About the ActiveSync policy

Standalone Sentry pushes an ActiveSync policy to a device if you have applied an ActiveSync policy to that device. If an ActiveSync policy is not applied to the device, the device interaction with the ActiveSync server is determined by the settings in the Default ActiveSync Policy behavior configured in the Sentry Preferences page.

Integrated Sentry provides the ActiveSync policies to the Microsoft Exchange Server, which pushes the appropriate policy to each ActiveSync device.

Use the ActiveSync policy settings to configure the following:

Password requirements for end-user access to the device

Features to disable, such as text messaging or desktop syncing

Device encryption requirements

The maximum number of devices that can have the same mailbox

This setting is used by Core and Sentry, but is not pushed to the device.

The default ActiveSync policy is not applicable when you use Integrated Sentry.

The device applies the policy’s settings as far as its capabilities allow; not all devices support all the settings in an ActiveSync policy.

If a device is registered, then Core applies security, lockdown, privacy, and sync policies to the device. These policies are applied to the device directly from Core, based on label assignments. Because these policies provide detailed management for registered ActiveSync devices, ActiveSync policies are only useful in the following cases:

An ActiveSync device is unregistered.

An ActiveSync device cannot support the Core-provided policies.

The following illustration shows how Standalone Sentry pushes the ActiveSync policy to the device, but  Core applies the other policies to the device. It also shows that Core finds out that a device is in violation of its security policy, but does not know if the device is in violation of its ActiveSync policy.

Figure 1. ActiveSync policy and Core interaction

The following sections provide additional information:

Default ActiveSync Policy behavior

The ActiveSync mailbox policy on the ActiveSync server

ActiveSync server refresh policy interval

The security policy versus the ActiveSync policy

Default ActiveSync Policy behavior

If an ActiveSync policy is not applied, the device interaction with the ActiveSync server is determined by the settings in the Default ActiveSync Policy behavior.

The Default ActiveSync Policy behavior determines whether Sentry applies the ActiveSync server’s policy to the device syncing with the ActiveSync server.

The default ActiveSync policy behavior for the Standalone Sentry is configured in the Services > Sentry > Preferences page in the Admin Portal. The Default ActiveSync Policy behavior is applied if an ActiveSync policy is not applied to the device.

See also, Changing the default ActiveSync policy behavior.

The ActiveSync mailbox policy on the ActiveSync server

An ActiveSync server can also have ActiveSync policies, sometimes called ActiveSync mailbox policies. The ActiveSync server can push an ActiveSync mailbox policy to the device in the following cases:

You are not using Sentry.

You are using a Standalone Sentry with the following settings:

- A ActiveSync policy is not applied to the device.
- The Default ActiveSync Policy behavior is set to Apply AS Server policy.

You are using Integrated Sentry. Integrated Sentry provides the ActiveSync policies to the Microsoft Exchange Server, which updates its set of ActiveSync mailbox policies, and pushes the appropriate policy to each ActiveSync device.

The ActiveSync server does the following when a device attempts to access its email:

Compares the device’s settings with the server’s appropriate ActiveSync mailbox policy.

Rejects the device’s access attempt if the device’s settings do not comply with the policy.

 

The settings available in the ActiveSync policy are a subset of the settings available in the ActiveSync mailbox policy on the ActiveSync server.

The values of settings in the ActiveSync policy can be different than the values in the ActiveSync mailbox policy on the ActiveSync server.

When using Standalone Sentry, if the ActiveSync mailbox policy on the ActiveSync server is more restrictive than the ActiveSync policy, the ActiveSync server rejects the device’s attempts to access the ActiveSync server. Therefore, a best practice is to make the ActiveSync policy equal to or more restrictive than the ActiveSync server’s policy.

ActiveSync server refresh policy interval

The ActiveSync policy and the ActiveSync server’s ActiveSync mailbox policy both have a setting called “refresh policy interval”. This setting tells how often the ActiveSync server refreshes the ActiveSync policy on the device.

When using Standalone Sentry, set the refresh policy interval on the ActiveSync server’s ActiveSync mailbox policies as follows:

If all the devices access the ActiveSync server through Standalone Sentry, disable the refresh policy interval for the ActiveSync mailbox policies on the ActiveSync server. It is not applicable because Standalone Sentry manages which ActiveSync policies are pushed to the devices and when. Setting the interval in the ActiveSync mailbox policy on the ActiveSync server can introduce delays in email synchronization.

If some devices access the ActiveSync Server directly, without going through Standalone Sentry, set the refresh policy interval for the ActiveSync mailbox policies on the ActiveSync server to several hours.

