One of the big topics for Enterprises at the moment is the security of mobile devices and the ever increasing amount of data stored on them. The explosion of smartphone use that has followed the rise of the iPhone and iPad has lead many organisations to look at how best to apply and enforce security configurations to devices accessing corporate email.
Fortunately out the box MS Exchange has the ability to push and enforce policies using it’s Exchange ActiveSync (EAS) protocol. This is supported by most smartphones these days including the iPhone, iPad, Windows Mobile and Google Android (to a limited extent, but better support is due in Gingerbread). The polices allow you to configure the same sort of settings that Blackberries tout, pass codes, encryption and all that good stuff. I wrote a table showing all the options and device compatibility whilst looking into it a few months ago.
With MS practically owning the corporate email market with Exchange, you’d have expected its new Windows Phone 7 platform to lead the field when it came to integration with Exchange and it’s security options. Unfortunately they seem to have missed that bit out the spec. As it turns out WP7 has less support and integration than the Windows Mobile 6 platform it replaced. Whilst it uses EAS to connect to Exchange and sync email, it’s only aware of a subset of the policies that can be applied.
Only the following are supported:
- Password Required
- Minimum Password Length
- Idle Timeout Frequency Value
- Device Wipe Threshold
- Allow Simple Password
- Password Expiration
- Password History
- Disable Removable Storage
- Disable IrDA
- Disable Desktop Sync
- Block Remote Desktop
- Block Internet Sharing
Whilst this subset offers very basic core security options there are far more important ones that are not there – support for encryption for example. Indeed I have an open question with MS about whether there is support for encryption at all in WP7.
So what happens if you have any of the more detailed policies already configured? Well there’s a good chance WP7 devices won’t be allowed to connect at all. There’s a policy called ‘Allow Non-provisionable Devices’ which unless enabled will block any device that doesn’t comply with your polices from connecting. This will almost always be set to prevent non-compatible devices gaining access so if you’re enforcing encryption for example WP7 phones will just be blocked.
This leaves you with a few options…
First you can turn on the ‘Allow Non-provisionable Devices’ on whatever policies you currently use. But, to be honest that pretty much opens up your exchange system to any and all devices that claim Activesync support, personally I wouldn’t do it.
Second you could create a new policy which only uses the WP7 supported settings. While that might sound easy, you have to remember that EAS policies are applied to users not devices, so you’d have to keep track of which users have WP7 phones and ensure they are allocated the correct policy applied. Of course you then have to hope that that person does not also have say an iPad alongside their phone.
In all honesty I find this all very odd. MS could easily have positioned WP7 as the smartphone of choice for organisations using Exchange. Instead it has provided limited support similar to Android and significantly less support than Apples iPhone. Whats worse is that if it turns out WP7 doesn’t support encryption it will almost certainly be ruled out of many companies lists of permissible phones. These days organisations just can’t take the chance of having email and data transported around unencrypted.
I can only imagine that full support was skipped in the urgency to get WP7 out to market. If that’s so I’d hope that an update will arrive sometime soon to fix the problem. Until it does I can’t see many companies allowing, let alone adopting WP7 in the same way they have iPhones.
Update: I’ve added some more information in a follow up post.