You can configure Exchange ActiveSync to use Secure Sockets Layer (SSL) encryption for communications between the Exchange server and the mobile device. Certificate-based authentication works with a self-signed certificate, a certificate from an existing public key infrastructure, or a third-party commercial certificate. You can use certificate-based authentication together with other security features, such as local device wipe and a device password, so the mobile device functions like a smart card. The private key and certificate for client authentication are stored in memory on the mobile phone. If an unauthorized user tries to bypass the mobile device password, all user data is purged. This includes the certificate and private key. For more security, you can deploy RSA SecurID two-factor authentication on the Exchange server.

You can control which mobile devices can synchronize. You do this by monitoring new mobile devices as they connect to your organization or by setting up rules that determine which types of mobile devices are allowed to connect. Regardless of the method you choose to specify which mobile devices can synchronize, you can approve or deny access for any specific mobile device for a specific user at any time

In addition to the ability to configure security options for communications between the Exchange server and your mobile devices, Exchange ActiveSync offers the following features to enhance the security of mobile devices:

• Remote wipe   If a mobile device is lost, stolen, or otherwise compromised, you can issue a remote wipe command from the Exchange Server computer or from any Web browser by using Outlook Web App. This command erases all data from the mobile device.
  
  
• Device password policies   Exchange ActiveSync lets you configure several options for device passwords. These options include the following:
  
  
  • Minimum password length (characters)   This option specifies the length of the password for the mobile device. The default length is 4 characters, but as many as 18 can be included.
    
    
  • Minimum number of character sets   Use this text box to specify the complexity of the alphanumeric password and force users to use a number of different sets of characters from among the following: lowercase letters, uppercase letters, symbols, and numbers.
    
    
  • Require alphanumeric password   This option determines password strength. You can enforce the usage of a character or symbol in the password in addition to numbers.
    
    
  • Inactivity time (seconds)   This option determines how long the mobile device must be inactive before the user is prompted for a password to unlock the mobile device.
    
    
  • Enforce password history   Select this check box to force the mobile phone to prevent the user from reusing their previous passwords. The number that you set determines the number of past passwords that the user won't be allowed to reuse.
    
    
  • Enable password recovery   Select this check box to enable password recovery for the mobile device. Users can use Outlook Web App to look up their recovery password and unlock their mobile device. Administrators can use the Exchange Administration Center to look up a user's recovery password.
    
    
  • Wipe device after failed (attempts)   This option lets you specify whether you want the phone's memory to be wiped after multiple failed password attempts.
    
    
• Device encryption policies   There are a number of mobile device encryption policies that you can enforce for a group of users. These policies include the following:
  
  
  • Require encryption on device   Select this check box to require encryption on the mobile device. This increases security by encrypting all information on the mobile device.
    
    
  • Require encryption on storage cards   Select this check box to require encryption on the mobile device’s removable storage card. This increases security by encrypting all information on the storage cards for the mobile device.