CIOs and IT professionals realize that business users increasingly rely on personal smartphones and tablets to do their work, both at the office and at home. Recent studies show that email is the most widely used mobile client application in businesses and users increasingly expect the same level of features and functionality they get on PCs.
Read this white paper to learn how Samsung smartphones and tablets are designed to meet enterprise productivity and security needs.
White Paper: Anytime, anywhere secure email access with Samsung mobile devices
Helping business users increase efficiency with best-in-class email and PIMS
Contents
Executive summary
Introduction
Protect corporate data and information by enabling anytime, anywhere secure access
Get the most from Exchange Server and Office 365 with a comprehensive mobile implementation of Exchange ActiveSync
Provide device management and provisioning with Exchange Server and Office 365 features and policies
Use case: Using basic device management
Increase users’ productivity by improving the user experience with new features
Appendix
Appendix 1: Comparing Exchange ActiveSync implementations
Appendix 2: Samsung security features for email
Appendix 3: Supported feature and policy lists by Exchange Server version
Appendix 4: Supported Exchange ActiveSync Feature and Policy Descriptions
Acronyms
References and links
Legal disclaimer
This material is intended only for SAMSUNG’s customers and provided for information purpose only.
Nothing in this material shall be construed as an advertisement of SAMSUNG’s products and services.
The contents in this material are delivered on an “as-is” basis, and SAMSUNG does not warrant that
the products, services, features and contents set forth in this material will be error-free. SAMSUNG
disclaims all warranties, express or implied, including any warranties of accuracy, completeness and
non-infringement. Samsung further disclaims any and all liability for the acts, omissions and conduct
of any third party in connection with the use of this material. Samsung reserves the right to make
changes to its products and services and the contents of this material at any time, without prior notice.
Please do not i) disseminate this material to third parties, or ii) use this material for your own
advertisement purpose.
Executive summary
CIOs and IT professionals recognize that business users increasingly rely on personal smartphones
and tablets to do their work—both on the job and during off-hours. Recent studies show that email is
the most widely used mobile client application in businesses and users increasingly expect the same
level of features and functionality that they get on their PCs. The challenge for IT is how to improve the
user experience while protecting corporate data. Just as the huge Bring-Your-Own-Device (BYOD) and
Corporate-Owned-Personally-Enabled (COPE) device trends represent potential business productivity
gains, use of personal devices can also expose enterprises to security risks.
Samsung smartphones and tablets are designed to meet enterprise productivity and security needs
in today’s increasingly mobile business environment. Samsung offers best-in-class email and Personal
Information Management Services (PIMS) applications for Microsoft Exchange Server and Office 365
Exchange infrastructures by building on Microsoft Exchange ActiveSync (EAS) protocols.
Security. The Samsung KNOX platform provides robust mobile security options for devices, which can
be configured specifically for business use. Organizations can support email encryption and signing,
Sensitive Data Protection in the KNOX Workspace container, and content management via EAS in email
and PIMS.
Comprehensive EAS implementation. Samsung delivers one of the most comprehensive sets of
features and policies for email and PIMS mobile applications available to enterprise users.
Simple device management. Samsung mobile devices are a good option for enterprises that have
Exchange Server or Office 365 Exchange licenses and need security and basic Mobile Device Management
(MDM). EAS can be easily configured to perform basic MDM functions for Samsung mobile devices.
Superb user experience. Samsung devices are perfectly suited for business environments. With a
user experience that matches or exceeds industry-leading email interface functionality, Samsung
smartphones and tablets can help users increase productivity.
With this finely-tuned set of features and functionality, Samsung email can help improve employees’
work efficiency, enable IT to perform basic device management and provisioning, and give enterprises
the assurance they need in the growing mobile environment.
Samsung’s enhanced email and PIMS features work seamlessly with Samsung KNOX security protection,
MDM solutions, and Microsoft EAS to increase users’ productivity on mobile devices and maintain
security. Samsung’s defense-grade mobile security platform built into its Galaxy devices protects
corporate data and information.
As a result, IT can:
• Protect corporate data and information by enabling anytime, anywhere secure access.
• Take advantage of Samsung’s comprehensive mobile implementation of EAS for Exchange Server
and Office 365 Exchange infrastructures.
• Provide device management and provisioning with Exchange Server and Office 365 Exchange
features and policies.
• Increase users’ productivity by improving the user experience.
Note: This whitepaper covers the Exchange ActiveSync features, policies, and user experience with
Samsung Galaxy S6 phones running Android 5.0. Samsung smartphones and tablets running Android 4.1
and higher support Exchange ActiveSync features and policies, which can be configured for each model
and Android OS version.
Introduction
Business users expect their mobile devices to deliver the same rich email, contacts, and calendar
experience as a PC. But enterprises need to make sure all the data moving across mobile devices
