Kaspersky Security Center 13.1

Managing Exchange ActiveSync mobile devices

This section describes advanced features for management of EAS devices through Kaspersky Security Center.

In addition to management of EAS devices by means of commands, the administrator can use the following options:

  • Create management profiles for EAS devices and assign them to users' mailboxes. An EAS device management profile is an Exchange ActiveSync policy that is used on a Microsoft Exchange server to manage EAS devices. In an EAS device management profile, you can configure the following groups of settings:
    • User password management settings
    • Mail synchronization settings
    • Restrictions on the use of the mobile device features
    • Restrictions on the use of mobile applications on the mobile device

    Depending on the mobile device model, settings of a management profile can be applied partially. The status of an Exchange ActiveSync policy that has been applied can be viewed in the mobile device properties.

  • View information about the settings of EAS device management. For example, in the mobile device properties, the administrator can view the time of the last synchronization with a Microsoft Exchange server, the EAS device ID, the Exchange ActiveSync policy name and its current status on the mobile device.
  • Disconnect EAS devices from management if they are out of use.
  • Define the settings of Active Directory polling by the Exchange Mobile Device Server, which allows updating the information about users' mailboxes and mobile devices.

In this section

Adding a management profile

Removing a management profile

Handling Exchange ActiveSync policies

Configuring the scan scope

Working with EAS devices

Viewing information about an EAS device

Disconnecting an EAS device from management

User's rights to manage Exchange ActiveSync mobile devices

See also:

Scenario: Mobile Device Management deployment


Adding a management profile

To manage EAS devices, you can create EAS device management profiles and assign them to selected Microsoft Exchange mailboxes.

Only one EAS device management profile can be assigned to a Microsoft Exchange mailbox.

To add an EAS device management profile for a Microsoft Exchange mailbox:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an Exchange Mobile Device Server.
  4. In the context menu of the Exchange Mobile Device Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the Exchange Mobile Device Server, select the Mailboxes section.
  6. Select a mailbox and click the Assign profile button.

    The Policy profiles window opens.

  7. In the Policy profiles window, click the Add button.

    The New profile window opens.

  8. Configure the profile on the tabs of the New profile window.
    • If you want to specify the profile name and the update interval, select the General tab.
    • If you want to configure the password of the mobile device user, select the Password tab.
    • If you want to configure synchronization with the Microsoft Exchange server, select the Synchronization tab.
    • If you want to configure restrictions on the mobile device features, select the Feature Restrictions tab.
    • If you want to configure restrictions on the use of mobile applications on the mobile device, select the Application Restrictions tab.
  9. Click OK.

    The new profile will be displayed in the list of profiles in the Policy profiles window.

    If you want this profile to be automatically assigned to new mailboxes, as well as to mailboxes whose profiles have been deleted, select it in the list of profiles and click the Set as default profile button.

    The default profile cannot be deleted. To delete the current default profile, you must assign the "default profile" attribute to a different profile.

  10. In the Policy profiles window, click OK.

    The management profile settings will be applied on the EAS device at the next synchronization of the device with the Exchange Mobile Device Server.


Removing a management profile

To remove an EAS device management profile for a Microsoft Exchange mailbox:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an Exchange Mobile Device Server.
  4. In the context menu of the Exchange Mobile Device Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the Exchange Mobile Device Server, select the Mailboxes section.
  6. Select a mailbox and click the Change profiles button.

    The Policy profiles window opens.

  7. In the Policy profiles window, select the profile that you want to remove and click the red Delete button.

    The selected profile will be removed from the list of management profiles. The current default profile will be applied to EAS devices managed by the profile that has been removed.

    If you want to remove the current default profile, re-assign the "default profile" property to another profile, then remove the first one.


Handling Exchange ActiveSync policies

After you install Exchange Mobile Device Server, in the Mailboxes section of the Server properties window, you can view information about accounts of the Microsoft Exchange server that have been retrieved by polling the current domain or domain forest.

