Mobile communication with Exchange Server 2007 - Part 2: Mobile device management
In Part 1, we covered some of the new features and improvements provided by the combination of Windows Mobile 6.0 devices and Exchange Server 2007. In Part 2, we introduce the new and improved features related to mobile device management and Exchange ActiveSync for mailboxes.
Exchange ActiveSync (EAS) is provided by default when the Exchange 2007 Client Access Server (CAS) is deployed in your organization. In addition, EAS is enabled for all user mailboxes. This means that once you apply an SSL certificate trusted by mobile devices to the Default Web Site in IIS, mobile device users can create an EAS profile right away and synchronize the device with the corresponding mailbox. Like Exchange 2003, Exchange 2007 still uses a virtual directory called Microsoft-Server-ActiveSync in IIS as the connection point for mobile devices.
There is not much change when it comes to Direct Push. Figure 1 below shows how an Exchange 2007 CAS server communicates with a Windows Mobile 5.0 (with MSFP) or 6.0 device.
Figure 1: Direct Push technology
As you can see in Figure 1, Direct Push works by keeping an HTTPS connection alive between the mobile device and the Exchange 2007 CAS. Because Direct Push uses long-lived HTTPS requests, your carrier and firewall must be configured with a default time-out value of about 15 to 30 minutes. If the value is shorter, the device has to initiate new HTTPS requests more often. This not only costs money but also causes other problems, because more data has to be transmitted. If the firewall solution in your organization is based on ISA Server 2004 or 2006, you can refer to it here.
Exchange ActiveSync policies
Unlike Exchange Server 2003 (where mobile device security policy settings are applied to all EAS users in the Exchange organization, except for those on the exceptions list), Exchange Server 2007 supports multiple EAS mailbox policies. This allows you, as an administrator, to assign EAS mailbox policies to users, for example at the office or country level, or even based on distribution group membership. To create an EAS mailbox policy using the Exchange Management Console (EMC), select Client Access under Organization Configuration in the menu tree. Click New Exchange ActiveSync Mailbox Policy in the Action window as shown in Figure 2.
Figure 2: New Mailbox Policy of Exchange ActiveSync
The New Exchange ActiveSync Mailbox Policy window will appear, as shown in Figure 3. Here we need to name the policy and then decide on the 'Allow non-provisionable devices' option. This option determines whether a device that does not support the AutoDiscover service is allowed to connect to the Exchange 2007 Client Access Server (CAS) and synchronize. In addition, we can specify whether downloading attachments to the device is allowed.
Figure 3: New Exchange ActiveSync Mailbox Policy window
Next we have to specify the password configuration settings. Some of these settings will be familiar if you have deployed a mobile messaging solution on Exchange Server 2003 SP2.
Require a password that has both a number and a letter
Check this option to require a strong password that includes both letters and numbers.
Allow password recovery
Select this option to enable password recovery for mobile devices. Users can look up a recovery password to unlock their device using Outlook Web Access (OWA) 2007. In addition, you, as an administrator, can look up the recovery password.
Encryption required on device
This option requires the device to be encrypted, which significantly increases security. All data stored on the memory card will be encrypted.
Allow simple passwords
This option will allow users to use simple passwords such as 8888.
Minimum length of password
This option requires you to specify the minimum length of the password. Remember that the longer the password, the greater the security, but the less usable the device becomes.
Time to re-enter the password (in minutes)
Specify how long the device can remain idle before it locks and the password must be re-entered to use it again. A low value also affects the performance of the device, so choose it with care.
Term of password
Specify after how many days the password will expire. Do not set this value too low, or users will tend to choose weak passwords.
Apply password history
Finally we have the password history option, which forces users to use new passwords when they expire. Once you have decided which values you want to set in a separate mailbox policy, click New and the policy will be created as shown in Figure 4.
Figure 4: New Mailbox Policy of Exchange ActiveSync listed in the Exchange Management Console
By default, an EAS policy allows the mailbox users it applies to to access documents on Windows file shares and SharePoint servers within the internal network. To deny users access to these documents from Windows Mobile devices, open the policy properties page, uncheck Windows File Shares and Windows SharePoint Services as shown in Figure 5, then click OK. As you can see, the other settings that were originally configured in the EAS policy can also be changed in the property sheet if needed.
Figure 5: Property page of EAS policy
Now that we have created the EAS policy, the next step is to apply it to the corresponding mailboxes within the organization. This is done by opening the properties page of the mailbox under the Recipient Configuration node. Once the property sheet is open, select the Mailbox Features tab. Under this tab, we can enable and disable different client protocols for the mailbox, but since Exchange ActiveSync is enabled by default, select Exchange ActiveSync and then click the Properties button shown in Figure 6. In the Exchange ActiveSync Properties window, click Browse, select the EAS policy we just created, and then check the Apply an Exchange ActiveSync mailbox policy check box. Click OK twice, and the EAS policy will be applied to the mailbox.
Figure 6: Applying EAS policy for user mailboxes.
If you need to apply an EAS policy to many mailboxes at once, you must use the Set-CASMailbox command in the Exchange Management Shell (EMS). For example, to apply the above EAS policy to all mailbox users, use the following command:
Get-Mailbox | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Exchange Hosting - General").Identity
Management of mobile devices
The first time a user syncs a device with their mailbox using EAS, a mobile device group is established. Once this group is set up, a new option called Manage Mobile Device is added to the context menu that appears when you right-click, as shown in Figure 7.
Figure 7: Options to manage in the context menu
When you choose Manage Mobile Device, the Manage Mobile Device window (Figure 8) appears. Under the Additional device information section, you can see when the first synchronization occurred, when the wipe action was last sent to the device (Device wipe sent time), when the device acknowledged the action, when the policy on the device was last updated, and the last heartbeat ping (in seconds). Finally, if needed, you can see the recovery password here.
Under Action you have two options: one is to remove the mobile device group, the other is to perform a remote action on the mobile device. The remote action erases the data stored in the device memory as well as on the memory card. The mobile device then restarts with factory defaults.
Note
Deleting a mobile device group will not delete any data on the device itself. The next time the user synchronizes the device with the mailbox, a new group is established.
Figure 8: Mobile device management
If you want to view mobile device and Exchange ActiveSync statistics for users from the Exchange Management Shell, you can do so with the Get-ActiveSyncDeviceStatistics command. For example, to get EAS statistics for the mailbox named HEW, we need to type:
Get-ActiveSyncDeviceStatistics -Mailbox hew
After executing this command we get information like that shown in Figure 9.
Figure 9: Grouping mobile devices for user mailboxes
Note
If you want to see statistics about a specific group, you need to specify its identity string instead of the mailbox name. As you can see in Figure 10, the recovery password is masked with '*' characters. If you want to display it, add the ShowRecoveryPassword parameter set to $True to the command we ran above.
To remove a group, use the Remove-ActiveSyncDevice -Identity command.
Figure 10: Removing a mobile device group using the Exchange Management Shell
To perform remote actions we use Clear-ActiveSyncDevice -Identity, as shown in Figure 11.
Figure 11: Performing remote actions for a mobile device with Exchange Management Shell
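The statistics described above can be collected for every mailbox that has a device group and used to review stale devices and unacknowledged wipe requests. This is an added example, not part of the original article; the 30-day threshold is an assumption.

```powershell
# Added example: run in the Exchange Management Shell on Exchange Server 2007.
$staleAfterDays = 30   # assumed review threshold, adjust to your own policy
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

# Collect device statistics for every mailbox that has at least one device.
$devices = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.HasActiveSyncDevicePartnership } |
    ForEach-Object {
        $mbx = $_.Name
        Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity |
            Select-Object @{Name="Mailbox"; Expression={ $mbx }},
                DeviceType, DeviceID, FirstSyncTime, LastSuccessSync,
                LastPolicyUpdateTime, DeviceWipeSentTime, DeviceWipeAckTime, Identity
    }

# Devices that have not synchronized successfully since the cutoff.
$devices |
    Where-Object { $_.LastSuccessSync -and $_.LastSuccessSync -lt $cutoff } |
    Sort-Object LastSuccessSync |
    Format-Table Mailbox, DeviceType, DeviceID, LastSuccessSync -AutoSize

# Remote actions that were sent but not yet acknowledged by the device.
$devices |
    Where-Object { $_.DeviceWipeSentTime -and -not $_.DeviceWipeAckTime } |
    Format-Table Mailbox, DeviceID, DeviceWipeSentTime -AutoSize
```

The Identity column in $devices is the value that Remove-ActiveSyncDevice and Clear-ActiveSyncDevice expect for -Identity.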
Self-management mode
To reduce the load on help desk staff in an organization, the Exchange product team offers a self-management feature that allows users to manage their own device groups when required. The self-management features are integrated directly into the user interface of OWA 2007, as shown in Figure 12, and the device management features are accessed via the Options page.
Basically, users can view and perform the same kind of tasks from within OWA as an Exchange administrator does with the Manage Mobile Device wizard in the Exchange Management Console.
Figure 12: Self-management mode from within OWA 2007
Users can also retrieve the recovery password for the device (Figure 13).
Figure 13: Password retrieval in OWA 2007
Conclusion
The Exchange product team has focused on making many improvements to the device and user features in Exchange Server 2007. We can now create multiple Exchange ActiveSync mailbox policies and perform all device management directly from within the Exchange Management Console or the Exchange Management Shell. In addition, users themselves have the option of self-management from OWA 2007, which reduces the load on support staff.