stays secure. With powerful smartphones and tablets, Samsung delivers mobile solutions that protect
enterprise data and keep mobile workers productive.
A 2015 study by IDC showed that email is the most widely used mobile client application in businesses.
Tablet users in 65 percent of U.S. small businesses and in 71 percent of U.S. medium-size businesses
use mobile email, according to the IDC survey. In fact, email is the most popular business application
on tablets, with more than twice the usage when compared to applications for productivity, financial
management, and Enterprise Resource Planning (ERP).
Email on smartphones is also more widely used than other business applications in both small and
medium-size organizations. The same IDC survey showed that 66 percent of U.S. small business workers
and 68 percent of U.S. medium business workers access mobile email applications on smartphones.[1]
A similar survey by Strategy Analytics in 2014 showcased the value of corporate email, finding that
business use of email on smartphones has surpassed voice calls. Personal Information Management
Services (PIMS), such as calendaring and scheduling applications, are also valued. According to the
Strategy Analytics survey, 34.5 percent of business smartphone users and 24.4 percent of business
tablet users regularly access these applications, while 25.4 percent of smartphone users and 22.1 percent
of business tablet users take advantage of contact management applications.[2]
Mobile security
The advent of smartphones and tablets has meant round-the-clock access to business email,
making it easier for employees to respond to work-related demands anytime, anywhere. While
enterprise employees enjoy the freedom and productivity that comes from always being connected,
IT administrators have to deal with the added complexity of protecting corporate intellectual property
on mobile devices that may or may not be corporate owned and controlled.
This challenge has become a mission-critical imperative for IT regardless of industry or organization size.
Most are adopting Bring-Your-Own-Device (BYOD) and Corporate-Owned-Personally-Enabled (COPE)
device policies that give them the measure of control they need. But while BYOD and COPE are a growing
trend, a recent Gartner report[3] found that many CIOs doubt the effectiveness of security measures that
are currently in place. Indeed, security is the most important factor when enterprise decision makers are
determining which mobility solution to adopt, according to another IDC study.[4]
The Samsung KNOX platform helps address these security concerns, providing robust mobile security
options for Android-enabled mobile devices. Samsung enterprise-ready devices meet rigorous security
criteria and are configured specifically for business use, providing features such as email encryption and
signing, Sensitive Data Protection (SDP) with Samsung KNOX Workspace, and content management for
email and PIMS using Exchange ActiveSync.
[1] 2015 U.S. Small and Medium Business (SMB) Mobile Application Usage Survey: How Industry Apps and Tablets Drive SMB Productivity, IDC, April, 2015.
[2] The State of the Business Mobility Market: Key Findings from the 2014 Mobile Workforce Strategies Survey, Strategy Analytics, December, 2014.
[3] Nick Jones, “CIO Attitudes Toward Consumerization of Mobile Devices and Applications,” Gartner, Inc., May 25, 2011. Cited in the Samsung report, “Samsung Mobile Security: Offering Enhanced Core Capabilities for Enterprise Mobility”
[4] The State of Mobile Enterprise Software in 2014: An IDC Survey of Applications, Platforms, Decisions, and Deployments, IDC, June, 2014.
Microsoft Exchange ActiveSync implementation and reinforcement
Microsoft Exchange is by far the most widely used business email system. It’s not surprising then, that
Microsoft Exchange ActiveSync is one of the most widely used methods for managing mobile email.
According to a 2014 IDC survey, 53.2 percent of respondents say their organizations use Exchange
ActiveSync.[5]
Samsung mobile devices support and reinforce the standard Microsoft Exchange ActiveSync protocol by
providing enhanced features and policies, ensuring they are perfectly suited for business environments.
With a user experience that matches or exceeds industry-leading email interface functionality, Samsung
mobile devices help users increase productivity.
Samsung’s enhanced email and PIMS features work seamlessly with Samsung KNOX security protection,
Mobile Device Management (MDM) solutions, and Microsoft Exchange ActiveSync to increase users’
productivity on Samsung Galaxy mobile devices and maintain security.
As a result, IT can:
• Protect corporate data and information by enabling anytime, anywhere secure access.
• Take advantage of Samsung’s comprehensive mobile implementation of Exchange ActiveSync with
Exchange Server and Office 365 Exchange.
• Provide device management and provisioning with Exchange Server and Office 365 Exchange features
and policies.
• Increase users’ productivity by improving the user experience.
[5] The State of Mobile Enterprise Software in 2014: An IDC Survey of Applications, Platforms, Decisions, and Deployments, IDC, June, 2014.
Protect corporate data and information by enabling anytime, anywhere secure access
To meet the need for secure mobile email and to make it safer and easier to do business, Samsung has
strengthened its security capabilities and enhanced the user experience. Samsung’s essential security
technologies ensure that email and PIMS on Samsung mobile devices meet enterprise requirements.
Samsung designed its mobile device platform’s email and PIMS functionality to provide a high level of
security, full implementation capabilities with Exchange ActiveSync, and improved user experience.
Table 1 summarizes Samsung’s comprehensive security features.
Table 1: Samsung security features

