About the ActiveSync policy
Ivanti Standalone Sentry pushes an ActiveSync policy to a device if you have applied an ActiveSync policy to that device. If an ActiveSync policy is not applied to the device, the device interaction with the ActiveSync server is determined by the settings in the Default ActiveSync Policy behavior configured in the Sentry Preferences page.
Integrated Sentry provides the ActiveSync policies to the Microsoft Exchange Server, which pushes the appropriate policy to each ActiveSync device.
Use the ActiveSync policy settings to configure the following:
•Password requirements for end-user access to the device
•Features to disable, such as text messaging or desktop syncing
•Device encryption requirements
•The maximum number of devices that can have the same mailbox
This setting is used by Ivanti EPMM and Sentry, but is not pushed to the device.
The default ActiveSync policy is not applicable when you use Integrated Sentry.
The device applies the policy’s settings as far as its capabilities allow; not all devices support all the settings in an ActiveSync policy.
If a device is registered, then Ivanti EPMM applies security, lockdown, privacy, and sync policies to the device. These policies are applied to the device directly from Ivanti EPMM, based on label assignments. Because these policies provide detailed management for registered ActiveSync devices, ActiveSync policies are only useful in the following cases:
•An ActiveSync device is unregistered.
•An ActiveSync device cannot support the Ivanti EPMM-provided policies.
The following illustration shows how Ivanti Standalone Sentry pushes the ActiveSync policy to the device, but Ivanti EPMM applies the other policies to the device. It also shows that Ivanti EPMM finds out that a device is in violation of its security policy, but does not know if the device is in violation of its ActiveSync policy.
Figure 1. activesync policy and ivanti epmm interaction
The following sections provide additional information:
| • | Default ActiveSync Policy behavior |
•The ActiveSync mailbox policy on the ActiveSync server
•ActiveSync server refresh policy interval
•The security policy versus the ActiveSync policy
Default ActiveSync Policy behavior
If an ActiveSync policy is not applied, the device interaction with the ActiveSync server is determined by the settings in the Default ActiveSync Policy behavior.
The Default ActiveSync Policy behavior determines whether Sentry applies the ActiveSync server’s policy to the device syncing with the ActiveSync server.
The default ActiveSync policy behavior for the Standalone Sentry is configured in the Services > Sentry > Preferences page in the Admin Portal. The Default ActiveSync Policy behavior is applied if an ActiveSync policy is not applied to the device.
See also, Changing the default ActiveSync policy behavior.
The ActiveSync mailbox policy on the ActiveSync server
An ActiveSync server can also have ActiveSync policies, sometimes called ActiveSync mailbox policies. The ActiveSync server can push an ActiveSync mailbox policy to the device in the following cases:
•You are not using Sentry.
•You are using a Ivanti Standalone Sentry with the following settings:
| - | A ActiveSync policy is not applied to the device. |
| - | The Default ActiveSync Policy behavior is set to Apply AS Server policy. |
•You are using Integrated Sentry. Integrated Sentry provides the ActiveSync policies to the Microsoft Exchange Server, which updates its set of ActiveSync mailbox policies, and pushes the appropriate policy to each ActiveSync device.
The ActiveSync server does the following when a device attempts to access its email:
•Compares the device’s settings with the server’s appropriate ActiveSync mailbox policy.
•Rejects the device’s access attempt if the device’s settings do not comply with the policy.
| • | The settings available in the ActiveSync policy are a subset of the settings available in the ActiveSync mailbox policy on the ActiveSync server. |
•The values of settings in the ActiveSync policy can be different than the values in the ActiveSync mailbox policy on the ActiveSync server.
•When using Ivanti Standalone Sentry, if the ActiveSync mailbox policy on the ActiveSync server is more restrictive than the ActiveSync policy, the ActiveSync server rejects the device’s attempts to access the ActiveSync server. Therefore, a best practice is to make the ActiveSync policy equal to or more restrictive than the ActiveSync server’s policy.
ActiveSync server refresh policy interval
The ActiveSync policy and the ActiveSync server’s ActiveSync mailbox policy both have a setting called “refresh policy interval”. This setting tells how often the ActiveSync server refreshes the ActiveSync policy on the device.
When using Ivanti Standalone Sentry, set the refresh policy interval on the ActiveSync server’s ActiveSync mailbox policies as follows:
•If all the devices access the ActiveSync server through Ivanti Standalone Sentry, disable the refresh policy interval for the ActiveSync mailbox policies on the ActiveSync server. It is not applicable because Standalone Sentry manages which ActiveSync policies are pushed to the devices and when. Setting the interval in the ActiveSync mailbox policy on the ActiveSync server can introduce delays in email synchronization.
•If some devices access the ActiveSync Server directly, without going through Standalone Sentry, set the refresh policy interval for the ActiveSync mailbox policies on the ActiveSync server to several hours.
