Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365
Exchange 2010 and consumerization of mobile devices

 

What is ‘consumerization’?

Recently, I was faced with some challenges during a migration to Exchange 2010 that could be contributed as a direct result of consumerization. Reason enough for me to write a blog post about it. First, let’s have a look at what “consumerization” actually means.

According to Wikipedia, consumerization is:

“… a stable neologism that describes the trend for new information technology to emerge first in the consumer market and then spread into business organizations, resulting in the convergence of the IT and consumer electronics industries, and a shift in IT innovation from large businesses to the home. For example, many people now find that their home based IT equipment and services are both more capable and less expensive than what is provided in their workplace…”

In short, you could summarize the definition into something much shorter: people are bringing their personal devices to work.

This phenomenon, which – let’s face it – has skyrocketed over the past few years, brings it own challenges towards the overall management of the ICT environment. Not only do you have to deal with the ever growing number of services but now there’s also this new external factor which is mostly outside of your control.

Usually, an administrator has no influence towards what one can buy for personal use; but (luckily) has - to some degree - control of what device are allowed to connect to the network (or one of it’s services). However; the problems usually start if the CEO is the first to come down to IT yelling that he wants to receive his emails on his iPhone…Consider yourself lucky if that happens. Often the IT Administration has no idea of which users are using what device. Quite a lot of deployments that I’ve seen allow – without any restriction – the use of ActiveSync, which only worsens the problem.

RIM was one of the first companies that successfully created a product that allowed mobile devices to connect to the messaging environment while still allowing the Administrator to have a fair amount of control (if not full control) over the device. The evolution of the way that people deal with IT made sure that other companies jumped that train as well and started developing their own alternatives. ActiveSync was/is one of the alternatives.

Because ActiveSync is easy to implement and to use  - even someone who is completely illiterate with IT can configure a smartphone to connect to Exchange thanks to ActiveSync – it quickly became one of the most widely spread ways of connecting mobile devices to the messaging environment.

Microsoft has put a lot of effort in licensing ActiveSync, and succeeded very well at it. Almost all new mobile device types support ActiveSync.

What are the problems you can expect?

In the early implementations of ActiveSync an IT Administrator had actually very little control. With Exchange 2010 (SP1) ActiveSync matured quite a lot. You now have – amongst others – the option to create mobile device policies that you can apply throughout the entire organization.

But that doesn’t solve all of your problems. Unfortunately, not all device manufacturers implemented ActiveSync entirely in their products. It is very well possible that some devices do not apply a policy that you defined, beating the purpose of such a policy.

Most of the threats are not necessarily coming from the technological part, rather from everything around it… What if you have sensitive company data: do you want to allow access to that data from a mobile device? What happens if the user leaves the company and uses his/her personal smartphone?

In the latter case, ActiveSync allows you to remotely wipe the device. But have you ever considered that this might erase personal data as well? I have read about (fortunately not lived or seen) cases where employees sued their former employer because they lost personal data during a remote wipe.

And than there’s also the question about support: who is going to support what device and to what degree?

One of the problems I was faced with recently concerned a device that did not support the Root Certificate of the new Exchange 2010 certificate. To make matters worse, the list of Root Certificates couldn’t be updated, rendering the device unusable after the move to Exchange 2010. Immediately the following consideration was made: is it normal that a user will not be able to use a device anymore, just because a move to Exchange 2010 was considered?

Because the smartphone wasn’t one distributed by the company, the matter was quite sensitive. On the one hand, we didn’t want to block the user (taking away his ability to sync his mails with his smartphone) but on the other hand, none approved the use of that type of smartphone. Then I realized: there was no formalized approach either… In my opinion, you cannot hold the user responsible for something that is not regulated or agreed upon, let alone robbing him of his possibility to use a (his) mobile device without – at least – providing an alternative.

(FYI: we found a workaround for the issue, which enabled updating the list of the root certificates and allowed the device to connect to Exchange 2010)

What can you do about it?

Unfortunately, there’s no 100% failsafe solution. If you’re looking to support the “Bring your own device (BYOD)”-hype, you should be aware that it takes more than just configuring some technological components. Usually it comes down to finding a compromise between security/company policies/user demands/needs.

Here’s a list of things that you could (or maybe even should) do:

  1. Create a mobile device policy, in which you define what a user can and cannot do with his or her mobile device.
  2. Create a list of mobile devices that are allowed to connect to the environment. Creating this list involves weighing the devices’ possibilities against the implementation of ActiveSync (e.g.: does the device fully support ActiveSync?). Secondly, TEST the devices that you will allow to connect. Microsoft has an ActiveSync Certification Program that allows you to identify devices that implemented ActiveSync entirely (and thus will apply any policy that you define). More information on the program can be found here: http://technet.microsoft.com/en-us/exchange/gg187968.aspx
  3. Enforce the policy. Make sure that you monitor what devices a user connects (or tries to connect) to the network. Block devices that are not on the “allow-list”.
  4. Create procedures for supporting mobile devices. You wouldn’t want your support organization disabling a user before his smartphone was wiped, would you?

Achieving these goals is not always easy and requires you to talk to different stakeholders in your company. The technological part is quite well covered by features in Exchange 2010 like: ActiveSync Mailbox Policies, Access Rules etc…

Of course there are alternatives to Exchange 2010’s ActiveSync like RIM’s Blackberry Enterprise Server or other 3rd party software that can be complementary to ActiveSync like Altiris MDM, ZenPrise Mobile Manager, … Each of these solutions have their own strengths and weaknesses, but usually require additional licenses and setup.

Additional Reading

Wim and Ruben gave a nice presentation about managing mobile devices earlier this year @ the community day 2011.  You can download their presentation here. In this presentation, you will find useful information on how you can use Exchange 2010 to manage mobile device using policies etc.

If you want to read some more about Active Sync Mailbox Policies, have a look at:

 

I created this blog post, to point out some obvious and some less obvious challenges of consumerization and how you could deal with them. There’s no “one way” of doing things and it’s always interesting for me (and others) to see/hear how you deal with “consumerization” at your company. If you have feedback or remarks, please fee free to respond to this article. It’s always very much appreciated!

Michael


Posted 09-25-2011 8:17 by Michael Van Horenbeeck

Comments

Exchange 2010 wrote Get a list of mobile devices in Exchange 2010 using PowerShell
on 09-27-2011 11:21

Introduction Hi there! Following my previous blog post about Exchange 2010 and consumerization of mobile

Hack Sims 4 wrote Hack Sims 4
on 09-21-2014 12:38

Exchange 2010 and consumerization of mobile devices - Exchange 2010 - Pro-Exchange,Lync & Office 365