This article can also be found in the Premium Editorial Download "Exchange Insider: Don't dismiss the power of PowerShell."
Download it now to read this article plus other related content.
The popularity of the iPhone, iPad and Android devices presents Exchange administrators with several logistical challenges. These consumer devices are portable and easy to use, and employees expect to use them to access enterprise systems and email from anywhere.
In bring your own device (BYOD) and
Complicating this is the fact that many of the people pushing the hardest for that access are at the executive level. They want their new gadgets configured to access business resources, and it is especially hard to say “No” to them.
What are the key BYOD concerns in relation to Exchange Server?
Exchange administrators are normally concerned about keeping data secure on standardized devices that are procured by the company. Catering to devices that employees have brought in from home, however, can increase security risks.
Consider the following common factors when mixing personal devices with your corporate email infrastructure:
- Data leakage/theft: Personal
devices are just that -- personal. They are rarely encrypted and, particularly in the
case of smartphones, go everywhere with their owners. Since they are typically used with home PCs
and random Wi-Fi access points, mobile
devices are open to all kinds of attacks. These devices are also easily lost or stolen.
If a particular device is connected to corporate email, it likely stores sensitive data. This, in turn, will be accessible to anyone who has access to the handset, including a thief if that device is stolen.
- Ecosystem control: The enterprise doesn’t own endpoint hardware in BYOD, which can make
it difficult to apply ActiveSync mailbox policies to such devices. It can be very hard to persuade
users to disable certain aspects of a beloved technology that they own. You may want to apply a
central policy developed for work, such as disabling removable storage.
Even if you already apply support and security policies to company-owned devices via ActiveSync, you’ll have to work to gain acceptance to apply the same policies to BYOD devices. In addition, IT must set boundaries and specify how far it will support personal devices.
- Proliferation: As “smart device” user interfaces and products like Exchange
Server 2010 have matured, it has become much easier for end users to configure device settings
and connect to corporate resources like email without IT intervention.
Most modern smartphones that have licensed ActiveSync allow users to set up an Exchange mailbox simply by providing an email address.
Since the company doesn’t procure devices under BYOD, it’s easy to deviate from support and security standards.
- Support: If a user wishes to connect a personal device to company mail and things either
don’t work or stop working, who is responsible for fixing the problem? The employee might expect
the IT department to handle it; IT staff might look at things differently, since that device is not
issued by the company.
These issues can be considered “policy” decisions rather than technical issues specific to Exchange, but Exchange administrators should be aware of them so they can make plans to mitigate them within the organization’s email environment.
Addressing BYOD problems: Organizational policies
A number of principles of your existing mobile device security policies might already conflict with the concept of BYOD.
For example, your organization may have a policy stating that no data should be removed from the company on unauthorized USB memory sticks. That said, if you allow BYOD devices to sync email with attachments, data is in effect being removed on non-company equipment.
Furthermore, if you have a policy requiring devices that connect to the network to be configured with relevant restrictions -- say, password complexity, certain applications disabled and Wi-Fi disabled -- you will need to apply it to personal devices.
Users may not initially agree to mobile policies that already apply to company-owned devices. By making an exception for BYOD, however, you may be riding roughshod over existing standards and increasing the risk of enterprise data being compromised.
Organizations should consider modifying their policies so employees understand that if they connect personal devices to the corporate infrastructure, they will be held to the same standards as they are with corporate devices.
Consider what can happen if a BYOD device with company email gets lost. Your organization may have an agreement with the user to “remote wipe” the device. This will result in the deletion of personal texts, photos, video, etc., as well as company data.
If you say that personal mobile devices aren’t subject to that agreement, are you overstepping your legal data-protection limits?
Your organizational policy on BYOD should be clear, and explain what measures the company will take to prevent data or end-user systems from being compromised. In addition, it should also be clear on end-user support.
BYOD technical awareness -- through Exchange Server 2010
How can Exchange administrators know which devices are connecting to Exchange Server and who is using them?
Thankfully, Exchange 2010 provides a number of ways in which you can determine these statistics:
- Using PowerShell: Admins can use PowerShell
cmdlets to both manage and gather ActiveSync information. You can view them by entering the
following command within the Exchange Management Shell:
This will produce output similar to the following in Figure 1 below:
Figure 1: Use Powershell to gather Activesync info.
