Communications
Explore New Mobile Messaging Capabilities with Exchange 2007
Yee-Chen Tjie
 
At a Glance:
  • Mobile device configuration
  • Policy enforcement
  • Advanced messaging
  • Mobile file access

Only a few years ago accessing corporate e-mail while away from your desktop computer was an uncommon and complex task. Today, not only do people expect to have remote e-mail access, but it’s not unusual to see someone at the local coffee shop with a mobile messaging device. Mobile messaging has changed the way people work. It has enabled the nomadic employee to become more efficient at getting work done while away from the office.
Yet with these recent advancements in mobile messaging technology, the security of mobile devices has become a concern. Companies are looking for better ways to protect sensitive business data residing on mobile devices.
The introduction of Exchange Server 2003 and a technology called Exchange ActiveSync® provided the capability for a Windows Mobile® device (Pocket PC phone or Smartphone) to connect securely to Exchange Server 2003 using HTTPS. However, mobile device management was lacking. With the release of Exchange Server 2003 Service Pack 2 (SP2) and the Messaging and Security Feature Pack (MSFP) on Windows Mobile 5.0, setting a global policy affecting all Windows Mobile devices connecting to Exchange became possible. These policies allowed for mandatory PINs of a specified length, inactivity timeouts before requiring PIN entry, and device wipe after a specified number of failed PIN attempts.
Exchange Server 2003 SP2 also added the capacity for remote wipe with the Exchange Mobile Admin Tool, shown in Figure 1. This tool offered administrators the ability to issue a wipe command for a lost Windows Mobile device. The next time the device connected to Exchange, the device would perform a hard reset, erasing all content in the device’s memory.
Figure 1 Exchange Mobile Admin Tool for wiping devices
Although this was a good start in mobile device management and security, there remained a number of security requirements left to address. Exchange Server 2007 helps to fill these gaps.

Device Configuration and Enforcement
Exchange ActiveSync is enabled by default for all mailbox users in Exchange Server 2007. If you want this feature enabled for only a subset of users, start out by disabling it for all users. The Exchange Management Console does not let you disable ActiveSync for a group of users at once, but it’s easy to do using an Exchange Management Shell command such as this one:
Get-Mailbox -Server <servername> | Set-CASMailbox -ActiveSyncEnabled $false
This command retrieves all mailboxes on an Exchange 2007 server and pipes them to a Set-CASMailbox command that disables ActiveSync for every existing mailbox on that server.
The next step involves the construction of Exchange Mailbox ActiveSync policies for your organization. The number of policies constructed will depend on the varied security profiles of your users. For example, a financial analyst who receives sensitive financial information in e-mail may need to have a more stringent security device policy than a general user.
To configure the ActiveSync policy, go to the Exchange Management Console navigation tree and select Client Access under the Organizational Configuration container. In the Actions pane, select New Exchange ActiveSync Mailbox Policy.
In the New Exchange ActiveSync Mailbox Policy dialog box, you can create flexible policies with settings that control, for example, whether attachments may be downloaded to a device and whether non-provisionable devices are allowed (see Figure 2). Provisionable devices are Windows Mobile devices that are capable of applying and enforcing the specified policy. Non-provisionable devices are those that can only apply a subset of the policy (or none at all).
Figure 2 Exchange Server 2007 ActiveSync mailbox policies
Other features include the ability to configure settings for encryption and password recovery. If the Require encryption on the device option is turned on, all files on the device’s storage cards will be encrypted. The Enable password recovery option allows a user to retrieve the device PIN through Outlook® Web Access 2007.
Consider your password policies for devices very carefully before applying them. Long, complex PINs provide better security, but may make devices more difficult to use. A good balance between security and usability is the key in determining both password strength and the timeout period before a PIN is required. Turning on the Password expiration and Enforce password history options can also increase security, but might frustrate users if keeping track of passwords and PINs becomes too complex.
Exchange Server 2007 ActiveSync mailbox policies help improve device security, but some of these features require Windows Mobile 6.0, which is just becoming available on devices as we go to press. Of the features shown in Figure 2, Require encryption on device, Enforce password history, and Password expiration (days) all require the new version. However, you can still take advantage of the new Exchange Server 2007 flexible policies to target users whose devices have Windows Mobile 5.0 installed.
Once your policies are defined, you can apply them to users. In the Exchange Management Console, go to Recipient Configuration and select Mailbox. Choose the mailbox user you want to enable for an ActiveSync policy and select Properties from the Actions pane. Go to the Mailbox Features tab and double-click Exchange ActiveSync. In the Exchange ActiveSync Properties box, click the Browse button and select the ActiveSync policy you want applied to the user (see Figure 3). You can repeat the same steps to apply different policies to different users, or you can pipe a set of mailboxes (for example, the output of Get-Mailbox) into the following Exchange Management Shell command to apply a policy to a group of users:
Set-CASMailbox -ActiveSyncMailboxPolicy <policyname>
Figure 3 Applying ActiveSync mailbox policy
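The whole procedure above (disable ActiveSync everywhere, build one policy per security profile, then re-enable and assign per group) as a single Exchange Management Shell script. This is an added example, not code from the article or from Microsoft; the server name, the OU paths, the policy names and the specific PIN/timeout values are assumptions, and the dd.hh:mm:ss syntax used for DevicePasswordExpiration is assumed to be what the cmdlet accepts.

```powershell
# Added example (not from the article). Placeholders: <servername>, OU paths,
# policy names and the numeric settings are all assumed values.
$server = "<servername>"

# Step 1: turn ActiveSync off for every mailbox on the server (as the article does).
Get-Mailbox -Server $server -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncEnabled $false

# Step 2: one policy per security profile. PIN length, inactivity lock and
# failed-attempt wipe work on Windows Mobile 5.0 (MSFP); expiration, history
# and storage-card encryption need Windows Mobile 6.0, as the article notes.
New-ActiveSyncMailboxPolicy -Name "General Users" `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 4 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $true `
    -AttachmentsEnabled $true

# Stricter profile for users who receive sensitive data in e-mail.
New-ActiveSyncMailboxPolicy -Name "Finance" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 5 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -DeviceEncryptionEnabled $true `
    -PasswordRecoveryEnabled $true `
    -AllowNonProvisionableDevices $false `
    -AttachmentsEnabled $false

# Step 3: re-enable ActiveSync only for the users who need it, assigning the
# policy that matches their profile. Selecting by OU is an assumed structure;
# any Get-Mailbox filter that yields the right group works the same way.
Get-Mailbox -OrganizationalUnit "contoso.com/Users/Finance" -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy "Finance"

Get-Mailbox -OrganizationalUnit "contoso.com/Users/Staff" -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy "General Users"

# Verification: anyone still enabled without a policy is a gap to close.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Format-Table Name, ActiveSyncMailboxPolicy -AutoSize
```

Disabling first and then enabling per group is deliberate: a mailbox created later on this server starts out ActiveSync-enabled with no policy, so the final Get-CASMailbox listing is the check worth repeating after provisioning runs.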
The final step is to train your end users and help desk. Tell your end users that a PIN of specified length will be required on their devices when they connect to Exchange Server 2007 (see Figure 4). Educate them on the security policies applied to them so they don’t view these changes as a hindrance to their daily work.
Figure 4 ActiveSync mailbox policy requires a PIN 
You’ll also want to make them aware of a new capability in Exchange Server 2007—self-service remote wipe using Outlook Web Access 2007. If a user loses his device, he can initiate a wipe of the device through the Options link in Outlook Web Access—without contacting the help desk (see Figure 5). This can be quite useful if a device is lost outside of regular work hours.
Figure 5 Managing a device through Outlook Web Access
Finally, show your help desk how to remote-wipe devices. This is easily done by opening the Exchange Management Console, navigating to Recipient Configuration, and selecting Mailbox. From there, you choose the users you want to initiate the wipe for and select Manage Mobile Device from the Actions pane. The Manage Mobile Device interface is shown in Figure 6. Note that a user could have more than one Windows Mobile device connecting to Exchange 2007, so be careful to select the right one when initiating wipes.
Figure 6 Wiping a user’s device remotely
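The help-desk wipe described above, done from the Exchange Management Shell rather than the console, with the multiple-device caveat handled explicitly. This is an added example, not code from the article or from Microsoft; the user alias, the DeviceId and the notification address are placeholders, and the exact set of properties reported by Get-ActiveSyncDeviceStatistics is assumed.

```powershell
# Added example (not from the article). <useralias>, <deviceid> and the
# notification address are placeholders.
$user = "<useralias>"

# A user can have more than one Windows Mobile partnership. List them all and
# identify the lost device by DeviceId/DeviceType and its last successful sync
# before issuing anything.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $user
$devices | Format-Table DeviceType, DeviceId, LastSuccessSync, DeviceWipeRequestTime -AutoSize

# Select exactly one partnership by DeviceId taken from the listing above.
$lost = $devices | Where-Object { $_.DeviceId -eq "<deviceid>" }
if ($lost -eq $null) {
    throw "No ActiveSync partnership with that DeviceId exists for $user"
}

# Queue the wipe. The device hard-resets the next time it connects to
# Exchange; the notification address receives mail once the device acknowledges.
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "helpdesk@contoso.com" `
    -Confirm:$false

# Track the lifecycle: the request time is set immediately, the sent time when
# the device next connects, and the ack time when the device confirms the reset.
Get-ActiveSyncDeviceStatistics -Mailbox $user |
    Where-Object { $_.DeviceId -eq $lost.DeviceId } |
    Format-List DeviceType, DeviceId, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Filtering on DeviceId rather than wiping everything returned for the mailbox is the point: a user who also syncs a second, still-in-hand device would otherwise lose it too.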

E-Mail Handling and Search
Windows Mobile 6.0 lets you read e-mail in HTML format, set out-of-office notifications (see Figure 7), and flag e-mail messages. When e-mail messages are flagged on a Windows Mobile 6.0 device, they are treated the same as when you flag an e-mail in Outlook. Instead of marking e-mail messages as unread for you to follow up, you can now flag them and use the advanced capabilities of Outlook to follow up when you’re back at your desk. Reading e-mail in HTML provides a benefit not just to the mobile device user, but also to other recipients of the e-mail thread. When you reply to an e-mail using Windows Mobile 6.0, the e-mail isn’t converted to basic text, thus improving the experience of the other e-mail recipients who are also using Outlook.
Figure 7 Out-of-office message  
Significant enhancements have been made to the calendaring features with Windows Mobile 6.0. You can now forward, reply, or reply all within a calendar entry, as well as see the acceptance status of all invitees.
Windows Mobile 6.0, used in conjunction with Exchange Server 2007, provides two new capabilities related to search and mobile document access. One of the challenges of using mobile devices is limited storage capacity. Because of this, many users only keep e-mail on their devices for one to three days. Users often also elect to grab e-mail messages from only one folder of their Inbox. Such a minimalist approach can be a problem when you want to access older messages or messages that are stored in different folders in your mailbox.
With Windows Mobile 6.0, a user can execute an over-the-air search across his entire mailbox via the Exchange Server 2007 search-and-index engine. An e-mail search can be initiated based on keywords across multiple folders (see Figure 8). A real-time fetch of the e-mail messages from the results of the search can then be performed.
Figure 8 Over-the-air e-mail search 

Mobile Document Access
With the growth of document collaboration software, such as SharePoint®, and limits on the maximum e-mail sizes allowed for transport, end users are attaching fewer documents to e-mail and sending more links to file shares and SharePoint sites. Unless you can connect to your corporate network through a virtual private network (VPN), accessing these documents via a mobile device might seem impossible. For the nomadic worker, this could be a hindrance.
Windows Mobile 6.0 and Exchange Server 2007 enable users to access their data by way of UNC file shares and SharePoint sites, which can be made accessible in read-only mode. Exchange Server 2007 can proxy requests for these documents on behalf of the Windows Mobile device (see Figure 9). Even without a VPN connection to the corporate network, users are not limited to accessing only documents attached to e-mail messages; instead they can get to any document that resides in file shares or SharePoint sites.
Figure 9 Document access via UNC links 
To administer Mobile Document Access, open the Exchange Management Console and select Client Access under Server Configuration in the navigation tree. Then go to the ActiveSync tab, select the Microsoft-Server-ActiveSync object, and click Properties in the Actions pane. Under the Remote File Servers tab, you can configure the allow list and block list for hostnames of SharePoint sites and file servers.
Once this is done, go back to your Exchange ActiveSync mailbox policy and make sure that the checkboxes for Windows® File Shares and Windows SharePoint Services are checked (Figure 10).
Figure 10 Enabling document access
Now you are on your way to providing better document access for all your Windows Mobile device users.
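The same two configuration steps (the server-side allow and block lists on the ActiveSync virtual directory, then the file-share and SharePoint switches on the mailbox policy) from the Exchange Management Shell. This is an added example, not code from the article or from Microsoft; the Client Access server name, the host names and the policy name are placeholders.

```powershell
# Added example (not from the article). <casservername>, the host names and
# the policy name are placeholders.
$vdir = Get-ActiveSyncVirtualDirectory -Server "<casservername>"

# Server side: Exchange proxies document requests on behalf of the device, so
# restrict which hosts it will proxy to. Unknown hosts are blocked outright.
Set-ActiveSyncVirtualDirectory -Identity $vdir.Identity `
    -RemoteDocumentsAllowedServers "sharepoint.contoso.com", "files.contoso.com" `
    -RemoteDocumentsBlockedServers "hr-archive.contoso.com" `
    -RemoteDocumentsActionForUnknownServers Block `
    -RemoteDocumentsInternalDomainSuffixList "contoso.com"

# Policy side: document access is granted per policy, so only mailboxes under
# this policy (assigned earlier with Set-CASMailbox) can reach the links.
Set-ActiveSyncMailboxPolicy -Identity "Finance" `
    -UNCAccessEnabled $true `
    -WSSAccessEnabled $true

# Verify both halves; a host missing from the allow list, or a policy with
# either switch still $false, explains the most common "link won't open" report.
Get-ActiveSyncVirtualDirectory -Server "<casservername>" | Format-List RemoteDocuments*
Get-ActiveSyncMailboxPolicy -Identity "Finance" | Format-List UNCAccessEnabled, WSSAccessEnabled
```

Setting RemoteDocumentsActionForUnknownServers to Block turns the allow list into the complete set of reachable hosts, which is the safer default for a proxy that runs from the Client Access server without a VPN.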

Summary
In today’s world of remote workers, Windows Mobile devices offer powerful ways to access information anytime, anywhere. Security and management of mobile devices have become major concerns for IT departments. Exchange Server 2007, together with Windows Mobile 6.0, eases the creation and targeting of policies for Windows Mobile devices that can help mitigate these problems as well as provide a foundation for new capabilities for remote workers.
Resources for Windows Mobile
There are a number of resources available for you to learn more about Exchange Server 2007 deployment and Windows Mobile Messaging.


Yee-Chen Tjie is a Technology Specialist for Microsoft in the New England region. He focuses on mobility and unified communication solutions.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.