GSX Blog

ActiveSync for Exchange 2010

Posted by Carl Drechsel on Fri, Jul 27, 2012

As more and more companies adopt BYOD and support a broad set of end-user devices, security and device management take on greater importance. As we are left to wonder where the BlackBerry Enterprise Server will fit into the current and future state of enterprise messaging, other vendors and technologies are left to fill the gaps. Anyone who has been working with Exchange for some time knows that ActiveSync has been around for a while; its recent evolution brings us to the current version, which is part of Exchange 2010.

Features supported for ActiveSync in Exchange 2010

  • Support for HTML messages
  • Support for follow-up flags
  • Conversation grouping of e-mail messages
  • Ability to synchronize or not synchronize an entire conversation
  • Synchronization of SMS messages with a user's Exchange mailbox
  • Support for viewing of message reply status
  • Support for fast message retrieval
  • Meeting attendee information
  • Enhanced Exchange Search
  • PIN reset
  • Enhanced device security through password policies
  • Autodiscover for over-the-air provisioning
  • Support for setting auto-replies when users are away, on vacation, or out of the office
  • Support for tasks synchronization
  • Direct Push
  • Support for availability information for contacts

With BYOD, security has taken on greater importance, and Exchange 2010 provides a number of features to address this, from both the server perspective and the device perspective. There are still a number of things that need to be addressed, but Microsoft is moving in the right direction.

ActiveSync Security Features (Device)

  • Remote wipe
  • Device password policies
      • Minimum password length (characters)
      • Minimum number of character sets
      • Require alphanumeric password
      • Inactivity time (seconds)
      • Enforce password history
      • Enable password recovery
      • Wipe device after failed (attempts)
  • Device encryption policies
      • Require encryption on device
      • Require encryption on storage cards

There are also a number of ActiveSync policies that you can configure in Exchange:

  • Allow Bluetooth
  • Device encryption enabled
  • Allow Browser
  • Password enabled
  • Allow Camera
  • Password expiration
  • Allow Consumer Mail
  • Password history
  • Allow Desktop Sync
  • Policy refresh interval
  • Allow HTML E-mail
  • Maximum attachment size
  • Allow Internet Sharing
  • Maximum calendar age filter
  • Allow IrDA
  • Maximum failed password attempts
  • Allow non-provisionable devices
  • Maximum inactivity time lock
  • Allow POP IMAP Email
  • Minimum password length
  • Allow Remote Desktop
  • Maximum e-mail age filter
  • Allow simple password
  • Maximum HTML e-mail body truncation size
  • Allow S/MIME software certificates
  • Minimum device password complex characters
  • Allow storage card
  • Maximum e-mail body truncation size
  • Allow text messaging
  • Password recovery
  • Allow unsigned applications
  • Require Device Encryption
  • Allow unsigned installation packages
  • Require encrypted S/MIME messages
  • Allow Wi-Fi
  • Require manual synchronization while roaming
  • Alphanumeric password required
  • Require storage card encryption
  • Approved Application List
  • Unapproved InROM application list
  • Attachments enabled

In addition, these policy options are available with an Enterprise CAL:

  • Disable desktop ActiveSync
  • Disable removable storage
  • Disable camera
  • Disable SMS text messaging
  • Disable Wi-Fi
  • Disable Bluetooth
  • Disable IrDA
  • Allow Internet sharing from device
  • Allow desktop sharing from device
  • Disable POP3/IMAP4 email
  • Allow consumer email
  • Allow web browser
  • Allow unsigned applications
  • Allow unsigned CABs
  • Application allow list
  • Application block list

These policies can be set in either the Exchange Management Console or the Exchange Management Shell. The following is an example Exchange Management Shell command:

Set-ActiveSyncMailboxPolicy -Identity MyPolicy -AllowNonProvisionableDevices $true -AllowSimpleDevicePassword $true -AlphanumericDevicePasswordRequired $true -AttachmentsEnabled $true -DeviceEncryptionEnabled $false -DevicePasswordEnabled $true -DevicePasswordExpiration 12 -DevicePasswordHistory 20 -DevicePolicyRefreshInterval 01:00:00 -MaxAttachmentSize 4 -MaxDevicePasswordFailedAttempts 5 -MaxInactivityTimeDeviceLock 00:15:00 -MinDevicePasswordLength 4 -PasswordRecoveryEnabled $true -UNCAccessEnabled $false -WSSAccessEnabled $false

More information regarding policy configuration can be found here.
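The example command above leaves several device-security settings permissive (non-provisionable devices allowed, simple passwords allowed, device encryption off). The following added example, which is not from the original post, audits every ActiveSync mailbox policy for such settings; the thresholds and the function name `Test-ActiveSyncPolicy` are assumptions chosen for illustration.

```powershell
# Added example: flag weak device-security settings in ActiveSync mailbox policies.
# Run in the Exchange Management Shell. Thresholds are assumptions; set them to your standard.
$MinLength   = 6    # assumed minimum acceptable device password length
$MaxAttempts = 10   # assumed maximum failed attempts before the device is wiped

function Test-ActiveSyncPolicy {   # hypothetical helper name
    param($Policy)
    $findings = @()

    if ($Policy.AllowNonProvisionableDevices) {
        $findings += 'Non-provisionable devices allowed (devices that cannot enforce policy may sync)'
    }
    if (-not $Policy.DevicePasswordEnabled) {
        $findings += 'Device password not required'
    } else {
        if ($Policy.AllowSimpleDevicePassword) {
            $findings += 'Simple passwords (such as 1234) allowed'
        }
        # Compare through strings so the checks work on live and deserialized objects.
        $len = [string]$Policy.MinDevicePasswordLength
        if (-not $len -or [int]$len -lt $MinLength) {
            $findings += "Minimum password length below $MinLength (current: '$len')"
        }
        $attempts = [string]$Policy.MaxDevicePasswordFailedAttempts
        if ($attempts -eq 'Unlimited' -or [int]$attempts -gt $MaxAttempts) {
            $findings += "No effective wipe threshold for failed attempts (current: $attempts)"
        }
        if ([string]$Policy.MaxInactivityTimeDeviceLock -eq 'Unlimited') {
            $findings += 'No inactivity lock configured'
        }
    }
    if (-not $Policy.RequireDeviceEncryption) {
        $findings += 'Device encryption not required'
    }
    if (-not $Policy.RequireStorageCardEncryption) {
        $findings += 'Storage card encryption not required'
    }

    New-Object PSObject -Property @{ Policy = $Policy.Name; Findings = $findings }
}

# Report only the policies that have at least one finding.
Get-ActiveSyncMailboxPolicy | ForEach-Object { Test-ActiveSyncPolicy $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    ForEach-Object { "[$($_.Policy)]"; $_.Findings | ForEach-Object { "  - $_" } }

# Preview a tightened version of the post's MyPolicy without applying it (-WhatIf).
Set-ActiveSyncMailboxPolicy -Identity MyPolicy -AllowNonProvisionableDevices $false `
    -AllowSimpleDevicePassword $false -MinDevicePasswordLength $MinLength `
    -RequireDeviceEncryption $true -RequireStorageCardEncryption $true -WhatIf
```

Requiring encryption and blocking non-provisionable devices can stop older or unsupported devices from synchronizing, so review the `-WhatIf` output and the affected device population before removing the switch.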

Mobile Device Management in Exchange 2010 has come a long way from its beginnings. I would expect the next Exchange release to bring an even greater feature set, including additional reporting and analytics. Until then, there are a number of great resources out there that can help with ActiveSync policy management, protocol management and device information.
