Does Exchange 2013 work as a mobile device management platform?

Exchange 2013 may not be exactly what you need as a mobile device management platform, but some of its features can still fit your needs.

At its origin, Exchange wasn't meant to be a mobile device management platform. It's a communications platform. More specifically, it's a messaging option. Still, many administrators wonder what mobile device management features Exchange 2013 offers and how they compare to other MDM options. And in the ever-mobile enterprise, it's important to know what's available -- and what's not.

When Microsoft first introduced Push Mail (the ancestor to ActiveSync), there was virtually no feature that allowed admins to manage a device used to synchronize with Exchange. That changed when Exchange ActiveSync saw the light.

ActiveSync allows you to create device policies to control certain functions on your mobile phone. These policies include settings that control device encryption, enforce password/PIN policies and enable or disable device features.

The problem with ActiveSync is that mobile device manufacturers can choose how to implement it and what features to support. Because ActiveSync is easy to use and has stable synchronization, it quickly became the industry's standard for synchronizing enterprise messaging options to mobile devices. Unfortunately for Microsoft and its customers, history has shown that the freedom of implementation causes a lot of problems.

First, no uniformity across devices exists, which makes managing a pool of different devices difficult. This is especially true with the hype around bring your own device (BYOD). Enterprise IT departments need an option that honors the BYOD policies and settings they define.

Second, mobile device makers are unable to deliver quality in the ActiveSync parts they choose to implement. In the past, some of these poor implementations led to bigger issues, including instances where badly behaving devices forced servers to their knees.

To overcome these hurdles, Microsoft created the ActiveSync Logo Program to ensure devices that fully support all ActiveSync features would be granted the Designed for ActiveSync logo. Very few devices ever got that far, not because device makers were unable to do so, but because they chose not to: they didn't see the benefit.

Microsoft had to revert to other options. As such, Exchange 2013 introduced enhancements to ActiveSync and the OWA app.

ActiveSync autoblock policies in Exchange 2013

Thanks to the grandeur of Office 365, Microsoft knows how different mobile devices interact with Exchange. In turn, this helped the company develop a feature called ActiveSync AutoBlock Policies.

With this feature, you start by defining thresholds for certain actions: which actions, and how many of them, a mobile device can execute. If a device goes over the threshold, Exchange automatically blocks future connections for a configurable amount of time.

The difficulty of this feature involves defining the thresholds. Every environment is unique, so what's considered a badly behaving device in one environment might just be a busy user in another. That's why properly defining these thresholds is important.
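One way to test candidate thresholds before applying them is to replay observed device activity against them. The following is an added example, not code from the original article or from Microsoft: the event data is constructed, `Test-AutoBlockThreshold` is a hypothetical helper, and the sliding-window count is a simplified model of the feature rather than Exchange's own algorithm.

```powershell
# Constructed sample: one row per sync command, Minute = minutes since the log started.
$events = @(
    # A busy user: 12 syncs, one every 40 minutes
    0..11 | ForEach-Object { [pscustomobject]@{ DeviceId = 'busy-user-phone'; Minute = $_ * 40 } }
    # A misbehaving client: 60 syncs inside 30 minutes
    0..59 | ForEach-Object { [pscustomobject]@{ DeviceId = 'looping-client'; Minute = 200 + [math]::Floor($_ / 2) } }
)

# Hypothetical helper: highest number of events per device inside any window of
# $IncidenceDuration minutes, compared with the candidate limit.
function Test-AutoBlockThreshold {
    param(
        [object[]]$Events,
        [int]$IncidenceLimit,
        [int]$IncidenceDuration
    )
    foreach ($group in ($Events | Group-Object DeviceId)) {
        $minutes = @($group.Group | ForEach-Object { [int]$_.Minute } | Sort-Object)
        $peak = 0
        $start = 0
        for ($end = 0; $end -lt $minutes.Count; $end++) {
            # Slide the left edge forward until the window fits the duration
            while ($minutes[$end] - $minutes[$start] -ge $IncidenceDuration) { $start++ }
            $peak = [math]::Max($peak, $end - $start + 1)
        }
        [pscustomobject]@{
            Limit        = $IncidenceLimit
            DeviceId     = $group.Name
            PeakInWindow = $peak
            # Modelling assumption: a device is blocked once it goes over the limit
            WouldBlock   = ($peak -gt $IncidenceLimit)
        }
    }
}

# A limit of 1 per hour also blocks the busy user; a limit of 10 isolates the looping client.
$report = foreach ($limit in 1, 10) {
    Test-AutoBlockThreshold -Events $events -IncidenceLimit $limit -IncidenceDuration 60
}
$report | Format-Table -AutoSize

# After calibration, the threshold is set in the Exchange Management Shell
# (values here are illustrative, durations are in minutes):
# Set-ActiveSyncDeviceAutoblockThreshold -Identity 'SyncCommands' `
#     -BehaviorTypeIncidenceLimit 10 -BehaviorTypeIncidenceDuration 60 -DeviceBlockDuration 60
```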

But ActiveSync has its limitations. It can't control what is happening on the client side, at least not natively, so Microsoft created the OWA app to retrieve email from Exchange.

As the name implies, the OWA app connects to Exchange similar to the way OWA does and no longer uses ActiveSync. The beauty behind this is that Microsoft circumvents the limitations of ActiveSync and takes control of the endpoint device.

The app is fully compliant with the settings you configure through server-side policies, and I suspect the feature set will only grow over time. The OWA app also supports selective wipes, which wipe only the application's data on a device through Exchange.

Currently, the app is only available for iOS devices and will only work with a new Office 365 tenant. However, Microsoft plans to support the OWA app for on-premises deployments.

Mobile device management platform policies

Exchange cannot control or enforce policies on mobile devices if these devices do not support all of the ActiveSync features. The horrible truth is that even Microsoft's Windows Phone platform isn't fully EAS compatible -- but neither is iOS or Android.
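To see which device platforms are not applying a policy in full, the policy status that Exchange records per device can be summarized. This is an added example, not code from the original article: the rows are constructed and only shaped like `Get-MobileDeviceStatistics` output, and `Get-PolicyComplianceSummary` is a hypothetical helper.

```powershell
# Constructed sample rows. In the Exchange Management Shell the input would come from:
# Get-MobileDevice | ForEach-Object { Get-MobileDeviceStatistics -Identity $_.Identity }
$devices = @(
    [pscustomobject]@{ DeviceModel = 'PhoneA';  DeviceOS = 'OS 1'; DevicePolicyApplied = 'CorpPolicy'; DevicePolicyApplicationStatus = 'AppliedInFull' }
    [pscustomobject]@{ DeviceModel = 'PhoneA';  DeviceOS = 'OS 1'; DevicePolicyApplied = 'CorpPolicy'; DevicePolicyApplicationStatus = 'AppliedInFull' }
    [pscustomobject]@{ DeviceModel = 'PhoneB';  DeviceOS = 'OS 2'; DevicePolicyApplied = 'CorpPolicy'; DevicePolicyApplicationStatus = 'PartiallyApplied' }
    [pscustomobject]@{ DeviceModel = 'PhoneB';  DeviceOS = 'OS 2'; DevicePolicyApplied = 'CorpPolicy'; DevicePolicyApplicationStatus = 'PartiallyApplied' }
    [pscustomobject]@{ DeviceModel = 'TabletC'; DeviceOS = 'OS 3'; DevicePolicyApplied = 'CorpPolicy'; DevicePolicyApplicationStatus = 'NotApplied' }
)

# Hypothetical helper: per platform, how many devices report anything other
# than a fully applied policy, and which statuses were seen.
function Get-PolicyComplianceSummary {
    param([object[]]$Devices)
    foreach ($g in ($Devices | Group-Object DeviceModel, DeviceOS)) {
        $notFull = @($g.Group | Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' })
        [pscustomobject]@{
            Platform        = $g.Name
            Devices         = $g.Count
            NotFullyApplied = $notFull.Count
            Statuses        = (($g.Group.DevicePolicyApplicationStatus | Sort-Object -Unique) -join ', ')
        }
    }
}

Get-PolicyComplianceSummary -Devices $devices |
    Sort-Object NotFullyApplied -Descending |
    Format-Table -AutoSize

# Devices that cannot enforce every setting still sync while the policy has
# AllowNonProvisionableDevices set to $true. To refuse them instead
# ('CorpPolicy' is a placeholder policy name):
# Set-MobileDeviceMailboxPolicy -Identity 'CorpPolicy' -AllowNonProvisionableDevices $false
```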

ActiveSync mobile device policies offer a good way to manage devices. They might not offer all of the features in the aforementioned options, but they get the job done, especially when you only care about reading email. If data-leakage prevention is important, ActiveSync has remote wiping, although this action will wipe all data from the device.

So, is Exchange a good mobile device management platform? From a pure MDM option point of view, probably not. In reality, it depends on what your expectations are. Exchange 2013 has nowhere near the capabilities a full-blown option like Mobile Iron, Airwatch or Symantec MDM offers. But that was never the goal.

Exchange might not be able to control applications you install, and it doesn't allow for remote control. It's a challenge to simply ensure policies are correctly applied. However, it does a pretty good job of dealing with mobile devices from a corporate messaging point of view. If you can look past the limitations like not being able to manage applications, the built-in features (and future features) offer value for their money and will probably fit your needs.

About the author:
Michael Van Horenbeeck is a technology consultant, Microsoft Certified Trainer and Exchange MVP from Belgium, mainly working with Exchange Server, Office 365, Active Directory and a bit of Lync. He has been active in the industry for 12 years and is a frequent blogger, member of the Belgian Unified Communications User Group Pro-Exchange and a regular contributor to The UC Architects podcast.

This was first published in August 2013
