Solved

active sync in 2013

Posted on 2015-02-13
Last Modified: 2015-02-25
I am pretty new to Exchange and trying to understand the basics of active sync. From what I gather it’s a feature that allows users to get corporate mail on their smartphones etc?
Now within the EAC for our cloud mailboxes, then mobile > mobile device mailbox policies, from what I gather this is the actual active sync policies…
In our setup (I don’t work on Exchange) we have 4 different policies, some seem to be far more secure than others (i.e. default). I have exported a list of recipients for EAC, and in there is a column “Exchange Active Sync Policy”,
Q1 – does the “Exchange Active Sync Policy” in the recipients report of EAC tie up to the policies listed in mobile > mobile device mailbox policies?
Q2 – there is a default policy that states no password required and encryption optional – Does that genuinely mean if any recipients who are configured with that policy can have practically no security on their device yet still connect to their 365 mailbox on their personal phone?
Q3 – in terms of password, what is it referring to? I.e. a password to access the phone, as access to our mailboxes is via domain credentials which are already 10 characters minimum, so I wasn’t sure what “password” it was actually referring to.
Q4 – can any user “active sync” to their mailbox for say a personal smartphone, or is there another level of security where admins must first allow them to connect?
Q5 - how or at what stage does an admin assign an active sync policy to a user or group of users? When is this set up?
0
Question by:pma111
8 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1000 total points
ID: 40607655
Answers are below...
Q1 - that is correct, in previous versions of Exchange they called it activesync device statistics. In Exchange 2013 it is now Mobile Device Statistics.

Q2 - You would typically have a username and password required to allow mail to an activesync device.

Q3 - you use your domain username and password when connecting to activesync to retrieve mail.

Q4 - If the activesync feature is configured on the mailbox (which it is by default) users will be able to use activesync. If they do not have it enabled they will not be able to connect via activesync.

Q5 - You would assign different policies based on how restrictive you want to keep the user. Activesync mailbox policy can be applied when the account is created or after the account is created (anytime).

Will.
0
 
LVL 13

Expert Comment

by:Guy Lidbetter
ID: 40607683
Hi pma111

To clarify the password bit... Activesync password policy is a separate function to the Username\Password to access email on the device. By setting a require password policy, you will enforce password use on the device before it will allow you to access the device... the same as a normal security pin, however you can enforce a pass phrase as well. So a normal smartphone by default will require a 4 number pin entry to unlock, you can enforce an 8 letter mixed character password to unlock it.

So in answer... yes, if no password policy is set and the user does not lock their phone... they can still access their mailbox.
0
 
LVL 13

Assisted Solution

by:Guy Lidbetter
Guy Lidbetter earned 1000 total points
ID: 40607686
Regarding policies...

The ActiveSync Policies can even control what functions are allowed on the phone... i.e. Bluetooth, Camera, access to storage cards etc... you can also set what types of phones are allowed to join based on OS versions and you can quarantine certain types etc. remote wipe, encrypt etc..

It's very granular

Essentially when a user provisions a phone, they are accepting any policy settings you have created.

You can also create policies based on user types... user, power users, managers...

Regards

Guy
0

 
LVL 3

Author Comment

by:pma111
ID: 40609957
Will, in relation to 4, how can you tell which mailboxes have it enabled and which don't? Thanks again for your help...
0
 
LVL 3

Author Comment

by:pma111
ID: 40609960
And what does the client need to know about the email server in order to establish an active sync connection...
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40610060
Will, in relation to 4, how can you tell which mailboxes have it enabled and which don't? Thanks again for your help...

You can do this 2 ways. You can either view this info from the EMC under the mailbox properties>mailbox features Tab.

Or

You can use Powershell to get the results as well. You would use the Get-CASMailbox cmdlet.

To have users connect to activesync they can either use the autodiscover for this (if it is configured externally). Or you can use the mail.domain.com URL.

You can also test both ways for connectivity using https://testconnectivity.microsoft.com/

Will.
0
 
LVL 13

Expert Comment

by:Guy Lidbetter
ID: 40611983
Hi again pma111

For all users settings
Get-CasMailbox -resultsize unlimited  | Select Displayname, ActiveSyncEnabled

For just Activesync enabled accounts
Get-CasMailbox -resultsize unlimited  | Where {$_.ActiveSyncEnabled} | Select Displayname

For ActiveSync disabled Users
Get-CasMailbox -resultsize unlimited  | Where {-Not($_.ActiveSyncEnabled)} | Select Displayname

Regards

Guy
0
 
LVL 13

Expert Comment

by:Guy Lidbetter
ID: 40630375
Hi pma111 -  I see you've accepted Will's solution, I think I need to clarify his answers (Q's 2,3 and 4) as I do not feel they are correct. I have already elaborated on Q5 above (My assisted solution).
I have copied your question, his answers and made specific notes:

Q2 – there is a default policy that states no password required and encryption optional – Does that genuinely mean if any recipients who are configured with that policy can have practically no security on their device yet still connect to their 365 mailbox on their personal phone?
Q2 - You would typically have a username and password required to allow mail to an activesync device.
The username and password Will mentions here is the domain account to log in to mail. Once this is configured, the device will no longer require input. If the device does not have a lock screen, anyone will be able to read the emails without hindrance. The password policy you are asking about specifically relates to the phone pin to unlock the device.

Q3 – in terms of password, what is it referring to? I.e. a password to access the phone, as access to our mailboxes is via domain credentials which are already 10 characters minimum, so I wasn’t sure what “password” it was actually referring to.
Q3 - you use your domain username and password when connecting to activesync to retrieve mail.
The password, as you assumed and as mentioned above, is used to unlock the device, to make phone calls, check contacts, check emails etc.... not to configure or access activesync. This is your domain user policy and unrelated. Essentially you could have a 10 character password to unlock your phone, and separately a domain username\password to configure activesync.

Q4 – can any user “active sync” to their mailbox for say a personal smartphone, or is there another level of security where admins must first allow them to connect?
Q4 - If the activesync feature is configured on the mailbox (which it is by default) users will be able to use activesync. If they do not have it enabled they will not be able to connect via activesync.
Half True - this is the default only. The admin can create a device policy which automatically quarantines any new device attempting to connect to activesync. It can be across the board or by device type\family. The user will receive an email stating that an admin is making a decision to allow them access (This can also be customised). The admin will then need to allow the user access from the console.

No offence to Will, however I feel you need to properly understand these policies.

Regards

Guy
0
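
Added example (not part of the original thread): the audit the question is really after, joining each ActiveSync-enabled mailbox to its assigned policy and flagging policies with no device password or no required encryption. The function name is hypothetical, the sample objects are constructed, and matching the mailbox's ActiveSyncMailboxPolicy value to the policy Name (falling back to the default policy when none is set) is an assumption about how your session renders those properties.

```powershell
# Live input (requires an Exchange session):
#   $mailboxes = Get-CASMailbox -ResultSize Unlimited
#   $policies  = Get-MobileDeviceMailboxPolicy
function Find-WeakActiveSyncAssignment {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Mailboxes,
        [Parameter(Mandatory)] [object[]] $Policies
    )
    # Index policies by name; keep the default for mailboxes with no explicit policy.
    $byName = @{}
    foreach ($p in $Policies) { $byName["$($p.Name)"] = $p }
    $default = $Policies | Where-Object { $_.IsDefault } | Select-Object -First 1

    foreach ($mbx in @($Mailboxes | Where-Object { $_.ActiveSyncEnabled })) {
        $policy = $byName["$($mbx.ActiveSyncMailboxPolicy)"]
        if (-not $policy) { $policy = $default }   # assumption: unassigned means default
        if (-not $policy) { continue }             # nothing to evaluate against

        $gaps = @()
        if (-not $policy.PasswordEnabled)         { $gaps += 'no device password' }
        if (-not $policy.RequireDeviceEncryption) { $gaps += 'encryption not required' }
        if ($gaps.Count -gt 0) {
            [pscustomobject]@{
                DisplayName = $mbx.DisplayName
                Policy      = $policy.Name
                Gaps        = $gaps -join '; '
            }
        }
    }
}

# Constructed sample data standing in for the cmdlet output.
$policies = @(
    [pscustomobject]@{ Name='Default';  IsDefault=$true;  PasswordEnabled=$false; RequireDeviceEncryption=$false }
    [pscustomobject]@{ Name='Managers'; IsDefault=$false; PasswordEnabled=$true;  RequireDeviceEncryption=$true }
)
$mailboxes = @(
    [pscustomobject]@{ DisplayName='Alice'; ActiveSyncEnabled=$true;  ActiveSyncMailboxPolicy='Managers' }
    [pscustomobject]@{ DisplayName='Bob';   ActiveSyncEnabled=$true;  ActiveSyncMailboxPolicy='Default' }
    [pscustomobject]@{ DisplayName='Carol'; ActiveSyncEnabled=$true;  ActiveSyncMailboxPolicy=$null }
    [pscustomobject]@{ DisplayName='Dave';  ActiveSyncEnabled=$false; ActiveSyncMailboxPolicy='Default' }
)
Find-WeakActiveSyncAssignment -Mailboxes $mailboxes -Policies $policies | Format-Table -AutoSize
```

With the sample data, only the enabled mailboxes that resolve to the password-less default policy are listed; the disabled mailbox is skipped because it cannot sync at all.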
