There is a shift happening in security and device management and it's a shift that's dictated by the move to 'Bring Your Own Device' (BYOD) and increasingly mobile workers. You can't manage all the devices that come into your company and connect to company services the way you manage PCs; instead you have to think about managing the user and the account they use to connect to services like email. You have to think about securing documents and information rather than securing the file share documents live on or the firewall they live behind, because documents don't stay behind the firewall any more. The new way to manage security in this age of BYOD is via Microsoft's Exchange ActiveSync (EAS) protocol.
It might have been when Apple put it in the iPhone or when RIM announced that it would be how you'd get email onto the PlayBook, but somewhere in the last couple of years Microsoft's EAS protocol (which it licences to everyone from Apple to Google to Yahoo to Nokia to RIM to Symantec) turned into the de facto standard for mobile push email, calendar and contact sync. EAS lets you search your mailbox on the server remotely and choose how many days' worth of email you want to keep on your phone, if the device you're using implements those parts of the EAS protocol.
But you can also use it for managing mobile devices (in fact it will be the only way to manage Windows RT, through the next version of the Intune service) and even for setting some simple policies on Windows 8 systems. And if you already have Exchange you can use EAS to set security without needing extra software.
Turn on mobile security features with EAS
There are policies built into EAS that let you turn on security features in mobile devices automatically, from turning off the camera, SD card slot or Bluetooth and making sure that device encryption is turned on, to forcing users to create a strong password and change it frequently before they can get their email or even use their phone. You can set how long they can leave the phone idle before they have to enter the password again and how many times they can make a mistake in entering the password before the device is locked or they have to get a new password. You can also choose how often the device has to check for any changes you make to policies.
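As an added example (not from the original article), this is how the settings described above map onto an Exchange 2013 mobile device mailbox policy in the Exchange Management Shell. The policy name `BYOD-Baseline`, the mailbox `jane.doe` and all numeric values are illustrative assumptions, not recommendations from the article.

```powershell
# Added example: run in the Exchange 2013 Management Shell.
# 'BYOD-Baseline' and 'jane.doe' are hypothetical names; values are illustrative.
$policyName = 'BYOD-Baseline'

$settings = @{
    Name                         = $policyName
    # Strong password, changed regularly
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $true
    MinPasswordComplexCharacters = 3
    MinPasswordLength            = 8
    AllowSimplePassword          = $false
    PasswordExpiration           = '90.00:00:00'   # 90 days
    PasswordHistory              = 5
    # Idle time before the password is required again
    MaxInactivityTimeLock        = '00:05:00'
    # Wrong-password attempts before the device acts on the failure
    MaxPasswordFailedAttempts    = 8
    # Device features and encryption
    RequireDeviceEncryption      = $true
    AllowCamera                  = $false
    AllowStorageCard             = $false
    AllowBluetooth               = 'Disable'       # or HandsfreeOnly / Allow
    # How often the device re-checks for policy changes
    DevicePolicyRefreshInterval  = '1.00:00:00'    # once a day
    # Refuse devices that cannot enforce every setting above
    AllowNonProvisionableDevices = $false
}
New-MobileDeviceMailboxPolicy @settings

# Apply the policy to one user's account; the device picks it up on next sync.
Set-CASMailbox -Identity 'jane.doe' -ActiveSyncMailboxPolicy $policyName

# Audit: EAS-enabled mailboxes that are not on the baseline policy.
# An empty policy value means the organisation's default policy applies.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.ActiveSyncEnabled -and
        ([string]$_.ActiveSyncMailboxPolicy -notmatch [regex]::Escape($policyName))
    } |
    Select-Object Name, ActiveSyncMailboxPolicy
```

Setting `AllowNonProvisionableDevices` to `$false` blocks devices that only implement part of the EAS policy set, so test against the device mix you actually have before applying it widely.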
You can also use EAS to lock or wipe mobile devices remotely, if they're lost or you want to make sure employees who leave the company don't take company email messages with them.
There are some specific policies you can set for Windows RT, including password complexity and expiry, as well as whether users can set up a Picture Password that lets them sign into their device by drawing gestures on an image rather than entering a traditional password on the on-screen keyboard - which can be tricky if you're making them use numbers, capital letters or punctuation to get a strong password.
EAS uses the same secure HTTPS connection as a browser; if you're using Exchange the connection is through Exchange Web Services.
If a smartphone or tablet uses EAS to sync email, calendar appointments and addresses (as almost all of them do), setting the policies for the user's account in Exchange will apply them as soon as they connect their device to get messages. It's done by the mobile operating system or in some cases the mail application (if you install Nitrodesk Touchdown on an Android device to get email, that applies EAS policies). On Windows RT, policies will be applied by a built-in client that works with the next version of Intune. Windows 8 doesn't have EAS support built into the operating system but as soon as you use the Mail, Calendar or People app to connect to an Exchange system, you'll have to accept the EAS policies set for your Exchange account and comply with any changes like password length before you'll see any messages or appointments.
If you're just using EAS for messages and calendars on a device, you don't have to have Exchange or any mail server at all; Hotmail, Gmail, Yahoo Mail and other services support EAS (whether you get addresses or tasks as well depends on the service). If you want to set EAS security policies, you do need either an Exchange server or a management tool that supports EAS - which nearly every mobile device management system does.
Use EAS to apply policies on iOS, Android, Symbian and Windows Phone
Exchange (and Exchange Online in Office 365) lets you set EAS security policies and apply them to iOS, Android, Symbian and Windows Phone devices but it's not the only tool you can use. If you're managing PCs with Windows Intune - which uses what Microsoft calls "a superset of EAS settings" - you can manage mobile devices through EAS as well, plus you can create a portal for offering enterprise apps and letting users lock or wipe their own devices.
There aren't any new device security policies in EAS with Exchange 2013. If you want to go a step further, mobile device management tools from companies like Symantec extend EAS with a wider set of policies - controlling features that are specific to a particular device, for example. They're still delivered using the EAS protocol but because they cover more than the EAS policies the operating system on the device doesn't know what to do with them, so you need to put a client on the mobile device. That's somewhat less appealing to your users, but then so is the company controlling more than the basic security options. You need to balance the extra cost of an MDM solution, the time it takes you to run it and the impact on how happy users are about using their own device for work tasks if you limit things like what apps they can use with the extra security you can apply. But if your users are connecting to work email on personal devices, the standard EAS security policies will give you a reasonable level of protection.