Applies to: Windows 7, Windows Server 2008 R2
The workplace is changing. The boundaries between peoples’ professional and personal lives are blurring. Work is no longer confined to the office. Employees check work email at home during the night and update their social media at the office during the day. In addition to their desktop computers, they're using portable computers, slates, and smartphones.
Contributing to this trend is the increasing computing power that’s available on a wide range of devices. Consumer devices, including smartphones and media tablets, are becoming powerful enough to run applications that were previously restricted to desktop and portable computers. For many workers, these devices represent the future of computing and help them do their job more efficiently.
In a world in which highly managed information technology (IT) infrastructures can seem inflexible, workers prefer to use the many consumer devices available to them. For IT, the challenge is to embrace consumerization as appropriate while minimizing risks to the enterprise and its data. Many consumer devices were not initially designed for business use, so IT must plan carefully to enable the level of management and control they require.
As a leader in business and consumer technologies, Microsoft is in a unique position to understand and provide guidance on how to responsibly embrace consumerization within enterprises. In a previous white paper, Strategies for Embracing Consumerization, you'll find specific strategies for embracing the latest consumerization trends. This article explores specific technologies that the aforementioned white paper recommends in its various scenarios.
In this article:
The Windows Optimized Desktop offers client computing choices to enhance user productivity while meeting specific business and IT needs. Built on the Windows 7 Enterprise operating system, managed by Microsoft System Center, and secured by Microsoft Forefront Endpoint Protection, the Windows Optimized Desktop includes virtualization technologies with integrated management across physical and virtual machines (VMs), including virtual desktop infrastructures. Add Microsoft Office 2010, Windows Internet Explorer 9, and the Microsoft Desktop Optimization Pack (MDOP) to enable a workforce that is more productive, manageable, and secure.
This section focuses on specific technologies in the Windows Optimized Desktop that can help IT embrace consumerization on rich devices running Windows 7. These technologies can address challenges such as managing applications and user data, safeguarding data, defending the network, and protecting intellectual property in consumerization scenarios.
In consumerization scenarios, application management is about provisioning applications and controlling which applications users can run on their computers. System Center Configuration Manager 2007 and Microsoft Application Virtualization (App-V) are key deployment technologies. Additionally, AppLocker is a Windows 7 Enterprise feature that you can use to control access to applications.
Configuration Manager provides a rich set of tools and resources that you can use to manage the complex task of creating, modifying, and distributing application packages to computers in your enterprise. Deploying applications by using an existing Configuration Manager infrastructure is remarkably straightforward. Administrator Workflows for Software Distribution on TechNet describes this process in detail:
Organizations using System Center Essentials can also use it to distribute applications. For more information about Essentials, see
System Center Essentials. Technical guidance for deploying applications is available in the
System Center Essentials 2010 Operations Guide.
To control access to physical or virtual applications, Windows 7 Enterprise offers AppLocker. AppLocker is a new feature that replaces the Software Restriction Policies feature in earlier Windows versions. It adds capabilities that reduce administrative overhead and help you control users’ access to program files, scripts, and Windows Installer files. By using AppLocker to control access to physical applications, you can prevent unlicensed, malicious, and unauthorized applications from running.
To use AppLocker, you create a Group Policy Object (GPO) and then define AppLocker rules inside it. Within a rule, you can allow or deny access to a program file, script, or Windows Installer file for a specific user or group. You identify the file based on file attributes—including the publisher, product name, file name, and file version—from the digital signature. For example, you can create rules based on product-name and file-version attributes that persist through updates, or you can create rules that target a specific version of a file. In addition to allowing or denying access to a file, you can define exceptions. For example, you can create a rule that allows all programs which ship as part of Windows 7 to run except for the Registry Editor (regedit.exe).
AppLocker is surprisingly easy to configure and deploy. It provides wizards that make defining rules for program files, scripts, and Windows Installer files straightforward. However, because AppLocker prevents users from opening or running files that are not defined explicitly in a rule, you should plan your AppLocker deployment after examining an inventory of applications used in your environment. More information about AppLocker is available in AppLocker on TechNet.