Security capability: Email encryption and certificate signing
Implemented with: Key encryption and digital signing through:
• Pretty Good Privacy
• Secure/Multipurpose Internet Mail Extensions (S/MIME)
Enforces encryption and protects encrypted communications between Exchange Server/Microsoft Office 365 and mobile clients.

Security capability: Sensitive Data Protection (SDP)*, available with KNOX Workspace and My KNOX. Protects email and attachments from hacking.
Implemented with: “Sensitive” designation provides additional security:
• SDP Chamber directory automatically marks files as sensitive
• Remains encrypted while Workspace is locked
  o Recoverable only if user enters Workspace password, PIN, or pattern.
  o Recover by using Mobile Device Management (MDM) to unlock data to prevent total data loss if users forget passwords.

Security capability: SmartCard Framework* on the KNOX Platform. Supports smart cards (microUSB, Bluetooth, virtual) to authenticate users, unlock devices, sign/encrypt/decrypt emails, set up VPN tunnels, and access high security apps (e.g., government, military).
Implemented with: Standards-based Public Key Cryptography Standards APIs:
• Allow access to hardware certificates.
• Enable app developers to select from multiple smart card readers.

Security capability: Reinforced Exchange ActiveSync Security. Adds Samsung security to enhance Exchange ActiveSync security.
Implemented with:
Account management:
• Disable POP3/IMAP4 email.
• Allow consumer email.
Attachment file management:
• Allow attachment download.
• Configure email body and attachment file size.
Content management:
• Support for Information Rights Management (IRM).[6]
• Include past email and calendar items (days).
• Configure format and size.

* Samsung proprietary functionality.
[6] Enable persistent protection for messaging content (prohibit ability to print, forward, extract, reply, and reply all).
The Samsung email app supports email encryption and signing through Pretty Good Privacy and Secure/
Multipurpose Internet Mail Extensions (S/MIME), enabling secure communication between enterprise
users’ devices. Figure 1 shows Samsung’s security interface. Also see Appendix 2 for more details.
Figure 1: How Samsung enables security on email client.
Get the most from Exchange Server and Office 365 with a comprehensive mobile implementation of Exchange ActiveSync
Organizations using Exchange Server and Office 365 can manage and configure Exchange ActiveSync
for Samsung mobile devices to reinforce security-related features and policies. In the area of account
management, Samsung supports the ability to disable POP3/IMAP4 email and allow consumer email. In
the area of attachment file management, organizations can decide to allow downloads and can configure
file size. For content management, IT can use Information Rights Management (IRM) to apply persistent
protection to messaging content and configure format and size.
How Samsung implements Exchange ActiveSync
Samsung smartphones and tablets that run on Android 4.1 and higher support Exchange ActiveSync
features and policies that are appropriate for each model and Android OS version. Organizations gain the
benefits of EAS without middleware, IT integration, or monthly service fees.
Figure 2: Samsung implementation of Exchange ActiveSync.
Table 2 details the standard, enhanced and customized features that Samsung provides as part of its
EAS implementation.
[Figure 1 panels: Sending option, Inbox list, Encrypt mail, Signed mail]
[Figure 2 labels: Microsoft Exchange Servers, Corporate Network, Corporate Firewall, Carrier Network, Secure Samsung client on Touch/QWERTY]
Table 2: Samsung support for Exchange ActiveSync features and policies

Columns: Basic Functionality | Enhanced Functionality | Samsung-enhanced functionality (built on EAS and other custom protocols)

Email

Basic Features
Configuration
• Email Sync and Direct Push
• Sync multiple folders
• AutoDiscover
Email body
• HTML email
Transmission
• SSL Encrypted Transmission
Inbox
• Follow-up flags
• Reply state

Enhanced Features
Inbox
• Server search
• SMS Sync
Email body
• Conversation view
• Information Rights Management (IRM) Support
• Link Access
• Set Out of Facility/Office (OOF)
• UM card
Transmission
• S/MIME
• Bandwidth reduction

Samsung-enhanced Features
Configuration
• Peak/Off-peak sync schedule
• Draft folder sync
• Sync options for each folder
Inbox
• Spam filter
Transmission
• Nested S/MIME
User settings
• Certificate-based authentication
• Empty server trash
• User configurable resolution

Enhanced Policies
Attachment file management:
• Allow attachment download
• Maximum attachment size
Personal email account management:
• Disable POP3/IMAP4 email
• Allow consumer email
Email encryption and signing management:
• S/MIME messages, SoftCerts, and algorithm
Email content management:
• Configure message format
• Email and HTML email body truncation size
• Include past email items (days)
• Require manual sync while roaming
• Allow IRM over EAS

Calendar and Tasks

Basic Features
Configuration
• Calendar sync
Meeting Schedule
• Meeting attendee information

Enhanced Features
Configuration
• Task sync
Meeting Schedule
• Free/busy lookup

Samsung-enhanced Features
Meeting Schedule
• Edit response
• Propose new time

Enhanced Policy
Content management
• Include past calendar items (days)

