Solved

active sync in 2013

Posted on 2015-02-13
Last Modified: 2015-02-25
I am pretty new to Exchange and trying to understand the basics of active sync. From what I gather it’s a feature that allows users to get corporate mail on their smartphones etc?
Now within the EAC for our cloud mailboxes, then mobile > mobile device mailbox policies, from what I gather this is the actual active sync policies…
In our setup (I don’t work on Exchange) we have 4 different policies, some seem to be far more secure than others (i.e. default). I have exported a list of recipients for EAC, and in there is a column “Exchange Active Sync Policy”,
Q1 – does the “Exchange Active Sync Policy” in the recipients report of EAC tie up to the policies listed in mobile > mobile device mailbox policies?
Q2 – there is a default policy that states no password required and encryption optional – Does that genuinely mean if any recipients who are configured with that policy can have practically no security on their device yet still connect to their 365 mailbox on their personal phone?
Q3 – in terms of password, what is it referring to? I.e. a password to access the phone, as access to our mailboxes is via domain credentials which are already 10 characters minimum, so I wasn’t sure what “password” it was actually referring to.
Q4 – can any user “active sync” to their mailbox for say a personal smartphone, or is there another level of security where admins must first allow them to connect?
Q5 - how or at what stage does an admin assign an active sync policy to a user or group of users? When is this setup?
Question by:pma111

Accepted Solution

by:
Will Szymkowski earned 250 total points
Answers are below...
Q1 - that is correct, in previous versions of Exchange they called it activesync device statistics. In Exchange 2013 it is now Mobile Device Statistics.

Q2 - You would typically have a username and password required to allow mail to an activesync device.

Q3 - you use your domain username and password when connecting to activesync to retrieve mail.

Q4 - If the activesync feature is configured on the mailbox (which it is by default) users will be able to use activesync. If they do not have it enabled they will not be able to connect via activesync.

Q5 - You would assign different policies based on how restrictive you want to keep the user. Activesync mailbox policy can be applied when the account is created or after the account is created (anytime).

Will.

Expert Comment

by:Guy Lidbetter
Hi pma111

To clarify the password bit... Activesync password policy is a separate function to the Username\Password to access email on the device. By setting a require password policy, you will enforce password use on the device before it will allow you to access the device... the same as a normal security pin, however you can enforce a pass phrase as well. So a normal smartphone by default will require a 4 number pin entry to unlock, you can enforce an 8 letter mixed character password to unlock it.

So in answer... yes, if no password policy is set and the user does not lock their phone... they can still access their mailbox.

Assisted Solution

by:Guy Lidbetter
Guy Lidbetter earned 250 total points
Regarding policies...

The ActiveSync Policies can even control what functions are allowed on the phone... i.e. Bluetooth, Camera, access to storage cards etc... you can also set what types of phones are allowed to join based on OS versions and you can quarantine certain types etc. remote wipe, encrypt etc..

It's very granular.

Essentially when a user provisions a phone, they are accepting any policy settings you have created.

You can also create policies based on user types... user, power users, managers...

Regards

Guy

Author Comment

by:pma111
Will, in relation to 4, how can you tell which mailboxes have it enabled and which don't? Thanks again for your help...

Author Comment

by:pma111
And what does the client need to know about the email server in order to establish an active sync connection...

Expert Comment

by:Will Szymkowski
Will, in relation to 4, how can you tell which mailboxes have it enabled and which don't? Thanks again for your help...

You can do this 2 ways. You can either view this info from the EMC under the mailbox properties>mailbox features Tab.

Or

You can use Powershell to get the results as well. You would use the Get-CASMailbox cmdlet.

To have users connect to activesync they can either use the autodiscover for this (if it is configured externally), or you can use the mail.domain.com URL.

You can also test both ways for connectivity using https://testconnectivity.microsoft.com/

Will.

Expert Comment

by:Guy Lidbetter
Hi again pma111

For all users settings
Get-CasMailbox -resultsize unlimited  | Select Displayname, ActiveSyncEnabled

For just Activesync enabled accounts
Get-CasMailbox -resultsize unlimited  | Where {$_.ActiveSyncEnabled} | Select Displayname

For ActiveSync disabled Users
Get-CasMailbox -resultsize unlimited  | Where {-Not($_.ActiveSyncEnabled)} | Select Displayname

Regards

Guy

Expert Comment

by:Guy Lidbetter
Hi pma111 -  I see you've accepted Will's solution, I think I need to clarify his answers (Q's 2,3 and 4) as I do not feel they are correct. I have already elaborated on Q5 above (My assisted solution).
I have copied your question, his answers and made specific notes:

Q2 – there is a default policy that states no password required and encryption optional – Does that genuinely mean if any recipients who are configured with that policy can have practically no security on their device yet still connect to their 365 mailbox on their personal phone?
Q2 - You would typically have a username and password required to allow mail to an activesync device.
The username and password Will here, is the domain account to login to mail. Once this is configured, the device will no longer require input. If the device does not have a lock screen, anyone will be able to read the emails without hindrance. The password policy you are asking about, specifically relates to the phone pin to unlock the device.

Q3 – in terms of password, what is it referring to? I.e. a password to access the phone, as access to our mailboxes is via domain credentials which are already 10 characters minimum, so I wasn’t sure what “password” it was actually referring to.
Q3 - you use your domain username and password when connecting to activesync to retrieve mail.
The password, as you assumed and as mentioned above is used to unlock the device, to make phone calls, check contacts, check emails etc.... not to configure or access activesync. This is your domain user policy and unrelated. Essentially you could have a 10 character password to unlock your phone, and separately a domain username\password to configure activesync

Q4 – can any user “active sync” to their mailbox for say a personal smartphone, or is there another level of security where admins must first allow them to connect?
Q4 - If the activesync feature is configured on the mailbox (which it is by default) users will be able to use activesync. If they do not have it enabled they will not be able to connect via activesync.
Half True - this is the default only. The admin can create a device policy which automatically quarantines any new device attempting to connect to activesync. It can be across board or by device type\family. The user will receive an email stating that an admin is making a decision to allow them access (This can also be customised). The admin will then need to allow the user access from the console.

No offence to Will, however I feel you need to properly understand these policies.

Regards

Guy
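
Added example, not part of the thread or any poster's code: a PowerShell helper that cross-references mailboxes with mobile device mailbox policies and lists the ActiveSync-enabled mailboxes whose policy requires no device password or no device encryption, the situation raised in Q2 and Q3. The helper name Get-WeakEasAssignment and the sample objects are constructed for illustration; the property names are the ones returned by Get-CASMailbox and Get-MobileDeviceMailboxPolicy, and treating a blank policy value as "uses the default policy" is an assumption.

```powershell
# Added example. Against a live organisation, pass real objects instead of the samples:
#   -Mailbox (Get-CASMailbox -ResultSize Unlimited)
#   -Policy  (Get-MobileDeviceMailboxPolicy)
# Separately, (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel shows whether
# new devices are allowed, blocked or quarantined (Q4).
function Get-WeakEasAssignment {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,
        [Parameter(Mandatory)] [object[]] $Policy
    )
    # Index policies by name and remember which one is the organisation default.
    $byName = @{}
    foreach ($p in $Policy) { $byName[[string]$p.Name] = $p }
    $default = $Policy | Where-Object { $_.IsDefault } | Select-Object -First 1

    foreach ($m in ($Mailbox | Where-Object { $_.ActiveSyncEnabled })) {
        # Assumption: a mailbox with no explicit policy falls back to the default policy.
        $name = [string]$m.ActiveSyncMailboxPolicy
        $p = if ($name -and $byName.ContainsKey($name)) { $byName[$name] } else { $default }
        if (-not $p) { continue }

        $gaps = @()
        if (-not $p.PasswordEnabled)         { $gaps += 'no device password required' }
        if (-not $p.RequireDeviceEncryption) { $gaps += 'device encryption not required' }
        if ($gaps.Count -gt 0) {
            [pscustomobject]@{
                DisplayName = $m.DisplayName
                Policy      = $p.Name
                Gaps        = $gaps -join '; '
            }
        }
    }
}

# Constructed sample data (not from a real tenant).
$policies = @(
    [pscustomobject]@{ Name='Default';  IsDefault=$true;  PasswordEnabled=$false; RequireDeviceEncryption=$false }
    [pscustomobject]@{ Name='Managers'; IsDefault=$false; PasswordEnabled=$true;  RequireDeviceEncryption=$true }
)
$mailboxes = @(
    [pscustomobject]@{ DisplayName='User A'; ActiveSyncEnabled=$true;  ActiveSyncMailboxPolicy='Default' }
    [pscustomobject]@{ DisplayName='User B'; ActiveSyncEnabled=$true;  ActiveSyncMailboxPolicy='Managers' }
    [pscustomobject]@{ DisplayName='User C'; ActiveSyncEnabled=$false; ActiveSyncMailboxPolicy='Default' }
    [pscustomobject]@{ DisplayName='User D'; ActiveSyncEnabled=$true;  ActiveSyncMailboxPolicy=$null }
)
Get-WeakEasAssignment -Mailbox $mailboxes -Policy $policies | Format-Table -AutoSize
```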