Exchange Server 2007 Service Pack 1 (SP1) is packed with enhancements revolving around Exchange ActiveSync (EAS). As you will see throughout this article, a new default Exchange ActiveSync policy is included. Also, several new Exchange ActiveSync policy settings have been introduced. In addition, the Exchange Front End team in the Exchange Product group has made sure a remote wipe confirmation e-mail message is sent to the respective user’s mailbox once a wipe has been completed successfully, this so that the user is made aware that his/her mobile device has been reset to factory defaults. Finally, the Direct Push protocol has been enhanced. In essence, the data sent between the mobile devices and the Client Access server(s) have been reduced even further than is the case in the Exchange Server 2007 RTM version.
Note:
Most of the new Windows mobile device features and enhancements in Exchange Server 2007 SP1 requires Exchange ActiveSync protocol version 12.1. The EAS protocol included with Windows Mobile 6.0 RTM is version 12.0 meaning that your device will need an update before you can benefit from the new Exchange Server 2007 SP1 features and enhancements discussed in this article.
Note:
This article is based on Exchange Server 2007 SP1 Beta 2. This means that the EAS features covered in this article still can change before Exchange Server 2007 SP1 RTMs.
New Default Exchange ActiveSync Policy Introduced
With Exchange Server 2007 SP1 a new default Exchange ActiveSync policy is added automatically during the installation of the Client Access Server role as shown in Figure 1 below. As most of you probably know you have to manually create and assign an EAS policy to user mailboxes in the Exchange 2007 RTM version, and since this does not match the overall secure-by-default strategy used in the Exchange product group, a default EAS policy has now made its way into the product.
Figure 1: Default Exchange ActiveSync Policy
Notice that even when you upgrade an existing Exchange 2007 server, with the Client Access Server role installed, to Exchange Server 2007 SP1, the new default Exchange ActiveSync policy will be created and assigned automatically to all Exchange 2007 user mailboxes that do not already have an EAS policy assigned (Figure 2).
Figure 2: Default Exchange ActiveSync Policy assigned to a User Mailbox
The new default EAS policy is configured rather loosely, which means it does not provide the security required in most Enterprise IT organizations (it even allows non-provisionable devices to synchronize with a mailbox), but it is better than no default policy at all. The default EAS policy is configured with the settings shown in Table 1. As you can see, a lot of policy settings in the table are new policies introduced in Exchange Server 2007 SP1, and we will take a closer look at these in the next section).
|
Exchange ActiveSync Policy Settings |
Configured Value |
|
AllowNonProvisionableDevices |
True |
|
AlphanumericDevicePasswordRequired |
False |
|
AttachmentsEnabled |
True |
|
DeviceEncryptionEnabled |
False |
|
RequireStorageCardEncryption |
False |
|
DevicePasswordEnabled |
True |
|
PasswordRecoveryEnabled |
True |
|
DevicePolicyRefreshInterval |
Unlimited |
|
AllowSimpleDevicePassword |
True |
|
MaxAttachmentSize |
Unlimited |
|
WSSAccessEnabled |
True |
|
UNCAccessEnabled |
True |
|
MinDevicePasswordLength |
4 |
|
MaxInactivityTimeDeviceLock |
00:30:00 |
|
MaxDevicePasswordFailedAttempts |
8 |
|
DevicePasswordExpiration |
Unlimited |
|
DevicePasswordHistory |
0 |
|
IsDefaultPolicy |
True |
|
AllowStorageCard |
True |
|
AllowCamera |
True |
|
RequireDeviceEncryption |
False |
|
AllowUnsignedApplications |
True |
|
AllowUnsignedInstallationPackages |
True |
|
AllowWiFi |
True |
|
AllowTextMessaging |
True |
|
AllowPOPIMAPEmail |
True |
|
AllowIrDA |
True |
|
RequireManualSyncWhenRoaming |
False |
|
AllowDesktopSync |
True |
|
AllowHTMLEmail |
True |
|
RequireSignedSMIMEMessages |
False |
|
RequireEncryptedSMIMEMessages |
False |
|
AllowSMIMESoftCerts |