Contacts

Basic Features
Configuration
• Contacts sync
Contact list
• GAL lookup

Enhanced Features
Contact list
• Nickname cache
• GAL photo

Samsung-enhanced Features
Configuration
• Contact sub-folder sync
Provide device management and provisioning with Exchange Server and Office 365 features and policies
Samsung fully supports Exchange ActiveSync features and policies to increase employees’ work
efficiency with email and PIMS applications and give corporate IT basic device management and
provisioning capabilities. Using Exchange ActiveSync may be a good option for managing your Samsung
mobile devices if you already own Exchange Server or Office 365 Exchange licenses and need only
basic Mobile Device Management (MDM) and security. Exchange ActiveSync can be easily configured
to perform basic MDM. This gives you the capability, for example, to wipe devices remotely, manage the
lock-screen password requirements, disable and enable functions such as Wi-Fi and camera, and allow
or disallow applications.
Samsung smartphones and tablets that run on Android 4.1 and higher support Exchange ActiveSync
features and policies. These can be configured for each model and Android OS version. Table 3 shows the
basic and enhanced functionality provided.
Table 3: Exchange Active Server functionality that can be configured for basic MDM
Basic Functionality | Enhanced Functionality
Basic Features: Remote wipe | Enhanced Features: Block/Allow/Quarantine list
Basic Policies | Enhanced Policies
Lock screen password management
• Require password
• Require alphanumeric password
• Maximum failed password attempts
• Minimum password length
• Maximum inactivity time lock
Device management
• Allow non-provisionable devices
• Policy refresh interval
Device function management
• Camera
• SMS text
• Wi-Fi
• Bluetooth
• Browser
• Desktop ActiveSync
• Internet sharing
• Removable storage
Applications management
• Allow unsigned applications
• Approved application List
• Allow unsigned CABs
• Unapproved InROM application list
Lock screen password management
• Allow simple password
• Enable password recovery
• Password expiration (days)
• Enforce password history
• Minimum number of complex
characters
Device management
• Require device encryption
Use case: Using basic device management
Samsung has partnered with industry-leading MDM and Virtual Private Network (VPN) vendors to
support enterprise-grade security capabilities that reinforce the Samsung Android platform and address
the regulatory concerns of governments, large enterprises and SMBs. The Samsung KNOX Workspace
protects corporate data with a secure solution that includes hardware security and multiple levels of
protection for the operating system and applications.
With Samsung’s support for Exchange ActiveSync features, users have a mobile business environment
that matches or exceeds industry-standard email functionality. In addition, IT can deploy Exchange
ActiveSync policies to manage employees’ mobile devices with light MDM capabilities.
Companies that want to enable email on their employees’ devices, but don’t use an MDM, can simply use
the basic management controls available through Exchange ActiveSync. While these do not offer the
granularity of control of an MDM solution, Exchange ActiveSync integrates with Microsoft Active Directory
to provide functionality such as setting and enforcing password policies, remotely wiping a device, and
determining whether a device can connect to a network.
Increase users’ productivity by improving the user experience with new features
Samsung has enhanced the user experience of its email and PIMS applications to improve usability.
By simplifying the interface, Samsung has reduced complexity and thus decreased workflow steps.
Samsung’s intuitive and easy-to-use interface and user experience help make enterprise communication
more efficient. Redesigned email and PIMS applications for Android 5.0 devices now appear clearer
and better organized. The new design has reduced the number of menu items and replaced the texting
icon. The ability to assign specific colors to different email and PIMS applications adds to the clarity and
simplicity of the interface. Table 4 shows the supported features.
Table 4: Improved user experience features with email, calendar, and contacts

Email: Samsung basic native app
Basic Features:
• Receive email simultaneously on device and computer by email sync and direct push.
• Configure spam filtering.
• Supports multiple attachment types:
  o Camera
  o Gallery
  o Audio
  o Files
  o Integration with third-party cloud storage applications (Box, Dropbox, OneDrive) for image and video attachments.
Differentiated Features and Policies:
• Snap View function: Preview an email without opening it and reply, remind, mark as read or unread, and delete email directly from the preview pane.
• Identify most recent messages and related responses by selecting the conversation view.

Email: Enabled with Exchange ActiveSync
Basic Features:
• Set up accounts with certificate authentication instead of basic authentication.
• Reply status: View icon in email inbox to see if an email has been replied to or forwarded.
Differentiated Features and Policies:
• Apply persistent protection to messaging content, including using Information Rights Management to prohibit:
  o printing
  o forwarding
  o extracting
  o replying
• Include past email items (days).

Calendar: Samsung basic native app
Basic Features:
• Calendar and Task Sync
Differentiated Features and Policies:
• Respond to invitations to events or accept tasks by simply entering the title of the desired event and task.

Calendar: Enabled with Exchange ActiveSync
Basic Features:
• Meeting attendee information.
Differentiated Features and Policies:
• Free/busy lookup.
• Edit response.
• Include past calendar items (days).
• Propose new meeting times in a response to an invitation.

Contacts: Samsung basic native app
Basic Features:
• Contacts Sync.
Differentiated Features and Policies:
• Access accounts for third-party applications and call logs to use contact applications more efficiently.

