of inactivity, and force the lock screen immediately when it does. To allow devices to sync, you'll need to set the Allow Non-Provisionable Devices property to True. Some devices, such as the iPhone, may connect when this is set to False, but many Android devices and Windows Phones will not, which causes problems when the mailboxes try to sync. It's best to set compatibility higher so that a variety of devices can connect.

Exchange creates a default policy automatically when it is installed, but the settings will likely not fit your organization's exact needs or specifications. You can set certain policies based on the sensitivity of a user's data or the features their device supports. Those settings can be changed via the Exchange Management Console. Once the policy and ActiveSync are reachable on the network, you should be able to connect devices by setting up the Exchange mailbox in the mail app or mail settings of the device.

ActiveSync devices are managed via the Microsoft Exchange mailbox so you can track when the device checked in, what policies you want to assign and if you want to remotely wipe the device. Many IT departments rely on remote wipe to ensure that a lost or stolen phone will not contain easily accessible corporate data.
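The policy, mailbox assignment, check-in tracking and remote wipe described in this section, as an added example that is not from the original article: it uses the Exchange 2007/2010 cmdlets of the Exchange Management Shell, the PowerShell counterpart of the Exchange Management Console, and the policy name and mailbox are placeholders.

```powershell
# Added example (not from the article). Assumes the Exchange Management Shell
# on Exchange Server 2007/2010; "Smartphone-Baseline" and "jsmith" are placeholders.

# 1. A policy carrying the lock-screen controls that current iOS and Android
#    devices actually honour. Non-provisionable devices are allowed so that
#    clients that cannot apply every setting can still sync.
$policy = @{
    Name                            = "Smartphone-Baseline"  # placeholder name
    DevicePasswordEnabled           = $true
    MinDevicePasswordLength         = 6                      # PIN of at least 6 characters
    AllowSimpleDevicePassword       = $false                 # rejects 1234 / 1111 style PINs
    MaxInactivityTimeDeviceLock     = "00:05:00"             # screen locks after 5 idle minutes
    MaxDevicePasswordFailedAttempts = 10                     # device wipes itself after 10 bad PINs
    AllowNonProvisionableDevices    = $true                  # let partially compliant devices sync
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign the policy to a user's mailbox (ActiveSync is enabled per mailbox).
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy "Smartphone-Baseline"

# 3. Audit: which devices has this user synced, when did each last check in,
#    and did the device report the policy as fully applied? A status other
#    than AppliedInFull is the per-vendor gap the article warns about.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Select-Object DeviceType, DeviceModel, LastSuccessSync,
                  DevicePolicyApplicationStatus, DeviceWipeRequestTime |
    Format-Table -AutoSize

# 4. Remote wipe of a lost device, picked from the list above. The wipe is
#    delivered the next time the device connects; confirm it afterwards by
#    checking DeviceWipeAckTime on the same object.
$device = Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Where-Object { $_.DeviceModel -eq "iPhone" } |
    Select-Object -First 1
if ($device) {
    Clear-ActiveSyncDevice -Identity $device.Identity -Confirm:$false
}
```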

Limitations of Microsoft Exchange ActiveSync

Although ActiveSync's strong base allows mobile devices to connect to email, you can't use it to set up access to other resources. For example, you cannot push applications to devices, you can't configure remote access and you cannot control specific security features of the phones.

Exchange ActiveSync support is spotty between devices. Although every device manufacturer that implements ActiveSync licenses it from Microsoft, each one can choose how it implements the protocol and what the device will support. And whether your department can use those features depends on which version of Microsoft Exchange you are running. For example, Exchange ActiveSync 12.0 is bundled with Exchange Server 2007 and has inconsistent support for features such as meeting attendee information, the ability to disable the camera through policy, and performing a server-side email search on Android and Apple devices.

There are also restrictions when it comes to mobile device security. The most you can control is the lock screen password length, timeouts and performing a remote wipe of the device, which is not the most popular option for users who keep lots of personal data on their phones.

Getting Microsoft Exchange ActiveSync up and running is a small project for any Exchange administrator. You have the tools to enable access to what most people will want from their smartphones: calendaring and email. But if you need to ensure data is encrypted for auditing purposes, provide more than email access, or if you want something more elegant to pinpoint your corporate data on devices, ActiveSync won't do the trick.