A specific challenge to embracing consumerization is people working on more than one computer. This scenario can be painful for both end users and IT pros. Users’ files and settings do not follow them when they roam from computer to computer. If a user creates a document on his or her work computer, for example, that document isn’t immediately available when he or she logs on to a slate or through a VM accessed by a non-Windows PC. For IT, decentralized storage of files and settings leads to even more challenges. Files are difficult to back up. They’re difficult to secure. And because they’re scattered across many PCs, availability of important files is difficult to manage.
User state virtualization addresses these challenges. It centralizes storage of users’ files and settings to make backing up and securing them easier. Managing the availability of important files is possible. Also, user-state virtualization enables users’ files and settings to follow them from PC to PC and even to VMs. In Windows 7, three technologies support user state virtualization:
The Infrastructure Planning and Design: Windows User State Virtualization guide can help you implement user state virtualization.
BitLocker Drive Encryption is an integral security feature in Windows 7 Enterprise that helps protect data stored on fixed drives and the operating system drive. BitLocker helps protect against offline attacks, which are attacks made by disabling or circumventing the installed operating system or by physically removing the hard drive to attack the data separately. BitLocker helps ensure that users can read the data on the drive and write data to the drive only when they have either the required password, smart card credentials, or are using the data drive on a BitLocker-protected computer that has the proper keys.
BitLocker protection on operating system drives supports two-factor authentication by using a Trusted Platform Module (TPM) along with a personal identification number (PIN) or startup key as well as single-factor authentication by storing a key on a USB flash drive or just using the TPM. Using BitLocker with a TPM provides enhanced data protection and helps assure early boot component integrity. This option requires that the computer have a compatible TPM microchip and BIOS:
The TPM interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the user logon experience is unchanged. However, if the startup information has changed, BitLocker will enter recovery mode, and the user will need a recovery password or recovery key to regain access to the data.
The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for deploying BitLocker. Additionally, numerous Group Policy settings are available for managing BitLocker. You can learn about these in the BitLocker Group Policy Reference. You can provision BitLocker during deployment by using the Microsoft Deployment Toolkit (MDT) 2010 or Configuration Manager. For more information, see the MDT 2010 documentation.
Windows 7 Home Premium and Windows 7 Professional do not include BitLocker. If you allow employees to use devices that are running these operating systems, you can use the Encrypting File System (EFS) to help protect corporate data on these computers. However, EFS does not provide full-volume encryption, as BitLocker does. Instead, users choose the folders and files they want to encrypt. For more information about EFS in Windows 7, see The Encrypting File System.
|Note: Users who are running Windows 7 Home Premium or Windows 7 Professional can use Windows Anytime Upgrade to upgrade to Windows 7 Ultimate for a charge. Doing so would provide BitLocker. For more information about Windows Anytime Upgrade, see Windows Anytime Upgrade.|
In Windows 7 Enterprise, BitLocker To Go extends BitLocker to portable drives, such as USB flash drives. Users can encrypt portable drives by using a password or smart card. Authorized users can view the information on any PC that runs Windows 7, Windows Vista, or Windows XP by using the
BitLocker To Go Reader. Also, by using Group Policy, you can require data protection for writing to any removable storage device but can enable unprotected storage devices to be used in read-only mode.
The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for using BitLocker To Go. Additionally, numerous Group Policy settings are available for managing BitLocker To Go, which the BitLocker Group Policy Reference describes.
The Windows 7 Backup and Restore feature creates safety copies of users’ most important personal files. They can let Windows choose what to back up or pick individual folders, libraries, and drives to back up—on whatever schedule works best for them. Windows supports backing up to another drive or a DVD. Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise also support backing up files to a network location.
Whereas Windows 7 provides a built-in backup feature that users can use on their own devices, System Center Data Protection Manager (DPM) 2010 enables an organization to create a two-tiered backup solution that combines the convenience and reliability of disk for short-term backup—where most recovery requests are concentrated—with the security of tape or other removable medium for long-term archiving. This two-tiered system helps to alleviate the problems associated with tape backup solutions while still allowing for the maintenance of long-term off-site archives.
Important to consumerization scenarios, DPM 2010 adds support for protecting client computers, such as laptop computers and slates, which are not always connected to the network. Additionally, users can recover their own data without waiting for the backup administrator. You can learn more about DPM 2010 at System Center Data Protection Manager 2010.