Contacts: Enabled with Exchange ActiveSync
Basic Features:
• Global Address List (GAL) lookup and photo.
Differentiated Features and Policies:
• Nickname cache.
Email
Samsung’s email application is optimized to make it easy for users to check email in the inbox. Users can
filter emails as read, unread, starred and flagged, or high priority, and by whether or not there’s an attachment.
In addition, users can change view modes—to switch to conversation view mode, for example. Users can
preview emails and set reminder notifications without opening the email body. Users can manage emails
in separate account inboxes or merge accounts to show all emails in one inbox. These options provide
users with control and a clear overview of all emails.
As shown in Figure 3, users can preview the first five lines of email content by using a two-finger flick
down gesture, which makes it easy to reply, remind, mark as unread, and delete email from the inbox. In
addition, users can set when they want to receive a reminder notice on a received email.
Figure 3: Snap view and reminder functions on email client.
Using the continue composing feature shown in Figure 4, users can temporarily save and minimize
email drafts. The user can continue composing by simply touching the button and multitask between
composer and inbox viewer.
Figure 4: Continue composing function on email client.
Calendar and tasks
Samsung provides a well-organized calendar application that is completely tailored for business. The
calendar application is designed to enable users to create, edit, and view information about invitations
and schedules. Users can combine several calendars and schedules and synchronize status. Events and
tasks can be registered and modified by taking advantage of the simplified process steps and menus.
Samsung email includes a well-organized calendar view and smart composer app. Users can simply enter
an event’s title to register for that event, as shown in Figure 5. They can add information by tapping the
repeat, invitees, notes, and time zone icons.
Figure 5: Register an event and task.
Figure 6 shows how users can select their preferred view mode for seamless interaction. The calendar
application provides a simplified view mode and an intuitive user interface.
Figure 6: View mode in the calendar.
[Figure 6 panels: Month, Week, Day, Tasks]
Contacts
Samsung’s contacts application is designed to present an intuitive and easy-to-use interface and user
experience. Users can view contacts from multiple user accounts in one contact list, or users can apply
filtering to separate contact lists. Users can make a call or send an SMS text message from their favorites
menu and check call and SMS logs in their contact application. In addition, users can see account
information for third-party applications such as LinkedIn and Skype.
Figure 7 shows the easy-to-use contacts application.
Figure 7: Basic user interface and menu in contacts.
The contacts application supports consolidated sync, import, and export functions for the contact list, as
shown in Figure 8. A vCard format file (*.vcf) can be imported from device storage, for example. Duplicates
display automatically.
Figure 8: Sync, import, and export contact list and duplicated contact view in contacts.
[Figure panels: Galaxy smartphone, Galaxy tablet]
† Screen images are provided by Android 5, Lollipop TouchWiz on Samsung Galaxy mobile smartphones and tablets.
Appendix 1: Comparing Exchange ActiveSync implementations
[Table 1] Email: Samsung mobile devices provide 16 policies and 25 features
† Reference: Exchange ActiveSync Client Comparison Table at Microsoft TechNet, Comparison of Exchange ActiveSync clients at Wikipedia, and Samsung research. Results are based on information available at time of publication, and are subject to change.
Policy | Samsung Android 5 | Apple iOS 8.4 | Google Android 5.1 | Microsoft Windows 7
Allow attachment download • • •
Maximum attachment size •
Disable POP3/IMAP4 email •
Allow consumer email • •
Require signed S/MIME messages •
Require encrypted S/MIME messages •
Require signed S/MIME algorithm •
Require encrypted S/MIME algorithm •
Allow S/MIME algorithm negotiation •
Allow S/MIME SoftCerts • •
Configure message formats (HTML or plain text) • •
Include past email items (days) • • •
Email body truncation size (bytes) •
HTML email body truncation size (bytes) •
Require manual sync while roaming • •
Allow IRM over EAS •
˚ These features were developed by Samsung by using Exchange Server protocols and applying a control on the Samsung mobile device.
[1] Samsung supports this capability at the device level only. Samsung email provides a conversation view when the IT admin sets a rule to always move messages in a conversation, using the local conversation ID from the device side instead of the conversation ID from the server.
Feature | Samsung Android 5 | Apple iOS 8.4 | Google Android 5.1 | Microsoft Windows 7
Direct Push • • • •
Email sync • • • •
Sync multiple folders • • • •
SSL encrypted transmission • • • •
HTML email • • • •
AutoDiscover • • • •
Server Search • • •
Follow-up flags • • • •
Bandwidth reduction • • •
Link Access • • •
Set Out of Facility/Office (OOF) • • •
S/MIME • •
Conversation View • • •
Reply status • • • •
UM card • •
SMS sync • • •
IRM support •
Peak/off-peak sync schedule˚ • •
Empty server trash˚ • •
Certificate based authentication˚ • • •
Draft folder sync˚ • • •
Sync options for each folder˚ • • •
Spam Filter˚ • • •
Move always[1] •
The Samsung EAS implementation includes two additional features for email: User configurable
resolution and Nested S/MIME.
[Table 2] Calendar: Samsung mobile devices provide 6 features and 1 policy
Feature and policy | Samsung Android 5 | Apple iOS 8.4 | Google Android 5.1 | Microsoft Windows 7
Feature
Calendar sync • • • •
Tasks sync •
Meeting attendee information • • • •
Free/Busy lookup • •
Edit response˚ • • •
Propose new time˚ • •
Policy
Include past calendar items (days) • •
[Table 3] Contacts and tasks: Samsung mobile devices provide 5 features
Feature | Samsung Android 5 | Apple iOS 8.4 | Google Android 5.1 | Microsoft Windows 7
Feature
Contact sync • • • •
GAL lookup • • • •
GAL photo • •
Nickname cache • •
The Samsung EAS implementation also includes this additional contacts feature: Contact sub-folder sync.
[Table 4] Device: Samsung mobile devices provide 25 policies and 3 features
Feature and policy | Samsung Android 5 | Apple iOS 8.4 | Google Android 5.1 | Microsoft Windows 7
Policy
Allow non-provisionable devices • • • •
Policy refresh interval • • • •
Require password • • • •
Require alphanumeric password • • • •
Maximum failed password attempts • • • •
