The ability to receive push email is now present even on entry-level smartphones, whether from a free consumer email service such as Googlemail or Microsoft Hotmail or from a corporate messaging system. This ubiquitous email capability brings other considerations for corporate IT departments: with virtually any phone able to access company information, how can that access be secured and controlled? In this article I shall provide an overview of the mainstream email systems available, the ability of the major mobile platforms to access those systems, and the device management options available as standard to secure those platforms.
For an overview of dedicated, third-party MDM solutions available in the market, read this article.
The email systems I shall look at are Microsoft Exchange (2003 SP2, 2007 and 2010 / 2013, including the hosted Office 365 service), Lotus Domino with Lotus Traveler, BlackBerry Enterprise Server (BES 5 and BES 10), Googlemail and Microsoft Hotmail.
The mobile device platforms I shall look at are Windows Mobile, Windows Phone, Android (stock Android, HTC Sense and Samsung devices), Apple iOS and BlackBerry.
Microsoft's Exchange product is the de facto standard for corporate messaging, either deployed on site or available via a large number of hosting providers, including Microsoft themselves via their Office 365 offering.
The component of Exchange that enables the synchronisation of email, contacts, calendar and task information between a mobile device and the server is called Exchange ActiveSync (EAS), and has been available since the release of Service Pack 2 for Exchange 2003. All subsequent releases of Exchange after 2003 have included this functionality as standard.
The Exchange ActiveSync protocol has been updated with each new release of Exchange, each time adding further features and device control capabilities.
EAS capability ships as standard on a wide range of devices, including Windows Mobile, Windows Phone, Nokia Symbian, Apple iOS, Android and now BlackBerry 10.
The EAS protocol itself is a standard; the extent to which a mobile device supports some or all of its capabilities is ultimately down to the device manufacturer. This is why, as we shall see later, there are marked differences in the ability to control, say, a Google-branded device, an HTC device and a Samsung device, even though they are all running the same Android operating system.
It is perhaps relevant at this stage to point out that BlackBerry 7.x devices do not use Exchange ActiveSync to synchronise email if they are being used with a BlackBerry Enterprise Server (BES 5); I shall look at this product in more detail in a moment.
All versions of EAS allow for the synchronisation of email, contacts, calendar and task information. Users can also search for contacts in the Global Address List (GAL). Newer versions offer additional benefits such as the ability to also synchronise SMS text messages; I shall look at these features in more detail below.
Alongside the ability to synchronise user information, the EAS protocol also allows administrators to define how devices connecting to the Exchange server may be used. For example, all versions of EAS allow administrators to require that any device synchronising data must have its unlock password feature enabled. If this feature is not enabled on the device, the device will prompt the user to enable it before they can begin synchronising their folders - and once enabled this feature cannot be deactivated unless the Exchange account is first removed from the device.
The set of settings defined by the administrator on the Exchange server is called the Exchange ActiveSync Mailbox Policy.
All versions of EAS also allow for a device to be remotely wiped over the air if it is suspected lost or stolen. In Exchange 2010 / 2013, there are now a significant number of mailbox policy items. The below table provides an overview of the features supported:
Exchange 2003 SP2
Exchange 2003 only offers limited device management capability: administrators can enforce the use of a password on user devices, specify how "complex" that password must be, specify after what time period of inactivity the device should lock itself, and also specify how many attempts users can have to enter their password incorrectly before the device automatically wipes itself.
Administrators can also remotely wipe user devices in the event that they are reported lost or stolen, but this feature (the Exchange ActiveSync Web Administration Tool) must be installed separately on the server as it does not come as standard; once installed it is accessed via https://(exchange_server)/mobileadmin/.
Exchange 2003 does not offer the ability to set different requirements for different users or groups: only one policy can be defined which applies to all users on that server.
The release of Exchange 2007 heralded an expansion of the EAS protocol, adding the ability for users not only to synchronise mailbox folders, but also to set their out-of-office status and automatic reply message from their smartphone.
Administrators also gained a number of new capabilities to control how connected devices may be used, as well as the ability to define multiple EAS policies and assign different policies to individual users or groups.
Device password usage and complexity can be set, as well as the ability to enforce a password expiration and history (so that device passwords must be changed on a regular interval and cannot be re-used for a set interval). If the device supports it, memory encryption (both internal and storage card memory) can also be required.
The amount of data that users can synchronise can also be specified, allowing administrators to keep the amount of data used by staff to a minimum and so keep costs down. Email synchronisation can automatically be switched to "manual" rather than "push" when the user travels abroad.
Administrators also gained the ability to disable hardware and software elements on the device, including use of external storage, camera, WiFi and Bluetooth as well as the ability to tether the device or synchronise data with a desktop computer.
Use of the web browser and the ability to set up email accounts other than the company email account can also be restricted.
The ability to install new applications on the device can also be turned off.
Finally, Exchange 2007 also gave users the ability to map network file shares and access SharePoint file directories from their smartphone using the EAS protocol:
Again, although the EAS protocol provided all of this functionality, not all smartphone devices supported the entire EAS feature set. When Exchange 2007 was launched, the only device that did support all features was Windows Mobile 6.1 / 6.5. Although this platform has largely now been discontinued by most mobile device manufacturers, it is still available on some devices such as the Motorola ES400.
Users also gained the ability to remotely lock or wipe devices themselves from their browser via Outlook Web Access:
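To make the Exchange 2007 / 2010 policy items discussed above concrete, here is an added example (not taken from the article) of building such a policy with the Exchange Management Shell cmdlets New-ActiveSyncMailboxPolicy and Set-CASMailbox and assigning it to users. The policy name, the mailbox alias and the distribution group name are placeholders, and every setting value is a constructed illustration rather than a recommendation from the article.

```powershell
# Added example (not from the article): build an Exchange ActiveSync mailbox
# policy with the Exchange 2007 SP1 / 2010 Management Shell and assign it.
# Policy name, group name and mailbox alias are placeholders.

$policy = @{
    Name                               = 'Field Staff - Restricted'   # placeholder
    AllowNonProvisionableDevices       = $false          # refuse clients that cannot enforce the policy
    # Password usage, complexity, lock-out and wipe
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false          # no 1234 / 1111 style codes
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2               # character classes required
    MaxInactivityTimeDeviceLock        = '00:05:00'      # lock after 5 minutes idle
    MaxDevicePasswordFailedAttempts    = 8               # device wipes itself after 8 failures
    # Expiration and history (Exchange 2007 onwards)
    DevicePasswordExpiration           = '90.00:00:00'   # change every 90 days
    DevicePasswordHistory              = 5               # cannot reuse the last 5
    # Encryption of internal memory and storage card, where the device supports it
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
    # Hardware and software features that can be switched off
    AllowStorageCard                   = $false
    AllowCamera                        = $false
    AllowWiFi                          = $false
    AllowBluetooth                     = 'HandsfreeOnly' # Allow, HandsfreeOnly or Disable
    AllowInternetSharing               = $false          # tethering
    AllowDesktopSync                   = $false
    AllowBrowser                       = $false
    AllowPOPIMAPEmail                  = $false          # only the corporate account
    AllowUnsignedApplications          = $false
    AllowUnsignedInstallationPackages  = $false
    # Limit how much data is synchronised, and go manual while roaming
    MaxEmailAgeFilter                  = 'OneWeek'
    MaxCalendarAgeFilter               = 'TwoWeeks'
    RequireManualSyncWhenRoaming       = $true
    # Network file shares and SharePoint via EAS
    UNCAccessEnabled                   = $true
    WSSAccessEnabled                   = $true
}
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to one mailbox (placeholder alias) ...
Set-CASMailbox -Identity 'jane.doe' -ActiveSyncMailboxPolicy $policy.Name

# ... or to every member of a distribution group (placeholder group name)
Get-DistributionGroupMember -Identity 'Field Staff' | ForEach-Object {
    Set-CASMailbox -Identity $_.PrimarySmtpAddress -ActiveSyncMailboxPolicy $policy.Name
}

# Verify which policy each mailbox ended up with
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy |
    Sort-Object ActiveSyncMailboxPolicy
```

Settings such as encryption, camera or Wi-Fi control are only honoured by devices whose EAS client implements them, which is exactly the manufacturer-dependence described earlier; AllowNonProvisionableDevices set to false is what stops a client that cannot apply the policy from synchronising at all. In Exchange 2013 the same settings are created with New-MobileDeviceMailboxPolicy, while Set-CASMailbox keeps the ActiveSyncMailboxPolicy parameter.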
Exchange 2010 / 2013
Exchange 2010 added the ability to synchronise SMS text messages between a user's mailbox and their device, meaning that a user can create a text message from their desktop using Outlook or Outlook Web Access and have it sent from their smartphone.
Administrators also gained the ability to grant or deny EAS access to groups of devices, or to specify that all newly connecting devices should be held on the server in a "quarantined" state for review by the administrator - http://ukblog.im-mobility.com/restricting-access-exchange-2010-activesync
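The quarantine and device-access features just described, together with the administrator-side remote wipe mentioned earlier, can all be driven from the Exchange 2010 Management Shell. The following is an added example written for this article rather than code from it; the notification addresses, query strings, mailbox alias and device ID are placeholders.

```powershell
# Added example (not from the article): Exchange 2010 organisation-wide device
# access control, review of quarantined devices, per-user approval and remote wipe.
# Addresses, device IDs, the mailbox alias and the query strings are placeholders.

# 1. Unknown device types go into quarantine and the admin team is told
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mdm-admins@example.com' `
    -UserMailInsert 'Your device is awaiting approval by IT. Please contact the helpdesk.'

# 2. Rules for whole device families. QueryString must match exactly what
#    Get-ActiveSyncDevice reports in DeviceType / DeviceModel / DeviceOS / UserAgent.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString 'iPhone' -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString 'WindowsPhone' -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString 'PlaceholderClient/1.0' -AccessLevel Block

# 3. What is waiting for review, and why it was quarantined
function Get-QuarantinedDevice {
    Get-ActiveSyncDevice |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId, DeviceAccessStateReason
}

# 4. Approve a single device for its owner only, via the per-mailbox allow list
function Approve-QuarantinedDevice {
    param([string]$Mailbox, [string]$DeviceId)
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{ Add = $DeviceId }
}

# 5. Lost or stolen: confirm the partnership exists, queue the wipe, then block the
#    device ID so it cannot form a new partnership afterwards.
function Invoke-LostDeviceWipe {
    param([string]$Mailbox, [string]$DeviceId, [string]$NotifyAddress)
    $device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $device) { throw "No ActiveSync partnership with device ID $DeviceId for $Mailbox" }
    # The wipe is queued on the server and executes the next time the device connects
    Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses $NotifyAddress -Confirm:$false
    Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{ Add = $DeviceId }
}

# Usage (placeholders):
# Get-QuarantinedDevice | Format-Table -AutoSize
# Approve-QuarantinedDevice -Mailbox 'jane.doe' -DeviceId 'ABC123PLACEHOLDER'
# Invoke-LostDeviceWipe -Mailbox 'jane.doe' -DeviceId 'ABC123PLACEHOLDER' -NotifyAddress 'mdm-admins@example.com'
```

Per-mailbox allow and block lists take precedence over the organisation-wide rules, which is what makes step 4 a safe way to approve one user's handset without opening the door to every device of that model. A queued wipe only completes once the device next contacts the server, so the DeviceWipeRequestTime and LastSuccessSync values from Get-ActiveSyncDeviceStatistics are the place to confirm that it actually happened.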
EAS operates between the smartphone and the Exchange server, therefore the Exchange server must be Internet-facing. This may sound obvious, but if you are using an email relaying service such as MessageLabs to filter incoming email, then your Exchange server may be firewalled to only accept connections from MessageLabs as a security measure, and not from the Internet at large.
To reduce the risk of exposing the Exchange server to the Internet at large, Exchange can be deployed in a multi-server arrangement so that the "Client Access" features are available to the Internet, but user mailboxes are stored on other servers not directly accessible remotely.
More information on configuring Exchange for EAS can be found in the Microsoft Exchange section.
EAS itself is a web application, running within IIS on the Exchange server. As with other web sites, communications can be secured using SSL by means of a certificate. Smartphone devices will check that the certificate presented by the server chains to a root they trust before allowing synchronisation to begin. This certificate can be one that you generate yourself (if you want to keep costs down), but be aware that doing so will require additional setup on certain devices that do not, as standard, allow you to skip or ignore SSL certificate checking. I'll look at this in more detail later.
Microsoft's Office 365 service provides an entirely hosted Exchange server, providing EAS access and the features available in Exchange 2010 / 2013 that we have seen above. As a general rule, when a newer version of Exchange is released, Office 365 will be updated to offer the new features shortly afterward, as part of your subscription at no extra cost.
Mobile access to a Lotus Domino mailbox is provided by an optional server component, Lotus Traveler, originally released alongside Domino 8.0.1.
Now in version 9.0 at the time of writing, Traveler provides support for Windows Mobile, Windows Phone, Nokia Symbian, Apple iOS, Android and BlackBerry 10.
Interestingly, Traveler actually uses the Exchange ActiveSync protocol to transfer data from mobile devices, and then converts it into a format that Domino can understand. Therefore a similar feature set is available: users can synchronise mailbox folders (email, contacts, calendar and tasks) and administrators can define specific usage policies including password usage, strength and history, can enforce device encryption, can disable the device camera and can remotely wipe devices if lost or stolen.
More information is available here - http://ukblog.im-mobility.com/lotus
The BlackBerry Enterprise Server (BES) is widely regarded as the "safe" way to deploy mobile email, providing secure end-to-end communications and the biggest range of device control - but only if you are using a BlackBerry smartphone.
The BES is not an email solution in its own right: it still requires that an email server be deployed, be it Microsoft Exchange or Lotus Domino (or Novell GroupWise); the BES acts as a secure gateway between the mobile device and the internal network. Because the BES software and the operating system on BlackBerry smartphones are both written by the same company, BlackBerry offers the widest range of device management features currently available on any smartphone.
As with EAS, BlackBerry offers users the ability to synchronise email, contacts, calendar and task folders. Message and attachment size limits can be defined as well as synchronisation date ranges and synchronisation schedules. The type of email attachments that users can open on their device can also be specified.
Access to the Global Address List is also available. Users can set out of office status and message and can also access network file shares from their device (available in BES 5.0).
Also as with EAS, administrators can define policies on a per-user or per-group basis.
The range of items that can be controlled on the BlackBerry smartphone is extensive, including use of the camera, WiFi, mobile hotspot, SMS, MMS, phone, browser, desktop synchronisation, memory card, Bluetooth, NFC, instant messaging, personal email, applications, and more:
Password policy can naturally be set, and devices can be remotely locked or wiped both by the administrator and the end user.
The BES also provides functionality besides mobile email, including the ability to push applications to devices over the air. An added feature of the BlackBerry architecture is that, once activated, devices automatically have a secure connection to the local company network, with no need for a separate virtual private network (VPN) solution. This brings additional benefits such as the ability to access an intranet, and also to control the web pages accessible to users from their smartphone devices.
Unlike Exchange ActiveSync, where clients communicate directly with the server, requiring that the Exchange server be Internet-facing, BlackBerry handhelds register against a middleware server maintained by RIM, known as the "RIM Relay". The BES server also registers with this Relay, enabling end-to-end communications between the server and handhelds. One benefit of this approach is that the BES only needs outbound access to the Relay on a single port (TCP 3101), and no inbound access needs to be configured on any firewalls. The Exchange server can therefore also remain shielded from the Internet (provided EAS is not in use as well). This is why BES is regarded as a secure mobile email solution. There is also no need to mess about configuring or renewing SSL certificates, as all client-server communications are secured by AES encryption automatically.
This approach does, however, mean that you are entirely reliant on third-party hardware and services (RIM's Relay infrastructure) being available. The BES solution also requires that a specific service be applied to the SIM card inside the BlackBerry smartphone by the network operator.
Detailed setup and configuration articles can be found in the BlackBerry section of the blog.
The BlackBerry Protect feature for consumer customers allows users to remotely lock, wipe and map their device, as well as perform a device backup to RIM's online storage:
NOTE - BlackBerry Protect is not available on BlackBerry devices that have been activated against a BlackBerry Enterprise Server.
BlackBerry 10 devices work differently from BlackBerry 7.x devices and earlier. These devices are not managed by the BES 5.x software, instead they feature an Exchange ActiveSync client which can connect to an Exchange server directly. For details on the EAS policy items supported by BlackBerry 10, view this article. This means that you no longer need to deploy a BES server alongside your Exchange server to use a BlackBerry phone. You can still synchronise email, contacts, calendar and task information as well as remotely require a password and remotely wipe devices.
Alternately, for the security-conscious, a newer device management product is available, BES 10. This product offers the same ability as BES 5 to "hide" your Exchange server and have all communications pass, encrypted, over the RIM network infrastructure: the BlackBerry 10 device communicates with the BES 10 server via a secure tunnel, the BES 10 server then passes EAS traffic to the Exchange server over the local network.
Significantly, no BlackBerry subscription is required on the SIM card with BlackBerry 10 devices, whether used with or without a BES 10 server.
Alongside secure email access, BES 10 offers a more limited set of device management capabilities: enforcing use of a password, remotely locking and wiping devices over the air, pushing applications, and separating work and personal content on user devices via the BlackBerry Balance feature. The level of device management is not as advanced as that offered by BES 5, however.
Due to the similarities in architecture, when activated with a BES 10 server a BlackBerry 10 device also has the same automatic secure connection to the local network as that created by BES 5, with no need for a separate VPN solution, granting access to local resources.
More information is available in the BlackBerry 10 section.
BlackBerry 10 does offer the same BlackBerry Protect features available on the BlackBerry 7 platform, enabling you to remotely locate, lock, wipe and ring your device from any desktop web browser:
Googlemail, or Gmail, is a free-to-use email service that can be accessed from mobile devices via IMAP, via the Gmail application or, thanks to Google's licensing of the EAS protocol, by setting it up as an Exchange account on a number of devices including Windows Mobile, Windows Phone, Nokia Symbian, Apple iOS, Android and BlackBerry 10, if you are using the paid version of Google Apps. Synchronisation of email, contacts and calendar information is possible.
A dedicated Gmail application is also available for a wide range of platforms, including Android and iOS.
By signing up for a Google account you also gain free access to a range of other Google services, including Google Drive for online storage and Google Talk for instant messaging.
Google's business email service also provides administrators with the ability to define some device usage policies:
Password usage can be enforced, as well as the complexity of the password, password expiration, password history, device lock interval and automatic device wipe.
Memory encryption can be required. The device camera can be disabled, and synchronisation can be set to manual rather than automatic if the user roams onto a foreign network.
Administrators can block or wipe devices from their web browser:
End users can also lock, wipe or locate their phone via the "My Devices" feature in their web browser - http://ukblog.im-mobility.com/google-adds-end-user-remote-wipe-capabilit...
Also known as Windows Live or, more recently, Outlook.com, Hotmail is Microsoft's free-to-use consumer email service, which can be accessed from a wide variety of smartphones, again using the Exchange ActiveSync protocol.
A dedicated app is available for Android and iOS.
By signing up for a Hotmail, or Windows Live, account you also get free access to the other Windows Live services, including SkyDrive for online storage and Messenger for instant messaging.
Having looked at the major email platforms available to both the consumer and the enterprise, I will now run through the email capabilities of a number of smartphone devices.
As I mentioned above, the Windows Mobile 6.5 operating system, still alive and well on certain enterprise devices such as the Motorola ES400, supports the full range of Exchange ActiveSync policy elements, and as such makes it a powerful platform for enterprises that need granular control over their mobile devices.
The one limitation of the Windows Mobile platform when compared to other devices for mobile email, is that only one Exchange email account can be configured on the device at a time.
It is also important to be aware that Windows Mobile devices do not accept the use of non-trusted SSL certificates on the Exchange server as standard. Therefore if you use a self-signed SSL certificate on the Exchange server, you will need to install the corresponding root certificate of the CA that issued the certificate to Exchange, onto the Windows Mobile device manually before synchronisation will be possible.
Windows Phone marked a departure from Windows Mobile for Microsoft, and the EAS support is correspondingly different. Email, contacts, calendar and tasks can be synchronised, and the Global Address List can be accessed. It is also possible to set out of office message and status.
Available administrator options include the ability to enforce password settings and remote wipe devices:
Windows Phone devices also support Information Rights Management (IRM): the ability to specify whether particular emails can be sent outside the organisation, or can be edited, copied or printed.
Multiple Exchange email accounts can be set up concurrently on Windows Phone.
Windows Phone 7 / 7.5 also has the same limitation as Windows Mobile on its ability to support self-signed SSL certificates used on the Exchange server - the root certificate must be identified and installed onto the Windows Phone device manually before synchronisation will be possible. I have detailed how to do this in this article - http://ukblog.im-mobility.com/locating-and-installing-non-trusted-exchan...
Windows Phone 8 does not suffer from this limitation.
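The SSL paragraph earlier in the article and the Windows Mobile and Windows Phone 7 notes above both come down to one question: does the certificate the EAS endpoint presents chain to a root the device already trusts? The following is an added example, not code from the article, that answers that question from a Windows PC by completing a TLS handshake with the server, rebuilding the chain against the machine's trusted roots the way a strict client would, and, where the chain is untrusted, exporting the root certificate as a .cer file ready to be installed on the device manually. The host name is a placeholder; the simple host name comparison does not handle wildcard or Subject Alternative Name certificates.

```powershell
# Added example (not from the article): check whether an Exchange ActiveSync
# endpoint's certificate would be trusted by a client that relies only on its
# built-in root store, and export the root certificate if it would not.
# The server name is a placeholder; $OutFolder is where the .cer file is written.

function Test-EasServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,   # e.g. mail.example.com (placeholder)
        [int]$Port = 443,
        [string]$OutFolder = $env:TEMP
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    try {
        # Let the handshake complete whatever the certificate is; we validate it ourselves below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against this machine's trusted roots, as a strict client would.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' in production
        $trusted = $chain.Build($cert)

        # Top of the chain: the self-signed certificate itself, or the private CA root.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootFile = $null
        if (-not $trusted) {
            # DER-encoded .cer that can be copied to a Windows Mobile / Windows Phone 7
            # device and opened there to add it to the device's trusted store.
            $rootFile = Join-Path $OutFolder ('eas-root-' + $root.Thumbprint + '.cer')
            [System.IO.File]::WriteAllBytes($rootFile, $root.Export('Cert'))
        }

        New-Object -TypeName PSObject -Property @{
            Server        = "${ServerName}:$Port"
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            NameMatches   = ($cert.GetNameInfo('DnsName', $false) -eq $ServerName)  # simple check only
            Expires       = $cert.NotAfter
            ChainTrusted  = $trusted
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            RootToInstall = $rootFile
        }
    }
    finally {
        $tcp.Close()
    }
}

# Usage (placeholder host):
# Test-EasServerCertificate -ServerName 'mail.example.com' | Format-List
```

A self-signed certificate shows up as SelfSigned true with a ChainStatus of UntrustedRoot, and the exported file is the certificate itself; a certificate issued by an internal CA shows the CA's root as the file to install instead. A NameMatches value of false is the other common cause of a device refusing to synchronise, since the device compares the certificate name against the server name entered in the account settings, not just the chain.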
Windows Phone does offer users the ability to remotely locate, lock and wipe devices via their PC web browser using the Find My Phone feature of Windows Live.
The stock version of Android, available on Google-branded Nexus devices as well as ZTE units, provides native support for Exchange ActiveSync (provided you're running Android 2.1 or later), and the ability to set up multiple Exchange accounts.
When setting up an Exchange email account for a server using a self-signed SSL certificate, a warning will be displayed on the device indicating that the identity of the certificate cannot be validated, but an option to continue anyway is present, removing the need to install the issuing root certificate on the device manually.
Android 4.0.4 provides the ability to synchronise email, contacts and calendar information in the stock version, as well as the ability to access the Global Address List and set out of office message and status.
Administrators can make use of the following Exchange ActiveSync policies:
HTC's Sense package on their Android devices is much more than simply a skin for the user interface: it also includes enhanced functionality across a number of applications, including the email client. The HTC One series supports a wide range of Exchange ActiveSync items above and beyond the capabilities of the stock version of Android.
Task synchronisation is available. Users can specify synchronisation schedule settings so that between certain hours on certain days new items will be pushed to the device, but outside of those times mail can be checked on a schedule.
Administrators can make use of the following wide range of EAS policy items:
Beginning with the Galaxy S III, Samsung Android devices can not only synchronise tasks as well as email, contacts and calendar, but if used with an Exchange 2010 server can also synchronise SMS text messages, allowing you to compose messages on your PC via either Outlook or Outlook Web Access and have them sent from your phone.
It is also possible to access network file shares and SharePoint workspaces from the smartphone via EAS, if enabled by the administrator.
As with the HTC One series, peak and off-peak synchronisation schedules can be defined. The Galaxy S III also has a feature which allows you to forward emails without their attachments, removing the need to download an entire attachment before being able to forward that email:
Support for email encryption is also available:
Administrators can make use of the following EAS policy items:
The Samsung Dive online service further allows you to track, lock and wipe your device via your PC web browser:
iOS 5 provides support for multiple Exchange email accounts, and the ability to synchronise email, contacts, calendar and tasks.
As with Android, iOS does not need to have the issuing root certificate installed manually if the Exchange server is using a self-signed SSL certificate.
Access to the Global Address List is possible. It is not possible to set Out of Office message or status as standard.
The following Exchange ActiveSync policies are supported:
The Find My iPhone service (part of iCloud) allows users to track, lock and wipe their device from their PC web browser:
The below table summarises the device management capabilities of the platforms discussed in this article when used with an Exchange 2010 server (I have included BlackBerry; note that this assumes the deployment of a BlackBerry Enterprise Server 5 alongside the Exchange server):