Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


August 21, 2007

Managing Mobile Messaging in Exchange 2007

OWA Light and Exchange ActiveSync help you configure and secure your users’ mobile devices

Executive Summary:
Outlook Mobile Access (OMA) isn’t included in Exchange Server 2007 because Exchange ActiveSync (EAS) and Microsoft Direct Push technology make it obsolete. Microsoft Outlook Web Access (OWA) Light can be used over low-bandwidth connections or devices with limited Web browser capabilities. In Microsoft Exchange Server 2007, you can create EAS policies that require users to have passwords on their mobile devices.

Every year, mobile messaging becomes more popular. The Radicati Group (http://www.radicati.com) estimates that by 2008, 90 percent of professionals will carry a mobile device that can receive email messages. To meet this demand, Microsoft has integrated a plethora of new mobile messaging features into Microsoft Exchange Server 2007. Exchange 2007 works with Windows Mobile devices and even non-Windows devices, although there are several new features that will work only with Windows Mobile 6. Because Exchange 2007’s mobile messaging features are so new, I’ll walk you through how to connect, configure, and secure a mobile device using Exchange 2007.

OWA Light: Exchange 2007’s Alternative to OMA
Several features in Exchange Server 2003 aren’t included in Exchange 2007, and Outlook Mobile Access (OMA) is one of them. A member of Microsoft’s Exchange product team explained to me that OMA wasn't a widely used feature, and that ActiveSync and Direct Push technology make OMA obsolete. If you still need to use OMA, you can do so by keeping an Exchange 2003 server in your organization and configuring the server to host OMA.

Another alternative to using OMA is to use Microsoft Outlook Web Access (OWA) Light. OWA Light is a watered-down version of OWA that's designed to facilitate the use of OWA over low-bandwidth connections or on computers or other devices with limited browser capabilities. OWA Light is also a good choice for those with poor vision because it provides an uncluttered interface with good visual contrast.

OWA Light is actually part of OWA, so to use it you must have an Exchange 2007 server configured with the Client Access server role. To access OWA Light, open your Web browser and enter http://server_name/owa (where server_name is the name of your Exchange server). When the OWA logon screen appears, select the Use Outlook Web Access Light check box, which Figure 1 shows. Once you've logged on, you'll be prompted to confirm your language and time zone. This is a one-time process. This screen also contains an option that you can select if you have poor vision. Click OK, and you’ll be taken to the main OWA Light interface, which Figure 2 shows. As you can see, the OWA Light interface is simpler than the OWA interface in Figure 3.

Connecting a Mobile Device to Exchange 2007
The process of connecting a mobile device to Exchange 2007 is fairly simple but can vary depending on the device’s OS. The procedure that I'm about to explain assumes that you're using Windows Mobile 6.0. (However, the procedure for connecting a Windows Mobile 5.0 device to Exchange is similar.) One thing to keep in mind with any mobile device is that it won't be able to connect to your Exchange organization unless you’ve configured your Exchange server to be accessible via the Internet.

The first part of the configuration process is performed directly on the mobile device. Click Start on the mobile device and select the ActiveSync command from the device’s Programs menu. When the ActiveSync screen appears, read it in case it mentions any device-specific settings. After doing so, click Set Up Your Device.

At this point, the mobile device will prompt you to enter your Exchange organization’s URL. The URL that you enter should be the same as the one you use for OWA, but with one difference. Typically, the URL for OWA ends in either /exchange or /owa, depending on the Exchange version that your OWA server is running; however, you should omit this portion of the URL when entering it now on the mobile device.

Next, you must enter the username, password, and domain name for the person who will be using the device. The screen where you enter this information also contains the Save Password check box, the use of which has sparked debate among Exchange administrators. There are compelling arguments for never saving a password on a mobile device, but because the device can't receive new messages without being properly authenticated, I recommend selecting the Save Password check box.

Click Next, and you'll see a screen that prompts you to choose which types of data you want to synchronize. The options that you select on this screen are up to you, but I recommend synchronizing at least the Inbox and Calendar. Because mobile devices have limited amounts of memory, I recommend using the Settings buttons to control how much data should be synchronized.

Finally, click Finish, and the device should connect to the Exchange server. It might take several minutes for anything to happen, but eventually two circular arrows should appear at the top of the mobile device screen, indicating that data is being synchronized.

Setting Password Policy on a Mobile Device
Prior to Exchange 2003 SP2, one of the problems with mobile devices was that there was no way to require users to use passwords on their devices. Exchange 2003 SP2 lets you create security policies for mobile devices via Exchange ActiveSync (EAS), and Exchange 2007 builds on this capability.

To create a password policy for mobile devices, open Exchange Management Console and navigate through the console tree to Organization Configuration\Client Access. Then click New Exchange ActiveSync Mailbox Policy in the Actions pane. You should now see the New Exchange ActiveSync Mailbox Policy dialog box, which Figure 4 shows.

As you can see in Figure 4, you must begin the process of creating a new EAS mailbox policy by entering a mailbox policy name. This step is actually a lot more significant than you might think. In Exchange 2003 SP2, you could create a security policy for mobile devices, but the policy that you created applied to all mobile-device users. This was a problem because some mobile-device users need more security than others. For example, high-level executives typically have sensitive information on their mobile devices. Therefore, it makes sense to aggressively protect these devices. In contrast, I recently visited a company in which the office assistant had a mobile device for the sole purpose of having the department calendar accessible to him at all times. Because this person’s responsibilities were basically to make sure that corporate events were catered and that the appropriate marketing materials were available to attendees, there was no confidential or sensitive information on this person’s device.

Just below the New Exchange ActiveSync Mailbox Policy dialog box’s Mailbox policy name field are two check boxes: Allow non-provisionable devices and Allow attachments to be downloaded to device. The Allow attachments to be downloaded to device check box is fairly self-explanatory. This check box, however, represents another reason why you might want to implement multiple mobile-device security policies. Email attachments can be one of the biggest threats to security. If you combine that with the fact that attachments can consume a lot of wireless bandwidth, you might decide that only a few mobile users should be allowed to download email attachments to their mobile devices. If you decide to let mobile users download attachments, you might want to enable Windows Mobile 6’s storage-card encryption feature, which lets you provide an extra degree of protection to documents that have been downloaded to a mobile device.

The Allow non-provisionable devices check box, if selected, will let mobile users connect to Exchange 2007 by using mobile devices that can't be fully controlled by the security policy. Keep in mind, however, that if you decide to allow non-provisionable devices, you aren't allowing them globally. The allowance or ban of non-provisionable devices applies only to users who have this particular security policy enabled on their device. It's possible to create multiple policies that let you permit some users to use non-provisionable devices while requiring other users to use provisionable devices only.

The remaining check boxes in the New Exchange ActiveSync Mailbox Policy dialog box are related to the mobile device’s password. As you can see in Figure 4, you have many options when it comes to passwords. You can require strong passwords or allow simple passwords. You can also set a minimum password length, enforce password history, or even require encryption on the device. Essentially, the New Exchange ActiveSync Mailbox Policy dialog box lets you enforce the same types of settings on mobile devices that you’ve been able to enforce on PCs for years. Once you've defined the security policy settings, you can create the policy by clicking New.

Setting Security Policy on a Mobile Device
Now that you’ve created security policies (known as EAS policies) for your mobile device users, you need to assign EAS policies to users. First, open Exchange Management Console and navigate through the console tree to Recipient Configuration\Mailbox. After you do so, the Details pane will display a list of all the mailboxes in your Exchange organization. Double-click the mailbox that you want to assign an EAS policy to, and Exchange Management Console will display the mailbox’s properties page.

Now, select the Mailbox Features tab on the Properties page. As Figure 5 shows, this tab lets you enable and disable various Exchange Server features for the mailbox. Select Exchange ActiveSync from the list and enable it. Then click Properties to reveal the Exchange ActiveSync Properties dialog box, which Figure 6 shows.

As you can see in Figure 6, you can enable an EAS policy for the user by selecting the Apply an Exchange ActiveSync mailbox policy check box. Now, select the policy that you want to assign by clicking Browse, which should bring up a list of available policies. Select the desired policy and click OK twice to assign it to the mailbox. Alternatively, you could use the Set-CASMailbox command to apply a policy to a group of mailboxes. You can see the syntax for this command here (http://technet.microsoft.com/en-us/library/ff7d4dc5-755e-4005-a0a3-631eed3f9b3b.aspx).
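The policy creation and assignment steps above can also be scripted in the Exchange Management Shell. The following is an added example, not part of the original article: the policy names, group names, and password values are hypothetical, and it builds one strict and one relaxed policy to mirror the executive and office-assistant cases described earlier, then lists mailboxes that sync without any policy.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2007 server.
# Policy names, group names, and numeric values below are hypothetical.

# Strict policy for users who carry sensitive data (for example, executives).
New-ActiveSyncMailboxPolicy -Name 'Mobile-Strict' `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -DevicePasswordHistory 5 `
    -DeviceEncryptionEnabled $true `
    -AttachmentsEnabled $false

# Relaxed policy for calendar-only users. Non-provisionable devices may
# connect, so the password settings are enforced only on devices that
# support policy provisioning.
New-ActiveSyncMailboxPolicy -Name 'Mobile-Basic' `
    -AllowNonProvisionableDevices $true `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $true `
    -MinDevicePasswordLength 4 `
    -AttachmentsEnabled $false

# Apply a policy to every mailbox-enabled member of a distribution group.
function Set-GroupEasPolicy {
    param([string]$Group, [string]$Policy)
    Get-DistributionGroupMember -Identity $Group |
        Where-Object { $_.RecipientType -eq 'UserMailbox' } |
        ForEach-Object {
            Set-CASMailbox -Identity $_.Identity `
                -ActiveSyncEnabled $true `
                -ActiveSyncMailboxPolicy $Policy
        }
}

Set-GroupEasPolicy -Group 'Mobile-Executives' -Policy 'Mobile-Strict'
Set-GroupEasPolicy -Group 'Mobile-Assistants' -Policy 'Mobile-Basic'

# Audit: mailboxes that can sync but have no EAS policy assigned.
# These devices connect with no password or encryption requirement.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

Rerun the audit query after each batch of assignments; an empty result means every ActiveSync-enabled mailbox is covered by a policy.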

Self-Service Mobile-Device Administration
One of the problems with mobile-device users is that they're typically isolated from the rest of the company, meaning they can’t simply take their mobile devices to the Help desk when they're having problems. However, Exchange 2007 lets mobile users use OWA to perform various self-service functions related to their mobile devices.

To access these self-service mechanisms, log on to OWA (not OWA Light). Once you're logged on, click Options, and OWA will display a screen filled with various OWA configuration options. The column on the left side of the screen contains various categories of options that you can select. Select the Mobile Devices option from this list, and you'll see the Mobile Devices screen that Figure 7 shows.

I don’t have a mobile device associated with the user account in use in Figure 7, but if mobile devices were registered to the user, those devices would be listed on this screen. To perform one of the various self-service options, select the device on which you want to perform the action (users can have multiple mobile devices), and click one of the four options above the device list.

The first option is Remove Device from List. Users typically choose this option if they’ve purchased a new mobile device or are replacing a unit that was lost or stolen. After all the user’s data has been replicated to the new mobile device, the user can remove the old mobile device from the device list.

The second option is Wipe All Data from Device, which lets users wipe all the data from a mobile device in the event that the device is lost or stolen. Because mobile devices almost always contain sensitive data, you don’t want to just assume that whoever happens to have your mobile device won't be able to get past the device’s password. It's better to wipe the data from the device. Think of this function as a remote-control self-destruct mechanism. Remotely wiping the mobile device destroys any data stored on it and resets the device to its factory defaults.

As you might expect, the Display Recovery Password option lets a user choose to display the recovery password. In the event that you forget the mobile device’s password, Display Recovery Password lets you retrieve the password so that you don’t have to call the Help desk to reset the password for you.

The final option on this screen, Retrieve Log, lets you view information about how your mobile device has been used. Retrieve Log retrieves the device sync log and emails it to you, so that you can easily access it through OWA or whatever email client you use.

Mobile Device Management Made Easy
As mobile-device usage continues to spread, it's important for Exchange to offer not only low-bandwidth connections that work with mobile devices' limited browser capabilities but also security policies for mobile devices. Exchange 2007's mobile-device–management features help you protect data on mobile devices by letting you assign security and password policies, so that you spend less time trying to track down lost or corrupt data on mobile devices and more time managing your Exchange environment.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.