All the commands in Figure 1 are relevant to both configuring and retrieving data for and from ActiveSync. They are intrinsically linked to the behavior and control of each mobile device -- e.g. iPhone, iPad, Android or Windows Mobile phone -- that connects to your client access servers.
To gain business intelligence about your remote device estate so that you know who and what is connecting, I recommend a few more PowerShell commands:
Parsing IIS Logs for ActiveSync device and user information: Use the cmdlet below to grab all of the ActiveSync data from the Internet Information Services (IIS) logs on your client access servers.
In essence, you can pass the directory that contains the IIS access logs to the Export-ActiveSyncLog cmdlet, which will parse all relevant information into a set of .csv files. These files are saved to the location that you specify in the –OutputPath parameter:
dir C:\inetpub\logs\LogFiles\W3SVC1\*.log | Export-ActiveSyncLog -OutputPath x:\Logs\
Getting ActiveSync device statistics for a specific user: If you want to get statistical information about the mobile devices assigned to a specific user, such as the device type, the last time the Active Sync policy was updated or when the device last connected to your infrastructure, you can use the following cmdlet:
Get-ActiveSyncDeviceStatistics -Mailbox andy | select DeviceType,DeviceUserAgent,LastPolicyUpdateTime,LastSuccessSync
Getting the configured ActiveSync devices for a specific user: If you want to see which devices are associated with a specific account, you can use the Get-ActiveSyncDevice cmdlet:
Get-ActiveSyncDevice –Mailbox “User Mailbox”
A number of other examples on the Web show what you can do with the PS Active Sync cmdlets. One of the best sites on this subject is Steve Goodman’s blog.
- Using Microsoft Log Parser Studio
If you are not a fan of the command line, Microsoft released Log Parser Studio in March 2012. It provides a very nice interface to the Microsoft Log Parser tool. It requires .NET 4.0 and Log Parser 2.2.
Log Parser Studio is useful because it comes pre-packaged with a number of reports that provide key intelligence about which mobile devices are connecting, and to which users they are associated. (Figure 2.)
Figure 2: Here’s a screen shot of Log Parser Studio ActiveSync reports
You can also produce some very cool graphs in Log Parser Studio, presenting a picture of your remote device real estate.
How to secure connected devices with Exchange Server
In the Exchange Management Console, navigate to Organizational Configuration -> Client Access -> Exchange ActiveSync Policies. From there, you can define policies that can be applied to all users or specific groups of users.
Within these policies, you can define password complexity; prevent the download of attachments to a device; and disable features such as the camera, Wi-Fi access or removable storage. You can also control application behavior (Figure 3).
Figure 3: Here’s a look at Exchange 2010 ActiveSync mailbox policies.
Quarantine or block particular handset types: Exchange 2010 has a feature that allows admins to either quarantine or block particular handset types. These are called Active Sync Access Rules.
These rules can apply to all devices and can be tied to a specific manufacturer or particular mobile device type. In my examples, I have applied policies to iPhones.
The quarantine feature of Access Rules may be of particular interest to organizations that want to keep control of devices that connect to their infrastructure.
The quarantine function will stop all or selected devices from initially syncing to a mailbox until they have been verified by a relevant administrator. Admins can filter on the family or the specific device type.
The administrator will get an email letting him know that he needs to allow a specific device for a user, giving the admin control over what devices connect to the infrastructure (Figure 4).
Figure 4: Here's an example of an administrative message for an ActiveSync device.
Exchange administrators can configure access rules via the Exchange Control Panel (ECP) by selecting Phone and Voice -> ActiveSync Access -> Device Access Rules (Figure 5).
Figure 5: Here’s an example of Microsoft ActiveSync device access rules
You can also use PowerShell to configure these rules using the Get-ActiveSyncDeviceAccessRule cmdlet.
Consumerization and BYOD programs will no doubt keep enterprise IT busy. With these policies and commands, Exchange administrators should be able to get a grip on security and control of email and personal devices in the workplace.
Andy Grogan, an Exchange MVP based in the U.K., has worked in the IT industry for the last 14 years -- primarily with Microsoft, HP and IBM technologies. His main passion is Exchange Server, but he also specializes in Active Directory, SQL Server and storage solutions. Andy is currently working for a large council in West London as the Networks and Operations Manager supporting 6,000 customers on more than 240 sites. Visit Andy’s website at www.telnetport25.com/.
This was first published in September 2012