As mobile devices are increasingly being used in business contexts, it's important to understand the Exchange ActiveSync policies, Password options and other restrictions available.
If you've used Microsoft Exchange, you're probably familiar with ActiveSync. It enables the synchronization of email, calendars, contacts and tasks on users' mobile devices.
If you intend ActiveSync, it's important you understand ActiveSync policies, because as the range of available mobile devices and mobile operating systems increases, you need to understand exactly what does and doesn't happen when policies are enforced, or are not enforced.
As more employees rely on the likes of personal iPhone, iPad, Android and Windows Mobile devices to access business information, it's critical you understand which ActiveSync policies can be applied, and exactly what they do.
ActiveSync Policies in Exchange Server
When it comes to mobile devices and sensitive business information, we know that security is critical. Fortunately, ActiveSync password policies are supported on iOS, Android and Windows Mobile devices.
The password policies listed below can be enabled or disabled via Cloud Control by clicking on the ActiveSync Policies icon:
- Require a password. This option ensures that the user has set a passcode on their mobile device.
- Allow simple passwords. This option enables a user to set a simple four-digit PIN/passcode, and is available on, for example, the General > Passcode Lock settings screen on iOS devices under the Simple Passcode option. When the passcode is set with ActiveSync, the option is greyed out to the end user.
- Require an alphanumeric password. This option is self-explanatory. It requires users to create a more complicated password, one that can include a combination of lower and uppercase characters, numbers and/or symbols. Users are informed about the requirements that are set in the policy on their mobile devices.
- Require encryption on the device. As an example, all iOS devices released since the iPhone 3GS use encryption by default. If you want to ensure that only devices of this age or newer can connect, you should enable this option.
- Minimum Password Length. If you plan on keeping the minimum password lengths in line with our current requirements of 7 digits including one uppercase letter, you'll be pleased to hear that this policy is supported on all current mobile devices. When users are prompted to set a password (or PIN/passcode), they are notified of the minimum length required.
- Number of sign-in failures before device is wiped. As solid as device encryption and passwords are, if a hacker tries enough times, they'll eventually force their way in. Automatic device wipe is initiated, not by Remote Wipe, but by the device itself. As an example, this ActiveSync policy option maps to the standard iOS feature, General > Passcode Lock > Erase Data.
- Require sign-in after the device has been inactive for X minutes. Once a device is unlocked, you can choose to provide a grace period before an idle device requires that the passcode be re-entered. Again using iOS as an example, this ActiveSync policy option maps to the General > Passcode Lock > Require Passcode after being set on the iOS device.
- Enforce password lifetime (days) and password recycle count. Users often choose a familiar letter or number combination for their password. It might be the date of their wedding anniversary or their birthday. Therefore, you should require them to change their password once in a while. When you implement this ActiveSync policy, both the PIN/passcode expiration date and history settings take effect on on mobile devices.