There's no denying that more and more people are connecting to corporate mail systems through mobile devices such as PDAs and cell phones. I recently read an article which projected that in two years, 95% of all corporate executives will use mobile messaging. For that reason, it is important to know how to configure Exchange Server 2007 to support mobile messaging, and how to administer mobile messaging once it is enabled. In this article, I will show you how it's done.
Connecting mobile devices to Exchange Server
Mobile devices can connect to an Exchange 2007 server by using Exchange ActiveSync. As you may recall, Exchange ActiveSync (also called Direct Push) was originally introduced with Exchange Server 2003 Service Pack 2. The original idea behind Direct Push technology is that when the Exchange Server receives messages intended for a particular user, those messages can be transmitted to the user's mobile device nearly instantaneously. During the development process, Microsoft began to realize they could transmit other types of messages from the Exchange Server to mobile devices as well. Since special system level messages could be sent to mobile devices, it became possible to enforce security policies on mobile devices or to perform remote wipes of devices.
The Exchange 2007 implementation of ActiveSync is actually very similar to what is found in Exchange Server 2003 Service Pack 2. The main difference is that the Exchange Server 2003 Service Pack 2 implementation of ActiveSync was Microsoft’s first attempt at enforcing mobile device security via a policy on an Exchange Server. Since the new version of ActiveSync is no longer a first generation product, it contains a few more features than the original version did, and there have been some minor improvements to its functionality.
For the purposes of this article, I am assuming ActiveSync has already been installed on a workstation running Outlook 2007, and the user’s mailbox is located on an Exchange 2007 server. I am also assuming the ActiveSync software has been installed onto the mobile device, and the mobile device can be physically attached to the workstation via a USB connection.
Press the mobile device’s Start button, and go to Programs | ActiveSync. When ActiveSync opens, select Set Up Your Device To Sync With It. You will be prompted to enter your Exchange Server’s address. For this field, enter your Exchange Server’s URL. (This is the same URL that you use to access OWA, minus the /owa portion of the URL. For example, if your OWA server’s URL is http://www.contoso.com/owa, then you would enter http://www.contoso.com. Note: In order for ActiveSync to work, your Exchange organization must be accessible from the Internet.)
After entering the server's URL, you'll be prompted to enter your username, password, and domain name. As you enter this information, keep in mind that you are entering the name of the domain containing your user account, not the name of the domain in which the Exchange Server resides.
Before you press Next, select the Save Password check box. Typically, telling Windows to save passwords is somewhat of a security risk, and is therefore a practice that I do not normally condone. In this particular case, however, ActiveSync needs to communicate with your Exchange Server on such a frequent basis that you really need to save your password just to get it to work correctly.
Press Next, and you'll be prompted to select the data you want to synchronize. The actual data that needs to be synchronized between the Exchange Server and the mobile device will vary, depending on your own individual business needs. For the purposes of this article, I am going to assume you need to synchronize your messages and your calendar. (If you need to synchronize other types of data, the procedure is very similar.)
Select the Calendar check box, and then press the Settings button. You will see a drop-down list that allows you to select the time period you want to synchronize. Select All from this list and press OK. You will be returned to the Choose The Data That You Wish To Synchronize screen. Select the E-mail check box and press the Settings button. Once again, choose All from the Include The Previous drop-down list, so all e-mail messages are synchronized. If you have a large inbox, you might be better off only synchronizing items from the last month, to conserve memory on the mobile device.
Press OK to continue. If you also want to synchronize your contacts and tasks, then select the Contacts and Tasks check boxes before pressing Finish.
Creating a mobile messaging security policy
Mobile messaging security policies are nothing new to Exchange 2007. In fact, Exchange Server 2003 Service Pack 2 let you create a security policy that allowed you to enforce passwords for mobile users. Exchange Server 2003 Service Pack 2 is the first version of Exchange that supported mobile device security policies. As you would probably expect of just about any first-generation product, the mobile security policies in Exchange 2003 had some shortcomings.
The biggest shortcoming of mobile messaging security policies in Exchange 2003 was that they were global in nature. When you implemented a mobile messaging security policy, those policy settings applied to all mobile users. In Exchange 2007, however, Microsoft allows you to create multiple policies, and apply those policies on a user-by-user basis. This is helpful because you may wish to require stronger passwords for users most likely to have sensitive data on their mobile devices.
In Exchange 2007, Microsoft refers to a mobile messaging security policy as an ActiveSync mailbox policy. You can create an ActiveSync mailbox policy by opening the Exchange Management Console and navigating to Organization Configuration | Client Access. Next, select the New Exchange ActiveSync Mailbox Policy link, found in the Actions pane. You will see the New Exchange ActiveSync Mailbox Policy screen, as shown in Figure A.
Figure A: The New Exchange ActiveSync Mailbox Policy screen allows you to create mobile messaging security policies.
Assign a name to the policy you're creating. You can call the policy anything you want; I recommend using a name that is somewhat descriptive of the policy's purpose.
Just below the Mailbox Policy Name field is a check box you can select to allow non-provisionable devices. If you select this check box, users will be allowed to use older mobile devices that may not support ActiveSync mailbox policies. Essentially, this would mean that your policies do not apply to users of those devices. One thing to keep in mind: If you choose to select this check box, you are not allowing non-provisionable devices to be used by everyone. After all, this is not a global policy. Selecting this check box will only allow the users to whom the policy applies to use non-provisionable devices.
The next check box allows you to control whether or not users to whom the policy applies will be allowed to download attachments to their mobile devices. Blocking the use of attachments reduces the risks of e-mail virus infections, and it also conserves bandwidth and air time (which could result in substantial savings on your cellular bill). On the other hand, depending on the nature of your company, preventing users from downloading attachments could interfere with the ability to do their jobs.
Another thing you can do with Exchange ActiveSync mailbox policies is require passwords to be used on mobile devices. To do so, select the Require Password check box. Below this check box, there are a number of other check boxes that you can select to enforce the length, complexity, expiration period, and other aspects of the device's password.
When you have finished configuring the various policy elements, press the New button to create the Exchange ActiveSync mailbox policy. The policy you created will now appear in the Details pane when the Client Access container is selected, as shown in Figure B.
Figure B: The policy that you have created appears in the Details pane.
Assigning a policy
Now you can assign the policy to a user. To do so, navigate to Recipient Configuration | Mailbox. When you select the Mailbox container, the Details pane will display a list of all of the mailboxes in the entire Exchange Server organization. Right-click on the mailbox belonging to the user to whom you want to assign the newly created policy, and select Properties from the resulting shortcut menu. You will then see the mailbox's properties sheet.
Once the properties sheet opens, select the Mailbox Features tab, shown in Figure C. The Mailbox Features tab allows you to enable or disable various Exchange Server features on a user-by-user basis. One of the features listed is Exchange ActiveSync. Although Exchange ActiveSync is enabled by default, there is no default Exchange ActiveSync mailbox policy that applies to the user's mailbox. It's up to you to apply the policy you created earlier.
Figure C: The Mailbox Features tab allows you to enable or disable various Exchange Server features on a user-by-user basis.
To assign a policy to the mailbox, select Exchange ActiveSync from the list of mailbox features, and then press the Properties button. You'll see the Exchange ActiveSync Properties dialog box, as shown in Figure D. Select the Apply An Exchange ActiveSync Mailbox Policy check box. Next, press the Browse button and browse for the policy you want to assign to the mailbox. Press OK twice to assign the policy.
Figure D: The Exchange ActiveSync Properties dialog box allows you to assign an Exchange ActiveSync mailbox policy to a user's mailbox.
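The same create-and-assign procedure, followed by a check for mailboxes that were left without a policy, can be done from the Exchange Management Shell. This is an added example, not code from the article; the policy name, the mailbox alias and the password thresholds are assumed values chosen for illustration.

```powershell
# Added example (not from the article). Exchange 2007 Management Shell.
# Policy name, mailbox alias and thresholds below are assumed values.

$policyName = "Executives-Strict"   # assumed policy name

# Mirror the GUI choices described above: non-provisionable devices not
# allowed, attachments blocked, device password required and constrained.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -AttachmentsEnabled $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true

# Equivalent of Mailbox Features > Exchange ActiveSync > Properties > Browse
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy $policyName

# Confirm the assignment took effect on that one mailbox
Get-CASMailbox -Identity "jsmith" |
    Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Audit: ActiveSync is enabled by default but no policy is, so list every
# ActiveSync-enabled mailbox that still has no policy assigned.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Admin-side view of what the user sees on the OWA Mobile Devices page:
# which devices have partnered with the mailbox and when they last synced.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Select-Object DeviceType, DeviceID, LastSuccessSync, LastPolicyUpdateTime
```

The audit query is the one worth scheduling: a mailbox that shows up there can sync from any device with no password or attachment restrictions at all.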
Self-service mobile device options
So far, I've shown you how to prepare a mobile device to be used in an Exchange 2007 environment, and how to create a security policy that could be used to ensure the mobile device is used in a manner consistent with corporate security policy. There's one last thing I want to show you: Exchange 2007 allows mobile users to perform some degree of mobile device management on their own. All a user has to do to manage their mobile device is sign into the Exchange Server organization using OWA.
After signing into OWA, press the Options button found in the upper right portion of the screen. You'll be taken to a screen that allows you to set various options related to OWA's behavior. Although most of these options are related to OWA, there are options related specifically to mobile devices.
To access these options, select the Mobile Devices link found in the options list. When you do, you'll see a screen similar to the one shown in Figure E. This screen allows you to view the device's status and the last time the device was synchronized. There are also options for retrieving the device log, displaying the recovery password, or wiping all data from the device. These are all things the end user can do on their own without intervention from the helpdesk.
Figure E: Users can perform some level of device management through OWA.