Situation
Microsoft employees need to be able to use their mobile devices, including mobile phones and
slates, to access mission-crucial data anytime, anywhere. With more than 170,000 user
mailboxes, MSIT needed a robust solution, and found it with Exchange ActiveSync.

Solution
Exchange ActiveSync is a synchronization protocol that works with high-latency and
low-bandwidth networks. Exchange ActiveSync enables users to use their mobile devices to
access up-to-date corporate email, calendar, and contacts that are on a Microsoft Exchange
Server. Meanwhile, it enables MSIT to enforce security policies on those devices that protect
valuable intellectual property from malicious users, should employees lose their mobile
devices or have them stolen.

Benefits
• Enables employees to access their corporate email, calendar, and contacts by using their
  personal portable devices
• Increases employee productivity significantly by enabling anywhere, anytime access to
  corporate data
• Boosts employee satisfaction notably
• Enables Microsoft to attract potential employees who are technologically savvy, and who
  want the ability to work remotely
• Minimizes the risk of inadvertent data exposure and loss
• Provides institutional management of Exchange Server policies and configurations
• Enables cross-team collaboration between security, hardware, and email teams within an
  enterprise

Products & Technologies
• Microsoft Exchange ActiveSync
• Microsoft Exchange Server 2010
• Microsoft System Center 2012
• Windows PowerShell
Using Microsoft® Exchange ActiveSync® to Actively Manage Consumerization of IT Devices
Published: July 2012
The following content may no longer reflect Microsoft’s current position or infrastructure. This
content should be viewed as reference documentation only, to inform IT business decisions
within your own company or organization.
Microsoft Exchange Server 2010 has functionality that enables users
to access their corporate email, calendar, global address list, and
tasks with their personal portable devices. Using Microsoft Exchange
ActiveSync within Exchange Server 2010, Microsoft IT (MSIT) delivers
significant improvements in employee productivity and satisfaction by
enabling employee access to this business-critical information in more
than 170,000 user mailboxes.
Situation
Only a few years ago, IT departments still procured and managed electronic devices for their
employees. Today, employees want to use their personal electronic devices to do their jobs,
and utilize the same technologies and applications at work that they use at home. This
blending of consumer and enterprise technologies is the Consumerization of IT, and it
significantly boosts employee productivity and satisfaction. Employees can work just about
anywhere, at any time, as long as their personal electronic devices can connect to their
enterprise’s corporate network. However, this anytime, anywhere access to corporate data
can make it difficult for IT departments to ensure the protection of enterprise data.
Microsoft supports a hybrid, mixed-ownership model of enterprise-standard and consumer-standard
hardware, and offers support to employees who want to use their own mobile devices, including
phones and slates. These devices must meet minimum hardware requirements that MSIT specifies.
If they do, MSIT provides a way for employees to access key corporate data while also protecting
that data from inadvertent exposure and malicious users. The answer for MSIT was Microsoft®
Exchange ActiveSync®, a feature of Microsoft Exchange Server® 2010.
If employees use mobile devices that are Exchange ActiveSync enabled, then they also can
use that device to access their:
• Corporate calendar, so they can view their appointments, accept and reject meeting
  requests, and create new appointments and meeting requests
• Global address lists, or contacts
• Tasks
• Line-of-business (LOB) applications
By deploying Exchange ActiveSync, MSIT enables employees to access this often mission-critical
data, while also enforcing security policies within an Exchange Server environment.
However, MSIT had to ensure that enabling Exchange ActiveSync, and the mailbox-client
traffic that it would produce, would not overtax the existing Client Access Server (CAS)
infrastructure. Enabling users to access this data resulted in a quick and significant surge
from approximately 50,000 clients accessing Exchange Server to more than 100,000 clients.
Currently, not all employees use their mobile devices to access their corporate email,
calendar, contacts, and tasks, but a large portion of them do.
The Exchange ActiveSync deployment at Microsoft was smooth and seamless; most users
likely did not even notice any change in their service or use, except for a message or two on
which they had to act so that they could connect to the corporate network. Furthermore,
Microsoft has promoted active management for its Exchange ActiveSync deployment by:
• Evaluating the default Exchange ActiveSync policies before deployment, to determine
  which ones to configure to meet enterprise needs.
• Reviewing these policies periodically to ensure that they continue to meet enterprise
  needs for data protection, while also enabling continued successful data access by
  users.
Among the policies that MSIT initially reviewed and configured during its Exchange
ActiveSync deployment were the:
• Ability to enable and disable Exchange ActiveSync for specific users or groups of users.
• Length and type of lock password that users had to establish on their mobile devices.
• Number of lock password attempts allowable on a device.
• Action taken when the number of device password attempts is reached.
• Ability to wipe the device remotely. The user can wipe the device remotely by using
  Microsoft Office Outlook® Web Access, or an MSIT administrator can use Windows
  PowerShell® commands to wipe the device remotely to its factory settings.
Solution
Microsoft has approximately 170,000 user mailboxes, to support its employees around the
globe. Users want to access their email, calendar, and LOB applications not just from their
work computer, but also from their personal laptops and mobile devices. This means that
MSIT is supporting a widely heterogeneous environment, which can be challenging and
costly. However, to continue boosting the productivity and satisfaction of its existing
employees, it was imperative that MSIT flow with the Consumerization of IT. Additionally,
millennials, the technologically advanced generation of young adults joining the workforce
today, often will not work for an enterprise unless telecommuting and remote operations are
part of the package.
Therefore, MSIT no longer supports only devices that it procures for users, but also a wide
variety of consumer devices. The sheer variety of devices and operating systems from which
users can select drives up cost-of-ownership from a support perspective. Then there is the
issue of data protection: how can MSIT protect data if user devices are lost or stolen?
MSIT needed to find a mechanism through which it could provide that access, while
simultaneously protecting data. That mechanism is Exchange ActiveSync, a feature within
Exchange Server. Exchange ActiveSync is essential to managing employee access to
proprietary data in this vast mixed-ownership environment.
Exchange ActiveSync is a synchronization protocol that works with high-latency and
low-bandwidth networks to enable users to access mission-critical, up-to-date corporate email,
calendar, and contacts on a Microsoft Exchange Server, by using their mobile devices.
“While some people feel that having email on your phone is a little onerous, it can be really
useful, too,” said Mark Riley, Principal Program Manager, Mobile Services, for MSIT. “If you
have an ongoing issue at work, not only can you be bothered about it, but you can also be
notified when it’s resolved. I think that is a huge thing. You are able to complete work after
you’ve left the office, without having to sit home, and be in front of your PC. There is no doubt
that it increases productivity. I don’t think anyone could argue that. Also, you could argue that
it actually improves your work-life balance, because you can leave and go do something with
your family, and still be reachable.”
Exchange ActiveSync allows an enterprise to provide its employees with this essential data
when they are travelling and working remotely, while protecting its data should an employee
lose a device or have it stolen. An enterprise also can configure it to use Secure Sockets Layer
(SSL) encryption for communications between the Exchange server and the mobile-device
client. Additionally, it uses certificate-based authentication that works with self-signed
certificates, a certificate from an existing public key infrastructure (PKI), or a third-party
commercial certification authority (CA).
Additionally, Exchange ActiveSync works in conjunction with security policies to:
• Enable a data wipe on the mobile device if an unauthorized user attempts to synchronize
  with the Exchange Server from that device.
• Provide more security by deploying RSA SecurID two-factor authentication on the
  Exchange Server.
• Enable configurable device-password policies.
Deploying Exchange ActiveSync at Microsoft
Three crucial steps ensured a smooth Exchange ActiveSync deployment for Microsoft users
and MSIT:
• Analysis of the CAS infrastructure and how the potential Exchange ActiveSync load
  would affect it.
• Configuration of Exchange ActiveSync security policies to ensure data protection if
  mobile devices were lost or stolen.
• Active management of Exchange ActiveSync security policies to ensure continued data
  protection as the environment changes, new threats emerge, and regulatory
  requirements change.
Analyzing the CAS Infrastructure
In 2003, MSIT began analyzing its CAS infrastructure. CAS accepts incoming protocol
connections for Exchange Server, and users can connect to Exchange Server via Microsoft
Office Outlook®, Outlook Web Access, Outlook Anywhere, and Exchange ActiveSync. This
means that there typically is significant traffic on the CAS servers, and MSIT needed to
determine what the potential Exchange ActiveSync load would be prior to deployment. If the
load was going to be too high, the existing CAS infrastructure could overload and crash. This,
in turn, could cause service degradation for users and potential downtime.
CAS analysis was a crucial first step in the Exchange ActiveSync deployment, and led MSIT
to arrive at its current CAS infrastructure, which includes:
• 41 CAS servers in Redmond for North American and South American users. These 41
  CAS servers service approximately 80,000 users alone.
• 14 in Dublin, Ireland, which service approximately 30,000 users in Europe and parts of
  the Middle East and Africa.
• 12 in Singapore, which service approximately 25,000 users in parts of the Far East and
  Australia.
Again, this analysis was essential. When MSIT turned on Exchange ActiveSync, the phone
clients accessing CAS servers exploded literally overnight, from approximately 50,000 to
more than 100,000. However, there was no interruption in service nor did most users even
notice the change, save for a message that requested they accept a policy on their mobile
device.
Configuring Exchange ActiveSync Policies, and Establishing Reporting Procedures
The Consumerization of IT at Microsoft means that users more often than not are selecting,
procuring, and managing their own mobile devices. When added to the fact that there are
170,000 user mailboxes at Microsoft, that makes for a significant and broad management
task for MSIT. Some users do not access their mailboxes with their mobile phones or
devices, but other users synchronize several mobile devices with Exchange Server.
The ultimate question for MSIT, as it deployed Exchange ActiveSync to enable users to
access their mail and other data via their mobile devices, was how best to protect that data
from inadvertent exposure and malicious users. MSIT had to take a multifaceted approach to
data protection, which included:
• Determining what threats or potential threats existed, for which MSIT needed to mitigate
  exposure on mobile devices. These threats included known malware on certain phone
  operating systems that synchronize to the Exchange Server environment, and which are
  exposed to the public Internet.
• Ensuring that Microsoft security standards were upheld and that Microsoft complied with
  regulatory requirements, such as reporting. MSIT uses Microsoft System Center 2012 for
  reporting, which utilizes back-end Windows PowerShell commands to poll devices that
  synchronize to the Exchange Server. System Center reporting enables MSIT to see
  specifically what devices are connecting to what mailboxes. This provides MSIT with a
  thorough look at the Exchange environment and the devices working within it.
  System Center 2012 includes the Exchange Connector feature, which reads information
  on the devices that are connecting to Exchange Server, and then can set Exchange
  ActiveSync policies accordingly. This enables a view through a single pane of glass,
  regardless of whether a user is connecting from a desktop computer, laptop computer, or
  mobile device.
• Analyzing the Exchange Server environment regularly to ensure that the central
  processing unit (CPU) load was not overburdening the CAS infrastructure. This analysis
  is important to perform regularly, to ensure that no service interruptions occur.
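The device-to-mailbox polling that the paper attributes to System Center's back-end Windows PowerShell commands can be reproduced directly with the Exchange cmdlets. The following is an added example, not MSIT's or System Center's code; it assumes an Exchange 2010 Management Shell session, a 90-day staleness threshold, and an output file path.

```powershell
# Added example, not from the case study: list every Exchange ActiveSync device
# partnership, which mailbox and policy it belongs to, and when it last synced.
# Requires an Exchange 2010 Management Shell session with rights to read CAS
# mailbox settings and device statistics.

param(
    [int]$StaleDays = 90,                     # assumed: no sync in 90 days = stale
    [string]$OutFile = ".\eas-devices.csv"    # assumed output path
)

# Only mailboxes that have at least one device partnership.
$mailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }

$report = foreach ($mbx in $mailboxes) {
    # One statistics object per device that has synced with this mailbox.
    Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox         = $mbx.PrimarySmtpAddress
                Policy          = $mbx.ActiveSyncMailboxPolicy   # empty = default policy
                DeviceType      = $_.DeviceType
                DeviceModel     = $_.DeviceModel
                DeviceOS        = $_.DeviceOS
                DeviceId        = $_.DeviceID
                LastSuccessSync = $_.LastSuccessSync
                DeviceIdentity  = $_.Identity   # the value Clear-ActiveSyncDevice needs
            }
        }
}

# What is connecting: device counts by operating system, most common first.
"Devices by OS:"
$report | Group-Object DeviceOS | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Mailboxes with several partnered devices (the paper notes some users sync
# more than one device) are the first place to look for forgotten partnerships.
"Mailboxes with more than one device:"
$report | Group-Object Mailbox | Where-Object { $_.Count -gt 1 } |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Partnerships that have not synced within the threshold. A stale partnership
# still represents a device that once held corporate data and should be reviewed.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = $report | Where-Object { $_.LastSuccessSync -and $_.LastSuccessSync -lt $cutoff }
"Stale partnerships (no successful sync since $($cutoff.ToShortDateString())): $(@($stale).Count)"

$report | Sort-Object Mailbox, DeviceType | Export-Csv -Path $OutFile -NoTypeInformation
```

The CSV gives the per-mailbox, per-device view that the paper describes System Center reporting providing, and the DeviceIdentity column is what an administrator needs when a lost device has to be wiped.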
MSIT knew that active management of Exchange ActiveSync policies was crucial (and it
continues to be). While the Exchange ActiveSync out-of-box configuration would work well for
many enterprises, MSIT opted to look at each configuration policy separately, and then make
a decision regarding whether to keep the default setting or modify it. MSIT then configured
policies in several areas, including:
• Exchange ActiveSync Policies
• Exchange ActiveSync Throttle Policies
• Mail Client Service Policies
• Authentication Policies
Configuring EAS Policies for the Microsoft Environment
MSIT wanted to make it as simple as possible for users to synchronize their mobile devices
to their Exchange-hosted mailboxes. MSIT succeeded, after deciding initially not to ban any
devices or operating system from connecting to the Exchange Server environment. However,
this likely will change as the threat landscape changes.
MSIT currently has opted not to block any devices. However, to ensure data protection, MSIT
decided to actively manage its Exchange ActiveSync policies. Here is a sampling of the
Exchange ActiveSync policies that MSIT looked at before deploying Exchange ActiveSync:
• AllowSimpleDevicePassword
• AlphanumericDevicePasswordRequired
• DeviceEncryptionEnabled
• DevicePasswordEnabled
• DevicePasswordExpiration
• DevicePasswordHistory
• DevicePolicyRefreshInterval
• MinimumDevicePasswordLength
• MaxInactivityTimeDeviceLock
• MaxDevicePasswordFailedAttempts
• PasswordRecoveryEnabled
• RequireDeviceEncryption
While the specifics of how Microsoft configured Exchange ActiveSync policies are out of scope
for this paper, here is a quick look at the basic device security that MSIT enforced via
Exchange ActiveSync policies, including the:
• Minimum password length that the users must utilize for their mobile devices. MSIT
  opted to enforce a four-digit PIN, which the user selects. Users can establish an
  alphanumeric PIN, although that is not required.
• Maximum time that a device can be inactive before it locks. If the mobile device is
  inactive for 15 minutes, the device locks. The user has to unlock the device with the
  four-digit PIN. Users can opt to set this time to a shorter period, such as two minutes or
  five minutes.
• Ability for a user or administrator to wipe the device remotely, which deletes data and
  reverts it to its factory settings. A user can log on to Outlook Web Access, navigate to the
  particular mobile device in question, and select to remotely wipe the device the next time
  it attempts to synchronize to the Exchange Server. Alternatively, a user can call the
  Microsoft help desk, and the help-desk technician will escalate the ticket to an
  administrator, who uses a Windows PowerShell command to issue the device wipe.
• Maximum password attempts a user can make and the action that occurs when that
  maximum is reached. A user has five tries to enter the correct password. On the sixth
  try, a local wipe of the device occurs.
• Schedule on which policies are refreshed on mobile devices. The default is 24 hours, but
  MSIT opted to change that to one hour. This ensures devices stay synchronized and
  data stays protected.
• Maintenance of password histories, password-history lengths, and password expirations.
  MSIT opted not to enforce these options because configuring the remote-wipe capability
  was deemed sufficient to protect device data.
• Enabling of policy exceptions. Some users, such as executives and developers, required
  exceptions to Exchange ActiveSync policies. MSIT used an innovative approach to
  managing these exceptions, by leveraging security groups to differentiate user access to
  various mail protocols, including Exchange ActiveSync.
While MSIT did not opt to configure every Exchange ActiveSync default policy, it did look at
each one, and made a decision regarding it. MSIT managed its Exchange ActiveSync
deployment actively, and continues to do so today.
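The device settings described above, together with the group-based exception handling and the administrator wipe path, expressed as an Exchange 2010 Management Shell script. This is an added example, not MSIT's own configuration script: the policy and group names are assumptions, the single relaxed setting in the exception policy is a placeholder (the paper does not say which settings executives and developers had relaxed), and the page's MinimumDevicePasswordLength is the cmdlet parameter MinDevicePasswordLength.

```powershell
# Added example, not an MSIT script: build the baseline ActiveSync mailbox
# policy described in the paper, make it the organization default, and hand a
# separate policy to members of an exceptions security group.

$StandardPolicy  = "MSIT-Standard-EAS"      # assumed policy name
$ExceptionPolicy = "MSIT-Exception-EAS"     # assumed policy name
$ExceptionGroup  = "EAS-Policy-Exceptions"  # assumed mail-enabled security group

# Baseline from the paper: user-chosen PIN of at least four digits (numeric is
# fine, alphanumeric optional), lock after 15 idle minutes, five password
# attempts before a local wipe, policy refresh hourly rather than the 24-hour
# default, and no password history or expiration.
$baseline = @{
    DevicePasswordEnabled              = $true
    AllowSimpleDevicePassword          = $true    # plain numeric PIN allowed
    AlphanumericDevicePasswordRequired = $false   # allowed but not required
    MinDevicePasswordLength            = 4
    MaxInactivityTimeDeviceLock        = "00:15:00"
    MaxDevicePasswordFailedAttempts    = 5
    DevicePolicyRefreshInterval        = "01:00:00"
    DevicePasswordExpiration           = "Unlimited"
    DevicePasswordHistory              = 0
    AllowNonProvisionableDevices       = $false   # devices that cannot enforce policy stay out
}

function Set-EasPolicyBaseline {
    param([string]$Name, [hashtable]$Settings, [bool]$IsDefault)
    # Create the policy if it is missing, then (re)apply every setting so that
    # re-running the script after a policy review converges to this baseline.
    if (-not (Get-ActiveSyncMailboxPolicy -Identity $Name -ErrorAction SilentlyContinue)) {
        New-ActiveSyncMailboxPolicy -Name $Name | Out-Null
    }
    Set-ActiveSyncMailboxPolicy -Identity $Name @Settings
    if ($IsDefault) { Set-ActiveSyncMailboxPolicy -Identity $Name -IsDefaultPolicy $true }
}

Set-EasPolicyBaseline -Name $StandardPolicy -Settings $baseline -IsDefault $true

# Exception policy: same baseline with one placeholder relaxation. The paper
# only says executives and developers needed exceptions, not which settings.
$exception = $baseline.Clone()
$exception["AllowNonProvisionableDevices"] = $true   # placeholder relaxation
Set-EasPolicyBaseline -Name $ExceptionPolicy -Settings $exception -IsDefault $false

# Group-driven assignment: members get the exception policy; everyone else
# inherits the default. The same loop can drive Set-CASMailbox -PopEnabled /
# -ImapEnabled, which is how the paper describes managing other protocols
# per security group.
Get-DistributionGroupMember -Identity $ExceptionGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientType -like "*Mailbox*" } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy $ExceptionPolicy
    }

# Help-desk escalation path from the paper: an administrator wipes a lost or
# stolen device. The wipe is carried out on the device's next sync attempt.
function Invoke-LostDeviceWipe {
    param([Parameter(Mandatory=$true)][string]$Mailbox,
          [Parameter(Mandatory=$true)][string]$DeviceId)
    $device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $device) { throw "No ActiveSync partnership for device $DeviceId on $Mailbox" }
    # -Confirm keeps this destructive action behind an explicit prompt.
    Clear-ActiveSyncDevice -Identity $device.Identity -Confirm:$true
}
```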
Actively Managing Exchange ActiveSync Policies
MSIT continually evolves its Exchange ActiveSync policies and configurations. They are not
standardized, but rather are malleable. This enables MSIT to respond quickly as client traffic
increases, environmental changes occur, threats emerge to devices and operating systems,
and regulatory requirements change.
MSIT recently completed its regular CAS infrastructure analysis, and will deploy 10 new
Mach-1 servers, at a cost of approximately $30,000. Additionally, MSIT carefully monitors
CPU load in the CAS environment, by parsing log files to see if CPU usage is trending up.
The analysis schedule is determined by CPU load, rather than a fixed date on a calendar.
This enables MSIT to respond with alacrity to any service spike that may cause service
degradation for users.
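MSIT's trigger for CAS analysis is the trend it sees when parsing log files. As an added example (not an MSIT script), here is one way to pull an Exchange ActiveSync load trend out of a CAS server's IIS W3C log; the log lines are constructed samples, and requests per hour and distinct device partnerships are this example's chosen proxies for load, not a measure the paper specifies.

```powershell
# Added example, not an MSIT script: summarize Exchange ActiveSync load on a
# Client Access Server from its IIS W3C log. The log lines below are constructed
# samples; in production read the live log instead, e.g.
#   $lines = Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\u_ex120601.log"

$lines = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2012-06-01 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=A1&DeviceType=WP 443 CORP\alice 203.0.113.10 MSFT-WP/7.10 200 1520
2012-06-01 08:00:07 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=alice&DeviceId=A1&DeviceType=WP 443 CORP\alice 203.0.113.10 MSFT-WP/7.10 200 900000
2012-06-01 08:01:12 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=bob&DeviceId=B2&DeviceType=iPhone 443 CORP\bob 198.51.100.4 Apple-iPhone3C1/901.334 200 2210
2012-06-01 08:05:40 10.0.0.5 GET /owa/ - 443 CORP\carol 198.51.100.9 Mozilla/5.0 200 310
2012-06-01 09:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=bob&DeviceId=B2&DeviceType=iPhone 443 CORP\bob 198.51.100.4 Apple-iPhone3C1/901.334 200 1980
2012-06-01 09:02:19 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&User=dave&DeviceId=D4&DeviceType=Android 443 CORP\dave 192.0.2.77 Android/4.0 449 120
'@ -split "`n" | ForEach-Object { $_.TrimEnd("`r") }

function Get-EasLogSummary {
    param([string[]]$LogLines)
    $fields = @(); $perHour = @{}; $perCmd = @{}; $devices = @{}
    $provisionResponses = 0   # HTTP 449 = CAS told the device to (re)apply policy
    foreach ($line in $LogLines) {
        if ($line -like "#Fields:*") {            # column layout comes from the header
            $fields = $line.Substring(8).Trim() -split " "
            continue
        }
        if ($line.Trim() -eq "" -or $line.StartsWith("#")) { continue }
        $cols = $line -split " "
        if ($cols.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row["cs-uri-stem"] -notlike "/Microsoft-Server-ActiveSync*") { continue }

        # EAS carries Cmd, User, DeviceId and DeviceType in the query string.
        $q = @{}
        foreach ($pair in ($row["cs-uri-query"] -split "&")) {
            $kv = $pair -split "=", 2
            if ($kv.Count -eq 2) { $q[$kv[0]] = $kv[1] }
        }
        $hour = "{0} {1}:00" -f $row["date"], $row["time"].Substring(0, 2)
        $perHour[$hour] = [int]$perHour[$hour] + 1
        $cmd = $q["Cmd"]; if (-not $cmd) { $cmd = "(none)" }
        $perCmd[$cmd] = [int]$perCmd[$cmd] + 1
        if ($q["DeviceId"]) { $devices[$q["DeviceId"]] = $q["DeviceType"] }
        if ($row["sc-status"] -eq "449") { $provisionResponses++ }
    }
    New-Object PSObject -Property @{
        RequestsPerHour    = $perHour
        RequestsPerCmd     = $perCmd
        DistinctDevices    = $devices.Count
        DevicesByType      = $devices.Values | Group-Object | Sort-Object Count -Descending
        ProvisionResponses = $provisionResponses
    }
}

$summary = Get-EasLogSummary -LogLines $lines
"EAS requests per hour (this climbs before CPU does):"
$summary.RequestsPerHour.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
"Requests by command (Ping is the long-lived heartbeat; Sync carries the data):"
$summary.RequestsPerCmd.GetEnumerator() | Sort-Object Value -Descending | Format-Table Name, Value -AutoSize
"Distinct devices: $($summary.DistinctDevices)"
$summary.DevicesByType | Format-Table Count, Name -AutoSize
"Policy (re)provision responses, HTTP 449: $($summary.ProvisionResponses)"
```

Run against successive daily logs, the per-hour counts and the distinct-device count are the series to chart; a rise in HTTP 449 responses after a policy change shows the hourly refresh interval reaching devices.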
Additionally, MSIT:
• Works closely with the Exchange operations team to ensure that it has the necessary
  hardware to support its users. MSIT uses a hardware load balancer that enables it to
  separate the traffic coming through the CAS infrastructure into different protocols and
  rates of CPU usage. As manufacturers roll out more and more mobile devices, the
  number of clients that will be hitting the CAS infrastructure will continue to climb.
• Monitors operating systems and devices carefully. While MSIT currently does not ban
  any devices from connecting through Exchange ActiveSync, MSIT is carefully looking at
  all device operating systems, to ensure the protection of Microsoft intellectual property.
  Some device operating systems are open-source, which means that malicious users can
  infect them with malware much more easily. MSIT may institute policies regarding the
  ability of these devices to synchronize to the Microsoft Exchange environment via
  Exchange ActiveSync.
MSIT also is in the process of deploying device encryption. When MSIT deployed
Exchange ActiveSync several years ago, mobile-device encryption was not possible
technically. Today it is, and can provide an additional level of protection for Microsoft
intellectual property and data.
Best Practices
Deploying Exchange ActiveSync is relatively straightforward, particularly if an enterprise has
Exchange Server running already. Here are several best practices that MSIT determined
from its Exchange ActiveSync deployment:
• Manage your Exchange ActiveSync policies actively. Periodically review the devices and
  operating systems that will attempt to synchronize with your Exchange Server; monitor
  ongoing threats to those devices and operating systems; and determine your risk
  tolerance. Determine your review rhythm. If an annual review is enough, stay with that
  schedule. However, if your risk tolerance is lower (such as in the banking industry), a
  semiannual or quarterly review may be necessary. Continue to monitor what policies you
  have turned on or off, depending on your environment and other factors.
• Monitor your CAS infrastructure carefully and regularly. If CPU load begins to increase,
  or spikes suddenly, this could cause the CAS servers to fail, which leads to downtime
  and service interruptions to users. Review logs at least quarterly.
“You need to monitor your traffic so that you can scale your environment as needed, and
you need to be cognizant of how these devices are connecting to your Exchange
environment, so that you can put policies in place to manage them,” said Shad Morris,
network engineer for service engineering at Microsoft.
• Manage exceptions to Exchange ActiveSync policies. Some users will require
  exceptions to policies. Think out of the box, as MSIT did when opting to manage other
  protocols, such as IMAP and POP settings, for specific security groups, while
  simultaneously enabling their access to data and securing that data.
Benefits
There are several benefits to deploying Exchange ActiveSync, including that it:
• Increases employee productivity significantly by enabling them to access their
  mission-critical email, calendar, tasks, and contacts from anywhere, at any time, by using
  their mobile devices.
• Boosts employee satisfaction notably, by allowing employees to work remotely, on
  devices of their choosing.
• Enables Microsoft to attract employees who are technologically proficient, and who
  demand the ability to work remotely, while utilizing the devices and applications with
  which they are familiar and comfortable.
• Enables an organization’s IT department to mitigate risk to data from inadvertent
  exposure or loss of a mobile device, as well as provide institutional management for
  Exchange security settings.
• Facilitates cross-team collaboration. Most IT organizations use Exchange Server to run
  their email system, and most of those probably have mobile devices connecting to
  Exchange. Typically, however, the people who establish and configure security policies
  and manage the enterprise’s network are not the same people who manage the
  enterprise’s email infrastructure. Furthermore, most enterprises typically have another
  team that manages server hardware. Thus, cross-team collaboration is essential to a
  successful Exchange ActiveSync deployment.
• Provides an easy reporting mechanism, as MSIT can use System Center 2012 and
  back-end Windows PowerShell commands to poll devices that synchronize to the
  Exchange Server. This enables MSIT to determine specifically what devices are
  connecting to what mailboxes, and provides a thorough look at the Exchange
  environment.
Conclusion
Exchange ActiveSync, a feature of Exchange Server, provides an invaluable mechanism
through which an IT organization can provide its employees with anytime, anywhere access
to synchronized data from Exchange Server, while simultaneously protecting that data from
inadvertent exposure and malicious users.
MSIT capitalized on the functionality of Exchange ActiveSync to continue its support for the
Consumerization of IT, and the resulting mixed-ownership hybrid environment of portable
electronic devices that its employees choose to use. Employee productivity and satisfaction
are boosted significantly, because they can use their chosen portable electronic devices to
access their email, contacts, tasks, and applications, regardless of whether they are at work,
at home, or working while on the go. Furthermore, protection of valuable Microsoft data and
intellectual property is assured through MSIT’s active management of Exchange ActiveSync
policies.
Currently, approximately 100,000 Microsoft employees utilize Exchange ActiveSync
functionality to access their data. However, with 170,000 user mailboxes, not to mention the
plethora of mobile and slate devices that continue to come to market seemingly on a daily
basis, the number is sure to rise. However, with continued active management of Exchange
ActiveSync policies, MSIT can assure the protection of Microsoft data, with little or no
interruption to its users, who will continue to be productive and happy, and hopefully continue
to have a positive life-work balance as they help Microsoft continue its dominance in the
world of software and hardware development.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales
Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at
(800) 933-4750. Outside the 50 United States and Canada, please contact your local
Microsoft subsidiary. To access information via the World Wide Web, go to:
http://www.microsoft.com
http://www.microsoft.com/technet/itshowcase
© 2012 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Exchange ActiveSync, Microsoft Exchange Server, and
Windows PowerShell are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries. The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.