Optimized Management for iPhones, iPads, and Androids with Exchange 2007 & Exchange 2010 & Office 365


Learn how to sync iPhone, iPad, and android devices with exchange 2007, exchange 2010, office 365.

Learn more: http://www.maas360.com/products/mobile-device-management/exchange-activesync/

  • In our webinar today we will talk about some things you can do with Exchange to help manage iPhones, iPads and Androids, as well as some things you need to be aware of. If you are just starting to think about allowing devices access to Exchange mail, or have already opened Pandora's box and need to get control, I think you’ll find a few nuggets of information here that will help.
  • So, let’s set the stage and define the context for our discussion today. If you are like the vast majority of companies these days, you have users with company or personally provided iPhones, iPads and Android devices, and I am guessing you fall into one of three categories:
      – You have Exchange ActiveSync locked down, but are getting a lot of requests from users for access.
      – You have opened up Exchange ActiveSync for a select few users, but the information leaked out and you now have devices connected that you did not intend to have connected.
      – You are cautiously enabling access to Exchange ActiveSync by using mailbox policies.
    Whatever the situation, based on your attendance here you are actively looking for tools, techniques and tips that can help get some basic level of control. There may also be a real sense of urgency as smart device security starts to become more and more important. If you are like most customers we talk to on a daily basis, and we talk to quite a few, the BlackBerry Enterprise Server provided you with comfort and confidence for the BlackBerry deployment and you would like to get some of the same benefits and security when managing iPhones, iPads and Androids. I am also guessing you are being pummeled by information from all sources and would like to cut through the noise and get to some specifics on how to deal with these devices. That is what we will try to do today.
  • Before we talk about turning knobs and making changes, let’s have a look at the kinds of things that can be done on Exchange for managing iPads, iPhones and Android devices. "You can’t manage what you can’t see" is one of our tag lines at MaaS360. Exchange offers you a few useful visibility attributes, about 10, that can help identify device type and let you understand what type of device is connected. You can also create ActiveSync policies and assign them to ActiveSync-enabled mailboxes using the Exchange Management interface. As you can see from the screenshots, the user experience is what I would call adequate, not elegant. More importantly, you can take some actions on ActiveSync-connected devices, including the ability to change mailbox policy, remove and block devices, and perform a remote wipe. Keep in mind the wipe command issued by an Exchange administrator is a full wipe and will cause the iPad, iPhone or Android to revert back to its factory settings. Not a pleasant user experience, especially if the user has not backed up their personal data. Not completely relevant to the conversation but worth mentioning is that you can also manage legacy devices like Symbian and Windows Mobile through Exchange if this is a requirement.
  • Enabling Exchange ActiveSync access to email for iPads, iPhones and Androids is surprisingly easy. Maybe a little too easy. This is an area where you may want to put some thought into how you want to enable access and what the ramifications of the different approaches are. ActiveSync access is on by default on Exchange 2007. This is the easiest approach and you will be popular with your users, but you will have no control over who or what connects to your server. This may be an area where some more thought is required. If you want to be a little more cautious, you can enable access one mailbox at a time. More control equals more work, unfortunately. Also, keep in mind you are enabling access at a mailbox level and that the user will be able to connect any number and any type of devices to the server. This comes as a surprise to many. In either case, I recommend that you periodically monitor who has connected what devices to the server. We’ll get to some of the reasons behind that in a minute.
  • So now that we have it turned on and you have become very popular with your users, there are a few things to keep in mind. To start with, there is no clean way of getting an idea of connected devices in real time. In fact, this is where you may want to brush up on your PowerShell scripting skills. Other than writing a script, there is no really good way of getting a comprehensive device list. As mentioned before, if you want to provide more granular control over mailbox access, you have to use individual mailbox configuration. I will mention that for the 5 or 10 percent of you that have made the move to Exchange 2010, the new ABQ (Allow/Block/Quarantine) capability is a big help. You may want to look into that if you are on Exchange 2010. I mentioned earlier that the Exchange remote wipe is all or nothing. Keep that in mind when it comes time to wipe the boss’ old iPhone 3GS now that he has a shiny new iPhone 4: you had better double-check you have all his data off. If you issue the wipe from Exchange, everything is gone. In order to get a good handle on reporting and to do some of the tasks that are not easily accomplished in the Exchange UI, you may have to do some script development. Customers we have talked to that have a handle on this definitely have what I call an “Exchange geek” in house. Another big challenge when using Exchange is trying to figure out which devices are no longer active and removing these devices from the Exchange server. Policy assignment is cumbersome. If you want to have your C levels in a different policy than the default, you will have to figure out which devices they have, manually assign the policy to them, and then keep a lookout for new devices they connect. One critical organizational aspect is that if you have multiple administrators taking actions on devices, there is no easy way to see the actions for a specific device or to get a history of these actions on devices. On that topic, the only team members that can execute actions and view devices are the IT team members with access to your Exchange environment. What if you need to wipe a device and you can’t get hold of an Exchange admin? This is not really scalable. On the business intelligence front, you only have the information that Exchange holds for a device and there is no way to assign things like ownership, owner and department.
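The device inventory the notes say you have to script yourself, written up here as an added PowerShell example for the Exchange 2007/2010 Management Shell (it is not code from the webinar or from MaaS360). It walks every ActiveSync-enabled mailbox, lists each device partnership, calls out mailboxes with more than one device and partnerships that have gone stale; the report path and the 30-day staleness window are assumptions.

```powershell
# Added example for the Exchange 2007/2010 Management Shell; not code from the webinar or MaaS360.
# Assumptions: the report path and the 30-day staleness window are placeholders.
param(
    [int]$StaleDays = 30,
    [string]$ReportPath = "C:\Reports\eas-devices.csv"   # placeholder path
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# Only mailboxes with ActiveSync enabled can hold device partnerships.
# -ResultSize Unlimited lifts the default cap of 1000 results.
$casMailboxes = Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true }

$report = foreach ($mbx in $casMailboxes) {
    # One statistics record per device that has partnered with this mailbox.
    Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.Identity } },
                      DeviceType, DeviceModel, DeviceUserAgent, DeviceID, LastSuccessSync, Identity,
                      @{ n = 'Stale'; e = { ($_.LastSuccessSync -eq $null) -or ($_.LastSuccessSync -lt $cutoff) } }
}

# Full inventory for asset tracking: the comprehensive device list the native UI does not give you.
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# The multiple-device trap: one enabled mailbox, several partnerships.
"Mailboxes with more than one device:"
$report | Group-Object Mailbox | Where-Object { $_.Count -gt 1 } |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Partnerships with no successful sync inside the window; candidates for cleanup.
"Devices with no successful sync in the last $StaleDays days:"
$report | Where-Object { $_.Stale } |
    Format-Table Mailbox, DeviceType, DeviceModel, LastSuccessSync -AutoSize

# Cleanup is a separate, deliberate step. Remove-ActiveSyncDevice only drops the partnership;
# Clear-ActiveSyncDevice is the full factory-reset wipe the talk warns about. Dry run first:
#   $report | Where-Object { $_.Stale } | ForEach-Object { Remove-ActiveSyncDevice -Identity $_.Identity -WhatIf }
```

Run it on a schedule and diff the CSV against the previous run to catch the new partnerships the notes recommend monitoring for.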
  • Not only are there a few gaps to consider, there are some real traps: things that, if not considered, can lead to issues and effort down the road. The big one is that even if you are controlling access at a mailbox level, once enabled, multiple devices can be connected by the user of that mailbox. Say you allow an executive access for his iPhone 4 thinking it is fairly secure, but he buys an Android tablet and connects that without notifying anyone. Now you have an exposure you did not bargain for. It is also very difficult to control what can be connected: jailbroken iPhones, rooted Androids, iPhone 3.x that do not have robust encryption. It is the wild wild west and you will have no real way to view or control what is connecting. Another thing to be aware of is that Androids may lie: they can claim to be enforcing ActiveSync policies, but they may not be. There are Android apps specifically targeted at faking out ActiveSync.
  • ActiveSync policies were created to leverage capabilities of Windows Mobile 5 and 6. They include a comprehensive set of policies that can achieve a very secure mobile device posture. The issue is that Apple and Google have implemented a small subset of the ActiveSync policy capabilities. It is really only a best effort and basically the minimum required to even be considered for enterprise adoption. There are some critical gaps in ActiveSync policies, including the ability to apply device and application restrictions and any ability to configure the device over the air. Please visit the MaaSters Center where I have provided a couple of useful links to detailed information on ActiveSync policy support on iPhones, iPads and Android across the various Exchange versions. I would recommend getting familiar with this information.
  • Here is the list of supported Exchange ActiveSync policies. As you can see, support varies greatly depending on the device and the version of software on the device. For example, you are able to enforce a password on iPads, iPhones and Androids, including strength and inactivity time before the device locks. With Exchange 2007 and 2010 you are able to have more complex password settings, including password expiration and password history on the iPhone and iPad and Android 2.2 and 3.0. You can also now allow or disallow the use of the camera on the iPad and iPhone, as well as require encryption before allowing the device a connection to the Exchange server.
  • We have covered what the native Exchange Server tools can offer to manage iPads, iPhones and Androids and we have talked about some of the gaps and the traps. For some, this may be fine; for others there may be a desire to supplement these capabilities. Let’s talk about some things to consider as you try to decide whether to stay with the Exchange tools or to look at supplementing them with additional tools. It may be important to be able to block a device before it connects; this requires a device-level auto-quarantine capability. This does not exist at all in 2007, although it is available to the Exchange administrator in Exchange 2010. You may need better device data and asset information, and more consistent and reliable device data, to make better decisions on what is accessing your corporate data. Do you want Android 1.6 devices connecting? Do you want rooted Android devices connecting? Do you need to track devices based on department and ownership profile? These are all device lifecycle activities that Exchange does not help with. If you are embracing personal devices, an important capability may be the need to selectively wipe devices. It may also be useful to simply send a lock command to the device to ensure it is secure while your user looks for it between the cushions of their sofa, or to send a passcode reset if the user has forgotten their passcode. Another useful action is the ability to locate the device if lost or stolen. Another aspect that may be important is the ability to delegate all this to the various functions in your organization. Do you allow your help desk staff access to the Exchange server? Probably not. You may want the ability to allow your help desk person to send a lock, maybe a passcode reset, but only a level 2 support person to send the wipe command. This is typical of how companies work, and the Exchange tools do not facilitate it. These requirements may not be an issue while you have relatively few devices, but it will soon start to become a problem as you open up access. The more happy users you have, the more structured you will need to be to keep them happy. Consider how long you can get by with Exchange management capabilities before you find a situation that cannot be accommodated.
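The Exchange 2010 device-level auto-quarantine mentioned above, as an added example (not from the webinar or from MaaS360) of the Allow/Block/Quarantine cmdlets in the Exchange 2010 SP1 Management Shell: quarantine unknown devices by default, block a device family by its reported OS, review the quarantine, and approve a single device for a single mailbox. The admin address, the Android OS string, the mailbox and the device ID are placeholders.

```powershell
# Added example for the Exchange 2010 SP1 Management Shell; not code from the webinar or MaaS360.
# Placeholders: easadmins@example.com, "Android 1.6", "jsmith" and the device ID are illustrative.

# 1. Every device not matched by a rule or a per-mailbox allow list lands in quarantine,
#    and the admin mailbox is told about it; the user sees the inserted text on the device.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "easadmins@example.com" `
    -UserMailInsert "Your device is pending approval by IT. You will receive mail when it has been reviewed."

# 2. Access rules match the reported string exactly, so look at what devices actually report
#    before writing a rule.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Group-Object DeviceOS | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# 3. Block a device family by reported OS (copy a value from step 2; "Android 1.6" is illustrative).
#    The rule keys off what the client claims about itself, which the talk notes Android clients
#    can fake, so treat it as hygiene for honest devices, not as a security boundary.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "Android 1.6" -AccessLevel Block

# 4. Review what is sitting in quarantine and decide device by device.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId -AutoSize

# 5. Approve one device for one mailbox by device ID instead of opening the mailbox to anything.
Set-CASMailbox -Identity "jsmith" -ActiveSyncAllowedDeviceIDs @{ Add = "ApplXXXXXXXXXXXX" }   # placeholder ID
```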
  • That is a lot of information in 30 minutes or so and hopefully you have found it useful. As we start to consider all the new information about what the Exchange tools can do and what they cannot do, it may be useful to have a look at MaaS360, specifically the ActiveSync Manager components as well as the advanced iOS and Android management features. MaaS360 complements Exchange ActiveSync capabilities to help the administrator and others deal with the mobile floodgates. MaaS360 adds a mobile device context to Exchange management, whose native context is mailbox management, including device-level Auto-Quarantine for 2007 and 2010 as well as Office 365, and an action history/audit trail of who did what. MaaS360 does not replace ActiveSync: you do not stop using ActiveSync, and MaaS360 does not change anything about the way you use ActiveSync. MaaS360 also provides full support for iOS 4.0 and above and Android 2.2 plus, leveraging the MDM APIs in the respective platforms. After a simple OTA enrollment workflow, the iPhone, iPad or Android can be configured and secured over the air using MaaS360 workflows. Key help desk operations such as lock, wipe, selective wipe, locate and other actions can be performed.
  • Here is a graphical view of how MaaS360 complements Exchange management functions. It is a great way to solve the administrative challenges we have discussed that exist with Exchange, and it opens the door to greater possibilities by offering comprehensive management of iPhones, iPads and Androids within the same management framework. Best of all, it is cloud based, requires no upfront cost or effort, can be turned up in minutes, and is a subscription-based service that can show value immediately.
  • Demo walkthrough: use IE, log in as mdm_cadams; Home Page view; View All Devices; ActiveSync devices; look at Jim Szafranski's iPhone; show Quarantine, show Actions; user with iOS installed: Jamie Ballangee; Actions: to selective wipe, “remove iOS control”; Change Policy: click on user, Actions, Change iOS Policy, Change ActiveSync Policy; Manage/Create Policies; how to enable auto quarantine; Reporting.
    1. Optimized Management for iPhones, iPads, and Androids with Exchange 2007 & Exchange 2010 & Office 365. Val Hetrick. MORE Webinar Series, © 2011 Fiberlink Communications.
    2. What will I learn today?
       • How Exchange can be used as a basic management tool for Mobile Devices
       • The features and capabilities that are available in the Exchange Administrator Interface for managing Mobile Devices
       • The gaps and traps to watch out for if using Exchange to manage Mobile Devices
       • What to do when you need more comprehensive control and visibility
       • The benefits of using Exchange device management to derive additional value from an MDM solution
    3. Let’s get the conversation started…
       • You have users with personal and consumer devices that require access to your Exchange email environment
         – iPhones, iPads and Androids
       • You need tools and techniques to help get some basic level of control, now
       • You know how to do BlackBerry, but these other devices are uncharted territory for you and your team
       • You’ve been inundated with information on device management but aren’t sure which approach you should take
    4. So, where to start?
       • The built-in Exchange 2007/2010 tools may be a start for some
       • What can I do with these tools?
         – Device visibility/asset management: 10 or so device attributes
         – Mailbox policy creation/edit/assignment
         – Actions: Wipe (factory reset); Change Mailbox policy; Remove/Block Device
         – Legacy Device Support: Symbian; Windows Mobile
    5. What are the steps?
       • Turn on ActiveSync, but be careful…
         – Things to consider when you enable ActiveSync on Exchange
         – Email Access Control
           · Full Access: Wild West
           · Mailbox by Mailbox: cumbersome; multiple device issue
           · Monitor for new devices for enabled mailboxes: manual effort; 2010 ABQ may help
    6. Now that you have it turned on…
       • Gaps to be aware of
         – No clear picture of connected devices in real-time
         – If you want control, having to use individual Mailbox configuration
         – Remote Wipe that is all or nothing
         – Script development to augment the limited Exchange tools
         – No easy way to view and remove inactive devices
         – No ability to perform Device and User Group based policy assignment
         – No concise audit history of mobile device actions (e.g., policy change, remote wipe)
         – No web-based access for non email administrator personnel
         – No ability to add asset information to mobile devices managed via ActiveSync
    7. Now that you have it turned on…
       • Traps that will get you in trouble
         – Multiple devices: once a mailbox is enabled, a user can connect any number of devices
         – Device diversity
           · No control over what type of device connects
           · Significant gaps exist in device capabilities that need to be considered: Apple iOS 3.x; Android 1.x, 2.0, 2.1
         – Android implementations: Androids lie!
         – Jailbroken and Rooted Devices
    8. The ActiveSync policy conundrum…
       • A comprehensive set of policies, but…
         – Device manufacturer implementation varies greatly: only best effort on the part of most…
         – Some critical gaps: Device and application restrictions; VPN, WiFi, Email profiles; Password policies
         – Understand what policies are implemented by your device
           · Exchange ActiveSync Client Comparison Table (Microsoft)
           · Comparison of Exchange ActiveSync (Wikipedia)
    9. Supported Exchange ActiveSync policies, the basics
       • The following Exchange policies are supported on iOS and Android
         – Enforce password on device
         – Minimum password length
         – Maximum failed password attempts
         – Require both numbers and letters
         – Inactivity time in minutes
       • The following Exchange 2007 policies are also supported on iOS
         – Allow or prohibit simple password
         – Password expiration
         – Password history
         – Policy refresh interval
         – Minimum number of complex characters in password
         – Require manual syncing while roaming
         – Allow camera
         – Require device encryption
    10. Signs that you may need more than Exchange to manage your devices
       • You need device level auto-quarantine
       • You need better device data and asset information
       • You need more consistent and quality device data to make better decisions on what is accessing your corporate data
       • You need a consistent way to deal with variation in device/vendor support
       • You need important and more granular actions
         – Selective Wipe/Full Wipe (as required by the situation)
         – Lock Device
         – Change device passcode
         – Locate device
       • You would like to delegate administrative activities
       • How long can you get by with Exchange management capabilities before you find a situation that cannot be accommodated?
    11. MaaS360 Mobile Device Management
       • Offers Exchange ActiveSync Manager as well as iOS and Android Mobile Device Manager for additional capabilities
       • Helps organizations understand at a glance their mobile device posture (real-time) on their Exchange infrastructure
       • Helps organizations extend mobile device management operations to other teams, if desired
       • Eases and extends day-to-day Exchange management functionality for mobile device issues and cases
       • Adds Quarantine and Device Approval workflows to Exchange 2007 Environments
       • Able to have multiple policies
       • Selective Wipe with iOS
       • Push out VPN/Wireless Profiles with iOS and Android
    12. MaaS360 complements Exchange/ActiveSync
    13. Demo of MaaS360 MDM
    14. Questions or follow-up? Wrap-up. Val Hetrick, vhetrick@fiberlink.com
       • Upcoming Webinars (http://maasters.maas360.com/webinars/)
         – September 1: Best Practices for Enabling Android Devices in the Enterprise
       • Past Webinars (http://links.maas360.com/webinars/)
         – August 4: Automated Security for iPhone, iPad, and Android Devices
         – July 21: Enabling iPhones and iPads in the Enterprise
         – July 7: Mobile Device Management in a Post-BlackBerry World
       • Plus lots of How-To content at the MaaSters Center
         – Mobile Device Management Best Practices: http://links.maas360.com/mdm/
         – Mobile Device Management Strategy Series from Lopez Research: http://links.maas360.com/mdmstrategy/
         – Mobile Device Management Glossary: http://links.maas360.com/mdmglossary/
         – Over 300 articles and posts including training videos and free tools: http://maasters.maas360.com/