OWA Light and Exchange ActiveSync help you configure and secure your users’ mobile devices
Outlook Mobile Access (OMA) isn’t included in Exchange Server 2007 because Exchange ActiveSync (EAS) and Microsoft Direct Push technology make it obsolete. Microsoft Outlook Web Access (OWA) Light can be used over low-bandwidth connections or devices with limited Web browser capabilities. In Microsoft Exchange Server 2007, you can create EAS policies that require users to have passwords on their mobile devices.
Every year, mobile messaging becomes more popular. The Radicati Group (http://www.radicati.com) estimates that by 2008, 90 percent of professionals will carry a mobile device that can receive email messages. To meet this demand, Microsoft has integrated a plethora of new mobile messaging features into Microsoft Exchange Server 2007. Exchange 2007 works with Windows Mobile devices and even non-Windows devices, although there are several new features that will work only with Windows Mobile 6. Because Exchange 2007’s mobile messaging features are so new, I’ll walk you through how to connect, configure, and secure a mobile device using Exchange 2007.
OWA Light: Exchange 2007’s Alternative to OMA
Several features in Exchange Server 2003 aren’t included in Exchange 2007, and Outlook Mobile Access (OMA) is one of them. A member of Microsoft’s Exchange product team explained to me that OMA wasn't a widely used feature, and that ActiveSync and Direct Push technology make OMA obsolete. If you still need to use OMA, you can do so by keeping an Exchange 2003 server in your organization and configuring the server to host OMA.
Another alternative to using OMA is to use Microsoft Outlook Web Access (OWA) Light. OWA Light is a watered-down version of OWA that's designed to facilitate the use of OWA over low-bandwidth connections or on computers or other devices with limited browser capabilities. OWA Light is also a good choice for those with poor vision because it provides an uncluttered interface with good visual contrast.
OWA Light is actually part of OWA, so to use it you must have an Exchange 2007 server configured with the Client Access server role. To access OWA Light, open your Web browser and enter http://server_name/owa (where server_name is the name of your Exchange server). When the OWA logon screen appears, select the Use Outlook Web Access Light check box, which Figure 1 shows. Once you've logged on, you'll be prompted to confirm your language and time zone. This is a one-time process. This screen also contains an option that you can select if you have poor vision. Click OK, and you’ll be taken to the main OWA Light interface, which Figure 2 shows. As you can see, the OWA Light interface is simpler than the OWA interface in Figure 3.
Connecting a Mobile Device to Exchange 2007
The process of connecting a mobile device to Exchange 2007 is fairly simple but can vary depending on the device’s OS. The procedure that I'm about to explain assumes that you're using Windows Mobile 6.0. (However, the procedure for connecting a Windows Mobile 5.0 device to Exchange is similar.) One thing to keep in mind with any mobile device is that it won't be able to connect to your Exchange organization unless you’ve configured your Exchange server to be accessible via the Internet.
The first part of the configuration process is performed directly on the mobile device. Click Start on the mobile device and select the ActiveSync command from the device’s Programs menu. When the ActiveSync screen appears, read it in case it mentions any device-specific settings. After doing so, click Set Up Your Device.
At this point, the mobile device will prompt you to enter your Exchange organization’s URL. The URL that you enter should be the same as the one you use for OWA, but with one difference. Typically, the URL for OWA ends in either /exchange or /owa, depending on the Exchange version that your OWA server is running; however, you should omit this portion of the URL when entering it now on the mobile device.
Next, you must enter the username, password, and domain name for the person who will be using the device. The screen where you enter this information also contains the Save Password check box, the use of which has sparked debate among Exchange administrators. There are compelling arguments for never saving a password on a mobile device, but because the device can't receive new messages without being properly authenticated, I recommend selecting the Save Password check box.
Click Next, and you'll see a screen that prompts you to choose which types of data you want to synchronize. The options that you select on this screen are up to you, but I recommend synchronizing at least the Inbox and Calendar. Because mobile devices have limited amounts of memory, I recommend using the Settings buttons to control how much data should be synchronized.
Finally, click Finish, and the device should connect to the Exchange server. It might take several minutes for anything to happen, but eventually two circular arrows should appear at the top of the mobile device screen, indicating that data is being synchronized.
Setting Password Policy on a Mobile Device
Prior to Exchange 2003 SP2, one of the problems with mobile devices was that there was no way to require users to use passwords on their devices. Exchange 2003 SP2 lets you create security policies for mobile devices via Exchange ActiveSync (EAS), and Exchange 2007 builds on this capability.
To create a password policy for mobile devices, open Exchange Management Console and navigate through the console tree to Organization Configuration\Client Access. Then click New Exchange ActiveSync Mailbox Policy in the Actions pane. You should now see the New Exchange ActiveSync Mailbox Policy dialog box, which Figure 4 shows.
As you can see in Figure 4, you must begin the process of creating a new EAS mailbox policy by entering a mailbox policy name. This step is actually a lot more significant than you might think. In Exchange 2003 SP2, you could create a security policy for mobile devices, but the policy that you created applied to all mobile-device users. This was a problem because some mobile-device users need more security than others. For example, high-level executives typically have sensitive information on their mobile devices. Therefore, it makes sense to aggressively protect these devices. In contrast, I recently visited a company in which the office assistant had a mobile device for the sole purpose of having the department calendar accessible to him at all times. Because this person’s responsibilities were basically to make sure that corporate events were catered and that the appropriate marketing materials were available to attendees, there was no confidential or sensitive information on this person’s device.
Just below the New Exchange ActiveSync Mailbox Policy dialog box’s Mailbox policy name field are two check boxes: Allow non-provisionable devices and Allow attachments to be downloaded to device. The Allow attachments to be downloaded to device check box is fairly self-explanatory. This check box, however, represents another reason why you might want to implement multiple mobile-device security policies. Email attachments can be one of the biggest threats to security. If you combine that with the fact that attachments can consume a lot of wireless bandwidth, you might decide that only a few mobile users should be allowed to download email attachments to their mobile devices. If you decide to let mobile users download attachments, you might want to enable Windows Mobile 6’s storage-card encryption feature, which lets you provide an extra degree of protection to documents that have been downloaded to a mobile device.
The Allow non-provisionable devices check box, if selected, will let mobile users connect to Exchange 2007 by using mobile devices that can't be fully controlled by the security policy. Keep in mind, however, that if you decide to allow non-provisionable devices, you aren't allowing them globally. The allowance or ban of non-provisionable devices applies only to users who have this particular security policy enabled on their device. It's possible to create multiple policies that let you permit some users to use non-provisionable devices while requiring other users to use provisionable devices only.
The remaining check boxes in the New Exchange ActiveSync Mailbox Policy dialog box are related to the mobile device’s password. As you can see in Figure 4, you have many options when it comes to passwords. You can require strong passwords or allow simple passwords. You can also set a minimum password length, enforce password history, or even require encryption on the device. Essentially, the New Exchange ActiveSync Mailbox Policy dialog box lets you enforce the same types of settings on mobile devices that you’ve been able to enforce on PCs for years. Once you've defined the security policy settings, you can create the policy by clicking New.
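The settings that the New Exchange ActiveSync Mailbox Policy dialog box exposes can also be created from the Exchange Management Shell with New-ActiveSyncMailboxPolicy. The following is an added example, not from the article, that creates the two kinds of policy discussed above: a strict one for users who carry sensitive data and a lighter one for users whose devices hold nothing confidential. The policy names and the specific values are assumptions chosen for illustration; adjust them to your own requirements.

```powershell
# Added example (not from the article): EAS mailbox policies created from the
# Exchange Management Shell. Policy names and values are illustrative assumptions.

# Strict policy for users with sensitive data on their devices (the executive case):
# alphanumeric device password, no simple PINs, history and expiration enforced,
# device encryption required, no attachments, no non-provisionable devices.
New-ActiveSyncMailboxPolicy -Name "EAS-Executives" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -DevicePasswordHistory 5 `
    -DevicePasswordExpiration 90.00:00:00 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -DeviceEncryptionEnabled $true `
    -AttachmentsEnabled $false `
    -AllowNonProvisionableDevices $false `
    -PasswordRecoveryEnabled $true

# Lighter policy for users whose devices carry no confidential data (the
# department-calendar case): a password is still required, but a simple PIN is
# acceptable, attachments are allowed, and non-provisionable devices may connect.
New-ActiveSyncMailboxPolicy -Name "EAS-Basic" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $true `
    -MinDevicePasswordLength 4 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -AttachmentsEnabled $true `
    -AllowNonProvisionableDevices $true `
    -PasswordRecoveryEnabled $true

# Review the policies that now exist in the organization, showing the settings
# that matter most for comparing them side by side.
Get-ActiveSyncMailboxPolicy |
    Format-Table Name, DevicePasswordEnabled, AlphanumericDevicePasswordRequired,
        MinDevicePasswordLength, DeviceEncryptionEnabled, AttachmentsEnabled,
        AllowNonProvisionableDevices -AutoSize
```

Each parameter maps to one of the dialog box's check boxes or fields: DevicePasswordEnabled is the top-level password requirement, AlphanumericDevicePasswordRequired and AllowSimpleDevicePassword correspond to the strong-versus-simple password options, DevicePasswordHistory to password history, and DeviceEncryptionEnabled to the require-encryption option. MaxInactivityTimeDeviceLock and DevicePasswordExpiration take time spans; the values shown (a five-minute lock and a 90-day expiration) are only examples.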
Setting Security Policy on a Mobile Device
Now that you’ve created security policies (known as EAS policies) for your mobile device users, you need to assign EAS policies to users. First, open Exchange Management Console and navigate through the console tree to Recipient Configuration\Mailbox. After you do so, the Details pane will display a list of all the mailboxes in your Exchange organization. Double-click the mailbox that you want to assign an EAS policy to, and Exchange Management Console will display the mailbox’s properties page.
Now, select the Mailbox Features tab on the Properties page. As Figure 5 shows, this tab lets you enable and disable various Exchange Server features for the mailbox. Select Exchange ActiveSync from the list and enable it. Then click Properties to reveal the Exchange ActiveSync Properties dialog box, which Figure 6 shows.
As you can see in Figure 6, you can enable an EAS policy for the user by selecting the Apply an Exchange ActiveSync mailbox policy check box. Now, select the policy that you want to assign by clicking Browse, which should bring up a list of available policies. Select the desired policy and click OK twice to assign it to the mailbox. Alternatively, you could use the Set-CASMailbox command to apply a policy to a group of mailboxes. You can see the syntax for this command here (http://technet.microsoft.com/en-us/library/ff7d4dc5-755e-4005-a0a3-631eed3f9b3b.aspx).
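Where Figure 6 walks through assigning a policy to a single mailbox, the Set-CASMailbox route the article mentions is what you would use for a whole group. The following is an added example, not from the article, that applies one policy to every mailbox-enabled member of a distribution group and then checks the result. The group name and policy name are assumptions; the final query is a defensive check worth running regardless of how policies were assigned.

```powershell
# Added example (not from the article): assign an EAS mailbox policy to a group of
# mailboxes with Set-CASMailbox and verify. The group name "Executives" and the
# policy name "EAS-Executives" are illustrative assumptions.

$policyName = "EAS-Executives"
$groupName  = "Executives"

# Resolve only the mailbox-enabled members of the group; Set-CASMailbox cannot
# target mail contacts or nested groups, so those members are filtered out.
$members = Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.RecipientType -like "*Mailbox*" }

foreach ($m in $members) {
    # Enable Exchange ActiveSync on the mailbox and bind the policy. This is the
    # shell equivalent of the Mailbox Features tab and the Apply an Exchange
    # ActiveSync mailbox policy check box.
    Set-CASMailbox -Identity $m.Identity `
        -ActiveSyncEnabled $true `
        -ActiveSyncMailboxPolicy $policyName
}

# Confirm that each member now carries the expected policy.
$members | ForEach-Object { Get-CASMailbox -Identity $_.Identity } |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize

# Organization-wide gap check: a mailbox with ActiveSync enabled but no policy
# assigned is not subject to any device password requirement at all.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Format-Table Name, ServerName -AutoSize
```

The gap check at the end is the one to schedule: a mailbox created after the policies were set up, or one whose ActiveSync was enabled without visiting the Exchange ActiveSync Properties dialog box, will show up there.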
Self-Service Mobile-Device Administration
One of the problems with mobile-device users is that they're typically isolated from the rest of the company, meaning they can’t simply take their mobile devices to the Help desk when they're having problems. However, Exchange 2007 lets mobile users use OWA to perform various self-service functions related to their mobile devices.
To access these self-service mechanisms, log on to OWA (not OWA Light). Once you're logged on, click Options, and OWA will display a screen filled with various OWA configuration options. The column on the left side of the screen contains various categories of options that you can select. Select the Mobile Devices option from this list, and you'll see the Mobile Devices screen that Figure 7 shows.
I don’t have a mobile device associated with the user account in use in Figure 7, but if mobile devices were registered to the user, those devices would be listed on this screen. To perform one of the various self-service options, select the device on which you want to perform the action (users can have multiple mobile devices), and click one of the four options above the device list.
The first option is Remove Device from List. Users typically choose this option if they’ve purchased a new mobile device or are replacing a unit that was lost or stolen. After all the user’s data has been replicated to the new mobile device, the user can remove the old mobile device from the device list.
The second option is Wipe All Data from Device, which lets users wipe all the data from a mobile device in the event that the device is lost or stolen. Because mobile devices almost always contain sensitive data, you don’t want to just assume that whoever happens to have your mobile device won't be able to get past the device’s password. It's better to wipe the data from the device. Think of this function as a remote-control self-destruct mechanism. Remotely wiping the mobile device destroys any data stored on it and resets the device to its factory defaults.
As you might expect, the Display Recovery Password option shows the user the device's recovery password. If you forget the mobile device’s password, Display Recovery Password lets you retrieve the recovery password yourself, so that you don’t have to call the Help desk to reset the device password for you.
The final option on this screen, Retrieve Log, lets you view information about how your mobile device has been used. Retrieve Log retrieves the device sync log and emails it to you, so that you can easily access it through OWA or whatever email client you use.
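The self-service options above assume that the user can still log on to OWA. When a device is reported lost and the user cannot, an administrator can issue the same wipe from the Exchange Management Shell. The following is an added example, not from the article, that lists a user's device partnerships, issues a remote wipe with Clear-ActiveSyncDevice, and re-reads the device statistics to confirm the wipe's progress. The mailbox alias and the notification address are assumptions.

```powershell
# Added example (not from the article): administrator-side remote wipe, the
# counterpart to the OWA Wipe All Data from Device option. The mailbox alias
# "jsmith" and the notification address are illustrative assumptions.

$mailbox = "jsmith"

# List every device partnership for the mailbox. Users can have several devices,
# so the DeviceID, type and last successful sync are what identify the right one.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices | Format-Table DeviceID, DeviceType, DeviceModel, LastSuccessSync,
    DeviceWipeRequestTime -AutoSize

# Select the device reported lost. For the example this takes the device that
# synced most recently; in practice, confirm the DeviceID with the user first,
# because a wipe resets the device to factory defaults and cannot be undone.
$lost = $devices | Sort-Object LastSuccessSync -Descending | Select-Object -First 1

# Issue the wipe. The device carries out the command the next time it connects,
# so a device that stays offline is not wiped; the notification address receives
# a message when the device acknowledges the wipe.
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "helpdesk@contoso.example" `
    -Confirm:$false

# Re-read the statistics to follow the wipe through its three stages:
# requested, sent to the device, and acknowledged by the device.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $lost.DeviceID } |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

A populated DeviceWipeRequestTime with an empty DeviceWipeAckTime means the device has not connected since the wipe was issued; keep the mailbox's credentials reset in the meantime, because until the device checks in, the wipe has not protected anything.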
Mobile Device Management Made Easy
As mobile-device usage continues to spread, it's important for Exchange to not only offer low-bandwidth connections that will work with mobile devices' limited browser capabilities but also security policies for mobile devices. Exchange 2007's mobile-device management features help you protect data on mobile devices by letting you assign security and password policies, so that you spend less time trying to track down lost or corrupt data on mobile devices and more time managing your Exchange environment.