Step 6: Configure and Manage Mobile Device Access on the Exchange Server

6/2/2010

With the Microsoft Exchange Server 2003 SP2 installation, Exchange ActiveSync features are enabled for all client mobile devices at the organizational level. If your security setup accepts the trusted certificates that are shipped on the mobile devices, all you need to do is instruct your users who have Windows Mobile 5.0-based devices to sign in using the pre-installed ActiveSync software.

Note

If you want to establish a central security policy, you should use the Exchange System Manager to configure it for all users; follow the instructions in "Configuring Security Settings for Mobile Devices" later in this chapter.

For more information about setting security policies, see "Best Practice: Determine and Deploy a Device Password Policy" in Best Practices for Deploying a Mobile Messaging Solution.

For more information about managing and configuring mobile devices, see "Setting Up a Mobile Device Connection to Exchange Server" in Step 8: Manage and Configure Mobile Devices.

With the management capabilities that are in Exchange Server 2003 SP2 and the security and configuration protocols that are included in Windows Mobile 5.0 with MSFP, most of the administration of the mobile devices takes place on the Exchange server or on the Mobile Administration Web tool.

You can do the following actions on your Exchange server:

  • Configure mobile access.
  • Configure security policy settings for mobile devices.
  • Monitor mobile performance on Exchange Server.

Configuring Mobile Access

During a default installation, all Exchange ActiveSync features are enabled. You can modify the feature settings at the Exchange server level with Exchange Server System Manager, and enable or disable the Exchange ActiveSync features for individual users or groups by using Active Directory.

When managing access to Exchange ActiveSync features, you can do the following:

  1. Configure Exchange ActiveSync features for your organization
  2. Disable user-initiated synchronization for users or groups (if desired)
  3. Enable or disable up-to-date notifications (Optional)

Configuring Exchange ActiveSync Features for Your Organization

Exchange ActiveSync allows users to synchronize their Exchange information with a mobile device. At the organizational level on your Exchange server, you can enable or disable the following Exchange ActiveSync features:

| Feature | Description |
| --- | --- |
| Enable user-initiated synchronization | Enables users to synchronize their Exchange information with their mobile device. |
| Enable up-to-date notifications via SMTP and Text Messaging | Allows users to receive notifications through SMTP in order to keep their device up to date with information on their Exchange server. This should be left enabled to accommodate users who have Windows Mobile-based devices without MSFP. |
| Enable notifications to user-specified SMTP addresses | Allows users to use their own wireless service provider. |
| Enable Direct Push over HTTP(s) | Enables users with Windows Mobile-based devices with MSFP to receive notifications through HTTP to keep their mobile device up to date with the information that is on their Exchange server. |

To configure Exchange ActiveSync features for your organization

  1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.

  2. In the console tree, double-click Global Settings, right-click Mobile Services and then click Properties. The following illustration shows the Mobile Services Properties dialog box.

  3. In Mobile Services Properties, under Exchange ActiveSync, select the check boxes for the options you wish to enable for your organization. You can then use Active Directory Users and Computers to enable or disable specific users or groups, if desired.

  4. Click OK to save your settings.

Exchange ActiveSync can also be disabled for individual users or groups by using Active Directory Users and Computers.

Disabling User-Initiated Synchronization for Users or Groups

With User-Initiated Synchronization enabled on the organizational level, you can control the capability of individual users or groups to use Exchange ActiveSync to synchronize with their Exchange mailbox by using mobile devices. Use the Active Directory Exchange Features tab to disable this functionality for individual users or for groups.

To disable user-initiated synchronization

  1. On the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, expand the domain. Double-click Users, or double-click the node that contains the recipient information that you want to modify.

  3. In the details pane, double-click the user or users for whom you want to disable user-initiated synchronization to open the Properties dialog box. The following illustration shows the Mobile Services Properties dialog box.

  4. On the Exchange Features tab, under Mobile Services, select User Initiated Synchronization, and then click Disable.

  5. Click Apply.

  6. Click OK.

Enable or Disable Up-to-date Notifications

The Enable Up-to-date Notifications feature is on by default in Exchange ActiveSync at the organizational level. If your mobile messaging solution includes mobile devices that do not support direct push technology, make sure to enable this feature for users or for groups that have Windows Mobile-based devices without MSFP. You can enable or disable Up-to-date Notifications by using Active Directory Users and Computers.

Note

To use up-to-date notifications, you must also enable user-initiated synchronization.

To enable or to disable up-to-date notifications

  1. On the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, expand the domain. Double-click Users, or double-click the node that contains the recipient information that you want to modify.

  3. In the details pane, double-click the user name of the user for whom you want to enable or disable up-to-date notifications.

  4. On the Exchange Features tab, under Mobile Services, select User Initiated Synchronization, and then click Enable or Disable.

Note

When User Initiated Synchronization is disabled, Up-to-date Notifications is automatically disabled.

  5. If you want to enable Up-to-date Notifications, on the Exchange Features tab, under Mobile Services, select Up-to-date Notifications, and then click Enable.

  6. Click Apply.

  7. Click OK.

Configuring Security Settings for Mobile Devices

You can specify security options for your users who connect to Exchange Server by using mobile devices. With the Exchange System Manager, you can set the length and the strength of the password, the amount of inactivity time, and the number of failed attempts that can occur before the mobile device is wiped.

For more information about setting security policies, see "Best Practice: Determine and Deploy a Device Password Policy" in Best Practices for Deploying a Mobile Messaging Solution.

Note

The term password that is referenced in this topic refers to the password that a user enters to unlock his or her mobile device. It is not the same as a network user password.

Note

The Wipe device after failed option is off by default.

The following table presents the options you can use to set your security policies.

| Security Option | Description |
| --- | --- |
| Minimum password length (characters) | Use this option to specify the required length of the user's password for his or her mobile device. The default setting is 4 characters. You can specify a password length of 4 to 18 characters. |
| Require both numbers and letters | Use this option if you want to require that users choose a password that contains both numbers and letters. This option is not selected by default. |
| Inactivity time (minutes) | Use this option to specify whether your users must log on to their mobile devices after a specified number of minutes of inactivity. This option is not selected by default. If selected, the default setting is 5 minutes. |
| Wipe device after failed (attempts) | Use this option to specify whether you want the device memory wiped after multiple failed logon attempts. This option is not selected by default. If selected, the default setting is 8 attempts. |
| Refresh settings on the device (hours) | Use this option to specify how often you want to send a provision request to mobile devices. This option is not selected by default. If selected, the default setting is every 24 hours. |
| Allow access to devices that do not fully support password settings | Select this option if you want to allow mobile devices that do not fully support the device security settings to be able to synchronize with Exchange. This option is not selected by default. |

Note

If the Allow access to devices that do not fully support password settings option is not selected, users that use mobile devices that do not fully support device security settings (for example, devices that do not support provisioning) will receive a 403 error message when they attempt to synchronize their mobile devices with Exchange.
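Before deciding whether to allow such devices or add their owners to the exceptions list, it helps to know which users and devices are actually receiving the 403 response. The following Python sketch is an added example, not part of the original documentation: it counts 403 responses per user and device in an IIS W3C extended log. It assumes that the cs-uri-stem, cs-uri-query and sc-status fields are logged and that device requests to /Microsoft-Server-ActiveSync carry User, DeviceId and DeviceType in the query string; the log lines are constructed sample data.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log in IIS W3C extended format (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2010-06-02 08:01:10 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=DEV0001&DeviceType=PocketPC&Cmd=Sync 200
2010-06-02 08:02:41 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=DEV0002&DeviceType=SmartPhone&Cmd=Sync 403
2010-06-02 08:07:41 POST /Microsoft-Server-ActiveSync User=Bob&DeviceId=DEV0002&DeviceType=SmartPhone&Cmd=Sync 403
2010-06-02 08:09:03 POST /Microsoft-Server-ActiveSync User=carol&DeviceId=DEV0003&DeviceType=PocketPC&Cmd=FolderSync 403
2010-06-02 08:09:30 GET /exchange/ - 403
2010-06-02 08:10:12 OPTIONS /Microsoft-Server-ActiveSync - 200
"""

ACTIVESYNC_STEM = "/microsoft-server-activesync"


def blocked_devices(log_text):
    """Count 403 responses per (user, device id, device type) for ActiveSync requests."""
    fields = []
    hits = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can change mid-file, so re-read it each time it appears.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != ACTIVESYNC_STEM:
            continue  # a 403 on another virtual directory is unrelated to device policy
        if row.get("sc-status") != "403":
            continue
        # IIS logs an empty query string as "-", which parses to an empty dict.
        query = {k.lower(): v[0] for k, v in parse_qs(row.get("cs-uri-query", "")).items()}
        key = (query.get("user", "-").lower(),
               query.get("deviceid", "-"),
               query.get("devicetype", "-"))
        hits[key] += 1
    return hits


def report(log_text):
    """Return the blocked devices as a list, most frequently refused first."""
    return sorted(blocked_devices(log_text).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (user, device_id, device_type), count in report(SAMPLE_LOG):
        print(f"{user:10} {device_id:10} {device_type:12} 403 x {count}")
```

A 403 can have causes other than the device security policy, so treat each entry as a candidate to confirm with the user before changing the policy or the exceptions list.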

To configure security settings for mobile devices

  1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.

  2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties.

  3. In Mobile Services Properties, click Device Security.

  4. To specify the device security options, select Enforce password on device, and then configure the options according to the policies that you have set. The following illustration shows the Device Security Settings dialog box.

  5. Click OK.

Specifying Users Who are Exempt from Device Security Settings

You can specify the users whom you want to be exempt from the settings that you have configured in the Device Security Settings dialog box. This exceptions list is useful if you have specific, trusted users for whom you do not need to require device security settings.

To add or to remove users who are exempt from device security settings

  1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.

  2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties.

  3. In Mobile Services Properties, click Device Security.

  4. In Device Security Settings, click Exceptions.

  5. Use the options in the Device Security Exception List dialog box to select the user or the group of users whom you want to be exempt from settings that you have configured in the Device Security Settings dialog box.

  6. To specify that a user be exempt from device security settings, click Add. The following illustration shows the Select User dialog box.

  7. In Select User, specify a user or group of users, and then click OK. For information about how to specify users, in the Select Users dialog box, click ? in the title bar, and then click the option you want to learn more about.

  8. To remove a user from the list of users who are exempt from device security settings, in the Users list box, select the user that you want to remove, and then click Remove.

  9. Click OK.

Monitoring Mobile Performance on Exchange Server 2003 SP2

To track the performance, availability, and reliability of Exchange ActiveSync and other mobile messaging components, you can use the Exchange Server Management Pack. The Exchange Server Management Pack includes rule and script components that validate the availability of communication services, send test e-mails to verify operations, and measure actual delivery times.

With Exchange Server 2003 SP2, the following new rules were added:

  • Exchange database size limits
  • Exchange ActiveSync configuration settings
  • Exchange ActiveSync Up-to-Date Notifications performance
  • Exchange ActiveSync errors
  • Monitor intelligent message filtering performance
  • Intelligent message filtering for errors
  • Sender ID configuration errors
  • Sender ID errors
  • Disk read/write performance
  • DSAccess settings
  • Public folder replication

The Exchange Management Pack Configuration Wizard provides a graphical user interface (GUI) to configure Exchange 2000 and Exchange 2003 Management Packs, including test mailboxes, message tracking, and monitoring services.

You can download the Exchange Management Pack from the Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=55885.

The Exchange Server Management Pack Guide for MOM 2005 explains how to use the Exchange Management Pack to monitor and maintain messaging resources.

You can download the management pack guide from the Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=58794.