BYOD: Microsoft Exchange MDM Platform

BYOD Facts

Exchange 2010 did bring a lot of new features. And with the latest version of Exchange ActiveSync – EAS 14.1 which was released with Exchange 2010 SP1, came a few more.

A major feature that was introduced in Microsoft Exchange was the addition of Mobile Device Management (MDM) to provision command of mobile devices. This allows Exchange administrators to create Allow, Block and Quarantine lists in Exchange to control which mobile devices are allowed to access Exchange mailboxes. Microsoft Exchange ActiveSync (EAS) is a synchronization protocol based on HTTP and XML and allows mobile devices of an organisation to access information like emails, contacts, calendar, etc. from the Exchange Server.

But that’s not all. One less talked about feature among administrators is the feature of Microsoft Exchange MDM packed with EAS. It helps provide basic mobile device management and mobile data security to an organisation, such as:

  • Options for setting password policies, including password length and complexity requirements
  • The ability to remotely lock or wipe a device if it is reported lost or stolen
  • Wipe and/or encrypt removable media, such as SD cards
  • Controls for creating Access Lists
  • Password expiration and policy refresh intervals
  • Policies that control whether attachments can be downloaded
  • The ability to disable Wi-Fi, infrared ports, Bluetooth, and cameras
  • And more…

The biggest improvement that I could see was in the fact that administrators now have the option to choose whether certain mobile devices are allowed to connect to Exchange, if they should be blocked or quarantined until an administrator decides to either allow or block them. This is known as the mobile device Access State. Outlined below are the Access States that Exchange administrators can define for every user and every device:

Allow State: As the name suggests, this state allowed the mobile device to connect to Exchange and sync email, calendar, contacts, tasks and notes. The device remains in the Allow state as long as it complies with the policies configured by the Exchange administrator.

Quarantine State: In this state, if a user’s mobile device is marked under quarantine, the user cannot sync any emails from the server. The user will be able to make changes to their own calendar, contacts, tasks, etc. though. Moreover, the user will see only one email in Inbox which notifies them that the mobile device has been quarantined. This email can be customised as per the organisation’s requirement so that the end-user knows what steps need to be taken such cases.

Block State: The mobile device will not be allowed to connect to Exchange in this case and the user will receive a HTTP 403 Forbidden error. The user will be able to see emails that were synchronized before the device was blocked. The device will not be cleared of any emails such as the case when it is quarantined. Instead no new emails would be downloaded or sent.

Discovery State: This is the state when a mobile device is connecting for the first time with the Exchange server through EAS. The device is quarantined for about 1 to 15 minutes and no emails are sent or received. This happens because the Exchange server has not yet recognised and authorized the device for allowing sync.

Upgrade State: It exists to permit the device to upgrade its information and communication protocols to the latest EAS version and be recognized by Exchange when the user’s mailbox is moved from an earlier version of Exchange.

According to a recent draft of mobile security guidance from the National Institute of Standards and Technology (NIST), corporates should seriously consider the deployment of software that can provide centralized management for mobile devices. As our work becomes less and less dependent on a physical brick and mortar corporate office plugged to the network via an Ethernet cable or a Wi-Fi, the tools with which we access our office workspace and corporate data are also evolving rapidly. Devices that workers use at home are now being demanded as workspace tools as well due to the convenience and rapid ascension of products such as iPads, iPhones, and Android devices.

Exchange ActiveSync seems to provide a lot for basic MDM functionalities. Moreover, it’s absolutely free (if you are already running Microsoft Exchange) and it works with a lot of different mobile device platforms. To conclude, Exchange ActiveSync provides some attractive security benefits, but it is far from a complete mobile device management and mobile data security solution. It is an ideal fit for any organisation which is starting to consider MDM but if the organisation is large, Exchange ActiveSync should be a part of your layered approach to the endpoint protection.

3 thoughts on “BYOD: Microsoft Exchange MDM Platform”

  1. Great article – there is still a (growing) need for EMM solutions like and Mobileiren IMHO to complement Exchange’s basic MDM capabilities.

  2. Dear Zenul,

    Before a decision is made it is important to look at the organization and its needs. Typically for a large organization where the number of email users are high, setting up an in-house Exchange server always makes sense. The initial capital investment for Exchange and the required hardware is not much of a challenge for larger organizations. Another option for large companies is to lease a managed server or colocation services from a hosting company if they do not have the redundant systems, backup power and security required.

    For a small or medium size organization it all settles down to the cost factor. It is necessary for SME’s to engage a IT consultant who can help them to prepare a roadmap keeping in mind the immediate needs and the future IT requirements. This helps to ensure that the investments made in IT do not go obsolete over time.

    Ideally, for large companies it is advised to go in for a in-house Exchange server and than probably outsource the management to a Managed IT Services company which can offer their services based on the SLA. For SME’s there is a choice of going in for Office 365 or Hosted Exchange if the number of users is less. If they are on the higher side (70-75+), it would be better to invest in the Exchange licenses and co-locate or host the same with a web hosting company while outsourcing technical support for Exchange Server Management

    Vishal Vasu

  3. Sir,
    Organisations face a hard time today when it it comes to taking the right decision whether to have exchange servers in-house or outsource it to trusted managed service providers. When it comes to having the skilled IT resources to manage the infrastructure, MSPs turn out to be clear winners as they nurture the best talent in the industry which might be a nightmare for many organizations. What markers according to you should be considered while weighing down the options for enabling organizations to take that right decision?

    Zenul Jinwala

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.