Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-02-09
By default, when you install the Client Access server role on a computer that's running Microsoft Exchange Server 2010, you enable Microsoft Exchange ActiveSync. Exchange ActiveSync lets you synchronize a mobile phone with your Exchange 2010 mailbox.
Overview of Exchange ActiveSync
Exchange ActiveSync is a Microsoft Exchange synchronization protocol that's optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an organization's information on a server that's running Microsoft Exchange. Exchange ActiveSync enables mobile phone users to access their e-mail, calendar, contacts, and tasks and to continue to be able to access this information while they're working offline.
Note: Exchange ActiveSync can synchronize e-mail messages, calendar items, contacts, tasks, and notes.
Important: Windows Phone 7 mobile phones only support a subset of all Exchange ActiveSync mailbox policy settings. For a complete list, see Windows Phone 7 Synchronization.
Features in Exchange ActiveSync
Exchange ActiveSync provides the following:
- Support for HTML messages
- Support for follow-up flags
- Conversation grouping of e-mail messages
- Ability to synchronize or not synchronize an entire conversation
- Synchronization of SMS messages with a user's Exchange mailbox
- Support for viewing of message reply status
- Support for fast message retrieval
- Meeting attendee information
- Enhanced Exchange Search
- PIN reset
- Enhanced device security through password policies
- Autodiscover for over-the-air provisioning
- Support for setting auto-replies when users are away, on vacation, or out of the office
- Support for tasks synchronization
- Direct Push
- Support for availability information for contacts
Managing Exchange ActiveSync
By default, Exchange ActiveSync is enabled. All users who have an Exchange mailbox can synchronize their mobile phone with the Microsoft Exchange server.
You can perform the following Exchange ActiveSync tasks:
- Enable and disable Exchange ActiveSync for users
- Set policies such as minimum password length, device locking, and maximum failed password attempts
- Initiate a remote wipe to clear all data from a lost or stolen mobile phone
- Run a variety of reports for viewing or exporting into a reporting solution
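The four tasks above as they are performed in the Exchange Management Shell of Exchange 2010. This is an added example, not commands from the original article; the mailbox "alice", the device name "Alice Phone", the address secops@contoso.com, the policy name and the file paths are placeholders.

```powershell
# Added example, not from the original article. Exchange Management Shell
# (Exchange 2010) commands for the management tasks listed above.
# "alice", "Alice Phone", secops@contoso.com, the policy name and the
# file paths are placeholders.

# 1. Enable or disable Exchange ActiveSync for one user.
Set-CASMailbox -Identity alice -ActiveSyncEnabled $false   # turn it off
Set-CASMailbox -Identity alice -ActiveSyncEnabled $true    # turn it back on

# Review who still has it enabled and which policy applies to them.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncMailboxPolicy, HasActiveSyncDevicePartnership

# 2. Apply a mailbox policy (created with New-ActiveSyncMailboxPolicy) to a user.
Set-CASMailbox -Identity alice -ActiveSyncMailboxPolicy "Corporate Full"

# 3. Remote wipe. Identify the partnership first: a mailbox can have several
#    devices, and the wipe is issued against one device identity.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox alice
$devices | Format-Table DeviceFriendlyName, DeviceType, DeviceId, LastSuccessSync

$lost = $devices | Where-Object { $_.DeviceFriendlyName -eq "Alice Phone" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "secops@contoso.com" -Confirm:$false

# The wipe is only queued here; it runs the next time the phone connects.
# DeviceWipeAckTime is populated once the phone reports that it wiped.
Get-ActiveSyncDeviceStatistics -Identity $lost.Identity |
    Format-List DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 4. Reports. Summarize the IIS log of the Client Access server into usage
#    reports that can be imported into a reporting solution.
Export-ActiveSyncLog -Filename "C:\inetpub\logs\LogFiles\W3SVC1\u_ex110209.log" `
    -StartDate "02/01/2011" -EndDate "02/09/2011" -OutputPath "C:\EASReports"
```

Remote wipe is a queued instruction, so a wipe request on a device that never reconnects is never executed; checking DeviceWipeAckTime after the request is the only confirmation that the data was actually erased.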
Security in Exchange ActiveSync
You can configure Exchange ActiveSync to use Secure Sockets Layer (SSL) encryption for communications between the Exchange server and the mobile phone client. Certificate-based authentication works with a self-signed certificate, a certificate from an existing public key infrastructure, or a third-party commercial certificate. You can use certificate-based authentication together with other security features, such as local device wipe and a device password, to turn the mobile phone into a smartcard. The private key and certificate for client authentication are stored in memory on the mobile phone. If an unauthorized user tries to bypass the mobile phone password, all user data is purged. This includes the certificate and private key. For more security, you can deploy RSA SecurID two-factor authentication on the Exchange server.
Device Security Features in Exchange ActiveSync
In addition to the ability to configure security options for communications between the Exchange server and your mobile phones, Exchange ActiveSync offers the following features to enhance the security of mobile phones:
- Remote wipe: If a mobile phone is lost, stolen, or otherwise compromised, you can issue a remote wipe command from the Exchange Server computer or from any Web browser by using Outlook Web App. This command erases all data from the mobile phone.
- Device password policies: Exchange ActiveSync lets you configure several options for device passwords. These options include the following:
  - Minimum password length (characters): This option specifies the length of the password for the mobile phone. The default length is 4 characters, but as many as 18 can be included.
  - Minimum number of character sets: Use this text box to specify the complexity of the alphanumeric password and force users to use a number of different sets of characters from among the following: lowercase letters, uppercase letters, symbols, and numbers.
  - Require alphanumeric password: This option determines password strength. You can enforce the usage of a character or symbol in the password in addition to numbers.
  - Inactivity time (seconds): This option determines how long the mobile phone must be inactive before the user is prompted for a password to unlock the mobile phone.
  - Enforce password history: Select this check box to force the mobile phone to prevent the user from reusing their previous passwords. The number that you set determines the number of past passwords that the user won't be allowed to reuse.
  - Enable password recovery: Select this check box to enable password recovery for the mobile phone. Users can use Outlook Web App to look up their recovery password and unlock their mobile phone. Administrators can use the EMC to look up a user's recovery password.
  - Wipe device after failed (attempts): This option lets you specify whether you want the phone's memory to be wiped after multiple failed password attempts.
- Device encryption policies: There are a number of mobile phone or device encryption policies that you can enforce for a group of users. These policies include the following:
  - Require encryption on device: Select this check box to require encryption on the mobile phone. This increases security by encrypting all information on the mobile phone.
  - Require encryption on storage cards: Select this check box to require encryption on the mobile phone's removable storage card. This increases security by encrypting all information on the storage cards for the mobile phone.
Windows Phone 7 Synchronization
If you have Windows Phone 7 mobile phones in your organization, these phones will experience synchronization problems if certain Exchange ActiveSync mailbox policy properties are configured. To allow Windows Phone 7 mobile phones to synchronize with an Exchange mailbox, either set the AllowNonProvisionableDevices property to true or only configure the following Exchange ActiveSync mailbox policy properties:
- PasswordRequired
- MinPasswordLength
- IdleTimeoutFrequencyValue
- DeviceWipeThreshold
- AllowSimplePassword
- PasswordExpiration
- PasswordHistory
- DisableRemovableStorage
- DisableIrDA
- DisableDesktopSync
- BlockRemoteDesktop
- BlockInternetSharing
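The password and encryption options from "Device Security Features in Exchange ActiveSync" and the Windows Phone 7 property list above, expressed as Exchange 2010 mailbox policies. This is an added example, not part of the original article. The parameter names are those of the New-ActiveSyncMailboxPolicy and Set-ActiveSyncMailboxPolicy cmdlets; the mapping from the property names listed above (PasswordRequired, MinPasswordLength, IdleTimeoutFrequencyValue, and so on) to those parameters, and the default values used in the final check, are this example's assumptions. The policy names and the mailbox "bob" are placeholders.

```powershell
# Added example, not from the original article. Parameter names are those of
# the Exchange 2010 New-/Set-ActiveSyncMailboxPolicy cmdlets; the mapping from
# the property names listed in the article (PasswordRequired, MinPasswordLength,
# ...) to these parameters, and the defaults in Test-Wp7PolicySubset, are this
# example's assumptions. Policy names and the mailbox "bob" are placeholders.

# A policy using the password and encryption options from "Device Security
# Features". Splatting keeps each setting next to the option it implements.
$fullPolicy = @{
    Name                               = "Corporate Full"
    DevicePasswordEnabled              = $true          # require a device password
    AlphanumericDevicePasswordRequired = $true          # "Require alphanumeric password"
    MinDevicePasswordLength            = 8              # "Minimum password length" (4-18)
    MinDevicePasswordComplexCharacters = 3              # "Minimum number of character sets"
    AllowSimpleDevicePassword          = $false         # no 1111 / 1234 style PINs
    MaxInactivityTimeDeviceLock        = "00:05:00"     # "Inactivity time": lock after 5 min
    MaxDevicePasswordFailedAttempts    = 8              # "Wipe device after failed (attempts)"
    DevicePasswordHistory              = 5              # "Enforce password history"
    DevicePasswordExpiration           = "90.00:00:00"  # days.hh:mm:ss
    PasswordRecoveryEnabled            = $true          # "Enable password recovery"
    RequireDeviceEncryption            = $true          # "Require encryption on device"
    RequireStorageCardEncryption       = $true          # "Require encryption on storage cards"
    AllowNonProvisionableDevices       = $false         # refuse phones that cannot apply the policy
}
New-ActiveSyncMailboxPolicy @fullPolicy

# Windows Phone 7 cannot apply everything above. This variant sets only the
# properties in the list above, mapped to cmdlet parameters (assumed mapping).
$wp7Policy = @{
    Name                            = "WP7 Compatible"
    DevicePasswordEnabled           = $true          # PasswordRequired
    MinDevicePasswordLength         = 6              # MinPasswordLength
    MaxInactivityTimeDeviceLock     = "00:15:00"     # IdleTimeoutFrequencyValue
    MaxDevicePasswordFailedAttempts = 10             # DeviceWipeThreshold
    AllowSimpleDevicePassword       = $false         # AllowSimplePassword
    DevicePasswordExpiration        = "90.00:00:00"  # PasswordExpiration
    DevicePasswordHistory           = 5              # PasswordHistory
    AllowStorageCard                = $false         # DisableRemovableStorage
    AllowIrDA                       = $false         # DisableIrDA
    AllowDesktopSync                = $false         # DisableDesktopSync
    AllowRemoteDesktop              = $false         # BlockRemoteDesktop
    AllowInternetSharing            = $false         # BlockInternetSharing
    AllowNonProvisionableDevices    = $false
}
New-ActiveSyncMailboxPolicy @wp7Policy
Set-CASMailbox -Identity bob -ActiveSyncMailboxPolicy "WP7 Compatible"

# Check an existing policy before assigning it to Windows Phone 7 users: any of
# these settings changed from its default (defaults assumed here; the list
# covers the options discussed in the article, not every parameter) is outside
# the supported subset and will stop those phones from synchronizing unless
# AllowNonProvisionableDevices is $true.
function Test-Wp7PolicySubset {
    param([string]$PolicyName)
    $p = Get-ActiveSyncMailboxPolicy -Identity $PolicyName
    $outsideSubset = @(
        @{ Name = "AlphanumericDevicePasswordRequired"; Default = $false },
        @{ Name = "MinDevicePasswordComplexCharacters";  Default = 1 },
        @{ Name = "PasswordRecoveryEnabled";             Default = $false },
        @{ Name = "RequireDeviceEncryption";             Default = $false },
        @{ Name = "RequireStorageCardEncryption";        Default = $false }
    )
    $problems = foreach ($s in $outsideSubset) {
        if ($p.($s.Name) -ne $s.Default) {
            "{0} = {1} (Windows Phone 7 cannot apply it)" -f $s.Name, $p.($s.Name)
        }
    }
    foreach ($problem in $problems) { Write-Warning "$PolicyName : $problem" }
    return (-not $problems)
}
Test-Wp7PolicySubset -PolicyName "Corporate Full"
Test-Wp7PolicySubset -PolicyName "WP7 Compatible"
```

Keeping AllowNonProvisionableDevices at $false in both policies is the defensive choice: it makes a phone that cannot enforce the policy visible as a sync failure rather than silently admitting it with weaker protection. Setting it to $true is the other option the article names, and it trades that visibility for compatibility.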