Forefront Unified Access Gateway (UAG) provides remote client endpoints with access to corporate applications, networks, and internal resources via a Web site. Client endpoints include not only computers running Windows but also other non-Windows devices. It supports the following scenarios:
Infrastructure Planning and Design: Forefront Unified Access Gateway on TechNet provides guidance for designing a Forefront UAG deployment. Additional detailed technical guidance is available in Forefront Unified Access Gateway (UAG) on TechNet.
Network Access Protection (NAP) includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are noncompliant, and remediating noncompliant client computers for unlimited network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP can also provide ongoing health compliance enforcement while a compliant client computer is connected to a network.
NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access (RRAS), or when clients attempt to communicate with other network resources. The way in which NAP is enforced depends on the enforcement method you choose. NAP enforces health requirements for the following:
Network Access Protection Design Guide can help you design a NAP deployment. The
Network Access Protection Deployment Guide provides detailed technical guidance for the above scenarios.
In Configuration Manager, NAP lets you include software updates in your system health requirements. Configuration Manager NAP policies define which software updates to include, and a Configuration Manager System Health Validator point passes the client's compliant or non-compliant health state to the Network Policy Server (NPS). The NPS then determines whether the client has full or restricted network access, and whether non-compliant clients will be brought into compliance through remediation. For more information about NAP in Configuration Manager, see Network Access Protection in Configuration Manager.
In addition to securing local data and network access, protecting access to business information—such as intellectual property—is an important consideration if you're embracing consumerization. Two technologies are available for protecting this information:
For organizations that do not have the resources or infrastructure to support the Windows Optimized Desktop, Windows Intune can help deliver the management and security essentials. Organizations that have deployed the Windows Optimized Desktop can manage pockets of unmanaged computers (home-office computers and consumer devices running Windows that users bring to work) by using Windows Intune (Figure 1).
Figure 1. Windows Intune
Windows Intune helps you manage and secure computers in your environment through a combination of Windows cloud services and upgrade licensing. Windows Intune delivers cloud-based management and security capabilities through a single web-based administrative console. With Windows Intune, you can manage computers from almost anywhere—all you need is an Internet connection and the Windows Intune client installed on each managed computer. Additionally, with an active Windows Intune subscription, you have the rights to upgrade to future versions of Windows, with the same benefits of the Microsoft Software Assurance program for Windows.
The Windows Intune administrator console organizes management tasks into the following workspaces, which you can manage from almost any browser that supports Microsoft Silverlight:
Remote assistance alerts provide a key tool for troubleshooting problems that occur on managed computers. A user on a managed computer can initiate a remote assistance request, which generates an alert. When you view the alert in the Windows Intune administrator console, you can accept the request. Accepting the request opens a Microsoft Easy Assist session so that you can perform remote troubleshooting on the user’s computer.
Windows Intune also provides Windows 7 Enterprise upgrade rights with Software Assurance. With the upgrade rights provided by Windows Intune, you can upgrade any computer that is managed by Windows Intune and that meets the minimum Windows 7 system requirements to Windows 7 Enterprise. Windows Intune also provides all the benefits of the Microsoft Software Assurance Program for Windows, including:
Virtual applications are streamed to computers as network services. They do not leave footprints on systems and are easy to update. They’re also self-contained, helping prevent conflicts between personal and business applications that may cause downtime and require intervention from the support team.
App-V is part of MDOP that supports packaging, deployment, and management of virtual applications. App-V can make applications available to end-user computers without requiring you to install the applications directly on those computers. This is possible through a process known as sequencing the application, which enables each application to run in its own self-contained virtual environment on the client computer. Sequenced applications are isolated from one another. This scenario eliminates application conflicts, but the applications can still interact with the client computer.
The App-V client is the feature that lets end users interact with applications after they have been published to the computer. The client manages the virtual environment in which the virtualized applications run on each computer. After the client has been installed on a computer, the applications must be made available to the computer through a process known as publishing, which enables the end user to run the virtual applications. The publishing process copies the virtual application icons and shortcuts to the computer—typically on the Windows desktop or on the Start menu—and also copies the package-definition and file-type-association information to the computer. Publishing also makes the application package content available to end users’ computers.
Virtual application package contents can be replicated to one or more App-V servers so that they can be streamed to the clients on demand and cached locally. File servers and Web servers can also be used as streaming servers, or the content can be copied directly to end users’ computers. In a multi-server implementation, maintaining the package content and keeping it up to date on all the streaming servers requires a comprehensive package-management solution. Depending on the size of your organization, you might need to have many virtual applications available to end users located all over the world. Managing the packages to ensure that the appropriate applications are available to all users where and when they need access to them is therefore an important requirement.
