Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


August 21, 2007

Managing Mobile Messaging in Exchange 2007

OWA Light and Exchange ActiveSync help you configure and secure your users’ mobile devices

Executive Summary:
Outlook Mobile Access (OMA) isn’t included in Exchange Server 2007 because Exchange ActiveSync (EAS) and Microsoft Direct Push technology make it obsolete. Microsoft Outlook Web Access (OWA) Light can be used over low-bandwidth connections or devices with limited Web browser capabilities. In Microsoft Exchange Server 2007, you can create EAS policies that require users to have passwords on their mobile devices.

Every year, mobile messaging becomes more popular. The Radicati Group (http://www.radicati.com) estimates that by 2008, 90 percent of professionals will carry a mobile device that can receive email messages. To meet this demand, Microsoft has integrated a plethora of new mobile messaging features into Microsoft Exchange Server 2007. Exchange 2007 works with Windows Mobile devices and even non-Windows devices, although there are several new features that will work only with Windows Mobile 6. Because Exchange 2007’s mobile messaging features are so new, I’ll walk you through how to connect, configure, and secure a mobile device using Exchange 2007.

OWA Light: Exchange 2007’s Alternative to OMA
Several features in Exchange Server 2003 aren’t included in Exchange 2007, and Outlook Mobile Access (OMA) is one of them. A member of Microsoft’s Exchange product team explained to me that OMA wasn't a widely used feature, and that ActiveSync and Direct Push technology make OMA obsolete. If you still need to use OMA, you can do so by keeping an Exchange 2003 server in your organization and configuring the server to host OMA.

Another alternative to using OMA is to use Microsoft Outlook Web Access (OWA) Light. OWA Light is a watered-down version of OWA that's designed to facilitate the use of OWA over low-bandwidth connections or on computers or other devices with limited browser capabilities. OWA Light is also a good choice for those with poor vision because it provides an uncluttered interface with good visual contrast.

OWA Light is actually part of OWA, so to use it you must have an Exchange 2007 server configured with the Client Access server role. To access OWA Light, open your Web browser and enter http://server_name/owa (where server_name is the name of your Exchange server). When the OWA logon screen appears, select the Use Outlook Web Access Light check box, which Figure 1 shows. Once you've logged on, you'll be prompted to confirm your language and time zone. This is a one-time process. This screen also contains an option that you can select if you have poor vision. Click OK, and you’ll be taken to the main OWA Light interface, which Figure 2 shows. As you can see, the OWA Light interface is simpler than the OWA interface in Figure 3.

Connecting a Mobile Device to Exchange 2007
The process of connecting a mobile device to Exchange 2007 is fairly simple but can vary depending on the device’s OS. The procedure that I'm about to explain assumes that you're using Windows Mobile 6.0. (However, the procedure for connecting a Windows Mobile 5.0 device to Exchange is similar.) One thing to keep in mind with any mobile device is that it won't be able to connect to your Exchange organization unless you’ve configured your Exchange server to be accessible via the Internet.

The first part of the configuration process is performed directly on the mobile device. Click Start on the mobile device and select the ActiveSync command from the device’s Programs menu. When the ActiveSync screen appears, read it in case it mentions any device-specific settings. After doing so, click Set Up Your Device.

At this point, the mobile device will prompt you to enter your Exchange organization’s URL. The URL that you enter should be the same as the one you use for OWA, but with one difference. Typically, the URL for OWA ends in either /exchange or /owa, depending on the Exchange version that your OWA server is running; however, you should omit this portion of the URL when entering it now on the mobile device.

Next, you must enter the username, password, and domain name for the person who will be using the device. The screen where you enter this information also contains the Save Password check box, the use of which has sparked debate among Exchange administrators. There are compelling arguments for never saving a password on a mobile device, but because the device can't receive new messages without being properly authenticated, I recommend selecting the Save Password check box.

Click Next, and you'll see a screen that prompts you to choose which types of data you want to synchronize. The options that you select on this screen are up to you, but I recommend synchronizing at least the Inbox and Calendar. Because mobile devices have limited amounts of memory, I recommend using the Settings buttons to control how much data should be synchronized.

Finally, click Finish, and the device should connect to the Exchange server. It might take several minutes for anything to happen, but eventually two circular arrows should appear at the top of the mobile device screen, indicating that data is being synchronized.

Setting Password Policy on a Mobile Device
Prior to Exchange 2003 SP2, one of the problems with mobile devices was that there was no way to require users to use passwords on their devices. Exchange 2003 SP2 lets you create security policies for mobile devices via Exchange ActiveSync (EAS), and Exchange 2007 builds on this capability.

To create a password policy for mobile devices, open Exchange Management Console and navigate through the console tree to Organization Configuration\Client Access. Then click New Exchange ActiveSync Mailbox Policy in the Actions pane. You should now see the New Exchange ActiveSync Mailbox Policy dialog box, which Figure 4 shows.

As you can see in Figure 4, you must begin the process of creating a new EAS mailbox policy by entering a mailbox policy name. This step is actually a lot more significant than you might think. In Exchange 2003 SP2, you could create a security policy for mobile devices, but the policy that you created applied to all mobile-device users. This was a problem because some mobile-device users need more security than others. For example, high-level executives typically have sensitive information on their mobile devices. Therefore, it makes sense to aggressively protect these devices. In contrast, I recently visited a company in which the office assistant had a mobile device for the sole purpose of having the department calendar accessible to him at all times. Because this person’s responsibilities were basically to make sure that corporate events were catered and that the appropriate marketing materials were available to attendees, there was no confidential or sensitive information on this person’s device.

Just below the New Exchange ActiveSync Mailbox Policy dialog box’s Mailbox policy name field are two check boxes: Allow non-provisionable devices and Allow attachments to be downloaded to device. The Allow attachments to be downloaded to device check box is fairly self-explanatory. This check box, however, represents another reason why you might want to implement multiple mobile-device security policies. Email attachments can be one of the biggest threats to security. If you combine that with the fact that attachments can consume a lot of wireless bandwidth, you might decide that only a few mobile users should be allowed to download email attachments to their mobile devices. If you decide to let mobile users download attachments, you might want to enable Windows Mobile 6’s storage-card encryption feature, which lets you provide an extra degree of protection to documents that have been downloaded to a mobile device.

The Allow non-provisionable devices check box, if selected, will let mobile users connect to Exchange 2007 by using mobile devices that can't be fully controlled by the security policy. Keep in mind, however, that if you decide to allow non-provisionable devices, you aren't allowing them globally. The allowance or ban of non-provisionable devices applies only to users who have this particular security policy enabled on their device. It's possible to create multiple policies that let you permit some users to use non-provisionable devices while requiring other users to use provisionable devices only.

The remaining check boxes in the New Exchange ActiveSync Mailbox Policy dialog box are related to the mobile device’s password. As you can see in Figure 4, you have many options when it comes to passwords. You can require strong passwords or allow simple passwords. You can also set a minimum password length, enforce password history, or even require encryption on the device. Essentially, the New Exchange ActiveSync Mailbox Policy dialog box lets you enforce the same types of settings on mobile devices that you’ve been able to enforce on PCs for years. Once you've defined the security policy settings, you can create the policy by clicking New.

Setting Security Policy on a Mobile Device
Now that you’ve created security policies (known as EAS policies) for your mobile device users, you need to assign EAS policies to users. First, open Exchange Management Console and navigate through the console tree to Recipient Configuration\Mailbox. After you do so, the Details pane will display a list of all the mailboxes in your Exchange organization. Double-click the mailbox that you want to assign an EAS policy to, and Exchange Management Console will display the mailbox’s properties page.

Now, select the Mailbox Features tab on the Properties page. As Figure 5 shows, this tab lets you enable and disable various Exchange Server features for the mailbox. Select Exchange ActiveSync from the list and enable it. Then click Properties to reveal the Exchange ActiveSync Properties dialog box, which Figure 6 shows.

As you can see in Figure 6, you can enable an EAS policy for the user by selecting the Apply an Exchange ActiveSync mailbox policy check box. Now, select the policy that you want to assign by clicking Browse, which should bring up a list of available policies. Select the desired policy and click OK twice to assign it to the mailbox. Alternatively, you could use the Set-CASMailbox command to apply a policy to a group of mailboxes. You can see the syntax for this command here (http://technet.microsoft.com/en-us/library/ff7d4dc5-755e-4005-a0a3-631eed3f9b3b.aspx).
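The same create-and-assign workflow can be scripted in the Exchange Management Shell. The following is an added example, not code from the article; the policy names, the Executives group, and the specific password values are hypothetical, chosen to mirror the executive and calendar-only scenarios described earlier.

```powershell
# Added example for the Exchange Management Shell.
# Policy names, group name and numeric values are hypothetical.

# Strict policy for users who carry sensitive data on their devices.
New-ActiveSyncMailboxPolicy -Name 'EAS-Executives' `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -DevicePasswordHistory 5 `
    -DeviceEncryptionEnabled $true `
    -AttachmentsEnabled $true `
    -AllowNonProvisionableDevices $false

# Lighter policy for calendar-only users: a short password is still
# required, but attachments never reach the device.
New-ActiveSyncMailboxPolicy -Name 'EAS-CalendarOnly' `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 4 `
    -AttachmentsEnabled $false `
    -AllowNonProvisionableDevices $false

# Assign the strict policy to every mailbox in a distribution group.
# Non-mailbox members (contacts, nested groups) are skipped.
Get-DistributionGroupMember -Identity 'Executives' |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.DistinguishedName `
            -ActiveSyncEnabled $true `
            -ActiveSyncMailboxPolicy 'EAS-Executives'
    }

# Audit: mailboxes that can sync but have no explicitly assigned policy.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

Running the audit query after each round of assignments shows which EAS-enabled mailboxes still fall outside any password policy.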

Self-Service Mobile-Device Administration
One of the problems with mobile-device users is that they're typically isolated from the rest of the company, meaning they can’t simply take their mobile devices to the Help desk when they're having problems. However, Exchange 2007 lets mobile users use OWA to perform various self-service functions related to their mobile devices.

To access these self-service mechanisms, log on to OWA (not OWA Light). Once you're logged on, click Options, and OWA will display a screen filled with various OWA configuration options. The column on the left side of the screen contains various categories of options that you can select. Select the Mobile Devices option from this list, and you'll see the Mobile Devices screen that Figure 7 shows.

I don’t have a mobile device associated with the user account in use in Figure 7, but if mobile devices were registered to the user, those devices would be listed on this screen. To perform one of the various self-service options, select the device on which you want to perform the action (users can have multiple mobile devices), and click one of the four options above the device list.

The first option is Remove Device from List. Users typically choose this option if they’ve purchased a new mobile device or are replacing a unit that was lost or stolen. After all the user’s data has been replicated to the new mobile device, the user can remove the old mobile device from the device list.

The second option is Wipe All Data from Device, which lets users wipe all the data from a mobile device in the event that the device is lost or stolen. Because mobile devices almost always contain sensitive data, you don’t want to just assume that whoever happens to have your mobile device won't be able to get past the device’s password. It's better to wipe the data from the device. Think of this function as a remote-control self-destruct mechanism. Remotely wiping the mobile device destroys any data stored on it and resets the device to its factory defaults.

As you might expect, the Display Recovery Password option lets a user choose to display the recovery password. In the event that you forget the mobile device’s password, Display Recovery Password lets you retrieve the password so that you don’t have to call the Help desk to reset the password for you.

The final option on this screen, Retrieve Log, lets you view information about how your mobile device has been used. Retrieve Log retrieves the device sync log and emails it to you, so that you can easily access it through OWA or whatever email client you use.
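When a user who has lost a device can't reach OWA, an administrator can perform the same wipe and removal from the Exchange Management Shell. This is an added example, not code from the article; the mailbox alias and device ID are placeholders.

```powershell
# Added example for the Exchange Management Shell.
# 'jsmith' and 'PLACEHOLDER-DEVICE-ID' are placeholders, not values from the article.
$mailbox  = 'jsmith'
$deviceId = 'PLACEHOLDER-DEVICE-ID'

# 1. List every device partnered with the mailbox so the lost unit can be
#    identified by type, ID and last successful sync.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceID, LastSuccessSync -AutoSize

# 2. Select the lost device and request the wipe. -Confirm forces a prompt,
#    because a wipe resets the device to its factory defaults.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $deviceId }

if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$true
} else {
    Write-Warning "No device with ID $deviceId is partnered with $mailbox."
}

# 3. The wipe is carried out only when the device next contacts the server.
#    An empty DeviceWipeAckTime means the data may still be on the device.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $deviceId } |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 4. Once the acknowledgement time is set, remove the old partnership
#    (the shell equivalent of Remove Device from List).
# Remove-ActiveSyncDevice -Identity $lost.Identity
```

Step 4 is left commented out so that the partnership is removed only after step 3 shows an acknowledgement time.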

Mobile Device Management Made Easy
As mobile-device usage continues to spread, it's important for Exchange to offer not only low-bandwidth connections that work with mobile devices' limited browser capabilities but also security policies for those devices. Exchange 2007's mobile-device–management features help you protect data on mobile devices by letting you assign security and password policies, so that you spend less time trying to track down lost or corrupt data on mobile devices and more time managing your Exchange environment.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.