True |
|
AllowBrowser |
True |
|
AllowConsumerEmail |
True |
|
AllowRemoteDesktop |
True |
|
AllowInternetSharing |
True |
|
AllowBluetooth |
Allow |
|
MaxCalendarAgeFilter |
All |
|
MaxEmailAgeFilter |
All |
|
RequireSignedSMIMEAlgorithm |
SHA1 |
|
RequireEncryptionSMIMEAlgorithm |
TripleDES |
|
AllowSMIMEEncryptionAlgorithmNegotiation |
RequireEncryptionSMIMEAlgorithm |
|
MinDevicePasswordComplexCharacters |
3 |
|
MaxEmailBodyTruncationSize |
Unlimited |
|
MaxEmailHTMLBodyTruncationSize |
Unlimited |
|
UnapprovedInROMApplicationList |
{} |
|
ApprovedApplicationList |
{} |
|
ExternallyDeviceManaged |
False |
|
MailboxPolicyFlags |
0 |
Table 1: Exchange ActiveSync Policy Configuration Settings
You can see or modify the configured EAS policy settings on your Client Access Server by opening the Exchange Management Shell and typing Get-ActiveSyncMailboxPolicy –Identity “Default” or by opening the Default EAS policy property page in the Exchange Management Console.
When you have one or more custom EAS policies in addition to the default EAS policy, you have the option of setting one of the custom EAS policies as the default policy, so that policy will be assigned to all Exchange 2007 user mailboxes (Figure 3) instead of the default policy.
Figure 3: Specifying the Default Exchange ActiveSync Policy
Exchange ActiveSync Policy Setting Enhancements
As already mentioned, Exchange Server 2007 SP1 introduces several new EAS policies, which allow us to lock down and secure mobile devices even further than it was possible with the Exchange Server 2007 RTM version. We will take a look through the default EAS policy property page and see how each new policy affects the mobile devices in your Exchange Server 2007 organization. Let us start by opening the Exchange Management Console, and then click on the Client Access node under the Organization Configuration work center (shown in Figure 1). Since EAS policies are organization-wide, this is the place to create and modify them. Now right-click on the Default EAS policy, and then select Properties in the context menu. As you can see the property page consists of five tabs in Exchange Server 2007 SP1, and not two, which was the case in the Exchange Server 2007 RTM version. Introducing three additional tabs indicates that there are a lot of enhancements in Exchange Server 2007 SP1.
Let us begin by taking a quick look at the General tab shown Figure 4 below. Not much has changed here other than we now can see whether the respective policy is configured as the default, and that the Maximum attachment size (KB) setting has been replaced by a Refresh interval (hours) setting (the Maximum attachment size (KB) setting can now be found under the Sync Settings tab). With the Refresh interval (hours) setting we can specify how frequently mobile devices should be updated with the Exchange ActiveSync policy from the server.
Figure 4: General tab on the Default Exchange ActiveSync Property Page
Let us move on to the Password tab (Figure 5). As you can see the settings under this tab have almost been left untouched. Only one new setting has been added on this tab, and that is the Minimum number of complex characters settings, which allows us to specify the minimum number of complex characters our device password(s) should contain.
Figure 5: Password tab on the Default Exchange ActiveSync Property Page
Since I have covered all the policy settings under this tab in my Mobile Messaging with Exchange Server 2007 article series, there is no reason why I should do so again. So let us move on to the next tab which is the Sync Settings tab (Figure 6). Here we can configure how many past calendar and e-mail items should be synchronized to a device. We can also configure the limit message size, whether it should be allowed to synchronize while roaming, specify if html formatted email can be read on a device and finally whether it should be allowed to download attachments to a device and if it is, specify the attachment’s maximum size.
