
Deploying ActiveSync as a Foundational MDM Solution

Agenda

What is ActiveSync?
Deployment Considerations
Connection Overview
Device management

What is ActiveSync?
Protocol for synchronizing email, contacts, calendar data over-the-air from Exchange Server to a mobile device
XML-based protocol that communicates over HTTPS
Provides foundational mobile device management (MDM) capabilities
Increasingly used by desktop mail clients and OSs
Licensed by 3rd party mail server, mobile device, and software vendors

Deployment
Infrastructure Key Considerations
Deployment model
Cloud vs. On-Premise
Single vs. multiple servers
Location on network
Quantity of connected devices & clients
Capacity Planning
SSL Certificates
Self Signed vs. 3rd Party CA
Device enrollment process
Corporate Device vs. BYOD

Connection Overview
1. Device requests access to Exchange ActiveSync over port 443 (HTTPS)
2. Exchange Server authenticates the incoming user via Active Directory
3. After authentication a connection is established and defined ActiveSync policies are applied to the device
4. Updates/changes are pushed over the air; sent mail and any changes made on the mobile device are synchronized to the Exchange Server

[Diagram labels: Mobile Device; WiFi, 3G, 4G; Internet; Firewall; Exchange Server; Active Directory; ActiveSync Security Configuration Policies]

Managing Devices
ActiveSync can control device features and security settings similar to full-featured MDM solutions
Managed via EMC, EMS, ECP
Sample device policies:
  Require password, encryption, device auto-lock
  Enforce password complexity, history, min/max age
  Remote Wipe after failed password attempts exceeded
  Prevent non-provisionable devices, attachment downloads
  Disable camera, web browser, Wi-Fi, Bluetooth, SMS, removable storage
  Whitelist/Blacklist by device identifier

Advanced Device Management
EMS adds greater management capabilities
Obtain device inventory across users
Identify non-working or lost/stolen devices by last sync time
Get a report on security state of devices
Find rogue devices
Identify unpatched mobile OSs & notify users to update
Better connectivity troubleshooting features
It can be scripted & automated!!
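
The inventory checks listed on this slide (stale last sync time, policy state, unknown device IDs), as an added PowerShell example that is not part of the original deck. Property names follow the output of the Exchange cmdlet Get-ActiveSyncDeviceStatistics; the function name Get-DeviceFinding, the 30-day threshold, the approved-ID list and the sample records are assumptions constructed for illustration.

```powershell
# Added example: flags devices from ActiveSync statistics records.
# Get-DeviceFinding, its thresholds and the sample records are hypothetical.
function Get-DeviceFinding {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Device,
        [string[]] $ApprovedDeviceId = @(),   # assumed allow-list of known device IDs
        [int] $StaleAfterDays = 30,           # assumed threshold
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        # No successful sync, or none inside the window: candidate lost/stolen/retired device.
        if (-not $Device.LastSuccessSync) {
            $findings += 'NeverSynced'
        } elseif (($Now - [datetime]$Device.LastSuccessSync).TotalDays -gt $StaleAfterDays) {
            $findings += 'StaleSync'
        }
        # Policy not fully enforced on the device: weak security state.
        if ($Device.DevicePolicyApplicationStatus -ne 'AppliedInFull') {
            $findings += 'PolicyNotFullyApplied'
        }
        # Device ID missing from the allow-list: candidate rogue device.
        if ($ApprovedDeviceId.Count -gt 0 -and $ApprovedDeviceId -notcontains $Device.DeviceID) {
            $findings += 'UnapprovedDeviceId'
        }
        if ($findings.Count -gt 0) {
            New-Object PSObject -Property @{
                Identity = $Device.Identity; DeviceID = $Device.DeviceID
                DeviceOS = $Device.DeviceOS; Findings = ($findings -join ',')
            } | Select-Object Identity, DeviceID, DeviceOS, Findings
        }
    }
}

# Constructed sample records (not real data), shaped like Get-ActiveSyncDeviceStatistics output.
$now = [datetime]'2024-06-01'
$sample = @(
    @{ Identity='alice/phone';  DeviceID='APPL0001'; DeviceOS='iOS 17.4';  LastSuccessSync=[datetime]'2024-05-30'; DevicePolicyApplicationStatus='AppliedInFull' },
    @{ Identity='bob/tablet';   DeviceID='ANDR0002'; DeviceOS='Android 9'; LastSuccessSync=[datetime]'2024-03-01'; DevicePolicyApplicationStatus='AppliedInFull' },
    @{ Identity='carol/phone';  DeviceID='UNKN0003'; DeviceOS='Android 8'; LastSuccessSync=[datetime]'2024-05-31'; DevicePolicyApplicationStatus='NotApplied' }
) | ForEach-Object { New-Object PSObject -Property $_ }

$sample | Get-DeviceFinding -ApprovedDeviceId 'APPL0001','ANDR0002' -Now $now | Format-Table -AutoSize

# Live use in EMS: Get-CASMailbox -ResultSize Unlimited -Filter {HasActiveSyncDevicePartnership -eq $true} |
#   ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } | Get-DeviceFinding
```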

Closing

Pros
Often little or no additional cost
Many orgs already have it deployed
Does not require an agent
It works with most devices already
It can be scripted

Cons
Management capabilities vary by device
Fragmented management tools
No mobile app management capabilities
Lacks built-in reporting

Questions?
