Kaspersky Security Center 13.1

Exchange Mobile Device Server

An Exchange Mobile Device Server allows you to manage mobile devices that are connected to an Administration Server using the Exchange ActiveSync protocol (EAS devices).

In this section

How to deploy an Exchange Mobile Device Server

Rights required for deployment of Exchange Mobile Device Server

Account for Exchange ActiveSync service

See also:

Main installation scenario

[Topic 92258]

How to deploy an Exchange Mobile Device Server

If multiple Microsoft Exchange servers within a Client Access Server array have been deployed in the organization, an Exchange Mobile Device Server must be installed on each of the servers in that array. The Cluster mode option must be enabled in the Exchange Mobile Device Server Installation Wizard. In this case, the set of instances of the Exchange Mobile Device Server installed on servers in the array is called the cluster of Exchange Mobile Device Servers.

If no Client Access server array of Microsoft Exchange Servers has been deployed in the organization, an Exchange Mobile Device Server must be installed on a Microsoft Exchange Server that has Client Access. In this case, the Standard mode option must be enabled in the Setup Wizard of the Exchange Mobile Device Server.

Together with the Exchange Mobile Device Server, Network Agent must be installed on the device; it helps integrate the Exchange Mobile Device Server with Kaspersky Security Center.

The default scan scope of the Exchange Mobile Device Server is the Active Directory domain in which it was installed. If the Exchange Mobile Device Server is deployed on a server running Microsoft Exchange Server 2010 or 2013, you can expand its scan scope to the entire domain forest (see section "Configuring the scan scope"). The information requested during a scan includes the accounts of Microsoft Exchange server users, Exchange ActiveSync policies, and the users' mobile devices that are connected to the Microsoft Exchange Server over the Exchange ActiveSync protocol.

Multiple instances of Exchange Mobile Device Server that run in Standard mode and are managed by a single Administration Server cannot be installed within a single domain. Likewise, within a single Active Directory domain forest, multiple instances of Exchange Mobile Device Server (or multiple clusters of Exchange Mobile Device Servers) cannot be installed if they run in Standard mode with a scan scope expanded to the entire domain forest and are connected to a single Administration Server.

See also:

Main installation scenario

Configuring the scan scope

[Topic 92259]

Rights required for deployment of Exchange Mobile Device Server

Deployment of an Exchange Mobile Device Server on Microsoft Exchange Server (2010, 2013) requires domain administrator rights and the Organization Management role. Deployment of an Exchange Mobile Device Server on Microsoft Exchange Server (2007) requires domain administrator rights and membership in the Exchange Organization Administrators security group.

See also:

Main installation scenario

Account for Exchange ActiveSync service

[Topic 92339]

Account for Exchange ActiveSync service

When an Exchange Mobile Device Server is installed, an account is automatically created in Active Directory:

  • On Microsoft Exchange Server (2010, 2013): KLMDM4ExchAdmin***** account with the KLMDM Role Group role.
  • On Microsoft Exchange Server (2007): KLMDM4ExchAdmin***** account, a member of the KLMDM Secure Group security group.

The Exchange Mobile Device Server service runs under this account.

If you do not want this account to be generated automatically, create a custom account with the following rights:

  • When using Microsoft Exchange Server (2010, 2013), the account must be assigned a management role that allows it to run the following cmdlets:
    • Get-CASMailbox
    • Set-CASMailbox
    • Remove-ActiveSyncDevice
    • Clear-ActiveSyncDevice
    • Get-ActiveSyncDeviceStatistics
    • Get-AcceptedDomain
    • Set-AdServerSettings
    • Get-ActiveSyncMailboxPolicy
    • New-ActiveSyncMailboxPolicy
    • Set-ActiveSyncMailboxPolicy
    • Remove-ActiveSyncMailboxPolicy
  • When using Microsoft Exchange Server (2007), the account must be granted the access rights to Active Directory objects listed in the table below.

    Access rights to Active Directory objects

    Access: Full
    Object: Container "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericAll

    Access: Read
    Object: Container "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericRead

    Access: Read/write
    Object: Properties msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable of objects in Active Directory
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRight ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink, msExchOmaAdminWirelessEnable

    Access: Extended right ms-Exch-Store-Admin
    Object: Mailbox databases of the Exchange server, container "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
    Cmdlet: Get-MailboxDatabase | Add-ADPermission -User <User or group name> -ExtendedRights ms-Exch-Store-Admin
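The following script is an added example for the Microsoft Exchange Server 2010/2013 case above; it is not part of the Kaspersky documentation or product. It checks that a custom service account is effectively assigned management roles covering every cmdlet in the list, so that the account runs with exactly the rights the Exchange Mobile Device Server needs and no more. It assumes an Exchange Management Shell session with rights to read role assignments; the account name CONTOSO\svc-klmdm is a placeholder.

```powershell
# Added example (not Kaspersky's or Microsoft's code).
# Assumes: an Exchange Management Shell session on Exchange 2010/2013,
# and a custom service account created in place of the auto-generated
# KLMDM4ExchAdmin***** account. The account name below is a placeholder.
$ServiceAccount = 'CONTOSO\svc-klmdm'

# Cmdlets the Exchange Mobile Device Server documentation requires the
# account's role to allow.
$RequiredCmdlets = @(
    'Get-CASMailbox', 'Set-CASMailbox',
    'Remove-ActiveSyncDevice', 'Clear-ActiveSyncDevice',
    'Get-ActiveSyncDeviceStatistics', 'Get-AcceptedDomain',
    'Set-AdServerSettings',
    'Get-ActiveSyncMailboxPolicy', 'New-ActiveSyncMailboxPolicy',
    'Set-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncMailboxPolicy'
)

# Resolve the account once so that names compare consistently.
$User = Get-User -Identity $ServiceAccount -ErrorAction Stop

$Missing = foreach ($Cmdlet in $RequiredCmdlets) {
    # Every management role whose role entries include this cmdlet ...
    $Roles = Get-ManagementRole -Cmdlet $Cmdlet
    $Granted = $false
    foreach ($Role in $Roles) {
        # ... and whether any of them is effectively assigned to the account,
        # directly or through a role group it belongs to. Assumption: the
        # EffectiveUserName of an expanded assignment equals the user's Name.
        $Effective = Get-ManagementRoleAssignment -Role $Role.Name -GetEffectiveUsers |
            Where-Object { $_.EffectiveUserName -eq $User.Name }
        if ($Effective) { $Granted = $true; break }
    }
    if (-not $Granted) { $Cmdlet }   # emit the cmdlet name if nothing grants it
}

if ($Missing) {
    Write-Warning ("Account {0} lacks access to: {1}" -f $ServiceAccount, ($Missing -join ', '))
} else {
    Write-Host "Account $ServiceAccount can run all cmdlets required by the Exchange Mobile Device Server."
}
```

Run the check after assigning the account to its role group and again after any change to role groups; a cmdlet reported as missing means the Exchange Mobile Device Server service will fail on that operation rather than fall back to broader rights.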

See also:

Main installation scenario

Rights required for deployment of Exchange Mobile Device Server

[Topic 92340]