Figure 6: Sync Settings tab on the Default Exchange ActiveSync Property Page
The Sync Settings tab is new and I have listed each policy setting on this tab with a short description in Table 2.
|
Exchange ActiveSync Policy Setting |
Description |
|
Include Past Calendar items |
With this setting you can specify how far back calendar items should be kept on the mobile device. You can choose between All, Two Weeks, One Month, Three Months and Six Months. |
|
Include past e-mail items |
With this setting you can specify how far back e-mail items should be kept on the mobile device. You can choose between All, One Day, Three Days, One Week, Two Weeks and One month. |
|
Limit message size to (KB) |
With this setting you can specify a maximum size for e-mail messages that you are allowed to synchronize to a mobile device. |
|
Allow synchronization when roaming |
With this setting you can allow or prohibit users from synchronizing their mobile devices when roaming. |
|
Allow html formatted email |
With this setting you can specify whether or not your mobile device users should be allowed to read html formatted e-mail message on their device(s). |
|
Allow attachments to be downloaded to the device and maximum attachment size (KB) |
With this setting you can specify whether or not your mobile device users should be able to download e-mail message attachments to their mobile device(s). In addition, you can set a maximum size for attachments that can be downloaded to the mobile devices. |
Table 2: Exchange ActiveSync Policy Configuration Settings
Let us move on to the Device tab (Figure 7). On this tab, we can disable mobile device features such as removable storage cards, built-in camera, Wi-Fi, the infrared port, Internet sharing, remote desktop, Desktop ActiveSync client synchronization, and Bluetooth.
Figure 7: Device tab on the Default Exchange ActiveSync Property Page
The Device tab is new and I have listed each policy setting on this tab with a short description in Table 3 below.
|
Exchange ActiveSync Policy Setting |
Description |
|
Allow removable storage |
You can specify whether or not the mobile device users should be allowed to use a removable storage card (mini SD data card) as data repository in their mobile devices. |
|
Allow camera |
You can prohibit your mobile device users from using the camera, which is included with most Windows mobile devices. |
|
Allow Wi-Fi |
With this setting you can prohibit your mobile device users from using Wi-Fi (wireless network card), which is included with most Windows mobile devices. |
|
Allow infrared |
With this setting you can prohibit your mobile device users from using the infrared port, which is included with most Windows mobile devices. |
|
Allow Internet sharing from the device |
You can prohibit your mobile device users from using the Internet sharing feature included with Windows mobile 6.0 devices. The Internet sharing feature makes it possible to connect your laptop to Internet using your mobile device. |
|
Allow remote desktop from the device |
Prohibit your mobile device users from using the remote desktop feature, which is included with most Windows mobile devices. With remote desktop you can connect remotely to a Windows XP/Vista client or an Windows 2003/2008 server. |
|
Allow synchronization from a desktop |
Allow or prohibit your mobile device users from using the Desktop ActiveSync client to synchronize a mobile device. If prohibited the mobile device users can only issue a sync over the air. |
|
Allow Bluetooth |
Allow or prohibit your mobile device users from using a Bluetooth connection. You can also specify if the users should only be able to use Bluetooth for hands free. |
Table 3: Exchange ActiveSync Policy Configuration Settings
Note:
All settings on the Device tab are premium features, which means that you must have Exchange Enterprise CALs in order to use them.
Moving on to the last tab, which is the Advanced tab. As can be seen in Figure 8, we can specify whether mobile device users should be allowed to use the Internet browser, consumer mail, unsigned applications, and install unsigned installation packages. In addition it is possible to allow or block specific applications.
