With more users relying on mobile devices to connect to Exchange, IT administrators have to identify the best way to secure and manage those devices. That includes ensuring that all mobile devices used in your organization adhere to your company’s security requirements.
Microsoft provides two primary solutions for mobile device management in enterprise environments -- through Exchange Server and through System Center Mobile Device Manager (MDM). Let’s explore the pros and cons of each to help you determine which approach best suits your company.
Mobile device policy basics
You can use either Exchange Server or MDM to apply policies to mobile devices, but each works differently. Exchange Server 2007 and Exchange 2010 manage mobile devices through ActiveSync mailbox policies, while MDM uses group policies.
Although the difference seems small, it’s important for any admin who’s trying to determine the best way to secure and manage mobile devices using one of the two products.
Exchange Server has received a lot of criticism because its policies -- which focus on passwords, device hardware and mobile applications -- are bound to individual mailboxes. When you use Exchange Server to secure mobile devices, the policies you establish are not applied to the device itself -- or even to the user account -- but to the user's mailbox. In practice that means every device that synchronizes with a given mailbox receives the same policy, whatever kind of device it is.
MDM applies settings to mobile devices through group policies. Group policies are applied the same way policy settings are applied to desktop and laptop computers. MDM 2008 provides around 130 different policy settings, compared to about 50 policy settings available in Exchange 2010.
Mobile device compatibility
MDM appears to be the more comprehensive mobile management solution because of its greater number of available policies, but there is a huge caveat -- device compatibility. If you want to manage devices through MDM 2008, you must be able to join the devices to a domain. This seemingly simple requirement causes major problems for organizations that want to use MDM as their primary device management solution.
At the present time, only Windows Mobile 6.1 and Windows Mobile 6.5 may be joined to a Windows domain. Even Microsoft's own Windows Phone 7 operating system cannot be joined to a Windows domain.
Exchange Server 2007 and Exchange 2010 can both be used to manage mobile devices without the devices actually being joined to the domain. Additionally, every major mobile operating system except BlackBerry offers some degree of ActiveSync support.
Even though it is not a completely comprehensive solution, the policies Exchange ActiveSync offers can be used in mixed environments that include Windows Mobile, iPhone, Android and other platforms.
This isn't to say that Exchange Server offers a better mobile management solution. But if your company only uses Windows Mobile 6.X devices, then Mobile Device Manager is clearly the way to go. And it’s even possible to use Mobile Device Manager and Exchange ActiveSync together.
For companies whose users rely on devices that MDM doesn’t support, Exchange ActiveSync is the only option other than investing in a third-party product. It’s important to know, however, that only Windows Mobile 6.X devices fully support all the available ActiveSync mailbox policy settings; every other mobile operating system implements a subset, and some support considerably more of the settings than others.
That said, you’re not going to be left with huge security holes if you rely on ActiveSync mailbox policies. When a device cannot use a particular policy setting, it’s often because of the device’s hardware limitations -- not Exchange. For example, the Windows Phone 7 operating system does not support removable storage cards. Thus, Exchange’s Allow Removable Storage setting is useless on Windows Phone 7 devices, but it is also irrelevant, since there is no card to protect. The case worth checking is a device that cannot enforce the policy at all; whether such a device is permitted to synchronize is itself a policy setting (Allow non-provisionable devices), so make sure it is set the way you intend.
Some devices support more ActiveSync mailbox policy settings than others, so administrators have the option to create a different policy for each type of device. For example, you can create an iPhone policy, a Windows Phone policy and an Android policy. You can’t actually assign a policy to a device, but as long as you know what type of device the user has, you can assign the appropriate policy to that user’s mailbox. The limitation follows from the mailbox binding described earlier: a user who synchronizes two different kinds of device gets one policy for both, so those mailboxes need a policy that every device the user owns can enforce.
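The following Exchange Management Shell script is an added example, not code from the article or from Microsoft, showing the per-platform approach described above on Exchange 2010: it creates one ActiveSync mailbox policy per platform, reads the device type each mailbox's devices report, and assigns the matching policy with Set-CASMailbox. The policy names, the per-platform settings and the mailbox-to-device mapping are illustrative choices made here, and the DeviceType strings in Get-PolicyForDevice are the values commonly reported by those platforms; verify them against Get-ActiveSyncDeviceStatistics output in your own environment, since Android vendors in particular report varying strings. On Exchange 2013 and later the cmdlets were renamed (New-MobileDeviceMailboxPolicy, Get-MobileDeviceStatistics) and the parameters lost the "Device" prefix.

```powershell
# Added example (not from the original article): per-platform ActiveSync
# mailbox policies in Exchange 2010. Run in the Exchange Management Shell.
# Policy names and per-platform settings below are constructed for illustration.

# 1. Platform-specific extras layered on a common baseline. Settings a platform
#    cannot honour are simply not enforced by that device, so only Windows Mobile
#    (the platform that supports the full set) gets the application-control settings.
$platformExtras = @{
    'Windows Mobile' = @{ AllowStorageCard = $false; AllowUnsignedApplications = $false; AllowUnsignedInstallationPackages = $false }
    'Windows Phone'  = @{ }
    'iPhone'         = @{ }
    'Android'        = @{ }
}

foreach ($platform in $platformExtras.Keys) {
    $params = @{
        Name                               = "$platform Policy"
        # Baseline every platform is expected to enforce
        DevicePasswordEnabled              = $true
        AlphanumericDevicePasswordRequired = $false
        AllowSimpleDevicePassword          = $false
        MinDevicePasswordLength            = 6
        MaxInactivityTimeDeviceLock        = '00:05:00'
        MaxDevicePasswordFailedAttempts    = 8
        RequireDeviceEncryption            = $true
        # A device that cannot apply the policy at all is refused rather than waved through
        AllowNonProvisionableDevices       = $false
    }
    $platformExtras[$platform].GetEnumerator() | ForEach-Object { $params[$_.Key] = $_.Value }
    if (-not (Get-ActiveSyncMailboxPolicy -Identity $params.Name -ErrorAction SilentlyContinue)) {
        New-ActiveSyncMailboxPolicy @params | Out-Null   # splat the hashtable as parameters
    }
}

# 2. Map the DeviceType string a device reports to a policy name. These are the
#    strings commonly reported (assumption): Windows Mobile Professional/Standard,
#    Windows Phone 7, iOS and Android. Confirm with Get-ActiveSyncDeviceStatistics.
function Get-PolicyForDevice([string]$DeviceType) {
    switch -Regex ($DeviceType) {
        '^(PocketPC|SmartPhone)$' { 'Windows Mobile Policy' }
        '^WP$'                    { 'Windows Phone Policy' }
        '^(iPhone|iPad)$'         { 'iPhone Policy' }
        '^Android'                { 'Android Policy' }
        default                   { 'Default' }   # the built-in policy; review its settings before relying on it
    }
}

# 3. Assign. The policy is bound to the mailbox, so a mailbox whose devices map to
#    more than one policy is flagged for a manual decision instead of being guessed at.
foreach ($mailbox in Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true }) {
    $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mailbox.Identity)
    $wanted  = @($devices | ForEach-Object { Get-PolicyForDevice $_.DeviceType } | Sort-Object -Unique)
    if ($wanted.Count -ne 1) {
        Write-Warning ("{0}: devices map to [{1}], one mailbox takes one policy - choose manually" -f $mailbox.Identity, ($wanted -join ', '))
        continue
    }
    Set-CASMailbox -Identity $mailbox.Identity -ActiveSyncMailboxPolicy $wanted[0]

    # After the device's next sync, these columns show whether it actually took the
    # policy (DevicePolicyApplicationStatus reports full or partial application).
    $devices | Select-Object DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus
}
```

The status columns at the end are the check that matters: a device that reports the policy as only partially applied is telling you which of your settings it ignores, which is exactly the per-platform gap the text describes.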
As you can see, Exchange ActiveSync mailbox policies do a good job providing mobile device security, but Exchange is far from a comprehensive mobile device management solution. If you require better cross-platform support, or need device inventory or software deployment capabilities, you should probably invest in a mobile device management tool.
ABOUT THE AUTHOR:
Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.