Using Microsoft® Exchange ActiveSync® to Actively Manage Consumerization of IT Devices

Published: July 2012

The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.

Situation

Microsoft employees need to be able to use their mobile devices, including mobile phones and slates, to access mission-critical data anytime, anywhere. With more than 170,000 user mailboxes, MSIT needed a robust solution, and found it in Exchange ActiveSync.

Solution

Exchange ActiveSync is a synchronization protocol that works with high-latency and low-bandwidth networks. It enables users to use their mobile devices to access up-to-date corporate email, calendar, and contacts that are on a Microsoft Exchange Server. At the same time, it enables MSIT to enforce security policies on those devices that protect valuable intellectual property from malicious users, should employees lose their mobile devices or have them stolen.

Benefits

- Enables employees to access their corporate email, calendar, and contacts by using their personal portable devices
- Increases employee productivity significantly by enabling anywhere, anytime access to corporate data
- Boosts employee satisfaction notably
- Enables Microsoft to attract potential employees who are technologically savvy, and who want the ability to work remotely
- Minimizes the risk of inadvertent data exposure and loss
- Provides institutional management of Exchange Server policies and configurations
- Enables cross-team collaboration between security, hardware, and email teams within an enterprise

Products & Technologies

- Microsoft Exchange ActiveSync
- Microsoft Exchange Server 2010
- Microsoft System Center 2012
- Windows PowerShell
Microsoft Exchange Server 2010 has functionality that enables users to access their corporate email, calendar, global address list, and tasks with their personal portable devices. Using Microsoft Exchange ActiveSync within Exchange Server 2010, Microsoft IT (MSIT) delivers significant improvements in employee productivity and satisfaction by enabling employee access to this business-critical information in more than 170,000 user mailboxes.

Situation

Only a few years ago, IT departments still procured and managed electronic devices for their employees. Today, employees want to use their personal electronic devices to do their jobs, and to use the same technologies and applications at work that they use at home. This blending of consumer and enterprise technologies is the Consumerization of IT, and it significantly boosts employee productivity and satisfaction. Employees can work just about anywhere, at any time, as long as their personal electronic devices can connect to their enterprise’s corporate network. However, this anytime, anywhere access to corporate data can make it difficult for IT departments to ensure the protection of enterprise data.

Microsoft supports a hybrid, mixed-ownership model of enterprise-standard and consumer-standard hardware, and offers support to employees who want to use their own mobile devices, including phones and slates. These devices must meet minimum hardware requirements that MSIT specifies. If they do, MSIT provides a way for employees to access key corporate data while also protecting that data from inadvertent exposure and malicious users. The answer for MSIT was Microsoft® Exchange ActiveSync®, a feature of Microsoft Exchange Server® 2010.
If employees use mobile devices that are Exchange ActiveSync enabled, they can also use those devices to access their:

- Corporate calendar, so they can view their appointments, accept and reject meeting requests, and create new appointments and meeting requests
- Global address lists, or contacts
- Tasks
- Line-of-business (LOB) applications

By deploying Exchange ActiveSync, MSIT enables employees to access this often mission-critical data, while also enforcing security policies within an Exchange Server environment. However, MSIT had to ensure that enabling Exchange ActiveSync, and the mailbox-client traffic that it would produce, would not overtax the existing Client Access Server (CAS) infrastructure. Enabling users to access this data resulted in a quick and significant surge from approximately 50,000 clients accessing Exchange Server to more than 100,000 clients. Currently, not all employees use their mobile devices to access their corporate email, calendar, contacts, and tasks, but a large portion of them do.

The Exchange ActiveSync deployment at Microsoft was smooth and seamless: most users likely did not even notice any change in their service or use, except for a message or two on which they had to act so that they could connect to the corporate network. Furthermore, Microsoft has promoted active management for its Exchange ActiveSync deployment by:

- Evaluating the default Exchange ActiveSync policies before deployment, to determine which ones to configure to meet enterprise needs.
- Reviewing these policies periodically to ensure that they continue to meet enterprise needs for data protection, while also enabling continued successful data access by users.

Among the policies that MSIT initially reviewed and configured during its Exchange ActiveSync deployment were the:

- Ability to enable and disable Exchange ActiveSync for specific users or groups of users.
- Length and type of lock password that users had to establish on their mobile devices.
- Number of lock password attempts allowable on a device.
- Action taken when the number of device password attempts is reached.
- Ability to wipe the device remotely. The user can wipe the device remotely by using Microsoft Office Outlook® Web Access, or an MSIT administrator can use Windows PowerShell® commands to wipe the device remotely to its factory settings.

Solution

Microsoft has approximately 170,000 user mailboxes, to support its employees around the globe. Users want to access their email, calendar, and LOB applications not just from their work computer, but also from their personal laptops and mobile devices. This means that MSIT is supporting a widely heterogeneous environment, which can be challenging and costly. However, to continue boosting the productivity and satisfaction of its existing employees, it was imperative that MSIT go with the flow of the Consumerization of IT. Additionally, millennials, the technologically advanced generation of young adults joining the workforce today, often will not work for an enterprise unless telecommuting and remote operations are part of the package. Therefore, MSIT no longer supports only devices that it procures for users, but also a wide variety of consumer devices.

The sheer variety of devices and operating systems from which users can select drives up cost of ownership from a support perspective. Then there is the issue of data protection: how can MSIT protect data if user devices are lost or stolen? MSIT needed to find a mechanism through which it could provide that access, while simultaneously protecting data. The mechanism is Exchange ActiveSync, a feature within Exchange Server. Exchange ActiveSync is essential to managing employee access to proprietary data in this vast mixed-ownership environment.
Exchange ActiveSync is a synchronization protocol that works with high-latency and low-bandwidth networks to enable users to access mission-critical, up-to-date corporate email, calendar, and contacts on a Microsoft Exchange Server, by using their mobile devices.

“While some people feel that having email on your phone is a little onerous, it can be really useful, too,” said Mark Riley, Principal Program Manager, Mobile Services, for MSIT. “If you have an ongoing issue at work, not only can you be bothered about it, but you can also be notified when it’s resolved. I think that is a huge thing. You are able to complete work after you’ve left the office, without having to sit home, and be in front of your PC. There is no doubt that it increases productivity. I don’t think anyone could argue that. Also, you could argue that it actually improves your work-life balance, because you can leave and go do something with your family, and still be reachable.”

Exchange ActiveSync allows an enterprise to provide its employees with this essential data when they are travelling and working remotely, while protecting the data should an employee lose a device or have it stolen. An enterprise can also configure it to use Secure Sockets Layer (SSL) encryption for communications between the Exchange server and the mobile-device client.
Additionally, it uses certificate-based authentication that works with self-signed certificates, a certificate from an existing public key infrastructure (PKI), or a third-party commercial certification authority (CA). Exchange ActiveSync also works in conjunction with security policies to:

- Enable a data wipe on the mobile device if an unauthorized user attempts to synchronize with the Exchange Server from that device.
- Provide more security by deploying RSA SecurID two-factor authentication on the Exchange Server.
- Enable configurable device-password policies.

Deploying Exchange ActiveSync at Microsoft

Three crucial steps ensured a smooth Exchange ActiveSync deployment for Microsoft users and MSIT:

- Analysis of the CAS infrastructure and how the potential Exchange ActiveSync load would affect it.
- Configuration of Exchange ActiveSync security policies to ensure data protection if mobile devices were lost or stolen.
- Active management of Exchange ActiveSync security policies to ensure continued data protection as the environment changes, new threats emerge, and regulatory requirements change.

Analyzing the CAS Infrastructure

In 2003, MSIT began analyzing its CAS infrastructure. CAS accepts incoming protocol connections for Exchange Server, and users can connect to Exchange Server via Microsoft Office Outlook®, Outlook Web Access, Outlook Anywhere, and Exchange ActiveSync. This means that there typically is significant traffic on the CAS servers, and MSIT needed to determine what the potential Exchange ActiveSync load would be prior to deployment. If the load was going to be too high, the existing CAS infrastructure could overload and crash. This, in turn, could cause service degradation for users and potential downtime.
CAS analysis was a crucial first step in the Exchange ActiveSync deployment, and led MSIT to arrive at its current CAS infrastructure, which includes:

- 41 CAS servers in Redmond for North American and South American users. These 41 CAS servers alone service approximately 80,000 users.
- 14 in Dublin, Ireland, which service approximately 30,000 users in Europe and parts of the Middle East and Africa.
- 12 in Singapore, which service approximately 25,000 users in parts of the Far East and Australia.

Again, this analysis was essential. When MSIT turned on Exchange ActiveSync, the number of phone clients accessing CAS servers exploded literally overnight, from approximately 50,000 to more than 100,000. However, there was no interruption in service, nor did most users even notice the change, save for a message that requested they accept a policy on their mobile device.

Configuring Exchange ActiveSync Policies, and Establishing Reporting Procedures

The Consumerization of IT at Microsoft means that users more often than not are selecting, procuring, and managing their own mobile devices. Added to the fact that there are 170,000 user mailboxes at Microsoft, that makes for a significant and broad management task for MSIT. Some users do not access their mailboxes with their mobile phones or devices, but other users synchronize several mobile devices with Exchange Server. The ultimate question for MSIT, as it deployed Exchange ActiveSync to enable users to access their mail and other data via their mobile devices, was how best to protect that data from inadvertent exposure and malicious users. MSIT had to take a multifaceted approach to data protection, which included:

- Determining what threats or potential threats existed, for which MSIT needed to mitigate exposure on mobile devices. These threats included known malware on certain phone operating systems that synchronize to the Exchange Server environment, and which are exposed to the public Internet.
- Ensuring that Microsoft security standards were upheld and that Microsoft complied with regulatory requirements, such as reporting. MSIT uses Microsoft System Center 2012 for reporting, which utilizes back-end Windows PowerShell commands to poll devices that synchronize to the Exchange Server. System Center reporting enables MSIT to see specifically what devices are connecting to what mailboxes. This provides MSIT with a thorough look at the Exchange environment and the devices working within it. System Center 2012 includes the Exchange Connector feature, which reads information on the devices that are connecting to Exchange Server, and then can set Exchange ActiveSync policies accordingly. This enables a view through a single pane of glass, regardless of whether a user is connecting from a desktop computer, laptop computer, or mobile device.
- Analyzing the Exchange Server environment regularly to ensure that the central processing unit (CPU) load was not overburdening the CAS infrastructure. This analysis is important to perform regularly, to ensure that no service interruptions occur.

MSIT knew that active management of Exchange ActiveSync policies was crucial (and it continues to be). While the Exchange ActiveSync out-of-box configuration would work well for many enterprises, MSIT opted to look at each configuration policy separately, and then make a decision regarding whether to keep the default setting or modify it. MSIT then configured policies in several areas, including:

- Exchange ActiveSync Policies
- Exchange ActiveSync Throttle Policies
- Mail Client Service Policies
- Authentication Policies

Configuring EAS Policies for the Microsoft Environment

MSIT wanted to make it as simple as possible for users to synchronize their mobile devices to their Exchange-hosted mailboxes.
MSIT succeeded, after deciding initially not to ban any devices or operating systems from connecting to the Exchange Server environment. However, this likely will change as the threat landscape changes. MSIT currently has opted not to block any devices. However, to ensure data protection, MSIT decided to actively manage its Exchange ActiveSync policies. Here is a sampling of the Exchange ActiveSync policies that MSIT looked at before deploying Exchange ActiveSync:

- AllowSimpleDevicePassword
- AlphanumericDevicePasswordRequired
- DeviceEncryptionEnabled
- DevicePasswordEnabled
- DevicePasswordExpiration
- DevicePasswordHistory
- DevicePolicyRefreshInterval
- MinimumDevicePasswordLength
- MaxInactivityTimeDeviceLock
- MaxDevicePasswordFailedAttempts
- PasswordRecoveryEnabled
- RequireDeviceEncryption

While the specifics of how Microsoft configured Exchange ActiveSync policies are out of scope for this paper, here is a quick look at the basic device security that MSIT enforced via Exchange ActiveSync policies, including the:

- Minimum password length that users must utilize for their mobile devices. MSIT opted to enforce a four-digit PIN, which the user selects. Users can establish an alphanumeric PIN, although that is not required.
- Maximum time that a device can be inactive before it locks. If the mobile device is inactive for 15 minutes, the device locks. The user has to unlock the device with the four-digit PIN. Users can opt to set this time to a shorter period, such as two minutes or five minutes.
- Ability for a user or administrator to wipe the device remotely, which deletes data and reverts it to its factory settings. A user can log on to Outlook Web Access, navigate to the particular mobile device in question, and select to remotely wipe the device the next time it attempts to synchronize to the Exchange Server.
Alternatively, a user can call the Microsoft help desk, and the help-desk technician will escalate the ticket to an administrator, who uses a Windows PowerShell command to issue the device wipe.
- Maximum password attempts a user can make, and the action that occurs when that maximum is reached. A user has five tries to enter the correct password. On the sixth try, a local wipe of the device occurs.
- Schedule on which policies are refreshed on mobile devices. The default is 24 hours, but MSIT opted to change that to one hour. This ensures devices stay synchronized and data stays protected.
- Maintenance of password histories, password-history lengths, and password expirations. MSIT opted not to enforce these options because configuring the remote-wipe capability was deemed sufficient to protect device data.
- Enabling of policy exceptions. Some users, such as executives and developers, required exceptions to Exchange ActiveSync policies. MSIT used an innovative approach to managing these exceptions, by leveraging security groups to differentiate user access to various mail protocols, including Exchange ActiveSync.

While MSIT did not opt to configure every Exchange ActiveSync default policy, it did look at each one, and made a decision regarding it. MSIT managed its Exchange ActiveSync deployment actively, and continues to do so today.

Actively Managing Exchange ActiveSync Policies

MSIT continually evolves its Exchange ActiveSync policies and configurations. They are not standardized, but rather are malleable. This enables MSIT to respond quickly as client traffic increases, environmental changes occur, threats emerge to devices and operating systems, and regulatory requirements change. MSIT recently completed its regular CAS infrastructure analysis, and will deploy 10 new Mach-1 servers, at a cost of approximately $30,000. Additionally, MSIT carefully monitors CPU load in the CAS environment, by parsing log files to see if CPU usage is trending up.
The analysis schedule is determined by CPU load, rather than by a fixed date on a calendar. This enables MSIT to respond with alacrity to any service spike that may cause service degradation for users. Additionally, MSIT:

- Works closely with the Exchange operations team to ensure that it has the necessary hardware to support its users. MSIT uses a hardware load balancer that enables it to separate the traffic coming through the CAS infrastructure into different protocols and rates of CPU usage. As manufacturers roll out more and more mobile devices, the number of clients hitting the CAS infrastructure will continue to climb.
- Monitors operating systems and devices carefully. While MSIT currently does not ban any devices from connecting through Exchange ActiveSync, MSIT is carefully looking at all device operating systems, to ensure the protection of Microsoft intellectual property. Some device operating systems are open-source, which means that malicious users can infect them with malware much more easily. MSIT may institute policies regarding the ability of these devices to synchronize to the Microsoft Exchange environment via Exchange ActiveSync.

MSIT also is in the process of deploying device encryption. When MSIT deployed Exchange ActiveSync several years ago, mobile-device encryption was not technically possible. Today it is, and it can provide an additional level of protection for Microsoft intellectual property and data.

Best Practices

Deploying Exchange ActiveSync is relatively straightforward, particularly if an enterprise has Exchange Server running already.
Here are several best practices that MSIT determined from its Exchange ActiveSync deployment:

- Manage your Exchange ActiveSync policies actively. Periodically review the devices and operating systems that will attempt to synchronize with your Exchange Server; monitor ongoing threats to those devices and operating systems; and determine your risk tolerance.
- Determine your review rhythm. If an annual review is enough, stay with that schedule. However, if your risk tolerance is lower (such as in the banking industry), a semiannual or quarterly review may be necessary. Continue to monitor what policies you have turned on or off, depending on your environment and other factors.
- Monitor your CAS infrastructure carefully and regularly. If CPU load begins to increase, or spikes suddenly, this could cause the CAS servers to fail, which leads to downtime and service interruptions for users. Review logs at least quarterly.

“You need to monitor your traffic so that you can scale your environment as needed, and you need to be cognizant of how these devices are connecting to your Exchange environment, so that you can put policies in place to manage them,” said Shad Morris, network engineer for service engineering at Microsoft.

- Manage exceptions to Exchange ActiveSync policies. Some users will require exceptions to policies. Think out of the box, as MSIT did when opting to manage other protocols, such as IMAP and POP settings, for specific security groups, while simultaneously enabling their access to data and securing that data.
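The device-security settings the paper describes (four-digit PIN, 15-minute inactivity lock, five password attempts, hourly policy refresh, no password history or expiration), the security-group-based exceptions, and the administrator-issued remote wipe, as an added Exchange Management Shell example; this is not MSIT's own script, and the policy names, group name, mailbox address and device name are placeholders.

```powershell
# Added example (not MSIT's script). Assumes the Exchange Server 2010 Management Shell
# with the Organization Management role; PowerShell 2.0-compatible syntax is used.
$standardPolicy  = "EAS-Standard"            # placeholder policy name
$exceptionPolicy = "EAS-Exception"           # placeholder policy for executives/developers
$exceptionGroup  = "EAS-Policy-Exceptions"   # placeholder mail-enabled security group

# Create the standard policy once; Set-ActiveSyncMailboxPolicy is idempotent afterwards.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $standardPolicy -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $standardPolicy | Out-Null
}

# The values the case study reports MSIT chose. Splatting keeps every setting commentable.
$standardSettings = @{
    DevicePasswordEnabled              = $true
    AllowSimpleDevicePassword          = $true        # a plain numeric PIN is acceptable
    AlphanumericDevicePasswordRequired = $false       # alphanumeric PIN allowed, not required
    MinDevicePasswordLength            = 4            # four-digit PIN
    MaxInactivityTimeDeviceLock        = "00:15:00"   # lock after 15 minutes idle; users may shorten
    MaxDevicePasswordFailedAttempts    = 5            # the sixth failure triggers a local wipe
    DevicePolicyRefreshInterval        = "01:00:00"   # hourly instead of the 24-hour default
    DevicePasswordHistory              = 0            # history and expiration deliberately not enforced
    DevicePasswordExpiration           = "Unlimited"
}
Set-ActiveSyncMailboxPolicy -Identity $standardPolicy @standardSettings

# Exceptions by security group: group members get the looser policy, everyone else the
# standard one. (Set-CASMailbox also carries -PopEnabled / -ImapEnabled, the switches
# for managing the other protocols per group, as the paper mentions.)
$exceptionMembers = Get-DistributionGroupMember -Identity $exceptionGroup -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString() }

Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $smtp = $_.PrimarySmtpAddress.ToString()
    if ($exceptionMembers -contains $smtp) {
        Set-CASMailbox -Identity $smtp -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy $exceptionPolicy
    } else {
        Set-CASMailbox -Identity $smtp -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy $standardPolicy
    }
}

# Administrator-issued remote wipe after a help-desk escalation. The wipe is queued and
# executes the next time the device synchronizes, so the acknowledgement may lag.
$user       = "user@example.com"   # placeholder mailbox
$lostDevice = "Lost phone"         # placeholder: the friendly name the user reported
$device = Get-ActiveSyncDevice -Mailbox $user | Where-Object { $_.DeviceFriendlyName -eq $lostDevice }
if ($device) {
    Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses $user -Confirm:$false
    # Audit trail: request, send and acknowledgement timestamps for the wipe.
    Get-ActiveSyncDeviceStatistics -Mailbox $user |
        Where-Object { $_.DeviceFriendlyName -eq $lostDevice } |
        Select-Object DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
}
```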
Benefits

There are several benefits to deploying Exchange ActiveSync, including that it:

- Increases employee productivity significantly by enabling them to access their mission-critical email, calendar, tasks, and contacts from anywhere, at any time, by using their mobile devices.
- Boosts employee satisfaction notably, by allowing employees to work remotely, on devices of their choosing.
- Enables Microsoft to attract employees who are technologically proficient, and who demand the ability to work remotely, while utilizing the devices and applications with which they are familiar and comfortable.
- Enables an organization’s IT department to mitigate risk to data from inadvertent exposure or loss of a mobile device, as well as provide institutional management for Exchange security settings.
- Facilitates cross-team collaboration. Most IT organizations use Exchange Server to run their email system, and most of those probably have mobile devices connecting to Exchange. Typically, however, the people who establish and configure security policies and manage the enterprise’s network are not the same people who manage the enterprise’s email infrastructure. Furthermore, most enterprises typically have another team that manages server hardware. Thus, cross-team collaboration is essential to a successful Exchange ActiveSync deployment.
- Provides an easy reporting mechanism, as MSIT can use System Center 2012 and back-end Windows PowerShell commands to poll devices that synchronize to the Exchange Server. This enables MSIT to determine specifically what devices are connecting to what mailboxes, and provides a thorough look at the Exchange environment.
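The "what devices are connecting to what mailboxes" report that the reporting passages describe, as an added Exchange Management Shell example; it is not MSIT's System Center reporting, it assumes the Exchange Server 2010 cmdlets and PowerShell 2.0-compatible syntax, and the staleness threshold and output path are placeholders.

```powershell
# Added example (not MSIT's reporting). Assumes the Exchange Server 2010 Management Shell
# with at least the View-Only Organization Management role.
$staleDays = 30                                  # placeholder threshold for "no longer syncing"
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Only mailboxes that actually have an ActiveSync partnership, so idle mailboxes are skipped.
$mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true }

# One row per (mailbox, device) pair, built from the per-device statistics record.
$rows = foreach ($mbx in $mailboxes) {
    foreach ($stat in (Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity)) {
        New-Object PSObject -Property @{
            Mailbox       = $mbx.PrimarySmtpAddress.ToString()
            DeviceType    = $stat.DeviceType
            DeviceOS      = $stat.DeviceOS
            DeviceModel   = $stat.DeviceModel
            LastSync      = $stat.LastSuccessSync
            PolicyApplied = $stat.DevicePolicyApplied
            PolicyStatus  = $stat.DevicePolicyApplicationStatus   # AppliedInFull is the healthy state
            WipeRequested = $stat.DeviceWipeRequestTime
            Stale         = ($stat.LastSuccessSync -ne $null -and $stat.LastSuccessSync -lt $cutoff)
        }
    }
}

# Device operating systems in use, most common first: the input to the OS-monitoring review.
$rows | Group-Object DeviceOS | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Devices that have not applied the policy in full are the ones to chase first.
$rows | Where-Object { $_.PolicyStatus -ne "AppliedInFull" } |
    Select-Object Mailbox, DeviceType, DeviceOS, PolicyStatus | Format-Table -AutoSize

# Partnerships that stopped syncing still hold cached mail; list them for cleanup review.
$rows | Where-Object { $_.Stale } |
    Select-Object Mailbox, DeviceType, DeviceOS, LastSync | Format-Table -AutoSize

# Full inventory for the compliance record.
$rows | Export-Csv -Path "C:\Reports\eas-devices.csv" -NoTypeInformation   # placeholder path
```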
Conclusion

Exchange ActiveSync, a feature of Exchange Server, provides an invaluable mechanism through which an IT organization can provide its employees with anytime, anywhere access to synchronized data from Exchange Server, while simultaneously protecting that data from inadvertent exposure and malicious users. MSIT capitalized on the functionality of Exchange ActiveSync to continue its support for the Consumerization of IT, and the resulting mixed-ownership hybrid environment of portable electronic devices that its employees choose to use. Employee productivity and satisfaction are boosted significantly, because employees can use their chosen portable electronic devices to access their email, contacts, tasks, and applications, regardless of whether they are at work, at home, or working while on the go. Furthermore, protection of valuable Microsoft data and intellectual property is assured through MSIT’s active management of Exchange ActiveSync policies.

Currently, approximately 100,000 Microsoft employees utilize Exchange ActiveSync functionality to access their data. However, with 170,000 user mailboxes, not to mention the plethora of mobile and slate devices that continue to come to market seemingly on a daily basis, the number is sure to rise. With continued active management of Exchange ActiveSync policies, MSIT can assure the protection of Microsoft data, with little or no interruption to its users, who will continue to be productive and happy, and hopefully continue to have a positive life-work balance as they help Microsoft continue its dominance in the world of software and hardware development.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary.
To access information via the World Wide Web, go to:

http://www.microsoft.com
http://www.microsoft.com/technet/itshowcase

© 2012 Microsoft Corporation. All rights reserved.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Exchange ActiveSync, Microsoft Exchange Server, and Windows PowerShell are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.