It is no secret that I have always been quite a gadget nerd. When it comes to mobile phones, I had my share of different Nokia phones combined with another share of personal digital assistants (PDAs), which to begin with were various PalmPilot models. Back then, when you wanted to synchronize your mail, calendar, contacts, notes, tasks and whatnot, most of us did so using the associated cradle, which was connected to a laptop or a PC.
At that time most enterprises did not have any kind of mobile device management (MDM). When end users needed access to the corporate network and resources, they used a VPN connection.
Around 2001, I switched from PalmPilot to a Compaq iPaq, which ran the Windows Mobile OS (formerly known as Pocket PC 2000). When it came to mobile phones, I switched from Nokia to an Orange SPV, which also ran the Windows Mobile OS. I have owned most Windows Mobile-based devices released from then up until the first iPhone was released in 2007. I of course picked up one of those, but later switched back to Windows Mobile, being the true Windows-based device fan I was.
Figure 1: Compaq iPaq Pocket PC
The first time I was introduced to the concept of allowing mobile devices to do real-time synchronization over the air with a mailbox hosted on Exchange Server (Exchange 2000) was with Mobile Information Server 2002 (MIS 2002) from Microsoft. MIS 2002 was the first product with an implementation of the Exchange ActiveSync (EAS) protocol, which was known as “AirSync” back then. This was when I started to take an interest in how you manage access and control the devices connecting to a corporate network.
MIS 2002 also provided access to intranet resources and to an Exchange mailbox using the Wireless Application Protocol (WAP), which gave limited access to the mailbox via the micro-browsers installed on PDAs and mobile phones.
Although MIS 2002 is long gone, I actually managed to find the following MIS 2002-related piece of information on microsoft.com.
Figure 2: Microsoft MIS 2002 CAL Guide
At the time of MIS 2002, there were of course also several third-party solutions on the market. Many of them no longer exist; others have been bought by bigger players. One MDM solution that existed back then and is still a big market player today is Afaria, which, since SAP bought Sybase in 2012, has been known as SAP Afaria.
MIS 2002 was discontinued, and AirSync, now known as Exchange ActiveSync (EAS), shipped with Exchange 2003. EAS has been a native part of every Exchange Server version released since then and has reached version 16.1 with Exchange Server 2016 and Exchange Online. Through the years most enterprises have either relied solely on EAS policies or used them in combination with a third-party MDM solution.
We should also not forget BlackBerry, which had a big chunk of the market for several years and controlled access and security for its devices using BlackBerry Enterprise Server.
In the Exchange Server 2016 on-premises product and Exchange Online (EXO), we find the EAS configuration and policy settings under the “Mobile” node, as shown in Figure 3. Organizations that still have an Exchange on-premises solution often combine EAS policies with a third-party MDM solution such as Afaria, XenMobile or MobileIron.
Figure 3: Exchange ActiveSync Policies in Exchange Server 2016
Back in 2011, Microsoft announced the availability of the Windows Intune service, which at the time was focused on Windows PC management. Since then Windows Intune has been rebranded as Microsoft Intune and has also come to focus on the management of mobile devices.
Today, customers that have migrated data to one or more Office 365 workloads can use a simplified version of the Microsoft Intune service (also known as Office 365 MDM) to secure their end users, devices and corporate data. Unlike EAS policies, Office 365 MDM requires device enrollment via a Company Portal app.
Figure 4: Office 365 MDM Service
Enterprises that buy Microsoft Intune licenses for their users (either as part of EMS or separately) get the full Microsoft Intune service, which is pretty comprehensive nowadays. Microsoft Intune can be used to push configuration policies (e.g. Wi-Fi and email profiles, certificates) to end-user devices that go through device enrollment via the Company Portal app.
You can create compliance policies to which the devices need to adhere. You can even combine these compliance policies with conditional access to Office 365 workloads (currently Exchange Online, SharePoint Online, Skype for Business Online and CRM Online) as well as to an on-premises Exchange solution. Microsoft Intune can also be used to publish and push out apps.
Nowadays end users use an average of three mobile devices to access corporate data, some company-owned and others personal. For this reason, there has been a need for a way to protect users, devices and data without enrolling the devices, as not all end users like the idea of enrolling their personal device. The primary reason is that if they leave their job, the enterprise may wipe the device, which would also wipe their personal data.
Fortunately, last year Microsoft announced a new type of Microsoft Intune policy known as Mobile Application Management (MAM) policies. The cool thing about these is that end users do not need to enroll their device in order to get access to company data through an app that supports MAM (Microsoft Office and others). Instead, the policy is applied at the app layer. MAM policies can even differentiate between corporate and personal data within the same app.
Microsoft Intune is a serious player, but there is still room for improvement, and the relevant teams are introducing new features and improving the product overall on a frequent basis. For instance, MAM policies have already been moved from the old Silverlight console to the Azure Portal, and the rest will be moved to the Azure Portal as well.
Figure 5: MAM Policies in the Azure Portal
Exciting times ahead and the third party MDM vendors should worry.
This concludes this article.