As shown in Figure 2, the primary components of App-V are:
Figure 2. Application Virtualization
App-V 4.6 is the latest version of the product. With App-V 4.6, you can sequence and run 32-bit and 64-bit applications on the 64-bit version of Windows 7. It supports new Windows 7 features such as the taskbar, Jump Lists, AppLocker, BranchCache, and BitLocker To Go. App-V 4.6 adds support for 12 additional languages. To support Microsoft Virtual Desktop Infrastructure (VDI), App-V 4.6 provides the capability for a read-only shared cache to help optimize server disk storage. Last, App-V 4.6 improves the sequencing experience and provides support for sequencing 32-bit and 64-bit applications. You can learn more about App-V at the Microsoft Desktop Optimization Pack Web site. More detailed technical information is available on TechNet at Application Virtualization.
|Note: Citrix XenApp is a Microsoft Partner solution that extends support for traditional and App-V virtual applications to a wide range of devices, including smartphones and other non-Windows-based devices. It provides on-demand application delivery that can virtualize, centralize, and manage almost any application in the datacenter. By using XenApp, you can centralize applications in the data center, control and encrypt access to data and applications, and deliver applications instantly to users almost anywhere. To learn more about Citrix XenApp, see the Citrix XenApp website. Additionally, the article How to publish an App-V-enabledapplication in Citrix XenApp describes how to use XenApp to publish App-V applications.|
Configuration Manager gives IT pros the ability to deploy, upgrade, and track usage of both physical and virtual applications in a single management experience. By seamlessly integrating virtual application formats into the Configuration Manager software-distribution capability, IT pros can follow known processes and workflow for delivering virtual applications to end users. This enables IT to deliver applications more quickly while also isolating potentially conflicting applications from interfering with one another. Configuration Manager’s integration with App-V provides added scalability while also allowing IT to enable existing distribution points to stream virtual applications, eliminating the need for a separate App-V infrastructure. With Configuration Manager, virtual applications can be delivered to either computers or users. Administrators can inventory virtual applications and deliver virtual applications as part of Operating System Deployment task sequences.
Configuration Manager takes the place of the publishing and streaming components in a typical App-V full infrastructure by integrating with an existing Configuration Manager infrastructure that is already delivering traditional applications, updates, and more. Figure 3 illustrates the minimal Configuration Manager and App-V processes and components required to manage virtual applications with Configuration Manager. The App-V Sequencer produces packages that can be distributed via a Configuration Manager infrastructure to the Configuration Manager clients. This eliminates the need for two separate infrastructures to support application deployment, allowing both traditional and virtual applications to be deployed from the same console.
Figure 3. Configuration Manager and App-V Infrastructure
Using Configuration Manager to publish virtual applications requires that you follow a simple process. At a high level, managing virtual applications with Configuration Manager requires applications to be sequenced, published by using Configuration Manager advertisements, and delivered to the end clients. The following minimum process is required to support App-V in a Configuration Manager infrastructure:
Managing virtual applications with Configuration Manger will require an App-V sequencer for creating packages, a Configuration Manager site server, Configuration Manager distribution points for delivery of the packages, and Configuration Manager client computers with the App-V client installed. The following minimum components are required to support App-V in a Configuration Manager Infrastructure:
Configuration Manager 2012, now in beta 2 release, helps IT empower their users with the devices and applications they need to be productive, while maintaining the control necessary to protect corporate assets. It provides a unified infrastructure for managing mobile, physical, and virtual environments that allows IT to deliver and control user experiences based on user identity, connectivity, and device specifics. Along with all of the world-class inventory, operating system deployment, update management, assessment, and settings enforcement you’ve come to expect from Configuration Manager, the new release will deliver:
You can find more information about the new updated capabilities involving the deployment of virtual applications in System Center Configuration Manager 2012 beta 2 release at
Introduction to Application Management in Configuration Manager 2012.
Back to top
Due to consumerization, users are bringing to work more than just PCs running Windows. Non-Windows-based slates and tablets run a range of operating systems, such as Apple iOS, Google Android, Linux, and so on. These devices provide different user interfaces, different levels of security, and different management capabilities. There are multiple operating systems across consumer devices, so adopting a systematic approach to management and security is essential.
