ActiveSync consideration for device control

TAC is fully capable of handling Exchange ActiveSync operations on mobile devices. ActiveSync is a client protocol that allows mobile devices to synchronize with your organization’s mailbox. With Bring Your Own Device (BYOD), organizations need a way to control logging in and access to corporate information from any device that is unknown to corporate policy. In most cases users want to configure their email on their personal mobile devices for ease of access and prompt responses. Therefore, from a security perspective, it is vital to control those devices to keep information from draining out of the organization.

To address this, TAC is equipped with a device control mechanism where users are required to register their mobile devices with a unique ID.

First, the administrator needs to publish the ActiveSync service as an application in the site before users are able to use ActiveSync on their mobile devices.

Then, in Device Control under the Configuration menu, the administrator can configure the device settings for ActiveSync.

In the ActiveSync tab, under the Generic section, you can export the Device CA certificate and make it available for configuring certificate-based authentication, which grants policy-based device access permission. This certificate is used to set up certificate-based authentication when configuring ActiveSync device control, when device approval is used, and to provide two-factor authentication as extra security.

Under the Security section, you can set up compliance for mobile devices. TAC has an agent component that sends mobile device data to the TAC server, which helps collect mobile device information and execute TAC policies. For ActiveSync, device information is needed to generate the ActiveSync ID and Device ID that differentiate user devices. Therefore, the TAC Mobile Agent must run on the end devices to collect device information. To enable TAC Mobile, select the “Require TAC mobile client data” checkbox under the Security section.

The administrator can limit ActiveSync to approved devices only; ActiveSync will not be configured for blocked devices. To enable ActiveSync only for approved devices, check the Allow Approved Devices Only checkbox under the Security tab.

Further, TAC provides flexibility in configuring ActiveSync for devices that do not have the TAC Client application (Windows Phone, Blackberry). For such devices, the administrator may enter the user-agent string that the device uses during the ActiveSync connection, which enables those devices to connect. To enable this option, check the “Device with user-agent string that contains one of the values below may access without approval” checkbox and enter the user-agent string in the field.

Click OK to complete the action.

Remember to apply the configuration.
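To see which devices the settings above would admit, the following added example (not TAC code, and not taken from the product) models the Allow Approved Devices Only and user-agent exception checkboxes over ActiveSync requests and groups devices by outcome. It assumes the plain-text ActiveSync query form (User, DeviceId, DeviceType), case-insensitive substring matching, and hypothetical names and constructed sample values throughout.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed mirror of the Device Control settings (all values constructed).
APPROVED_DEVICE_IDS = {"APPL0123456789AB"}
UA_EXCEPTIONS = ["MSFT-WP", "BlackBerry"]

# Constructed sample data: (request URI, User-Agent header) pairs.
SAMPLE_REQUESTS = [
    ("/Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=APPL0123456789AB&DeviceType=iPhone",
     "Apple-iPhone9C1/1602.92"),
    ("/Microsoft-Server-ActiveSync?Cmd=Sync&User=bob&DeviceId=WP00AA11BB22&DeviceType=WP8",
     "MSFT-WP/8.10.14219"),
    ("/Microsoft-Server-ActiveSync?Cmd=Ping&User=carol&DeviceId=ANDR99887766&DeviceType=Android",
     "Android/5.0-EAS-1.3"),
    ("/owa/auth/logon.aspx", "Mozilla/5.0"),  # not ActiveSync, skipped
]

def parse_eas_request(uri, user_agent):
    """Return user, device ID and type from a plain-text EAS query, or None."""
    parts = urlsplit(uri)
    if parts.path.rstrip("/").lower() != "/microsoft-server-activesync":
        return None
    query = parse_qs(parts.query)
    get = lambda key: query.get(key, [""])[0]
    return {"user": get("User"), "device_id": get("DeviceId"),
            "device_type": get("DeviceType"), "user_agent": user_agent}

def classify(req):
    """Model the two checkboxes: approved devices first, then the UA exception."""
    if req["device_id"] in APPROVED_DEVICE_IDS:
        return "approved"
    ua = req["user_agent"].lower()  # case-insensitive match is an assumption
    if any(value.lower() in ua for value in UA_EXCEPTIONS):
        return "ua-exception"
    return "blocked"

def audit(requests):
    """Group devices by how they would be admitted."""
    report = {"approved": [], "ua-exception": [], "blocked": []}
    for uri, user_agent in requests:
        req = parse_eas_request(uri, user_agent)
        if req is not None:
            report[classify(req)].append((req["user"], req["device_id"]))
    return report

if __name__ == "__main__":
    for outcome, devices in audit(SAMPLE_REQUESTS).items():
        print(outcome, devices)
```

Devices listed under ua-exception are admitted on the strength of a client-supplied header alone, so keep the exception values as specific as possible and review that list regularly.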