Minimum password length • • • •
Maximum inactivity time lock • • • •
Allow simple password • • •
Enable password recovery • •
Password expiration (days) • • •
Enforce password history • • •
Disable desktop ActiveSync • •
Disable removable storage • •
Disable camera • • •
Disable SMS text messaging •
Disable Wi-Fi •
Disable Bluetooth •
Allow internet sharing from device • •
Allow browser • •
Allow unsigned applications •
Allow unsigned CABs •
Approved application list •
Unapproved InROM application list •
Minimum number of complex characters • • •
Require device encryption • • •
Disable IrDA[2] •
Allow mobile OTA update[3] •
Mobile OTA update mode[4] •
Feature
Remote wipe • • • •
User started remote wipe • • • •
Block/Allow/Quarantine List (device info) • •
† Reference: Exchange ActiveSync Client Comparison Table at Microsoft TechNet, Comparison of Exchange ActiveSync clients at Wikipedia, and Samsung research. Results are based on information available at time of publication, and are subject to change.
² Samsung devices provide an IrLED hardware chipset, not an IrDA hardware chipset.
³ Samsung will provide this policy in the next firmware update.
⁴ Samsung will provide this policy in the next firmware update.
Appendix 2: Samsung security features for email
The SmartCard Framework on the KNOX platform gives applications access to the hardware certificates
on the Common Access Card (CAC) via standards-based Public Key Cryptography Standards (PKCS) APIs.
This access enables the browser, email application, and VPN client, as well as custom government
applications, to use the CAC. Third-party smart card and reader providers can install their
solutions into the framework, as shown in Figure 1.
Figure 1: SmartCard Framework on Samsung KNOX platform.
IT can further strengthen security by enabling email encryption and digital signing between users’
devices using the widely accepted S/MIME protocols. Figure 2 shows how to set the screen lock and
install certificates to enable email encryption.
[Figure 1 diagram labels: Email, Browser, VPN Client, and 3rd Party Apps; Lock Screen; JCA/JCE/OpenSSL (PKCS #11) APIs; KNOX Smartcard Framework; Vendor 1 Plugin (Bluetooth or USB); Vendor 2 Plugin (Bluetooth or USB); Bluetooth or USB Reader]
Figure 2: Enabling S/MIME certification.
Appendix 3: Supported feature and policy lists by Exchange Server version
To enable connection to a Microsoft Exchange server, Samsung mobile devices support:
• EAS 14.2 with Exchange Server 2010 SP2
• EAS 14.1 with Exchange Server 2010 SP1
• EAS 14.0 with Exchange Server 2010
• EAS 12.1 with Exchange Server 2007 SP1
• EAS 12.0 with Exchange Server 2007
• EAS 2.5 with Exchange Server 2003 SP2
[Table 5] Features classified by Exchange Server version on Samsung mobile devices
Feature | Exchange Server 2003 SP2 | Exchange Server 2007 SP1 | Exchange Server 2010 SP2 | Exchange Server 2013
Direct Push • • • •
Email sync • • • •
Calendar sync • • • •
Contacts sync • • • •
Tasks Sync • • • •
Remote wipe • • • •
Sync multiple folders • • • •
GAL lookup • • • •
SSL encrypted transmission • • • •
Peak/off-peak sync schedule • • • •
User Configurable Resolution • • • •
Certificate Based Authentication • • • •
Draft Folder Sync • • • •
Sync options for each folder • • • •
Nested S/MIME • • • •
Edit Response • • • •
Propose New Time • • • •
Spam Filter • • • •
Contact sub-folder sync • • • •
User started remote wipe • • •
Link Access • • •
HTML email • • •
Server Search • • •
Set Out of Facility/Office (OOF) • • •
Follow-up flags • • •
Meeting attendee information • • •
AutoDiscover • • •
Bandwidth reduction • • •
S/MIME • • •
Empty server trash • • •
Conversation View • •
Reply status • •
UM card (client side only) • •
Free/Busy lookup • •
Nickname cache • •
SMS sync • •
GAL photo • •
IRM support • •
Block/Allow/Quarantine List • •
Move always⁵
⁵ Samsung supports this capability at the device level only. Samsung email provides a conversation view when the IT admin sets a rule to always move messages in a conversation, using a local conversation ID from the device side instead of the conversation ID from the server.
[Table 6] Policies classified by Exchange Server version on Samsung mobile devices
Policy | Exchange Server 2003 SP2 | Exchange Server 2007 SP1 | Exchange Server 2010 SP2 | Exchange Server 2013
Allow non-provisionable devices • • • •
Policy refresh interval • • • •
Require password • • • •
Require alphanumeric password • • • •
Maximum failed password attempts • • • •
Minimum password length • • • •
Maximum inactivity time lock • • • •
Allow attachment download • • •
Maximum attachment size • • •
Enable password recovery • • •
Allow simple password • • •
Password expiration (days) • • •
Enforce password history • • •
Disable desktop ActiveSync • • •
Disable removable storage • • •
Disable camera • • •
Disable SMS text messaging • • •
Disable Wi-Fi • • •
Disable Bluetooth • • •
Allow internet sharing from device • • •
Disable POP3/IMAP4 email • • •
Allow consumer email • • •
Allow browser • • •
Allow unsigned applications • • •
Allow unsigned CABs • • •
Approved application list • • •
Unapproved InROM application list • • •
Require signed S/MIME messages • • •
Require encrypted S/MIME messages • • •
Require signed S/MIME algorithm • • •
Require encrypted S/MIME algorithm • • •
Allow S/MIME encrypted algorithm negotiation • • •
Allow S/MIME SoftCerts • • •
Require device encryption • • •
Minimum number of complex characters • • •
Configure message formats (HTML or plain text) • • •
Include past email items (days) • • •
Email body truncation size (bytes) • • •
HTML email body truncation size (bytes) • • •
Include past calendar items (days) • • •
Require manual sync while roaming • • •
Disable IrDA
Allow mobile OTA update
Mobile OTA update mode
Allow IRM over EAS • •
Appendix 4: Supported Exchange ActiveSync Feature and Policy Descriptions
[Table 7] Feature and policy descriptions
Exchange ActiveSync 2.5 - Exchange Server 2003 SP2
Feature | Description
Sync multiple folders | Synchronizes multiple folders across devices.
Global Address List (GAL) lookup | Enables users to look up a coworker in their company directory to find an email address.
SSL encrypted transmission | Enables mobile devices to send and receive encrypted email over an Exchange ActiveSync connection by using Secure Sockets Layer (SSL).
Direct Push | Keeps a mobile device up to date over a cellular network connection.
Email sync | Synchronizes email across devices.
Calendar sync | Synchronizes calendars across devices.
Contacts sync | Synchronizes contacts across devices.
Tasks Sync | Synchronizes tasks across devices.
