Smartphone management with Microsoft products

On a Leash


To configure iPhones – currently the most widely used smartphones in the enterprise – you can use the free iPhone Configuration Utility [3]. However, the utility cannot push its settings to the device over a wireless connection: you have to install the configuration profiles locally over USB or mail the profile files to the users. Nor can you distribute these profiles via Exchange or System Center products.

Devices that support Exchange ActiveSync apply the policies the server sends them. This includes not only Windows Phone 7/7.5/8, but also BlackBerry, Android, and iPhone devices. However, on Android devices the policies can very easily be worked around, and Exchange has no way to verify that a client enforces what it acknowledges, so a policy is only as strong as the client software that applies it. The iPhone does not support all Exchange ActiveSync policy options; it only supports:

  • Remote wipe
  • Enforcing a code to block the device
  • Minimum password length
  • Maximum number of incorrect password entries before the device wipes or locks itself
  • Mandatory letters and numbers in passwords
  • Inactivity time
  • Allowing simple passwords
  • Password expiration and password history
  • Policy refresh interval
  • Minimum number of complex characters in passwords
  • Enabling or disabling the camera

You can download a PDF file from Apple that shows all the options the iPhone supports for Exchange ActiveSync [4].

The policies are configured in the Exchange Management Console via Organization Configuration | Client Access. Switch to the Exchange ActiveSync Mailbox Policies tab and select the policy you want to configure. You can assign different policies to different users (Figure 3). Once the user has accepted the policy on the device, the endpoint applies the settings.

Figure 3: Configuring the Exchange ActiveSync policy for smartphones.

Each time an endpoint connects via Exchange ActiveSync, the endpoint and the server check that the policy version they hold still matches. If an administrator changes the security policy, the endpoints pick up the change during the next synchronization.
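The same policy created from the Exchange Management Shell instead of the console, as an added example that is not part of the original article. It uses only the options listed above (all of which the iPhone honours) and assigns the result to one mailbox; the policy name "Smartphone-Baseline", the mailbox alias "jdoe" and the threshold values are assumptions, and the cmdlets are those of Exchange Server 2010.

```powershell
# Added example, not from the original article. Creates an ActiveSync mailbox
# policy from the options listed above and assigns it to one mailbox.
# Policy name, thresholds and the mailbox alias are assumed values.

$policyName = "Smartphone-Baseline"

$settings = @{
    Name                               = $policyName
    DevicePasswordEnabled              = $true          # a lock code is mandatory
    AlphanumericDevicePasswordRequired = $true          # letters and numbers
    AllowSimpleDevicePassword          = $false         # no 1234 / 1111 style codes
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2              # e.g. one digit plus one symbol
    MaxDevicePasswordFailedAttempts    = 10             # device wipes after 10 wrong entries
    MaxInactivityTimeDeviceLock        = "00:05:00"     # lock after 5 minutes idle
    DevicePasswordExpiration           = "90.00:00:00"  # rotate the code every 90 days
    DevicePasswordHistory              = 5              # remember the last 5 codes
    DevicePolicyRefreshInterval        = "1.00:00:00"   # re-fetch the policy daily
    AllowCamera                        = $false
    # Devices that cannot apply the policy (or do not claim to) are refused
    # instead of synchronizing unmanaged. Leave this $false unless you have
    # a reason to accept old or non-compliant clients.
    AllowNonProvisionableDevices       = $false
}

New-ActiveSyncMailboxPolicy @settings

# Assign the policy to one user ('jdoe' is an assumed alias); the device
# receives it at the next synchronization and must accept it to keep syncing.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy $policyName

# Verify what the mailbox will hand out on the next sync.
Get-CASMailbox -Identity "jdoe" |
    Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List DevicePasswordEnabled, MinDevicePasswordLength,
                MaxDevicePasswordFailedAttempts, MaxInactivityTimeDeviceLock,
                DevicePolicyRefreshInterval, AllowCamera,
                AllowNonProvisionableDevices
```

Splatting the settings through a hashtable keeps each option next to its comment; the equivalent Set-ActiveSyncMailboxPolicy call with -Identity instead of -Name changes an existing policy in place, and the change reaches the devices at their next sync as described above.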

Off Camera

In the Device tab, you can control smartphone features such as infrared, Bluetooth, or the camera. To disable a function, uncheck the corresponding option:

  • Allow removable storage – If disabled, the smartphone cannot access its memory card.
  • Allow camera – If disabled, the built-in digital camera in the device cannot be used.
  • Allow Wi-Fi – If disabled, the device cannot connect to a wireless LAN.
  • Allow infrared – If disabled, the device cannot use infrared to connect to a computer or other devices.
  • Allow Internet sharing from device – Internet connections are often shared when the device acts as a modem for a notebook. Uncheck this option to disable the function.
  • Allow remote desktop from device – If disabled, the endpoint cannot open an RDP connection to another computer.
  • Allow desktop synchronization – If disabled, the endpoint cannot synchronize with locally installed applications.
  • Allow Bluetooth – By default, Bluetooth is enabled on the devices. You can either disable Bluetooth completely or set an option that only allows Bluetooth to connect to a car kit.

Besides controlling the device's hardware, you can also use policies to determine which applications are available on the device. To do this, go to the Device Applications and Other tabs. You can also use policies to require that users enter a password before using the endpoint. The default policy does not enable this option, so unless you switch it on, users can synchronize from smartphones that have no lock code at all.
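The Device-tab restrictions applied from the Exchange Management Shell, followed by a check of what each connected device actually reports back about the policy it received; this is an added example, not code from the original article. The policy name "Smartphone-Baseline" is an assumption, and the cmdlets and property names are those of Exchange Server 2010.

```powershell
# Added example, not from the original article. Applies the Device-tab
# restrictions to an existing ActiveSync mailbox policy, then lists the
# policy status every connected device has reported. The policy name is
# an assumed value.

$policyName = "Smartphone-Baseline"

$deviceSettings = @{
    Identity             = $policyName
    AllowStorageCard     = $false           # "Allow removable storage"
    AllowCamera          = $false           # "Allow camera"
    AllowWiFi            = $false           # "Allow Wi-Fi"
    AllowIrDA            = $false           # "Allow infrared"
    AllowInternetSharing = $false           # "Allow Internet sharing from device"
    AllowRemoteDesktop   = $false           # "Allow remote desktop from device"
    AllowDesktopSync     = $false           # "Allow desktop synchronization"
    AllowBluetooth       = "HandsfreeOnly"  # Allow | HandsfreeOnly (car kit only) | Disable
}
Set-ActiveSyncMailboxPolicy @deviceSettings

# Caveat from the list above: of these switches the iPhone honours only
# AllowCamera; the rest are silently ignored by clients that do not
# implement them, and Exchange does not report that.

# Which devices have acknowledged the policy, and how completely? Anything
# other than "AppliedInFull" is a device running on an older or partial
# policy. A client can also claim full application without enforcing it,
# so treat this as a sync-state report, not proof of enforcement.
Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object DeviceFriendlyName, DeviceType, DeviceOS,
                  DevicePolicyApplied, DevicePolicyApplicationStatus,
                  LastSuccessSync |
    Sort-Object DevicePolicyApplicationStatus, DeviceType |
    Format-Table -AutoSize
```

Filtering on HasActiveSyncDevicePartnership avoids running the statistics cmdlet against mailboxes that have never synced a phone, which would otherwise produce a warning per mailbox on a large organization.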

ActiveSync Device Access Rules

Exchange Server 2010 and Office 365 let you specify which smartphones may synchronize with their users' mailboxes from the Internet and which ones Exchange blocks. So, in addition to pushing security settings to the endpoints, you can define which smartphones and other endpoints are allowed to connect to Exchange Server 2010 in the first place. These settings are configured with ActiveSync device access rules.

The easiest way to define these settings is in the Exchange Control Panel, which you can access at https://<servername>/ecp. The settings can be found in the Exchange ActiveSync Access Settings via Phone & Voice | ActiveSync Access (Figure 4).

Figure 4: Managing approved ActiveSync devices.

Device access rules in the ActiveSync Access section let you decide which devices to block or quarantine. Select New at the bottom of the page to create a rule, then choose Device family or Only this model to pick the device type the rule applies to. Click Block Access to block the matching devices. For new devices that Exchange blocks or quarantines, you can also enter a notification text here; users see this message in their mailbox (in Outlook Web App) when they try to synchronize from a blocked or quarantined device.
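The same access control from the Exchange Management Shell, as an added example that is not from the original article: a quarantine default for unknown devices, a block rule for one device family, an allow rule for one model, and a per-user exception for a quarantined device. The mail addresses, the notification text, the mailbox alias "jdoe" and the device query strings are assumptions; use the strings your own devices present, which the second step lists.

```powershell
# Added example, not from the original article. Reproduces the ActiveSync
# Access settings from the Exchange Management Shell. Addresses, the user
# text, the mailbox alias and the query strings are assumed values.

# 1. Unknown devices are quarantined rather than allowed in. The admin
#    recipients get a mail per new device; the user sees UserMailInsert
#    in the notification that lands in their mailbox.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobileadmin@example.com" `
    -UserMailInsert "Your device is waiting for approval by IT. Contact the help desk to have it released."

# 2. Look at the strings connected devices actually present before writing
#    rules; a rule's Characteristic must be DeviceType, DeviceModel,
#    DeviceOS or UserAgent, and QueryString must match exactly.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceUserAgent,
                  DeviceAccessState, DeviceAccessStateReason |
    Sort-Object DeviceType, DeviceModel -Unique |
    Format-Table -AutoSize

# 3. "Device family": block everything that reports itself as Android,
#    since (as noted above) its clients can work around the mailbox policy.
New-ActiveSyncDeviceAccessRule -QueryString "Android" -Characteristic DeviceType -AccessLevel Block

# 4. "Only this model": let one known-good model bypass the quarantine
#    default. The model string is an assumed value; take it from step 2.
New-ActiveSyncDeviceAccessRule -QueryString "iPhone4C1" -Characteristic DeviceModel -AccessLevel Allow

# 5. Per-user exception instead of a rule: release the devices currently
#    quarantined for one mailbox. Per-user allow/block lists take
#    precedence over the organization-wide rules.
$quarantined = Get-ActiveSyncDevice -Mailbox "jdoe" |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" }

foreach ($device in $quarantined) {
    Set-CASMailbox -Identity "jdoe" -ActiveSyncAllowedDeviceIDs @{ Add = $device.DeviceId }
}

# Review the resulting rule set and what is still waiting in quarantine.
Get-ActiveSyncDeviceAccessRule | Format-Table Name, QueryString, Characteristic, AccessLevel -AutoSize
Get-ActiveSyncDevice -Filter { DeviceAccessState -eq "Quarantined" } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceId -AutoSize
```

Order of evaluation matters when you design the rules: a per-user allowed or blocked device ID wins over the organization rules, a matching rule wins over the default access level, and the default applies only to devices nothing else matches. Quarantine as the default is the safer starting point, because a block default turns every new corporate phone into a help-desk call before it can sync at all.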
