Deploying a system for management via Exchange ActiveSync protocol
Kaspersky Security Center allows you to manage mobile devices that are connected to the Administration Server using the Exchange ActiveSync protocol. Exchange ActiveSync (EAS) mobile devices are those connected to an Exchange Mobile Device Server and managed by Administration Server.
The following operating systems support Exchange ActiveSync protocol:
- Windows Phone 8
- Windows Phone 8.1
- Windows 10 Mobile
- Android
- iOS
The set of management settings available for an Exchange ActiveSync device depends on the operating system that the mobile device is running. For details on which Exchange ActiveSync features a specific operating system supports, refer to the documentation for that operating system.
Deployment of a mobile device management system using Exchange ActiveSync protocol includes the following steps:
- The administrator installs Exchange Mobile Device Server on the selected client device.
- The administrator creates one or more management profiles in Administration Console for managing EAS devices and adds the profiles to the mailboxes of Exchange ActiveSync users.
A management profile of Exchange ActiveSync mobile devices is an ActiveSync policy used on a Microsoft Exchange server for managing Exchange ActiveSync mobile devices. Only one EAS device management profile can be assigned to a Microsoft Exchange mailbox.
Users of mobile EAS devices connect to their Exchange mailboxes. Any management profile imposes some restrictions on mobile devices.
Installing Mobile Device Server for Exchange ActiveSync
An Exchange Mobile Device Server is installed on a client device with a Microsoft Exchange server installed. We recommend that you install the Exchange Mobile Device Server on a Microsoft Exchange server with the Client Access role assigned. If several Microsoft Exchange servers with the Client Access role in the same domain are combined into a Client Access Array, it is recommended to install the Exchange Mobile Device Server on each Microsoft Exchange server in that array in cluster mode.
To install an Exchange Mobile Device Server on a local device:
- Run the setup.exe executable file.
A window opens prompting you to select Kaspersky applications to install.
- In the applications selection window, click the Install Exchange Mobile Device Server link to run the Setup Wizard of Exchange Mobile Device Server.
- In the Installation settings window, select the type of Exchange Mobile Device Server installation:
  - To install Exchange Mobile Device Server with the default settings, select Standard installation and click the Next button.
  - To define the settings for installation of the Exchange Mobile Device Server manually, select Custom installation and click Next. Then do the following:
    - Select the destination folder in the Destination Folder window. The default folder is <Disk>:\Program Files\Kaspersky Lab\Mobile Device Management for Exchange. If such a folder does not exist, it is created automatically during the installation. You can change the destination folder by using the Browse button.
    - Choose the type of Exchange Mobile Device Server installation in the Installation mode window: normal mode or cluster mode.
    - In the Select Account window, choose an account that will be used to manage mobile devices:
      - Create account and role group automatically. The account will be created automatically.
      - Specify an account. The account must be selected manually. Click the Browse button to select the user whose account will be used and specify the password. The selected user must belong to a group that has rights to manage mobile devices using ActiveSync.
    - In the IIS settings window, allow or prohibit automatic configuration of the Internet Information Services (IIS) web server properties.
      If you have prohibited automatic configuration of the Internet Information Services (IIS) properties, enable the "Windows authentication" mechanism manually in the IIS settings for Microsoft PowerShell Virtual Directory. If the "Windows authentication" mechanism is disabled, Exchange Mobile Device Server will not operate correctly. Refer to the IIS documentation for more information about configuring IIS.
    - Click Next.
- In the window that opens, verify the Exchange Mobile Device Server installation properties, and then click Install.
When the Wizard finishes, the Exchange Mobile Device Server is installed on the local device. The Exchange Mobile Device Server will be displayed in the Mobile Device Management folder in the console tree.
Connecting mobile devices to an Exchange Mobile Device Server
Before connecting any mobile devices, you must configure Microsoft Exchange Server in order to allow the devices to be connected using ActiveSync protocol.
To connect a mobile device to an Exchange Mobile Device Server, the user connects to his or her Microsoft Exchange mailbox from the mobile device through ActiveSync. When connecting, the user must specify the connection settings in the ActiveSync client, such as email address and email password.
The user's mobile device, connected to the Microsoft Exchange server, is displayed in the Mobile devices subfolder contained in the Mobile Device Management folder in the console tree.
After the Exchange ActiveSync mobile device is connected to an Exchange Mobile Device Server, the administrator can manage the connected Exchange ActiveSync mobile device.
Configuring the Internet Information Services web server
When using Microsoft Exchange Server (versions 2010 and 2013), you have to activate the Windows authentication mechanism for a Windows PowerShell virtual directory in the settings of the Internet Information Services (IIS) web server. This authentication mechanism is activated automatically if the Configure Microsoft Internet Information Services (IIS) automatically option is selected in the Exchange Mobile Device Server Installation Wizard (default option).
Otherwise, you will have to activate the authentication mechanism on your own.
To activate the Windows authentication mechanism for a PowerShell virtual directory manually:
- In the Internet Information Services (IIS) Manager console, open the properties of the PowerShell virtual directory.
- Go to the Authentication section.
- Select Microsoft Windows Authentication, and then click the Enable button.
- Open Advanced Settings.
- Select the Enable Kernel-mode authentication option.
- In the Extended protection drop-down list, select Required.
When using Microsoft Exchange Server 2007, the IIS web server requires no configuration.
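The manual procedure above can also be checked from a script. The following is an added example, not part of the Kaspersky documentation or product: it uses the IIS WebAdministration module to compare the three settings (Windows authentication enabled, kernel-mode authentication, extended protection required) against the desired state and, with -Fix, to apply them. The location 'Default Web Site/PowerShell' and the function name Test-PowerShellVDirAuth are assumptions for illustration.

```powershell
# Added example: audit (and optionally fix) Windows authentication settings
# on the Exchange PowerShell virtual directory. Run elevated on the server.
Import-Module WebAdministration

# Assumption: the directory is 'Default Web Site/PowerShell'; adjust as needed.
$Location = 'Default Web Site/PowerShell'
$Section  = 'system.webServer/security/authentication/windowsAuthentication'

# Desired state, one entry per setting from the manual procedure.
# 'Require' is the configuration value behind "Required" in IIS Manager.
$Desired = @(
    @{ Filter = $Section;                      Name = 'enabled';       Value = $true }
    @{ Filter = $Section;                      Name = 'useKernelMode'; Value = $true }
    @{ Filter = "$Section/extendedProtection"; Name = 'tokenChecking'; Value = 'Require' }
)

function Test-PowerShellVDirAuth {
    param([switch]$Fix)

    $drift = 0
    foreach ($setting in $Desired) {
        $common = @{
            PSPath   = 'IIS:\'
            Location = $Location
            Filter   = $setting.Filter
            Name     = $setting.Name
        }
        $current = Get-WebConfigurationProperty @common
        # Some attributes come back wrapped in an object with a .Value property.
        if ($null -ne $current.Value) { $current = $current.Value }

        if ("$current" -eq "$($setting.Value)") {
            Write-Host ("OK     {0} = {1}" -f $setting.Name, $current)
            continue
        }
        $drift++
        Write-Warning ("DRIFT  {0} = {1}, expected {2}" -f $setting.Name, $current, $setting.Value)
        if ($Fix) {
            Set-WebConfigurationProperty @common -Value $setting.Value
            Write-Host ("FIXED  {0} set to {1}" -f $setting.Name, $setting.Value)
        }
    }
    return $drift   # number of settings that did not match the desired state
}

Test-PowerShellVDirAuth        # report only; add -Fix to apply the settings
```

A non-zero return value means at least one setting differed from the procedure; running the function again after -Fix should report all three as OK.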
Local installation of an Exchange Mobile Device Server
For a local installation of an Exchange Mobile Device Server, the administrator must perform the following operations:
- Copy the contents of the \Server\Packages\MDM4Exchange\ folder from the Kaspersky Security Center distribution package to a client device.
- Run the setup.exe executable file.
Local installation includes two types of installation:
- Standard installation is a simplified installation that does not require the administrator to define any settings; it is recommended in most cases.
- Extended installation is an installation that requires the administrator to define the following settings:
  - Path for Exchange Mobile Device Server installation.
  - Exchange Mobile Device Server operation mode: standard mode or cluster mode.
  - Possibility of specifying the account under which the Exchange Mobile Device Server service will run.
  - Enabling / disabling automatic configuration of the IIS web server.
The Exchange Mobile Device Server Installation Wizard must be run under an account that has all of the required rights.
Remote installation of an Exchange Mobile Device Server
To configure the remote installation of Exchange Mobile Device Server, the administrator must perform the following actions:
- In the tree of Kaspersky Security Center Administration Console, select the Remote installation folder, then the Installation packages subfolder.
- In the Installation packages subfolder, open the properties of the Exchange Mobile Device Server package.
- Go to the Settings section.
This section contains the same settings as those used for the local installation of the application.
After the remote installation is configured, you can start installing Exchange Mobile Device Server.
To install Exchange Mobile Device Server:
- In the tree of Kaspersky Security Center Administration Console, select the Remote installation folder, then the Installation packages subfolder.
- In the Installation packages subfolder, select the Exchange Mobile Device Server package.
- Open the context menu of the package and select Install application.
- In the Remote Installation Wizard that opens, select a device (or multiple devices for installation in cluster mode).
- In the Run application Setup Wizard under specified account field, specify the account under which the installation process will be run on the remote device.
The account must have the required rights.