Mobile Messaging with Exchange Server 2007 – Part 2: Managing Mobile Devices

If you missed the first part of this article series please read Mobile Messaging with Exchange Server 2007 – Part 1: New Device Features and Improvements.

Introduction

In part one of this two part article series on mobile messaging with Exchange Server 2007, we uncovered the new mobile device features and improvements available with a combination of Windows Mobile 6.0 devices and Exchange Server 2007. In this part two we’ll take a look at the new features and improvements that have been made available when it comes to managing mobile devices and Exchange ActiveSync enabled mailboxes.

Exchange ActiveSync (EAS) is enabled by default after an Exchange 2007 Client Access Server (CAS) has been deployed in your organization. In addition, EAS is enabled for all user mailboxes. This means that once you apply an SSL certificate that’s trusted by the mobile devices to the Default Web Site in IIS, your mobile device users can create an EAS profile and immediately begin to synchronize the device with their respective mailbox. Like Exchange 2003, Exchange 2007 still uses the virtual directory called Microsoft-Server-ActiveSync in IIS as the connection point for the mobile devices.

Although not much has changed when it comes to direct push, I thought it would be a good idea to refresh your memory (just in case). Figure 1 below shows you how an Exchange 2007 CAS server communicates with a Windows Mobile 5.0 with MSFP or 6.0 device.


Figure 1: Direct Push Technology Behind the Scenes

As you can see, direct push works by keeping an HTTPS connection alive between a mobile device and the Exchange 2007 CAS. Because the direct push technology uses long-standing HTTPS requests, it’s important that both your mobile carrier and your firewall are configured with a time-out value of 15 to 30 minutes. If a shorter time-out value is configured, the device will initiate new HTTPS requests much more frequently, which not only can shorten battery life on your device but can also be more expensive, since more data will be transferred. If the firewall solution in your organization is based on ISA Server 2004 or 2006, follow the steps mentioned in MS KB article 905013.

Note
For in-depth coverage of direct push, see this article from my Exchange 2003 Mobile Messaging series.

Exchange ActiveSync Policies

Unlike Exchange Server 2003 where the mobile device security policy settings were applied to all EAS users in the Exchange organization (except those added to the exception list), Exchange Server 2007 supports multiple EAS mailbox policies. This allows you as an Exchange administrator to assign EAS mailbox policies to sets of users, for example at a country or department level, or even based on distribution group membership.

In order to create an EAS mailbox policy using the Exchange Management Console (EMC), select the Client Access node under Organization Configuration in the navigation tree. Now click New Exchange ActiveSync Mailbox Policy in the Action pane as shown in Figure 2.


Figure 2: New Exchange ActiveSync Mailbox Policy action

The New Exchange ActiveSync Mailbox Policy wizard will appear (Figure 3). We now need to specify a name for the policy, and then select whether or not non-provisionable devices should be allowed to synchronize. What this basically means is whether legacy devices that don’t support the AutoDiscover service should be allowed to connect to the Exchange 2007 Client Access Server (CAS) and synchronize. In addition, we can specify whether downloading attachments to a device should be allowed.


Figure 3: New Exchange ActiveSync Mailbox Policy Wizard

Next we have to specify the password configuration settings. Several of these should be familiar to those of you who have deployed mobile messaging solutions based on Exchange Server 2003 SP2.

Require alphanumeric password

Enable this option to require a strong alphanumeric password that contains both numeric and non-numeric characters.

Enable password recovery

Enabling this option enables password recovery for the mobile device. Users can look up the recovery password using Outlook Web Access (OWA) 2007 in order to unlock their device. In addition, you as the Exchange administrator can look up the recovery password via the EMC.

Require encryption on device

Enabling this option will require a device to be encrypted, which will increase the security on the device significantly. All information including any data held on the storage card will be encrypted.

Allow simple password

Enabling this option will allow users to use simple numeric passwords such as 8888.

Minimum password length

Enabling this option will allow you as an Exchange administrator to specify a minimum password length. Bear in mind that the longer the password is the more the security is increased, but this will also decrease device usability.

Time without user input before password must be re-entered (in minutes)

By enabling this option you as an Exchange administrator will have the option of specifying after how many inactive minutes the device should be locked and thereby require a password the next time the device is used. Setting this value too low will also affect device usability, so use it wisely.

Password expiration

Enabling this option will allow you as the Exchange administrator to specify after how many days a password will expire. Don’t set this value too low as this will inspire the users to use weak passwords.

Enforce password history

Finally we have the option of enabling password history, thereby forcing users to use new passwords when the old ones expire.

When you have decided which values you want to set in your particular EAS mailbox policy, click New and voila the policy has been created as shown in Figure 4.


Figure 4: New Exchange ActiveSync Mailbox Policy listed in Exchange Management Console

By default an EAS policy will allow any mailbox user to which the particular policy has been assigned, to access documents on Windows file shares and SharePoint servers on the internal network. In order to deny users access to these documents from a Windows mobile device, open the property page for the policy, then de-select Windows File Shares and Windows SharePoint Services on the General tab (Figure 5) and then click OK. As you can see, any other settings originally configured in the EAS policy can be changed from the Property page too, if required.


Figure 5: Property Page of EAS Policy
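
The wizard and property page settings described above can also be set from the Exchange Management Shell. The following is an added example, not part of the original article: the policy name and every value in it are illustrative assumptions, and the second half lists any existing policy that still carries a weak setting.

```powershell
# Added example for the Exchange 2007 Management Shell (PowerShell 1.0 syntax).
# The policy name and all values below are illustrative assumptions.
$policyName = 'Example - Hardened Devices'

New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -AttachmentsEnabled $true `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -PasswordRecoveryEnabled $true `
    -DeviceEncryptionEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5 `
    -UNCAccessEnabled $false `
    -WSSAccessEnabled $false

# Review every policy in the organization and list the settings that weaken it.
Get-ActiveSyncMailboxPolicy | ForEach-Object {
    $weak = @()
    if (-not $_.DevicePasswordEnabled)   { $weak += 'no device password required' }
    if ($_.AllowSimpleDevicePassword)    { $weak += 'simple passwords allowed' }
    if (-not $_.DeviceEncryptionEnabled) { $weak += 'no device encryption' }
    if ($_.AllowNonProvisionableDevices) { $weak += 'non-provisionable devices allowed' }
    if ($_.UNCAccessEnabled)             { $weak += 'Windows file share access' }
    if ($_.WSSAccessEnabled)             { $weak += 'SharePoint access' }
    if ($weak.Count -gt 0) {
        # [string]::Join is used because the -join operator needs PowerShell 2.0
        '{0}: {1}' -f $_.Name, [string]::Join(', ', $weak)
    }
}
```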

Now that we have created the EAS policy, the next step is to apply it to the respective mailboxes within the organization. This is done by opening the property page for the mailbox under the Recipient Configuration work center node. With the property page opened, select the Mailbox Features tab. Under this tab we can enable and disable the different client protocols for the mailbox, but since Exchange ActiveSync is enabled by default, let’s select Exchange ActiveSync and then click the Properties button as shown in Figure 6. On the Exchange ActiveSync property page click Browse, select the EAS policy we just created and then make sure Apply an Exchange ActiveSync mailbox policy is checked. Click OK twice and the EAS policy has been applied to the mailbox.


Figure 6: Applying the EAS Policy to a User Mailbox

If you need to apply an EAS policy to, let’s say, hundreds or thousands of users, you would need to use the Set-CASMailbox cmdlet in the Exchange Management Shell (EMS). For example, to apply the above EAS policy to all mailbox users, run the following command:

Get-Mailbox | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Exchange Hosting – General").Identity
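
Assigning a policy to one set of users rather than to everyone, based on distribution group membership as mentioned earlier, could look like the following. This is an added example, not part of the original article; the group and policy names are hypothetical placeholders, and the last command lists EAS-enabled mailboxes that have no policy assigned at all.

```powershell
# Added example for the Exchange 2007 Management Shell (PowerShell 1.0 syntax).
# Group and policy names are hypothetical placeholders.
$groupName  = 'Example Field Staff'
$policyName = 'Example - Hardened Devices'

$policy = Get-ActiveSyncMailboxPolicy -Identity $policyName
if (-not $policy) { throw "Policy '$policyName' not found." }

# Only mailbox-enabled members can carry an EAS policy;
# contacts and nested groups are skipped.
$members = Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }

foreach ($m in $members) {
    # -WhatIf only reports what would change; remove it to apply the policy.
    Set-CASMailbox -Identity $m.DistinguishedName `
        -ActiveSyncMailboxPolicy $policy.Identity -WhatIf
}

# Mailboxes that can synchronize over EAS but have no policy assigned.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled
```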

Managing Mobile Devices

The first time a user synchronizes his mobile device with his mailbox using EAS, a mobile device partnership is established. When the partnership has been established, a new option called Manage Mobile Device is added to the context menu. This appears when right-clicking on a mailbox-enabled user beneath the Recipient Configuration work center as shown in Figure 7.


Figure 7:  Manage Mobile Device option in Context Menu

When selecting Manage Mobile Device, the Manage Mobile Device wizard (Figure 8) is launched. Here you can see the mobile devices that have an established partnership with the respective user mailbox. Under Additional device information you can see when the first synchronization occurred, when the last device wipe was sent, the acknowledge time for the device wipe, when the device was last updated with a policy as well as the last ping heartbeat in seconds (this should be between 15-30 minutes depending on how keep alive sessions have been configured at your mobile service provider and on your firewall). Finally you can (if enabled) see the recovery password here.

Under Action you have the option of either removing (aka deleting) a mobile device partnership or performing a remote wipe of a mobile device. Performing a remote wipe of a mobile device will delete any data held in memory as well as on the storage card. Said another way, the device will be reset to its factory defaults.

Note:
Deleting a mobile device partnership will not delete any data on the mobile device itself. And next time a user tries to synchronize a device with his mailbox, a new partnership will be established.


Figure 8: Manage Mobile Device Wizard

If you want to view mobile device and Exchange ActiveSync statistics for a user by using the EMS, you can do so with the Get-ActiveSyncDeviceStatistics cmdlet. For example, to get EAS statistics for a mailbox with an alias of HEW, we would need to type:

Get-ActiveSyncDeviceStatistics -Mailbox hew

This would give us the information shown in Figure 9.


Figure 9: Mobile Device Partnerships for a User Mailbox

Note
If you want to view statistics for a specific partnership, you would need to specify the identity string instead of the mailbox alias.

As you can see in Figure 10, the recovery password is replaced with asterisks. If you want to show the recovery password, add the -ShowRecoveryPassword $True parameter to the command we ran above.

To remove a partnership, use the Remove-ActiveSyncDevice -Identity <DeviceID> cmdlet.


Figure 10: Removing a Mobile Device Partnership using the Exchange Management Shell

To remote wipe a device use Clear-ActiveSyncDevice -Identity <DeviceID> as shown in Figure 11.


Figure 11: Remote Wiping a Mobile Device using the Exchange Management Shell
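
The per-mailbox statistics shown above can be collected for every mailbox with a device partnership, to find wipes that were sent but never acknowledged, partnerships that no longer synchronize, and heartbeat intervals shorter than the 15 minutes discussed in the direct push section. This is an added example, not part of the original article; the 900-second and 60-day thresholds are assumptions.

```powershell
# Added example for the Exchange 2007 Management Shell (PowerShell 1.0 syntax).
# Thresholds are assumptions: 900 s is the 15-minute lower bound mentioned in
# the article, 60 days is an arbitrary cut-off for stale partnerships.
$minHeartbeat = 900
$staleBefore  = (Get-Date).AddDays(-60)

$report = Get-CASMailbox -ResultSize Unlimited `
        -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $mbx = $_.Name
        Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity | ForEach-Object {
            $flags = @()
            if ($_.DeviceWipeSentTime -and -not $_.DeviceWipeAckTime) {
                $flags += 'wipe sent, not acknowledged'
            }
            if (-not $_.LastSuccessSync -or $_.LastSuccessSync -lt $staleBefore) {
                $flags += 'stale partnership'
            }
            if ($_.LastPingHeartbeat -and $_.LastPingHeartbeat -lt $minHeartbeat) {
                $flags += 'short heartbeat (check firewall/carrier time-out)'
            }
            # The recovery password is deliberately left out of the report.
            $_ | Select-Object @{Name = 'Mailbox'; Expression = { $mbx }},
                DeviceType, DeviceID, LastSuccessSync, LastPingHeartbeat,
                @{Name = 'Flags'; Expression = { [string]::Join('; ', $flags) }}
        }
    }

# Show only the partnerships that need attention.
$report | Where-Object { $_.Flags } | Sort-Object Mailbox | Format-Table -AutoSize
```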

Self-Service Management

In order to reduce the load that Windows Mobile device incidents place on helpdesk staff in an organization, the Exchange Product group has also come up with a self-service management feature, allowing a user to manage a device partnership himself if required. These self-service features have been integrated directly into the OWA 2007 UI as shown in Figure 12. As you can see, the mobile device management features are accessed via the Options page.

Basically a user can view and perform the same things from within OWA as the Exchange administrator can from the Manage Mobile Device wizard in the Exchange Management Console.


Figure 12: Mobile Device Self-Service Management from within OWA 2007

The user can even retrieve the recovery password for a device (Figure 13) should he for some reason have forgotten it.


Figure 13: Retrieving Recovery Password in OWA 2007

Conclusion

As you have seen throughout this article, the Exchange Product group have focused a lot on improving the mobile device/user features in Exchange Server 2007. We can now create multiple Exchange ActiveSync mailbox policies as well as perform all mobile device management directly from within the Exchange Management Console or Exchange Management Shell. Lastly the mobile device users themselves have the option of performing self-service management from OWA 2007 so that the load of incidents sent to the helpdesk staff is reduced.