Also, in the Exchange Mobile Device Server properties window, you can use the following buttons:

  • Change profiles allows you to open the Policy profiles window, which contains a list of policies retrieved from the Microsoft Exchange server. In this window, you can create, edit, or delete Exchange ActiveSync policies. The Policy profiles window is almost identical to the policy editing window in Exchange Management Console.
  • Assign profiles to mobile devices allows you to assign a selected Exchange ActiveSync policy to one or several accounts.
  • Enable/disable ActiveSync allows you to enable or disable Exchange ActiveSync HTTP for one or multiple accounts.


Configuring the scan scope

In the properties of the newly installed Exchange Mobile Device Server, in the Settings section, you can configure the scan scope. By default, the scan scope is the current domain in which the Exchange Mobile Device Server is installed. Selecting the Entire domain forest value expands the scan scope to include the entire domain forest.


Working with EAS devices

Devices retrieved by scanning the Microsoft Exchange server will be added to the common list of devices, which is located in the Mobile Device Management node, in the Mobile devices folder.

If you want the Mobile devices folder to display Exchange ActiveSync devices only (hereinafter referred to as EAS devices), filter the device list by clicking the Exchange ActiveSync (EAS) link that is located above this list.

You can manage EAS devices by means of commands. For example, the Reset to factory settings command allows you to remove all data from a device and reset the device settings to the factory settings. This command is useful if the device is lost or stolen, when you need to prevent corporate or personal data from falling into the hands of a third party.

If all data has been deleted from the device, the data will be deleted again the next time the device connects to the Microsoft Exchange server. The command is repeated until the device is removed from the list of devices. This behavior is caused by the way the Microsoft Exchange server operates.

To remove an EAS device from the list, in the context menu of the device, select Delete. If the Exchange ActiveSync account is not deleted from the EAS device, the latter will reappear on the list of devices after the next synchronization of the device with the Microsoft Exchange server.


Viewing information about an EAS device

To view information about an EAS device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.
  3. From the context menu of the mobile device, select Properties.

    The properties window of the EAS device opens.

The properties window of the mobile device displays information about the connected EAS device.


Disconnecting an EAS device from management

To disconnect an EAS device from management by the Exchange Mobile Device Server:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.
  3. Select the mobile device that you want to disconnect from management by the Exchange Mobile Device Server.
  4. In the context menu of the mobile device, select Delete.

The EAS device is marked for removal with a red cross icon. The mobile device is removed from the list of managed devices after it is removed from the Exchange ActiveSync Server database. To do so, the administrator must remove the user account on the Microsoft Exchange server.


User's rights to manage Exchange ActiveSync mobile devices

To manage mobile devices running under the Exchange ActiveSync protocol with Microsoft Exchange Server 2010 or Microsoft Exchange Server 2013, make sure that the user belongs to a role group that is allowed to run the following cmdlets:

  • Get-CASMailbox
  • Set-CASMailbox
  • Remove-ActiveSyncDevice
  • Clear-ActiveSyncDevice
  • Get-ActiveSyncDeviceStatistics
  • Get-AcceptedDomain
  • Set-AdServerSettings
  • Get-ActiveSyncMailboxPolicy
  • New-ActiveSyncMailboxPolicy
  • Set-ActiveSyncMailboxPolicy
  • Remove-ActiveSyncMailboxPolicy

To manage mobile devices running under the Exchange ActiveSync protocol with Microsoft Exchange Server 2007, make sure that the user has been granted administrator rights. If the rights have not been granted, run the cmdlets that assign the administrator rights to the user (see the table below).

Administrator rights required for managing Exchange ActiveSync mobile devices on Microsoft Exchange Server 2007

  • Access: Full
    Object: Branch "CN=Mobile Mailbox Policies,CN=Your Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain"
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericAll

  • Access: Read
    Object: Branch "CN=Your Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain"
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericRead

  • Access: Read/write
    Object: Properties msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable for objects in Active Directory
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRight ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink, msExchOmaAdminWirelessEnable

  • Access: Full
    Object: Mailbox repositories for ms-Exch-Store-Admin
    Cmdlet: Get-MailboxDatabase | Add-ADPermission -User <User or group name> -ExtendedRights ms-Exch-Store-Admin

For detailed information about how to use cmdlets in the Exchange Management Shell console, refer to the Microsoft Exchange Server Technical Support website.
