Control smartphone usage with Exchange 2010 ActiveSync

Thanks to: http://www.techrepublic.com


Exchange 2010 includes controls to help IT departments provide mobility services and enable automated methods by which user's devices are required to adhere to organizational policies. 
Users in Exchange-based organizations enjoy comprehensive built-in mobility via ActiveSync; however, even as users clamor for smartphones, IT needs to make sure that these services are used in ways that are consistent with organizational policies. Although some users believe that these policies can be constraining, the situation would be much worse if the mobile device were to create a major security incident.
There are a variety of third party solutions to manage, monitor, and control mobile devices, but many organizations loathe spending a lot of money on these kinds of services and are most concerned with being able to simply control how devices interact with their systems. Exchange 2010 includes a number of administrative controls to help IT departments provide these mobility services while enabling automated methods by which user's devices are required to adhere to policy.
This blog post is also available as a TechRepublic gallery.
First and foremost, you get to decide whether ActiveSync is even available on a user by user basis. You can opt to disable ActiveSync for all users and then enable it only for those users who need it. In Figure A, you see an Exchange Management Console screenshot that shows you my Exchange profile with ActiveSync enabled. Figure A
You can enable and disable ActiveSync for any user.
Exchange 2010 includes a default ActiveSync policy, but you can create others if you like. Each individual mailbox needs to be associated with an ActiveSync policy. To change the policy, choose ActiveSync and click Properties. On the Properties page (Figure B), choose the policy that should apply to this user's devices. Figure B
Choose the ActiveSync policy that should apply to this mailbox
If a user happens to lose his or her smartphone, you can take direct action by administratively disassociating that user's phone from the Exchange server or initiating a remote wipe of that user's attached device. To do so, from the Exchange Management Console, right-click the user's name and choose Manage Mobile Phone. You will see a screen like the one in Figure C.Figure C
Remote wipe a device or remove its ActiveSync partnership

ActiveSync policies

You can be even more granular through the use of ActiveSync policies. In Exchange 2010, you can create any number of ActiveSync policies and associate different policies with different users.
ActiveSync policies are managed in the Exchange Management Console by navigating to the Organization Configuration | Clint Access node. From there, choose the Exchange ActiveSync Policies tab (Figure D), right-click a policy you'd like to modify and, from the shortcut menu, choose Properties. I'll introduce you to each of the primary ActiveSync policy areas. Figure D
ActiveSync policies in Exchange 2010
Note: Some ActiveSync policies can only be used if your users have an Exchange Enterprise Client Access License. The General tab (Figure E) is a place for general information about the policy, such as the policy name and how often the policy is refreshed. If you make regular changes to policies, you can specify a short refresh time, which ensures that devices will receive a new policy within that time period. Figure E
ActiveSync policy - General tab
By requiring the use of a password, you protect a user's mobile device from casual snooping or from being immediately cracked in the event that it is lost or stolen. Via the ActiveSync Password tab (Figure F), you can configure how long the password must be, how many failed attempts are allowed, password complexity, password expiration, and more. On this page, you can also indicate that only users with devices that support encryption can use ActiveSync.Figure F
ActiveSync policy - Password tab
The Sync Settings tab (Figure G) is the place for deciding how much information should be sent down to the device. You get to decide whether past calendar appointments are synchronized, and you can decide the maximum email size that will be pushed. You can also choose to disable the ability of roaming users to use ActiveSync/Direct Push. Depending on your organization's data plans, this could save the company money. Figure G
ActiveSync policy - Sync Settings tab
Some device features, such as cameras, Wi-Fi, and the other connectivity options shown inFigure H, can present a security hazard to organizations in which sensitive information must be closely controlled. You can choose to disable specific device features such as cameras and Bluetooth in order to combat the security issue. Figure H
ActiveSync policy - Device tab
How a device is used can be as important as the kind of data you allow it to access. Do you want users accessing the web using their phone's browser? Should they be allowed to check their personal mail account using the phone? In Figure I, you can see that these items and more can be configured on the Device Applications tab. Figure I
ActiveSync policy - Device Applications tab
On the Other tab (Figure J), Microsoft has put everything else; in this case, that boils down to being able to decide which applications can be used on mobile devices. Figure J
ActiveSync policy - Other tab

Summary

While not necessarily as full-featured as comprehensive third-party solutions, Exchange's built-in ActiveSync provides you with a baseline set of security controls that might be enough to protect your company from the pitfalls sometimes associated with mobility.

Comentarios

Publicar un comentario

Dime si la información de este blog te sirvio.

Entradas populares de este blog

Guía de herramientas básicas para estudiantes: 31 apps y webs imprescindibles para ayudarte con los estudios

Imagen
  Te traemos una guía con   31 aplicaciones y herramientas web para ayudarte como estudiante , una colección muy variada para sacar provecho en diferentes ámbitos en los que puedas necesitarlo. Nos hemos dejado fuera el ámbito educativo para los más jóvenes, recursos que tenemos en   esta otra guía , y nos hemos centrado en estudiantes más adultos. Hemos decidido centrarnos en herramientas prácticas, dejando fuera las plataformas para cursos online, tanto  las más conocidas  como  otras menos conocidas . Lo que hemos preferido buscar son recursos que puedas usar en tu día a día, como gestores de fuentes y citaciones, herramientas para diagramas, para intercambiar apuntes o para crear diferentes contenidos. Y lo que decimos siempre en Xataka Basics hoy cobra más sentido que nunca. Nosotros te traemos 31 herramientas, pero te invitamos a  compartir tus propuestas en la sección de comentarios  para que el resto de usuarios también pueda beneficiarse de los conocimientos de nuestros xatake
Leer más

Comando FOR para archivos BAT

Gracias a: http://profesoremiliobarco.blogspot.com/ El comando FOR sirve para ejecutar bucles de instrucciones, y es una instrucción que se encuentra disponible en todos los lenguajes de programación. Un bucle son varias repeticiones de algunas instrucciones. Este comando suele ser el más complicado de entender para las personas que empiezan a escribir archivos BAT complejos. Aqui intentaré explicar todas las opciones y usos del comando FOR, así como intentar resolver las dudas que los usuarios de Internet me puedan plantear. La sintaxis normal del comando FOR es: FOR %var IN (lista) DO (      comando     comando      ... )  Pero si lo vamos a usar dentro de un archivo BAT será así: FOR %%var IN (lista) DO (      comando     comando      ... ) Observa que la variable "var" ahora va precedida por dos simbolos de "%". Además, si este for está dentro de un archivo BAT, el nombre de la variable debe ser UNA SOLA LETRA (p.ej: %%n, %%i,  %%j , etc
Leer más

How to Fix Failed to Connect a Hyper-V Standalone to Veeam Backup

Imagen
 Thank to: https://bonguides.com/ Invalid Credentials Error Adding a Hyper-V Host When attempting to add a Hyper-V host to  Veeam Backup & Replication  using a local (non-domain) user account, the following error occurs: Failed to connect to host Access denied or timeout expired . Check if you have local administrator privileges on computer Possible reasons: 1 . Invalid credentials . 2 . Specified host is not a Hyper - V server . Solutions 1. Login into the Hyper-V host then open  Registry Editor . 2. Navigate to the following location then create a new  DWORD  value. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 3. Enter the name  LocalAccountTokenFilterPolicy  then double click on it and set the value data is  1. Or you can create a DWORD value using PowerShell, let run below command in PowerShell Admin. reg add HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system / v LocalAccountTokenFilterPolicy / t Reg_DWORD / d 1 Fin
Leer más