If you are using Integrated Sentry, set the refresh policy interval of the ActiveSync policies to several hours. Integrated Sentry passes the ActiveSync policies to the Microsoft Exchange Server, which updates its ActiveSync mailbox policies.
The security policy versus the ActiveSync policy
The security policy has many settings. It has the following settings in common with the ActiveSync policy:
•Password requirements
•Device encryption requirements
However, the security policy and ActiveSync policy are used differently.
Ivanti Standalone Sentry (or the Microsoft Exchange Server when using Integrated Sentry) pushes an ActiveSync policy to the device using the ActiveSync protocol. The device applies the following settings from the policy, as far as the device’s capabilities allow:
•Password requirements
•Device encryption
•Lockdown settings
Ivanti EPMM is not aware of whether these ActiveSync policy settings are successfully applied on a device. Ivanti EPMM is aware only of the ActiveSync policy setting that limits the number of devices with the same mailbox. If that limit is exceeded, Ivanti EPMM tells Sentry to block the additional device from accessing the mail server.
However, Ivanti EPMM is aware if a device violates the security policy. Ivanti EPMM detects a security policy violation on the device when, for example, the device checks in with Ivanti EPMM. You can configure the security policy so that upon detection of the security policy violation, Ivanti EPMM tells Sentry to block the device’s access to the ActiveSync server. You can also configure the security policy to alert an administrator and the user of the violation.
Some types of registered devices, such as WebOS devices, do not support the security policy. Therefore, such devices, although registered, use only the ActiveSync policy. On these devices, you depend on the ActiveSync policy to appropriately secure the device.
Most devices do support the security policy, and therefore, most devices that are registered and access the ActiveSync server use both policies. However, consider the case where the ActiveSync policy and the security policy have different password requirements. Depending on the device type, this case can lead to unexpected behavior. As a best practice, configure the ActiveSync policy and security policy to have the same settings for password requirements and device encryption.
See the following for additional information:
| • | Device usage of the ActiveSync and security policies. |
•Policy application on commonly used device platforms.
•Comparison of ActiveSync policy and security policy settings.
•System behavior regarding ActiveSync and security policies.
Device usage of the ActiveSync and security policies
An ActiveSync device can be either registered or unregistered. Furthermore, a registered device is not necessarily an ActiveSync device. For example, when using Ivanti Standalone Sentry, if a registered device has not yet accessed the ActiveSync server, Ivanti EPMM does not consider it an ActiveSync device.
The following table summarizes how devices in any of these combinations use the ActiveSync and security policies.
|
ActiveSync device |
Registered |
Unregistered |
|
Yes |
ActiveSync policy Security policy, if the device type supports security policies |
ActiveSync policy |
|
No |
Security policy, if the device type supports security policies |
|
The ability of a specific device to apply the policies’ settings can vary.
Policy application on commonly used device platforms
The following table shows how some commonly used device platforms and email clients apply the security policy and ActiveSync policy:
|
Device platform / email client |
Behavior regarding applying the ActiveSync and security policies |
|
iOS Mail client |
Applies the strictest policy. |
|
Android with NitroDesk’s Touchdown email client |
Applies only the security policy. |
|
Android on Samsung devices with Samsung native email client |
Applies strictest password policy. Encryption policies must be the same. |
Comparison of ActiveSync policy and security policy settings
The following table summarizes the differences between the settings of ActiveSync and security policies:
|
|
ActiveSync policy |
Security policy |
|
Specifies password requirements for accessing the device |
Yes |
Yes |
|
Specifies device encryption requirements |
Require device encryption: Block ActiveSync server access if the device does not support and enable device encryption. Enable device encryption: Enable device encryption if available. |
Whether device encryption is required, and for what data types. Whether to encrypt the SD card. |
|
Specifies maximum devices that can have the same mailbox |
Yes |
No |
|
Specifies access control policies, such as device OS version requirements, application requirements, and more. |
No |
Yes |
|
Specifies the maximum time a device can be out of contact before it is wiped. |
No |
Yes |
System behavior regarding ActiveSync and security policies
The following table summarizes the differences between the behavior of your deployment with regard to ActiveSync and security policies:
|
|
ActiveSync policy |
Security policy |
|
Standalone Sentry pushes the policy to the device. |
Yes |
No |
|
Integrated Sentry provides the policy to the Microsoft Exchange Server, which pushes it to the device. |
Yes |
No |
|
Ivanti EPMM detects policy violations. |
No |
Yes |
|
Specifies whether to block ActiveSync server access when a policy violation occurs. |
No |
Yes |
|
The policy applies to devices with a specified mailbox. |
Yes |
No |
|
The policy applies to devices according to label assignments. |
No |
Yes |