If you are using Integrated Sentry, set the refresh policy interval of the ActiveSync policies to several hours. Integrated Sentry passes the ActiveSync policies to the Microsoft Exchange Server, which updates its ActiveSync mailbox policies.

The security policy versus the ActiveSync policy

The security policy has many settings. It has the following settings in common with the ActiveSync policy:

Password requirements

Device encryption requirements

However, the security policy and ActiveSync policy are used differently.

Standalone Sentry (or the Microsoft Exchange Server when using Integrated Sentry) pushes an ActiveSync policy to the device using the ActiveSync protocol. The device applies the following settings from the policy, as far as the device’s capabilities allow:

Password requirements

Device encryption

Lockdown settings

Core is not aware of whether these ActiveSync policy settings are successfully applied on a device. Core is aware only of the ActiveSync policy setting that limits the number of devices with the same mailbox. If that limit is exceeded, Core tells Sentry to block the additional device from accessing the mail server.

However, Core is aware if a device violates the security policy. Core detects a security policy violation on the device when, for example, the device checks in with Core. You can configure the security policy so that upon detection of the security policy violation, Core tells Sentry to block the device’s access to the ActiveSync server. You can also configure the security policy to alert an administrator and the user of the violation.

Some types of registered devices, such as WebOS devices, do not support the security policy. Therefore, such devices, although registered, use only the ActiveSync policy. On these devices, you depend on the ActiveSync policy to appropriately secure the device.

Most devices do support the security policy, and therefore, most devices that are registered and access the ActiveSync server use both policies. However, consider the case where the ActiveSync policy and the security policy have different password requirements. Depending on the device type, this case can lead to unexpected behavior. As a best practice, configure the ActiveSync policy and security policy to have the same settings for password requirements and device encryption.

See the following for additional information:

Device usage of the ActiveSync and security policies.

Policy application on commonly used device platforms.

Comparison of ActiveSync policy and security policy settings.

System behavior regarding ActiveSync and security policies.

Device usage of the ActiveSync and security policies

An ActiveSync device can be either registered or unregistered. Furthermore, a registered device is not necessarily an ActiveSync device. For example, when using Standalone Sentry, if a registered device has not yet accessed the ActiveSync server, Core does not consider it an ActiveSync device.

The following table summarizes how devices in any of these combinations use the ActiveSync and security policies.

Table 22.   ActiveSync policy and security policy use

ActiveSync device

Registered

Unregistered

Yes

ActiveSync policy

Security policy, if the device type supports security policies

ActiveSync policy

No

Security policy, if the device type supports security policies

 

The ability of a specific device to apply the policies’ settings can vary.

Policy application on commonly used device platforms

The following table shows how some commonly used device platforms and email clients apply the security policy and ActiveSync policy:

Table 23.   ActiveSync policy and security policy application

Device platform / email client

Behavior regarding applying the ActiveSync and security policies

iOS Mail client

Applies the strictest policy.

Android with NitroDesk’s Touchdown email client

Applies only the security policy.

Android on Samsung devices with Samsung native email client

Applies strictest password policy.

Encryption policies must be the same.

Comparison of ActiveSync policy and security policy settings

The following table summarizes the differences between the settings of ActiveSync and security policies:

Table 24.   Differences in settings for ActiveSync and security policies

 

ActiveSync policy

Security policy

Specifies password requirements for accessing the device

Yes

Yes

Specifies device encryption requirements

Require device encryption: Block ActiveSync server access if the device does not support and enable device encryption.

Enable device encryption: Enable device encryption if available.

Whether device encryption is required, and for what data types.

Whether to encrypt the SD card.

Specifies maximum devices that can have the same mailbox

Yes

No

Specifies access control policies, such as device OS version requirements, application requirements, and more.

No

Yes

Specifies the maximum time a device can be out of contact before it is wiped.

No

Yes

System behavior regarding ActiveSync and security policies

The following table summarizes the differences between the behavior of your deployment with regard to ActiveSync and security policies:

Table 25.   ActiveSync and security policy behavior

 

ActiveSync policy

Security policy

Standalone Sentry pushes the policy to the device.

Yes

No

Integrated Sentry provides the policy to the Microsoft Exchange Server, which pushes it to the device.

Yes

No

Core detects policy violations.

No

Yes

Specifies whether to block ActiveSync server access when a policy violation occurs.

No

Yes

The policy applies to devices with a specified mailbox.

Yes

No

The policy applies to devices according to label assignments.

No

Yes