BYOD: Microsoft Exchange MDM Platform

Posted by in Active Directory, Exchange Server

Exchange 2010 brought a lot of new features, and the latest version of Exchange ActiveSync, EAS 14.1, which shipped with Exchange 2010 SP1, added a few more.

A major feature introduced with Exchange 2010 SP1 was device access control, a basic form of Mobile Device Management (MDM) for mobile devices. It lets Exchange administrators create Allow, Block and Quarantine rules that control which mobile devices may access Exchange mailboxes. Microsoft Exchange ActiveSync (EAS) is a synchronisation protocol based on HTTP and XML that allows an organisation's mobile devices to access mailbox data such as email, contacts and calendar items from the Exchange server.

But that's not all. A feature less often discussed among administrators is the set of mailbox policies that come packaged with EAS. They provide basic mobile device management and mobile data security for an organisation, such as:

  • Options for setting password policies, including password length and complexity requirements
  • The ability to remotely lock or wipe a device if it is reported lost or stolen
  • Wipe and/or encrypt removable media, such as SD cards
  • Controls for creating Access Lists
  • Password expiration and policy refresh intervals
  • Policies that control whether attachments can be downloaded
  • The ability to disable Wi-Fi, infrared ports, Bluetooth, and cameras
  • And more…
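The settings listed above are configured from the Exchange Management Shell as an ActiveSync mailbox policy. The following is an added example, not code from the original post; the policy name, the mailbox "jsmith" and the address "jsmith@contoso.com" are placeholders, and several of the hardware and attachment controls require the Enterprise CAL to take effect.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 SP1 Management Shell.
# "Corp-Standard", "jsmith" and "jsmith@contoso.com" are placeholders.

# 1. A policy implementing the controls from the list: password length and
#    complexity, expiry and history, refresh interval, attachment download,
#    storage-card encryption, and the Wi-Fi/Bluetooth/IrDA/camera switches.
#    AllowNonProvisionableDevices $false refuses devices that cannot apply the policy.
New-ActiveSyncMailboxPolicy -Name "Corp-Standard" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordComplexCharacters 2 `
    -MinDevicePasswordLength 8 `
    -AllowSimpleDevicePassword $false `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock 00:10:00 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -DevicePolicyRefreshInterval 24:00:00 `
    -AttachmentsEnabled $false `
    -RequireStorageCardEncryption $true `
    -AllowStorageCard $false `
    -AllowWiFi $false `
    -AllowBluetooth Disable `
    -AllowIrDA $false `
    -AllowCamera $false `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox.
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy "Corp-Standard"

# 3. Check what each of the user's devices reports back about the policy.
#    The device applies the policy and reports its status; the server trusts that report.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Select-Object DeviceID, DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync

# 4. Lost or stolen device: issue a remote wipe. The wipe runs the next time the
#    device syncs, so the device must still be able to reach the server for it to work.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Where-Object { $_.DeviceType -eq "iPhone" } | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses "jsmith@contoso.com" -Confirm:$false
```

The check in step 3 matters because EAS policy enforcement happens on the device: the server sends the policy and records whether the client acknowledged it, so a device showing a stale or unapplied policy status should be treated as non-compliant.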

The biggest improvement I could see is that administrators now have the option to choose whether a given mobile device is allowed to connect to Exchange, is blocked, or is quarantined until an administrator decides to either allow or block it. This is known as the mobile device access state. Outlined below are the access states that Exchange assigns to each user's devices:

Allow State: As the name suggests, the mobile device is allowed to connect to Exchange and sync email, calendar, contacts, tasks and notes. The device remains in the Allow state as long as it complies with the policies configured by the Exchange administrator.

Quarantine State: A quarantined device cannot sync any email from the server, although the user can still view and change their calendar, contacts, tasks and so on. The only message the user sees in the device Inbox is a notification that the device has been quarantined. This message can be customised to the organisation's requirements so that the end user knows what steps to take. Exchange can also send a notification to a configured list of administrators, who then decide whether to allow or block the device.

Block State: The mobile device is not allowed to connect to Exchange and receives an HTTP 403 Forbidden error. The user can still read email that was synchronised before the device was blocked; unlike quarantine, nothing is cleared from the device, but no new email is downloaded or sent. For that reason, blocking is not a substitute for a remote wipe when a device is lost or stolen: the data already on it stays there.

Discovery State: A mobile device connecting to the Exchange server through EAS for the first time enters this state. The device is held in quarantine for roughly 1 to 15 minutes while Exchange evaluates the device access rules, and no email is sent or received in the meantime, because the server has not yet recognised and authorised the device to sync.

Upgrade State: This state exists to let a device that had an existing partnership under an earlier version of Exchange upgrade to the latest EAS protocol version and be recognised by Exchange after the user's mailbox is moved.
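Putting the Allow, Block and Quarantine lists from the introduction together with the access states above, here is how the whole flow is configured and inspected from the Exchange Management Shell. This is an added example, not code from the original post; the addresses, the rule query strings and the mailbox "jsmith" are placeholders, and the Android OS string is a made-up value used only to show the rule shape.

```powershell
# Added example (not from the original post). Exchange 2010 SP1 Management Shell.
# "eas-admins@contoso.com", "jsmith" and the rule query strings are placeholders.

# 1. Organisation default: unknown devices are quarantined rather than allowed.
#    AdminMailRecipients receive the quarantine notification; UserMailInsert is the
#    custom text added to the single message the user sees on a quarantined device.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admins@contoso.com" `
    -UserMailInsert "Your device is awaiting approval. Contact the service desk and quote your ticket number."

# 2. Device access rules: allow approved platforms, block a known-bad client.
#    Characteristic can be DeviceType, DeviceModel, DeviceOS or UserAgent.
#    Caveat: all four values are reported by the client itself, so these rules are a
#    policy control, not authentication; a modified client can claim any of them.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "Android 2.1" -AccessLevel Block  # placeholder string

# 3. Find devices currently held in quarantine across the organisation.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId, DeviceAccessStateReason

# 4. Resolve one user's quarantined device. Per-user allowed/blocked device IDs
#    take precedence over device access rules, which take precedence over the default.
$dev = Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } | Select-Object -First 1
Set-CASMailbox -Identity "jsmith" -ActiveSyncAllowedDeviceIDs @{Add = $dev.DeviceID}
# ...or, for a device that must never connect again (it will get HTTP 403):
# Set-CASMailbox -Identity "jsmith" -ActiveSyncBlockedDeviceIDs @{Add = $dev.DeviceID}

# 5. Verify the outcome. DeviceAccessStateReason shows which layer decided
#    (for example Individual, DeviceRule, Global, Policy or Upgrade).
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Select-Object DeviceID, DeviceType, DeviceAccessState, DeviceAccessStateReason
```

Because device access rules match on client-supplied strings, treat them as a way to keep unmanaged or unsupported clients out by default, and keep the per-user allow list (step 4) as the record of which specific device IDs have actually been approved.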

According to a recent draft of mobile security guidance from the National Institute of Standards and Technology (NIST), organisations should seriously consider deploying software that provides centralised management for mobile devices. As our work becomes less and less dependent on a brick-and-mortar corporate office plugged into the network by Ethernet cable or Wi-Fi, the tools with which we access our office workspace and corporate data are also evolving rapidly. Devices that workers use at home are now in demand as workplace tools as well, thanks to the convenience and rapid rise of products such as iPads, iPhones and Android devices.

Exchange ActiveSync provides a good deal of basic MDM functionality. Moreover, it is free (if you already run Microsoft Exchange) and it works with many different mobile device platforms. Keep in mind, though, that EAS policies are enforced by the client: the server sends the policy and relies on the device to apply it and report compliance, so a policy is only as strong as the mail client honouring it. To conclude, Exchange ActiveSync offers some attractive security benefits, but it is far from a complete mobile device management and mobile data security solution. It is a good fit for an organisation that is starting to consider MDM, but in a large organisation Exchange ActiveSync should be one part of a layered approach to endpoint protection.