Microsoft offers technologies with which to enable management and security across these kinds of disparate consumer devices. For devices that cannot provide the full Windows 7 experience and security, you can use a VDI-based strategy to enable secure access to a server-hosted, Windows-based desktop. This approach is the most effective one for non-Windows-based portable computers and slates. However, a VDI-based strategy can also be useful when employees bring their own Windows-based portable computers into the workplace. In this case, VDI is used to deliver a secure enterprise desktop while keeping all personal data and software out of the corporate network.
VDI is a centralized desktop-delivery solution. Illustrated in Figure 4, the concept of VDI is to store and run desktop workloads—including a Windows client operating system, applications, and data—in a server-based VM in a data center and enable a user to interact with the desktop presented onto a user device via Remote Desktop Protocol (RDP) and RemoteFX. VDI is part of an enterprise’s cohesive, holistic virtualization strategy across the IT infrastructure to support Microsoft’s vision of Dynamic IT. VDI is not an isolated architecture but rather one of the many technologies available to optimize enterprise desktops.
For devices that cannot provide a full Windows 7 environment, VDI can enable secure access to a server-hosted Windows 7 desktop. For computers and slates that do not run Windows (i.e., Apple Mac, Apple iPad, and netbooks based on Linux), VDI can be the most effective solution. However, VDI can also be useful when employees bring their own portable computers running Windows into the workplace. It can deliver a secure enterprise desktop, keeping all personal data and software off the corporate network.
Figure 4. Virtual Desktop Infrastructure
For more information about VDI, see Virtualization Products and Technologies.
Part of Windows Server 2008 R2, Remote Desktop Services (RDS) provides the Remote Desktop Connection Broker (RD Connection Broker). RD Connection Broker is a native VDI connection broker that provides a unified experience for accessing VDI as well as traditional session-based remote desktops. RD Connection Broker delivers virtual desktops similarly to RemoteApp. For example, a user will access http://rds-all.contoso.corp/rdweb to see a Web page listing both authorized applications and desktops, once authenticated.
Figure 5 shows three Office 2007 applications published by using RemoteApp. In Windows Server 2008 R2, RemoteApp programs shown at a URL can be composed from multiple sources. They do not need to be installed on the same Remote Desktop Session Host (RD Session Host) or Terminal Services server. They can be from multiple RD Session Hosts and Terminal Services servers, yet composed and presented with the same URL. Further, the presence of a RemoteApp program is based on the access control list (ACL) of a published application in RD Session Host. By default, all authenticated users will have access to published RemoteApp programs.
Figure 5. Remote Desktop Connection Broker
The My Desktop icon appears only to those users who are assigned with a personal virtual desktop. The assignment can be done in RD Connection Broker or the user object in AD DS. When a user clicks the My Desktop icon, a virtual desktop will be delivered to the user’s device, after the user is authenticated.
The Contoso Desktop icon is for accessing a virtual desktop running on a VM dynamically picked from a VM pool defined in RD Connection Broker. Once a VM pool is defined, the icon to access a VM in the pool will show up on the RDS webpage for all authenticated users, regardless of whether a user has access to the pool. Both the display name of the page and the display name of the icon to access a VM pool can be easily customized in RD Connection Broker; in this example, “Contoso Wonder LAN” and “Contoso Desktop” are customized display names. Further information about the RDS architecture and how RD Connection Broker plays a central role in a VDI solution is available in Remote Desktop Services (RDS) Architecture Explained.
A new feature in Windows Server 2008 R2 is RemoteApp and Desktop Connection, which provides the ability to access RemoteApp programs, remote desktops, and virtual desktops from the Start menu of a computer running Windows 7. You can configure RemoteApp and Desktop Connection as follows:
With RemoteApp and Desktop Connection, users can access RemoteApp programs and virtual desktops directly from the Start menu without specifying the RDS URL. This capability minimizes user training and offers a consistent user experience on Windows applications.
