The ActiveSync policy

Using the Admin Portal, you configure the ActiveSync policies.

About the ActiveSync policy

Standalone Sentry pushes a MobileIron ActiveSync policy to each ActiveSync device to which you have applied one. If no MobileIron ActiveSync policy is applied to a device, that device's interaction with the ActiveSync server is governed by the Default ActiveSync Policy behavior configured on the Sentry Preferences page.

Integrated Sentry provides the ActiveSync policies to the Microsoft Exchange Server, which pushes the appropriate policy to each ActiveSync device.

Use the MobileIron ActiveSync policy settings to configure the following:

Password requirements for end-user access to the device

Features to disable, such as text messaging or desktop syncing

Device encryption requirements

The maximum number of devices that can have the same mailbox (this setting is used by MobileIron Core and Sentry, but is not pushed to the device)

Note: The Default ActiveSync Policy behavior is not applicable when you use Integrated Sentry.

The device applies the policy’s settings as far as its capabilities allow; not all devices support all the settings in an ActiveSync policy.

If a device is registered, then MobileIron Core applies security, lockdown, privacy, and sync policies to the device. These policies are applied to the device directly from Core, based on label assignments. Because these policies provide detailed management for registered ActiveSync devices, ActiveSync policies are only useful in the following cases:

An ActiveSync device is unregistered.

An ActiveSync device cannot support the Core-provided policies.

The following illustration shows how Standalone Sentry pushes the ActiveSync policy to the device, but MobileIron Core applies the other policies to the device. It also shows that Core finds out that a device is in violation of its security policy, but does not know if the device is in violation of its ActiveSync policy.

Default ActiveSync Policy behavior

If no MobileIron ActiveSync policy is applied to a device, the Default ActiveSync Policy behavior determines whether Standalone Sentry passes the ActiveSync server's own policy through to that device or removes it.

You configure the Default ActiveSync Policy behavior for Standalone Sentry on the Sentry > Preferences page in the Admin Portal. It applies only to devices that have no MobileIron ActiveSync policy.

Note: It may take up to twenty-four hours for any changes to the Default ActiveSync Policy behavior to take effect.

 

Item                            Description
Remove AS Server policy         The ActiveSync server's policy is not applied to the device.
Pass-through AS Server policy   The ActiveSync server's policy is applied to the device.

Note: With Remove AS Server policy, an unregistered device that has no MobileIron ActiveSync policy syncs mail with no ActiveSync policy at all, so none of the password or encryption requirements listed above is enforced on it.

The ActiveSync mailbox policy on the ActiveSync server

An ActiveSync server can also have ActiveSync policies, sometimes called ActiveSync mailbox policies. The ActiveSync server can push an ActiveSync mailbox policy to the device in the following cases:

You are not using Sentry.

You are using a Standalone Sentry with the following settings:

- A MobileIron ActiveSync policy is not applied to the device.
- The Default ActiveSync Policy behavior is set to Pass-through AS Server policy.

You are using Integrated Sentry. Integrated Sentry provides the MobileIron ActiveSync policies to the Microsoft Exchange Server, which updates its set of ActiveSync mailbox policies, and pushes the appropriate policy to each ActiveSync device.

The ActiveSync server does the following when a device attempts to access its email:

Compares the device’s settings with the server’s appropriate ActiveSync mailbox policy.

Rejects the device’s access attempt if the device’s settings do not comply with the policy.

Note the following about the MobileIron ActiveSync policies that you configure using the Admin Portal:

The settings available in the MobileIron ActiveSync policy are a subset of the settings available in the ActiveSync mailbox policy on the ActiveSync server.

The values of settings in the MobileIron ActiveSync policy can be different than the values in the ActiveSync mailbox policy on the ActiveSync server.

Note: When using Standalone Sentry, if the ActiveSync mailbox policy on the ActiveSync server is more restrictive than the MobileIron ActiveSync policy, the ActiveSync server rejects the device’s attempts to access the ActiveSync server. Therefore, a best practice is to make the MobileIron ActiveSync policy equal to or more restrictive than the ActiveSync server’s policy.

ActiveSync server refresh policy interval

The MobileIron ActiveSync policy and the ActiveSync server's ActiveSync mailbox policy both have a setting called "refresh policy interval". It specifies how often the ActiveSync policy on the device is refreshed from the server.

When using Standalone Sentry, set the refresh policy interval on the ActiveSync server’s ActiveSync mailbox policies as follows:

If all the devices access the ActiveSync server through Standalone Sentry, disable the refresh policy interval for the ActiveSync mailbox policies on the ActiveSync server. It is not applicable because Standalone Sentry manages which ActiveSync policies are pushed to the devices and when. Setting the interval in the ActiveSync mailbox policy on the ActiveSync server can introduce delays in email synchronization.

If some devices access the ActiveSync Server directly, without going through Standalone Sentry, set the refresh policy interval for the ActiveSync mailbox policies on the ActiveSync server to several hours.

If you are using Integrated Sentry, set the refresh policy interval of the MobileIron ActiveSync policies to several hours. Integrated Sentry passes the MobileIron ActiveSync policies to the Microsoft Exchange Server, which updates its ActiveSync mailbox policies.
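The following PowerShell is an added example, not code from MobileIron or Microsoft. It checks two points from this section from the Exchange side: whether the server's ActiveSync mailbox policy is stricter than the MobileIron ActiveSync policy on any setting the two share (the case in which Exchange rejects devices that Standalone Sentry has provisioned), and whether DevicePolicyRefreshInterval is set the way the deployment needs. The cmdlet and property names (Get-ActiveSyncMailboxPolicy, Set-ActiveSyncMailboxPolicy, DevicePasswordEnabled, AlphanumericDevicePasswordRequired, RequireDeviceEncryption, MinDevicePasswordLength, MaxInactivityTimeDeviceLock, MaxDevicePasswordFailedAttempts, DevicePolicyRefreshInterval) are Exchange's own; the MobileIron-side values are assumed to have been copied by hand from the Admin Portal into a hashtable, the function names are this example's, and the server policy object shown is a constructed stand-in so the script runs without an Exchange session.

```powershell
# Added example (not MobileIron's or Microsoft's code). Compares the settings that a
# MobileIron ActiveSync policy shares with an Exchange ActiveSync mailbox policy and
# reports every setting on which the server is stricter, because that is where Exchange
# will reject a device that Standalone Sentry provisioned with the MobileIron policy.
# Server-side objects normally come from:
#   Get-ActiveSyncMailboxPolicy   -Identity 'Default'   (Exchange 2010)
#   Get-MobileDeviceMailboxPolicy -Identity 'Default'   (Exchange 2013 and later)

function Get-SettingValue {
    # Exchange wraps several settings in Unlimited<T>; normalise "unlimited"/"none" to $null.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [string] -and $Value -eq 'Unlimited') { return $null }
    if ($Value.PSObject.Properties['IsUnlimited'] -and $Value.IsUnlimited) { return $null }
    if ($Value.PSObject.Properties['Value']) { return $Value.Value }
    return $Value
}

function Compare-EasPolicyStrictness {
    param(
        [Parameter(Mandatory)] $ServerPolicy,                  # Exchange mailbox-policy object
        [Parameter(Mandatory)] [hashtable] $MobileIronPolicy   # same property names, values from the Admin Portal
    )
    # "Stricter" points in different directions: for a boolean $true is stricter, for a
    # minimum a larger value is stricter, for a maximum a smaller value is stricter.
    $rules = @(
        @{ Name = 'DevicePasswordEnabled';              Kind = 'bool' }
        @{ Name = 'AlphanumericDevicePasswordRequired'; Kind = 'bool' }
        @{ Name = 'RequireDeviceEncryption';            Kind = 'bool' }
        @{ Name = 'MinDevicePasswordLength';            Kind = 'min'  }
        @{ Name = 'MaxInactivityTimeDeviceLock';        Kind = 'max'  }   # TimeSpan on both sides
        @{ Name = 'MaxDevicePasswordFailedAttempts';    Kind = 'max'  }
    )
    foreach ($rule in $rules) {
        $server = Get-SettingValue $ServerPolicy.($rule.Name)
        $mi     = Get-SettingValue $MobileIronPolicy[$rule.Name]
        $serverStricter = switch ($rule.Kind) {
            'bool' { [bool]$server -and -not [bool]$mi }
            'min'  { ($null -ne $server) -and (($null -eq $mi) -or ($server -gt $mi)) }
            'max'  { ($null -ne $server) -and (($null -eq $mi) -or ($server -lt $mi)) }
        }
        [pscustomobject]@{ Setting = $rule.Name; Server = $server; MobileIron = $mi; ServerStricter = $serverStricter }
    }
}

function Test-PolicyRefreshInterval {
    # All devices through Sentry: the server interval must be Unlimited (disabled).
    # Some devices direct to Exchange: it must be set, and to several hours rather than minutes.
    param([Parameter(Mandatory)] $ServerPolicy, [switch] $AllDevicesViaSentry, [int] $MinimumHours = 4)
    $interval = Get-SettingValue $ServerPolicy.DevicePolicyRefreshInterval
    if ($AllDevicesViaSentry) { return ($null -eq $interval) }
    return ($null -ne $interval) -and ($interval -ge (New-TimeSpan -Hours $MinimumHours))
}

# Constructed stand-in for the object Get-ActiveSyncMailboxPolicy returns.
$server = [pscustomobject]@{
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    RequireDeviceEncryption            = $true
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = New-TimeSpan -Minutes 5
    MaxDevicePasswordFailedAttempts    = 'Unlimited'
    DevicePolicyRefreshInterval        = New-TimeSpan -Minutes 30
}
# Assumed values, read off the MobileIron ActiveSync policy in the Admin Portal.
$mobileIron = @{
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $false
    RequireDeviceEncryption            = $true
    MinDevicePasswordLength            = 6
    MaxInactivityTimeDeviceLock        = New-TimeSpan -Minutes 15
    MaxDevicePasswordFailedAttempts    = 10
}

Compare-EasPolicyStrictness -ServerPolicy $server -MobileIronPolicy $mobileIron |
    Where-Object ServerStricter | Format-Table -AutoSize

if (-not (Test-PolicyRefreshInterval -ServerPolicy $server -AllDevicesViaSentry)) {
    Write-Warning 'All devices sync through Standalone Sentry: set DevicePolicyRefreshInterval to Unlimited'
    # Set-ActiveSyncMailboxPolicy -Identity 'Default' -DevicePolicyRefreshInterval Unlimited
    # (when some devices bypass Sentry, use -DevicePolicyRefreshInterval (New-TimeSpan -Hours 4) instead)
}
```

With the constructed values, the comparison flags AlphanumericDevicePasswordRequired, MinDevicePasswordLength and MaxInactivityTimeDeviceLock as stricter on the server, which is exactly the set of settings to tighten in the MobileIron policy (or relax on the server) before devices reach Exchange through Sentry; the refresh-interval check then warns because the server interval is 30 minutes rather than Unlimited. In a live session, replace `$server` with the output of the Get cmdlet and run the comparison once per mailbox policy that Sentry-fronted mailboxes are assigned to.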

The security policy versus the ActiveSync policy

The security policy has many settings. It has the following settings in common with the ActiveSync policy:

Password requirements

Device encryption requirements

However, the security policy and ActiveSync policy are used differently.

Standalone Sentry (or the Microsoft Exchange Server when using Integrated Sentry) pushes an ActiveSync policy to the device using the ActiveSync protocol. The device applies the following settings from the policy, as far as the device’s capabilities allow:

Password requirements

Device encryption

Lockdown settings

MobileIron Core is not aware of whether these ActiveSync policy settings are successfully applied on a device. Core is aware only of the ActiveSync policy setting that limits the number of devices with the same mailbox. If that limit is exceeded, Core tells Sentry to block the additional device from accessing the mail server.
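Because Core counts only the devices it sees through Sentry, a device that reaches Exchange directly is not included in its per-mailbox count. The following PowerShell is an added example, not MobileIron's or Microsoft's code, that audits the same limit from Exchange's own partnership list; the cmdlets named in the comments (Get-ActiveSyncDevice, Get-MobileDevice) and the UserDisplayName and DeviceId properties are Exchange's, the function name and the device records are this example's, and the records are constructed so the script runs without an Exchange session.

```powershell
# Added example (not MobileIron's code). Core enforces the "maximum devices per mailbox"
# setting only for devices it sees through Sentry; a device that reaches Exchange directly
# is counted by Exchange but not by Core. This audit works from Exchange's partnership list.
# The device list normally comes from
#   Get-ActiveSyncDevice -ResultSize Unlimited   (Exchange 2010)
#   Get-MobileDevice     -ResultSize Unlimited   (Exchange 2013 and later)
# both of which expose UserDisplayName and DeviceId; a constructed list is used below.

function Find-MailboxOverDeviceLimit {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [Parameter(Mandatory)] [int] $MaxDevicesPerMailbox   # value set in the MobileIron ActiveSync policy
    )
    $Devices |
        Group-Object -Property UserDisplayName |
        Where-Object { $_.Count -gt $MaxDevicesPerMailbox } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox     = $_.Name
                DeviceCount = $_.Count
                Excess      = $_.Count - $MaxDevicesPerMailbox
                DeviceIds   = ($_.Group | ForEach-Object DeviceId) -join ', '
            }
        }
}

# Constructed sample partnerships, in the shape Get-ActiveSyncDevice returns.
$devices = @(
    [pscustomobject]@{ UserDisplayName = 'corp/alice'; DeviceId = 'ApplF2LX1';     DeviceType = 'iPhone' }
    [pscustomobject]@{ UserDisplayName = 'corp/alice'; DeviceId = 'SEC1A2B3';      DeviceType = 'SAMSUNGSMG920' }
    [pscustomobject]@{ UserDisplayName = 'corp/alice'; DeviceId = 'androidc9d8e7'; DeviceType = 'Android' }
    [pscustomobject]@{ UserDisplayName = 'corp/bob';   DeviceId = 'ApplF2LX2';     DeviceType = 'iPhone' }
)

# Assumed MobileIron ActiveSync policy value: 2 devices per mailbox.
Find-MailboxOverDeviceLimit -Devices $devices -MaxDevicesPerMailbox 2 | Format-Table -AutoSize
```

With the constructed list, corp/alice is reported with three partnerships against a limit of two. Exchange keeps a partnership until it is removed (Remove-ActiveSyncDevice, or Remove-MobileDevice on Exchange 2013 and later), so retired devices still count; check LastSyncAttemptTime from Get-ActiveSyncDeviceStatistics before treating a hit as a live violation rather than a stale record.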

However, Core is aware if a device violates the security policy. Core detects a security policy violation on the device when, for example, the device checks in with Core. You can configure the security policy so that upon detection of the security policy violation, Core tells Sentry to block the device’s access to the ActiveSync server. You can also configure the security policy to alert an administrator and the user of the violation.

Some types of registered devices, such as WebOS devices, do not support the security policy. Therefore, such devices, although registered, use only the ActiveSync policy. On these devices, you depend on the ActiveSync policy to appropriately secure the device.

Most devices do support the security policy, and therefore, most devices that are registered and access the ActiveSync server use both policies. However, consider the case where the ActiveSync policy and the security policy have different password requirements. Depending on the device type, this case can lead to unexpected behavior. As a best practice, configure the ActiveSync policy and security policy to have the same settings for password requirements and device encryption.

Device usage of the ActiveSync and security policies

An ActiveSync device can be either registered or unregistered. Furthermore, a registered device is not necessarily an ActiveSync device. For example, when using Standalone Sentry, if a registered device has not yet accessed the ActiveSync server, Core does not consider it an ActiveSync device.

The following table summarizes how devices in any of these combinations use the ActiveSync and security policies.

 

                        Registered                                Unregistered
ActiveSync device       ActiveSync policy                         ActiveSync policy
                        Security policy, if the device type
                        supports security policies
Non-ActiveSync device   Security policy, if the device type       None
                        supports security policies

Note: The ability of a specific device to apply the policies’ settings can vary.

Policy application on commonly used device platforms

The following table shows how some commonly used device platforms and email clients apply the security policy and ActiveSync policy:

Device platform / email client                                Behavior regarding applying the ActiveSync and security policies
iOS Mail client                                               Applies the strictest policy.
Android with NitroDesk's Touchdown email client               Applies only the security policy.
Android on Samsung devices with Samsung native email client   Applies the strictest password policy. Encryption policies must be the same.

Comparison of ActiveSync policy and security policy settings

The following table summarizes the differences between the settings of ActiveSync and security policies:

 

Specifies password requirements for accessing the device
  ActiveSync policy: Yes
  Security policy: Yes

Specifies device encryption requirements
  ActiveSync policy:
    Require device encryption: block ActiveSync server access if the device does not support device encryption or does not have it enabled.
    Enable device encryption: enable device encryption if the device supports it.
  Security policy: whether device encryption is required, and for which data types; whether to encrypt the SD card.

Specifies the maximum number of devices that can have the same mailbox
  ActiveSync policy: Yes
  Security policy: No

Specifies access control policies, such as device OS version requirements, application requirements, and more
  ActiveSync policy: No
  Security policy: Yes

Specifies the maximum time a device can be out of contact before it is wiped
  ActiveSync policy: No
  Security policy: Yes

MobileIron system behavior regarding ActiveSync and security policies

The following table summarizes how your MobileIron deployment handles the ActiveSync policy and the security policy:

Standalone Sentry pushes the policy to the device.
  ActiveSync policy: Yes
  Security policy: No

Integrated Sentry provides the policy to the Microsoft Exchange Server, which pushes it to the device.
  ActiveSync policy: Yes
  Security policy: No

Core detects policy violations.
  ActiveSync policy: No
  Security policy: Yes

Specifies whether to block ActiveSync server access when a policy violation occurs.
  ActiveSync policy: No
  Security policy: Yes

The policy applies to devices with a specified mailbox.
  ActiveSync policy: Yes
  Security policy: No

The policy applies to devices according to label assignments.
  ActiveSync policy: No
  Security policy: Yes