Remote wipe | Enables administrators to remotely wipe a device to remove company data from a device that is lost or stolen, or after an employee has left the company.
Exchange ActiveSync 2.5 - Exchange Server 2003 SP2
Policy | Description
Allow non-provisionable devices | Enables IT to specify whether older phones that may not support application of all policy settings are allowed to connect to Exchange 2010 by using Exchange ActiveSync.
Policy refresh interval | Defines how frequently the mobile device updates the Exchange ActiveSync policy from the server.
Require password | Requires users to enable the mobile device password feature.
Require alphanumeric password | Determines password strength by enforcing usage of numeric and non-numeric characters.
Maximum failed password attempts | Specifies how many times the device user can enter an incorrect password before the device performs a wipe of all data.
Minimum password length | Specifies the length of the password for the device. The default is four (which is also the minimum length). IT can specify up to 18 characters.
Maximum inactivity time lock | Determines how long the device can be inactive before the user is prompted for the password.
Exchange ActiveSync 12.0 - Exchange Server 2007
Feature | Description
User-started remote wipe | Sends a command to a mobile device that will perform a wipe of that device.
Link Access | Enables users to access documents remotely from a mobile device through email by using Exchange Server. If a user receives an email message that contains a link to a supported document type (e.g., Microsoft Word or Microsoft Excel on a Windows SharePoint Services or Windows file share path), the user can follow the link and access the document.
HTML email | Enables HTML display via Exchange ActiveSync so users can view email with tables, graphics, fonts, and colors displayed similar to a PC-based Outlook client.
Server Search | Enables users to store as much of their mailbox as they like, and enables easy access to every message in the mailbox. If the information they want is not synced with the mobile device, users can easily search the server to find the message anywhere in the mailbox, including subfolders, and return that message to the device.
Set Out of Facility/Office (OOF) | Enables users to set or edit out-of-office status.
Follow-up flags | Enables users to mark messages with follow-up flags, as on the PC with Outlook.
Meeting attendee information | Enables users to see who was invited to a meeting.
AutoDiscover | Allows devices to automatically configure the EAS connection with just a user login and password.
Bandwidth reduction | Reduces number of round trips and amount of data transferred, while maintaining functionality. Reduction is the same as the compression rate of Gzip.
Exchange ActiveSync 12.0 - Exchange Server 2007
Policy | Description
Allow attachment download | Enables or disables the ability to download attachments.
Maximum attachment size | Specifies the maximum file size that can be attached.
Enable password recovery | Enables the mobile device to generate a recovery password that’s sent to the server. If users forget their mobile device password, the recovery password can be used to unlock the mobile device and enable the user to create a new mobile device password.
Allow simple password | Enables or disables the ability to use a simple password such as 1234.
Password expiration (days) | Enables the administrator to configure a length of time after which a mobile device password must be changed.
Enforce password history | Specifies the number of past passwords that can be stored in a user’s mailbox. A user can’t reuse a stored password.
Exchange ActiveSync 12.1 - Exchange Server 2007 SP1
Feature | Description
S/MIME | Enables email encryption and digital signing using the widely accepted S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol.
Policy | Description
Disable desktop ActiveSync | Specifies whether the mobile device can synchronize with a computer through a cable, Bluetooth, or IrDA connection; requires an Exchange Enterprise Client Access License. On Android devices, it disables the MTP function of KIES⁶.
Disable removable storage | Specifies whether the mobile device can access information that’s stored on a storage card.
Disable camera | Determines whether the mobile device’s camera is allowed; the default value is $true.
Disable SMS text messaging | Specifies whether text messaging is allowed from the mobile device; requires an Exchange Enterprise Client Access License.
Disable Wi-Fi | Specifies whether wireless Internet access is allowed on the mobile device; requires an Exchange Enterprise Client Access License.
Disable Bluetooth | Specifies whether the Bluetooth capabilities of the mobile device are allowed. The available options are Disable, Handsfree Only, and Allow; the default value is Allow.
Disable IrDA | Determines whether the mobile device’s IrDA is allowed.
Allow internet sharing from device | Specifies whether the mobile device can be used as a modem for a desktop or a portable computer; requires an Exchange Enterprise Client Access License.
Disable POP3/IMAP4 email | Specifies whether the user can configure a POP3 or an IMAP4 e-mail account on the mobile device.
Allow consumer email | Determines whether the mobile device user can configure a personal email account on the device; the default value is $true.
⁶ KIES is a freeware software application used to communicate between Windows or Macintosh operating systems and recently manufactured Samsung mobile devices, usually over a USB connection (wireless LAN KIES connectivity is now possible for some devices). See http://www.samsung.com/us/kies
Exchange ActiveSync 12.1 - Exchange Server 2007 SP1
Policy | Description
Allow browser | Determines whether Pocket Internet Explorer is allowed on the mobile device; the default value is $true. This parameter does not affect third-party browsers.
Allow unsigned applications | Specifies whether unsigned applications can be installed on the mobile device; requires an Exchange Enterprise Client Access License.
Allow unsigned CABs | Specifies whether unsigned packages can be installed on the mobile device; requires an Exchange Enterprise Client Access License.
Approved application list | Stores a list of approved applications that can be run on the mobile device; Exchange Enterprise Client Access License is required to change the values of this setting.
Unapproved InROM application list | Specifies a list of applications that cannot be run InROM; Exchange Enterprise Client Access License is required to change the values of this setting.
Require signed S/MIME messages | Specifies whether the mobile device must send signed S/MIME messages.
