ActiveSync Policies vs. MDM

If you’ve got mobile devices in your environment (and let’s face it, who amongst us doesn’t?) then you have probably been asked by management how they are being secured. What technologies are you using to lock down mobile phones and tablets? How are you making sure that no corporate data is at risk if one of those devices goes walkabout? Exchange admins can choose between what comes with Exchange and third-party solutions to help secure these devices. In today’s post we’re going to take a look at some of the pros and cons of each. But first, let’s review the technologies at a higher level.

Exchange ActiveSync (EAS) Policies

EAS policies are built into Exchange and give admins a variety of configurable options to lock down mobile devices that connect via EAS. These settings include password or PIN locks, inactivity timeouts that lock the device, requiring device encryption, and more granular settings such as disabling the camera or storage cards. The Exchange admin sets the policy, and every EAS client that syncs a mailbox under that policy is expected to download it and enforce it locally. That last point matters: Exchange does not enforce the settings itself; it only records whether the device acknowledged (provisioned) the policy, so enforcement is only as trustworthy as the client. Administrators can configure Exchange to prevent non-compliant devices, and devices that cannot implement a policy at all (non-provisionable devices), from connecting via EAS.
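As an added example (not code from the original post), here is what the policy described above looks like when built from the Exchange 2010 Management Shell, including the two server-side gates that refuse devices that cannot or will not take the policy. The cmdlet names and parameters are the real Exchange 2010 ones (Exchange 2013 and later renamed them, e.g. New-MobileDeviceMailboxPolicy); the policy name, the setting values, the admin address and the blocked OS string are assumptions chosen for illustration.

```powershell
# Added example: build a basic lock-down EAS policy and gate non-compliant devices.
# Run in the Exchange 2010 Management Shell. Names and values are assumptions.

# 1. Create the policy. Splatting keeps each setting next to its reason.
$basic = @{
    Name                               = "Corp-Basic"
    DevicePasswordEnabled              = $true       # require a PIN or password
    AlphanumericDevicePasswordRequired = $false      # a numeric PIN is enough for this tier
    MinDevicePasswordLength            = 6
    AllowSimpleDevicePassword          = $false      # reject 1111, 1234 and the like
    MaxDevicePasswordFailedAttempts    = 10          # device wipes itself after 10 misses
    MaxInactivityTimeDeviceLock        = "00:15:00"  # lock after 15 minutes idle
    RequireDeviceEncryption            = $true
    AllowCamera                        = $false
    AllowStorageCard                   = $false
    AllowNonProvisionableDevices       = $false      # refuse clients that cannot take a policy at all
}
New-ActiveSyncMailboxPolicy @basic

# 2. Organization-wide gate (Exchange 2010 SP1 and later): a device that matches
#    no allow rule is quarantined rather than allowed to sync, and the admins get
#    a mail about it. The recipient address is an assumption.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "easadmins@contoso.com"

# 3. Block a platform you have already decided cannot honor the encryption
#    requirement. The DeviceOS string must match what the device reports exactly;
#    take real strings from Get-ActiveSyncDeviceStatistics on a test device.
#    The value below is illustrative only.
$blockedOs = "WindowsMobile 6.1"
New-ActiveSyncDeviceAccessRule -QueryString $blockedOs -Characteristic DeviceOS -AccessLevel Block

# 4. Read the policy back to confirm the settings that matter most.
Get-ActiveSyncMailboxPolicy -Identity "Corp-Basic" |
    Format-List Name, DevicePasswordEnabled, MinDevicePasswordLength,
                MaxInactivityTimeDeviceLock, RequireDeviceEncryption, AllowNonProvisionableDevices
```

The policy only takes effect for mailboxes it is assigned to (Set-CASMailbox -ActiveSyncMailboxPolicy) or, if you mark it as the default, for mailboxes with no explicit assignment. Step 2 is what turns "the device didn't take the policy" into "the device can't get mail" rather than a silent gap.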

Mobile Device Management (MDM)

MDM solutions are a much more robust way of, well, managing mobile devices. It’s not the most creative name, but it does say what it does. MDM products use a variety of technologies, such as an agent installed on the device or a gateway that sits inline between Exchange and the mobile devices, and can do a lot more than just secure them. MDM can provide gateway access to internal applications on the corporate LAN, and can also handle application installs and device upgrades.

Which should you choose?

That’s a great question, and the answer is “it depends.” EAS policies provide basic security settings for mobile devices. If all you need is to force a screen lock with a PIN or password, plus the ability to remotely wipe a device that is lost or stolen, EAS policies are exactly what you want. If you need full control of mobile devices, including the ability to install (or block the installation of) applications, and want more complete control over whatever device a user might choose, MDM may be the way to go. It’s more about knowing your limitations.

Practically all modern devices that can use EAS will enforce the basic policies like inactivity lock, PIN, and remote wipe, but the more detailed policies may not be supported by every device you have. Even some phones running Microsoft’s own Windows Mobile operating system don’t support hardware encryption, so if your security policy requires encryption or other mechanisms like disabling cameras, review your hardware’s compatibility with the desired settings before you require them. Decide up front what should happen to devices that can’t comply, too: if you allow non-provisionable devices, those devices sync with no policy applied at all.

MDM technologies are not a panacea either, but because they install an agent onto the device’s operating system they can do a lot more. Of course, they also require a lot more, in both effort and money. MDM is not included with Exchange the way EAS policies are, and most products are licensed per device. Plus you, your help desk, or the end user will have to install the agent on each device. However, once it is installed you have much more control over the mobile devices and can handle application and patch management, much like you already do with your PCs. MDM solutions can also provide mobile devices with secure access to internal resources, so your mobile users can get to line-of-business (LOB) apps or intranet sites without using a VPN or the internal Wi-Fi network. You can get a lot with MDM, but you can pay a lot too.

Here’s how I recommend my customers approach this. First, decide whether you just need device lock-down, or whether you also need to manage apps or provide access to internal resources. If this is all about mail, review EAS policies and the hardware you are going to allow. If the devices you allow can honor the settings you need, use EAS! It’s free, already there, and can be set up in minutes. But if you need to publish apps or lock down corporate devices to a greater degree, MDM may be the way to go. The truth is, most customers will find themselves in a mixed environment: EAS policies for the BYOD crowd, and MDM to support and secure corporate devices that will get more than just access to Exchange.

Whichever way you go, make sure you test drive the solution(s) first. It’s easy to create multiple EAS policies and assign them to individual mailboxes (policies are assigned per mailbox, not per device), so you can see exactly what each device model will honor before you roll a policy out to everyone. Most MDM vendors will offer you a trial, and some even have cloud-based offerings so you don’t have to deploy hardware. At the end of the day, only you can determine the right balance between security and accessibility for your network and users. It’s nice to know you have options.
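The pilot described above, as an added example that is not part of the original post: assign a stricter policy to a few mailboxes, read back what their devices actually reported (which is how you find the hardware that cannot honor encryption or remote wipe), and issue a wipe for one device that went missing. Exchange 2010 cmdlet names are used; the policy name, the pilot user names, the DeviceID and the notification address are assumptions.

```powershell
# Added example: pilot an EAS policy on a few mailboxes, audit device compliance,
# and wipe a lost device. Exchange 2010 Management Shell; names are assumptions.

# 1. Assign the pilot policy per mailbox. Everyone else keeps their current policy.
$pilot = "alice", "bob", "carol"
foreach ($user in $pilot) {
    Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy "Corp-Basic"
}

# 2. After the devices have synced, see what each partnership reported.
#    LastPolicyUpdateTime older than the assignment means the device has not
#    provisioned the new policy; IsRemoteWipeSupported tells you whether the
#    wipe you are counting on will actually work; DeviceAccessState (SP1+) shows
#    Allowed / Blocked / Quarantined from the org settings and access rules.
$pilot | ForEach-Object {
    $user = $_
    Get-ActiveSyncDeviceStatistics -Mailbox $user |
        Select-Object @{Name = 'Mailbox'; Expression = { $user }},
                      DeviceType, DeviceModel, DeviceOS, LastPolicyUpdateTime,
                      LastSuccessSync, IsRemoteWipeSupported, DeviceAccessState
} | Format-Table -AutoSize

# 3. One pilot phone is lost. Target that single partnership by DeviceID (value
#    below is an assumption), request the wipe, then turn EAS off for the mailbox
#    so a thief cannot keep syncing mail while the wipe is still pending.
#    Clear-ActiveSyncDevice prompts for confirmation unless -Confirm:$false is given.
$lostId = "ApplDN6FKM7LDTD0"
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "bob" |
    Where-Object { $_.DeviceID -eq $lostId }

if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity `
        -NotificationEmailAddresses "easadmins@contoso.com"
    Set-CASMailbox -Identity "bob" -ActiveSyncEnabled $false
}
else {
    Write-Warning "No partnership with DeviceID $lostId found for bob"
}

# 4. The wipe is queued, not instant: it runs when the device next connects.
#    Watch the request / sent / ack timestamps to know whether it landed.
Get-ActiveSyncDeviceStatistics -Mailbox "bob" |
    Where-Object { $_.DeviceID -eq $lostId } |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Two things this pilot tends to surface: a device model whose LastPolicyUpdateTime never moves, which is your non-provisionable hardware, and the fact that a remote wipe only executes when the device checks in again, so a phone that never reconnects is never wiped. Disabling EAS on the mailbox at the same time is what actually stops further mail from leaving.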

Written by Casper Manes

I currently work as a Senior Messaging Consultant for one of the premier consulting firms in the world. I cut my teeth on Exchange 5.0, and have worked with every version of Microsoft’s awesome email package since then, as well as MHS, Sendmail, and MailEnable systems. I've written dozens of articles on behalf of my past employers, their partners, and others, and I finally decided to embrace blogging and social media, so please follow me on Twitter @caspermanes if you enjoy my posts.