Figure 8: Advanced tab on the Default Exchange ActiveSync Property Page
The Advanced tab is also new and I have listed each policy settings on this tab with a short description in Table 4 below.
|
Exchange ActiveSync Policy Setting |
Description |
|
Allow browser |
Allow or prohibit users from using the browser on their mobile device. |
|
Allow consumer mail |
Allow or prohibit users from receiving consumer email on their mobile device. |
|
Allow unsigned applications |
With this setting enabled, mobile device users are allowed to run applications that have not been signed with a trusted certificate. |
|
Allow unsigned installation packages |
With this setting enabled, mobile device users are allowed to install applications that have not been signed with a trusted certificate. |
Table 4: Exchange ActiveSync Policy Configuration Settings
In addition to the policy settings in Table 4, you can enter in the Allowed and Blocked Applications boxes any applications that should be specifically allowed or blocked.
Note:
All settings on the Advanced tab are premium features, which mean that you must have Exchange Enterprise CALs in order to use them.
Those of you who paid close attention to Table 1 would have noticed that not all the new policy settings in Exchange Server 2007 SP1 have been exposed in the EMC GUI. The following policies must be manipulated via the Exchange Management Shell:
- AllowTextMessaging
- AllowPOPIMAPEmail
- RequireSignedSMIMEMessages
- RequireEncryptedSMIMEMessages
- AllowSMIMESoftCerts
- RequireSignedSMIMEAlgorithm
- RequireEncryptionSMIMEAlgorithm
- AllowSMIMEEncryptionAlgorithmNegotiation
- MaxEmailBodyTruncationSize
- MaxEmailHTMLBodyTruncationSize
- UnapprovedInROMApplicationList
- ExternallyDeviceManaged
- MailboxPolicyFlags
Time will tell whether any of these will be included in the GUI in the RTM version of Exchange Server 2007 SP1.
Remote Wipe Confirmation
In addition to a new default EAS policy and the introduction of several new policy settings, Exchange Server 2007 SP1 also includes enhancements related to the remote wipe feature, which is used to remotely reset a mobile device back to factory defaults in case it is lost or stolen. Since this feature works well, not much has changed, but now a confirmation e-mail message is sent to the user’s mailbox once the mobile device has been remotely wiped successfully. This happens even if the wipe has been initiated by an Exchange administrator through either the Exchange Management Console or the Exchange Management Shell as well as if a user initiates the wipe via the Mobile Devices page under Options in Outlook Web Access 2007 (Figure 9).
Figure 9: Successful Remote Device Wipe via OWA 2007
When the mobile device has been wiped successfully, an e-mail confirmation similar to the one shown in Figure 10 is sent to the respective user’s Inbox.
Figure 10: Remote Device Wipe Confirmation E-Mail
In addition, you now have the option of cancelling a remote wipe both from OWA 2007 and the Exchange Management Console/Shell.
S/MIME Supported again
As some of you probably are aware, the S/MIME components for OWA 2007 and EAS didn’t make it into the Exchange 2007 RTM version. Well now they’re back! This means you once again are able to digitally sign as well as encrypt E-mail messages right from your mobile device. As you saw in the tables previously in this article, you can control S/MIME on mobile devices via several S/MIME specific policies.
Direct Push Protocol Data Reduction
The Exchange product group Front End team has also improved the Direct Push protocol, which is the protocol used by Exchange ActiveSync. The team has managed to reduce the size of the HTTPS request and response headers even further, which reduces the overall amount of data sent between the devices and the Client Access server(s). Although this enhancement is well hidden from device users, it is actually a rather important enhancement as it means that Enterprise organizations, where most end-users synchronize a mobile device with their mailbox will be able to lower the expenses used for over the air data.
Conclusion
Enterprise IT organizations that require strictly configured policies for all types of messaging clients in the organization will benefit from the new Exchange ActiveSync policy settings available in Exchange Server 2007 SP1, as they will let you allow or prohibit most features on a mobile device. Also, the new default EAS policy is a clever move that fits the overall “secure by default” strategy in the Exchange Product group. Finally, the enhancements made to the Direct Push protocols in order to reduce the amount of data sent between mobile devices and the Client Access server(s) will be welcomed with open arms by any CIO responsible for the overall IT budget.