Require encrypted S/MIME messages | Specifies whether S/MIME messages must be encrypted.
Require signed S/MIME algorithm | Specifies what required algorithm must be used when signing a message.
Require encrypted S/MIME algorithm | Specifies what required algorithm must be used when encrypting a message.
Allow encrypted S/MIME algorithm negotiation | Specifies whether the messaging application on the mobile device can negotiate the encryption algorithm if a recipient’s certificate doesn’t support the specified encryption algorithm.
Allow S/MIME SoftCerts | Specifies whether S/MIME software certificates are allowed on the mobile device.
Exchange ActiveSync 12.1 - Exchange Server 2007 SP1
Policy | Description
Require device encryption | Enables encryption on the mobile device. Not all mobile devices can enforce encryption.
Minimum number of complex characters | Specifies the minimum number of complex characters required in a mobile device password. A complex character is any character that is not a letter.
Configure message formats (HTML or plain text) | Specifies whether email synchronized to the mobile device can be in HTML format. If this setting is set to false, all email is converted to plain text.
Include past email items (days) | Specifies the maximum number of days’ worth of email items to synchronize to the mobile device; the value is specified in days.
Email body truncation size (bytes) | Specifies the size beyond which email messages are truncated when they are synchronized to the mobile device; the value is specified in bytes.
HTML email body truncation size (bytes) | Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device; the value is specified in kilobytes (KB).
Include past calendar items (days) | Specifies the maximum range of calendar days that can be synchronized to the mobile device; the value is specified in days.
Require manual sync while roaming | Specifies whether the mobile device must synchronize manually while roaming. Allowing automatic synchronization while roaming will frequently lead to larger-than-expected data costs for the mobile device plan.
Exchange ActiveSync 14.0 - Exchange Server 2010
Feature | Description
Conversation View | Enables users to quickly and easily identify the most recent messages and related responses. By treating multiple messages as a single conversation, the conversation can be managed, ignored, moved, and deleted as a whole, so users don’t have to deal with each email individually. New replies to old conversations are automatically placed in the same folder as previous messages, even if a user has ignored or deleted a conversation.
Move always | Enables setting a server-side rule to always move messages in a conversation.
Reply status | Displays an icon to remind users whether they replied to or forwarded an email.
UM card (client side only) | Enables users to read an automatically generated speech-to-text preview of voicemail that has been stored in Exchange 2010. One click enables users to hear the voicemail audio or call the person who left the message.
Free/Busy lookup | Enables users to view a contact’s calendar availability from within the contact information; a free/busy timeline shows when contacts are available for a call or meeting.
Nickname cache | Shares the names of commonly used contacts between Outlook Web App (OWA) and Exchange ActiveSync.
SMS sync | Enables users to see their SMS messages in their email inbox and reply to them from their inbox instead of on their device.
Policy | Description
Allow mobile OTA update | Specifies whether over-the-air Exchange ActiveSync software updates are allowed.
Mobile OTA update mode | Available for multi-tenant deployments; not available for on-premises deployments.
Exchange ActiveSync 14.1 - Exchange Server 2010 SP1
Feature | Description
GAL photo | Provides images, which are stored in an Active Directory server, of the user who sent an email.
IRM support | Enables Information Rights Management (IRM) for email messages that are sent and received, for digital rights management control and encryption.
Block/Allow/Quarantine List (device info) | Enables administrators to create allow and block lists for devices that connect using Exchange ActiveSync; provides control over which devices can connect to an Exchange Server. Administrators can create approved device lists and block specific devices; set exceptions at the individual level; and quarantine any device not on the block or allow lists for additional evaluation.
Policy | Description
Allow IRM over EAS | Enables Information Rights Management (IRM) for EAS email messages that are sent and received, for digital rights management control and encryption.
New features added by Samsung
Feature | Description
Peak/off-peak sync schedule | Enables the user to configure the sync schedule by day and time.
Empty server trash | Enables users to empty the account’s trash.
User Configuration Resolution | Enables the user to configure a preference for when a conflict occurs during sync.
Certificate Based Authentication | Enables the user to set up an account with a certificate instead of basic authentication.
Draft Folder Sync | Enables the user to sync the draft folder (down sync only).
Sync options for each folder | Enables the user to configure the sync option for each folder, including user-created folders.
Nested S/MIME | Enables the user to forward S/MIME messages with the original certificate.
Edit Response | Enables the user to edit the response to a meeting invitation.
Propose New Time | Enables a user to propose a new time when responding to a meeting invitation.
New features added by Samsung
Feature | Description
Spam Filter | Enables a user to configure filtering of spam messages.
Contact sub-folder sync | Enables a user to sync contact subfolders.
Acronyms
PIMS Personal Information Management Services
ERP Enterprise resource planning
BI Business Intelligence
BYOD Bring-Your-Own-Device
COPE Corporate-Owned-Personally-Enabled
SDP Sensitive Data Protection
CAC Common Access Card
PKCS Public Key Cryptography Standards
GAL Global Address List
S/MIME Secure/Multipurpose Internet Mail Extensions
MDM Mobile Device Management
VPN Virtual Private Network
API Application Programming Interface
PGP Pretty Good Privacy
IRM Information Rights Management
SSL Secure Sockets Layer
POP3 Post Office Protocol version 3
IMAP4 Internet Message Access Protocol version 4
OWA Outlook Web App
References and links
Exchange ActiveSync Client Comparison Table at Microsoft TechNet
Exchange Mailbox Policy Support (Windows Embedded Compact 7) at Microsoft TechNet
Comparison of Exchange ActiveSync clients at Wikipedia