With VDI, a virtual desktop is isolated from the client’s device and runs in a VM maintained in a data center. The device can be a desktop, laptop, slate, or thin-client computer—running Windows or another operating system. Users interact with their virtual desktops through RDP and RemoteFX, which provides a rich desktop experience. Similar to session-based remote desktops (i.e., Terminal Services), VDI provides a server session with a full-fidelity desktop environment that is virtualized within a server-based hypervisor. The premise of VDI is that all users are running virtual desktops on VMs. Key technical components making VDI a reality include:
There are two VDI deployment models:
VDI essentially delivers a desktop on demand to a user device via a network connection. This is different from running a conventional desktop computer, in which an OEM license is bound to hardware and cannot be dynamically assigned, as with VDI. Traditional licensing has become insufficient to correctly reflect the number of licenses consumed in a desktop deployment delivered with VDI.
To accommodate new deployment scenarios, Microsoft has introduced two new offerings for VDI:
Both the VDI Standard Suite and the VDI Premium Suite are licensed per client device that accesses the VDI environment, and thereby allow for flexibility of server infrastructure design and growth. You can learn more about VDI suite licensing at Microsoft's Remote Desktop Services site. Additional information about Remote Desktop Services Licensing is available at Licensing Remote Desktop Services in Windows Server 2008 R2.
Both RDS and VDI are core components of desktop virtualization, and they satisfy specific computing requirements and scenarios with deployment readiness and flexibility. For a remote task worker who needs to access a specific application for carrying out a well-defined task—such as entering data or reporting a status for time reporting, inventory updating, or incident reporting—RemoteApp might be sufficient. However, a knowledge worker—who performs complex or unstructured routines such as analyzing data, architecting a solution, designing a product, writing code, or troubleshooting systems—will likely require full access to a desktop to assure productivity, and deploying a virtual desktop is one solution.
Although VDI is flexible, it does require more server hardware resources than the traditional session-based remote desktop approach. Table 1 compares session-based virtualization with VDI. In general, VDI requires an upfront investment in server and storage hardware to store and execute all needed VMs. To ensure that users are able to access virtual desktops, the network supporting VDI needs to be highly available. Generally speaking, the network-bandwidth requirement is higher to support VDI than to support Terminal Services. VM management software is also essential to manage enterprise virtual desktops.
Table 1. Session-based virtualization versus VDI
Additionally, users should not expect a remote desktop or a virtual desktop to perform exactly as well as a locally installed desktop. Audio, video, and USB performance on a remote desktop might not be as rich as those directly running on or attaching to a user’s device. A rich client will always provide a superior user experience to that delivered with VDI. Overall, considerations of a VDI solution should include, but not be limited to:
Note: Citrix XenDesktop is a Microsoft Partner solution that can deliver on-demand virtual desktops and applications to users on any device they use, anywhere they use it. To learn more about Citrix XenDesktop, see the
Citrix XenDesktop website. Additionally, the blog entry
Microsoft Virtual DesktopInfrastructure (VDI) utilising Citrix Xendesktop as the Broker describes in detail how XenDesktop fits into and enhances VDI architectures.
Back to top
This article has described four technologies that can help your organization embrace consumerization. These technologies are Windows Optimized Desktop, Windows Intune, Application Virtualization, and VDI. The following list describes how these technologies fit in to specific consumerization scenarios:
In all cases, application virtualization can provide users access to the applications they need. For more information, see the section titled “Application Virtualization,” earlier in this article.
Back to top
Tools are available to manage smartphones in the enterprise. For example, you can use Exchange ActiveSync to manage many Microsoft and non-Microsoft smartphones. Exchange ActiveSync is a Microsoft Exchange Server synchronization protocol that is optimized to work over high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, enables devices to access information such as e-mail, calendars, and contacts on an Exchange Server system.
Exchange ActiveSync also provides management tools through Exchange ActiveSync mailbox policies and related tools. For example, Windows Phone 7 supports management policies like requiring passwords and enforcing password strength. It also provides the ability to remotely wipe the device and restore a mobile phone’s original factory settings after multiple failed attempts to unlock it.
Management based on Exchange ActiveSync is an industry standard for smartphones and other small-form-factor devices. Platforms such as Apple iPhone and iPad, Google Android, Nokia Symbian, and Palm support Exchange ActiveSync and mailbox polices to varying degrees. The blog post Updated - Comparison of Exchange ActiveSync Clients ( Windows phone, Windows Mobile, Android, Nokia, Apple, Palm ) compares support for Exchange ActiveSync across many different platforms.
