ActiveSync mailbox policies vs. Windows Intune: What's better for MDM?

At one time, ActiveSync and Intune were so similar that it hardly mattered which one admins chose to manage mobile devices. That's no longer the case.

Microsoft Exchange ActiveSync has long been the standard for connecting mobile devices with end-user mailboxes.

Not only does it enable mobile mailbox access, it can also be used for corporate mobile device management. A series of ActiveSync policies built into Exchange Server allows administrators to provision mobile devices according to the corporate security policy.

Many admins rely on Exchange Server's ActiveSync mailbox policies (called Mobile Device Mailbox Policies in Exchange 2013), but those aren't the only option for managing mobile devices. Windows Intune is another, and ActiveSync mailbox policies and Windows Intune offer overlapping mobile device management capabilities. So which tool should you use?

The answer to this question ultimately depends on your organization's needs. If you're already using ActiveSync Mailbox Policies to manage mobile devices and Exchange Server is adequately meeting all of your MDM needs, there's probably no reason to use Windows Intune. However, if you're just beginning to evaluate your MDM options, it's a good idea to look at both technologies to see which is a better fit.

What does Exchange 2013 bring to the table?

Exchange Server 2013 can manage mobile devices by device type. Administrators can choose to allow, block or quarantine specific device models -- or even entire device families.

Exchange 2013's mobile device policies are largely security-related. For example, it's possible to specify password length and complexity and to implement an automatic device wipe after a specified number of failed password attempts.

Although the Exchange admin center (EAC) exposes only a limited number of policy settings, the Exchange Management Shell has many more available. These additional settings are primarily oriented toward mobile device hardware usage. For example, you can use a mobile device mailbox policy to disable a device's camera or to turn off Bluetooth.
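The following is an added example, not part of the original article, showing how the controls described above are configured from the Exchange 2013 Management Shell: the password and wipe settings visible in the EAC, the hardware restrictions that only the shell exposes, policy assignment to a mailbox, and the device access rules that allow, block or quarantine by device type. The policy name Corp-Secure, the mailbox alias jdoe, the notification address and the device type strings are assumptions; substitute your own.

```powershell
# Added example (not from the article). Exchange 2013 Management Shell.
# "Corp-Secure", "jdoe", the e-mail address and the device type strings are assumptions.

# 1. Password and lockout settings (the ones the EAC also exposes).
#    AllowNonProvisionableDevices $false refuses devices that cannot enforce the policy.
New-MobileDeviceMailboxPolicy -Name "Corp-Secure" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordLength 8 `
    -MinPasswordComplexCharacters 2 `
    -MaxInactivityTimeLock "00:05:00" `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Hardware-usage settings that the EAC does not expose.
Set-MobileDeviceMailboxPolicy -Identity "Corp-Secure" `
    -AllowCamera $false `
    -AllowBluetooth Disable `
    -AllowStorageCard $false

# 3. Assign the policy to one mailbox, or make it the default for all mailboxes
#    that have no explicit policy.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Corp-Secure"
# Set-MobileDeviceMailboxPolicy -Identity "Corp-Secure" -IsDefault $true

# 4. Device access rules: allow, block or quarantine by device family or model.
#    -Characteristic may also be DeviceModel, DeviceOS or UserAgent.
New-ActiveSyncDeviceAccessRule -QueryString "iPhone"  -Characteristic DeviceType -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -QueryString "Android" -Characteristic DeviceType -AccessLevel Quarantine

# 5. Anything that matches no rule is quarantined, and an admin is notified.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "easadmin@contoso.com"

# Review the result.
Get-MobileDeviceMailboxPolicy -Identity "Corp-Secure" | Format-List *Password*, Allow*, Require*
Get-ActiveSyncDeviceAccessRule | Format-Table Name, QueryString, Characteristic, AccessLevel -AutoSize
```

Quarantining rather than blocking unknown device types is the conservative default: the user receives the quarantine notice, the admin gets the device details, and an explicit access rule can then be written once the device's policy support has been checked.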

What does Windows Intune offer Exchange admins?

ActiveSync mailbox policies are primarily designed to secure mobile devices, whereas Windows Intune is built for mobile device management more broadly. For example, Windows Intune provides health alerts for mobile devices and can be used to deliver applications.

Just as Exchange uses ActiveSync to apply policy settings to mobile devices, Windows Intune also provides comprehensive policy management. In fact, Windows Intune can take advantage of Active Directory security groups.

An important caveat about mobile device manufacturers

Regardless of whether you choose Exchange Server or Windows Intune for your MDM needs, there is one extremely important caveat: Mobile device manufacturers offer support for ActiveSync policies as they see fit.

Each device manufacturer or mobile OS developer can pick and choose which ActiveSync policy settings to support. A manufacturer might support the password-related policies but not the policies related to device encryption. Because both Exchange and Windows Intune depend on ActiveSync policies at some level, the same policy can be enforced fully on one device type and only partially on another.

Even some of Microsoft's own devices lack support for several policies. The policy setting that enforces storage card encryption, for example, is not supported on Windows Phone 7, 7.5 or 8 devices. Similarly, your ability to apply policy settings varies widely among non-Microsoft devices, so check each device's reported policy status rather than assuming the assigned policy is in force.
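Because a device only enforces the policy settings it chooses to support, the practical check is to ask Exchange what each synchronized device reports back. The following is an added example, not part of the original article, that uses the Exchange 2013 Management Shell to list every device whose assigned policy was not applied in full. The field names are those returned by Get-MobileDeviceStatistics; the output path is an assumption.

```powershell
# Added example (not from the article). Exchange 2013 Management Shell.
# Each device reports on sync whether it applied the assigned policy. The
# DevicePolicyApplicationStatus field is what exposes the manufacturer-support gap.

$report = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq "UserMailbox" } |
    ForEach-Object {
        Get-MobileDeviceStatistics -Mailbox $_.Identity -ErrorAction SilentlyContinue |
            Select-Object @{Name = "Mailbox"; Expression = { $_.Identity.Parent }},
                          DeviceType, DeviceModel, DeviceOS,
                          DeviceAccessState, DeviceAccessStateReason,
                          DevicePolicyApplied, DevicePolicyApplicationStatus,
                          LastSuccessSync
    }

# Devices that are allowed to sync but report the policy as partially applied,
# not applied, or unknown.
$notCompliant = $report | Where-Object {
    $_.DeviceAccessState -eq "Allowed" -and
    $_.DevicePolicyApplicationStatus -ne "AppliedInFull"
}

$notCompliant | Sort-Object DeviceOS, DeviceModel |
    Format-Table Mailbox, DeviceType, DeviceModel, DeviceOS, DevicePolicyApplied,
                 DevicePolicyApplicationStatus, LastSuccessSync -AutoSize

# Roll-up by OS and status to see which platforms honour the policy and which do not.
$report | Group-Object DeviceOS, DevicePolicyApplicationStatus |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Keep the evidence (path is an assumption).
$notCompliant | Export-Csv -Path "C:\Reports\EAS-PolicyGaps.csv" -NoTypeInformation
```

Run this after a policy change and again after the device policy refresh interval has elapsed: a device that still reports PartiallyApplied at that point is telling you which of your settings its OS simply does not implement, and that is the list to weigh against Windows Intune's platform-specific capabilities.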

So, which option is better for mobile device management: Exchange ActiveSync mailbox policies or Intune?

Currently, Windows Intune has more comprehensive MDM capabilities than those available through Exchange. But Windows Intune isn't always the best choice. It's designed to work with Windows Phone 8, Windows RT, iOS and Android devices.

In contrast, Exchange ActiveSync mailbox policies can be applied to any device with an ActiveSync client, so Exchange can manage a broader range of devices than Windows Intune. Administrators still have to consider how much of the ActiveSync policy set is actually supported on some of the less popular devices.

About the author:
Brien Posey is an eight-time Microsoft MVP for his work with Windows Server, IIS, Exchange Server and file system storage technologies. Brien has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once responsible for IT operations at Fort Knox. He has also served as a network administrator for some of the nation's largest insurance companies.