This section describes some of the mailbox policies and tools in Exchange ActiveSync that you can use to manage smartphones. For more information about Exchange ActiveSync, see Managing Exchange ActiveSync Devices on TechNet.
Mobile phones can store sensitive corporate data and provide access to many corporate resources. If a device is lost or stolen, that data can be compromised. Through Exchange ActiveSync policies, you can add a password requirement to mobile phones, mandating that users enter a password to access their phones. Microsoft recommends that, in addition to requiring a device password, you configure your mobile phones to automatically prompt for a password after a period of inactivity. The combination of a device password and inactivity locking provides more security for your corporate data. For more information, see the “Device Management” section later in this article.
In addition to these features, Microsoft Exchange Server 2010 provides a remote device wipe feature. You can issue a remote device wipe command from the Exchange Management Console (EMC). Users can issue their own remote device wipe commands from the Microsoft Office Outlook Web App user interface. The remote device wipe feature also includes a confirmation function that writes a time stamp in the sync state data of the user's mailbox. This time stamp is displayed in Outlook Web App and in the user's mobile phone properties dialog box in the EMC. In addition to resetting the mobile phone to factory-default condition, a remote device wipe also deletes any data on any storage card that's inserted in the mobile phone.
|Important: After a remote device wipe has occurred, data recovery is very difficult. However, no data-removal process leaves a device as free from residual data as when it's new. Recovery of data from a device might still be possible by using sophisticated tools.|
You can remotely wipe a device by using one of three methods:
For more information about remote device wipe in Exchange Server 2010, see Perform a Remote Wipe on a Mobile Phone on TechNet.
You can create an Exchange ActiveSync mailbox policy to configure a variety of security options for users and their devices. In addition to password requirements and settings, you can use the General tab on the policy to specify the types of mobile phones that can connect to the Exchange Server system and whether attachments can be synchronized. The following summarizes the available policies:
On TechNet, Managing Exchange ActiveSync with Policies provides a full list of mailbox policies and describes how to configure them by using the EMC and the Shell. The ability to manage devices through Exchange Active Synch will also be a core feature of the upcoming System Center Configuration Manager 2012, which is now in beta 2 release.
Direct Push Technology uses Exchange ActiveSync to keep data on a smartphone synchronized with data on Exchange Server. On firewalls, a network idle connection time-out indicates how long a connection is permitted to live without traffic after a Transmission Control Protocol (TCP) connection is fully established. You must correctly set this time-out value to allow the Exchange ActiveSync heartbeat interval and the enterprise session interval to communicate effectively. If the firewall closes the session, mail would remain undelivered until the client reconnects, and the user could be unsynchronized for long periods of time. Microsoft recommends that organizations set time-outs on their incoming firewalls to 30 minutes. For more information, see Understanding Direct Push and Exchange Server 2010.
Exchange Server includes the Autodiscover service, which simplifies the provisioning of mobile phones by returning the required system settings after a user enters his or her e-mail address and password. The Autodiscover service is enabled by default in Exchange Server 2010 (Figure 6).
Figure 6. Autodiscover with Exchange ActiveSync
The process that Figure 6 describes is as follows:
The ability to use Autodiscover depends on the operating system of the mobile phone you're using. Not all mobile phone operating systems that support synchronization with Exchange Server support Autodiscover. For more information about operating systems that support Autodiscover, see the blog post
Updated - Comparison of Exchange ActiveSync Clients (Windows phone, Windows Mobile, Android, Nokia, Apple, Palm).
For instructions on configuring Autodiscover in Exchange Server, see Configure Exchange ActiveSync Autodiscover Settings.
Back to top
IT must be able to embrace consumerization where it is appropriate, while at the same time minimizing risks to the enterprise and its data. By assessing and understanding your users, in addition to the devices that they want to use, you can help ensure that consumerization benefits your business, and that these benefits can be measured and evaluated.
Embracing consumerization enables businesses to deliver productivity gains and competitive advantage. Consumerization becomes a major opportunity when the strategies that are described in this paper are followed, ensuring that corporate assets are secure and establishing new roles for empowered employees and IT as partners. Microsoft has a range of enterprise-ready solutions that can help you address your users’ needs surrounding consumerization, from deployments of Windows Optimized Desktop, through cloud-based management using Windows Intune, to Windows-based and non-Windows-based smartphones.