Exchange administration is not my primary job, but in my past experience on Exchange and the iPhone, if I enforced a security policy that the phone could not meet then the user would not be able to sync with the server and set up their account. I remember having to tone back the security policy to a point where the iPhone would actually sync. So effectively they are enforced. You can also simply limit what ActiveSync devices are allowed. If you don't like iPhones but Android is ok, you can do that... at least in Exchange 2010 I can.

-Vinny

-----Original Message-----
From: Scott Howard [mailto:scott@doc.net.au]
Sent: Thursday, October 13, 2011 5:42 PM
To: McCall, Gabriel
Cc: NANOG
Subject: Re: NANOG:RE: [outages] News item: Blackberry services down worldwide

On Thu, Oct 13, 2011 at 12:21 PM, McCall, Gabriel <Gabriel.McCall@thyssenkrupp.com> wrote:
ActiveSync on Android allows corporate to force compliance with security policy and allow remote wipe. User cannot complete the Exchange account setup without permitting the controls. If the user doesn't agree, their sync isn't enabled. Moreover, if corporate requirements change, sync is disabled until you approve again. That seems like it covers all the bases to me.
There are two key differences between ActiveSync and BES.

The first is that ActiveSync implementations vary widely between different manufacturers/implementations/versions/etc. There is a core set of features that all manufacturers must implement, but it's a very small percentage of the full feature set of controls that ActiveSync supports. Things like enforcing a PIN code fit into this category, but other options like disabling the camera and (from memory) device encryption or even remote wipe are NOT in this category. As a result, even if you enable these features on your Exchange/ActiveSync server, you can't be sure that they are actually being enforced, as you can't readily control which devices are being used with ActiveSync, and (realistically) you can't stop a user from changing devices, so that even if you gave them a handset that supported all the features you wanted, they could simply move over to a new device that didn't.

The second key difference is inbound vs. outbound. ActiveSync requires you to allow connections into your network from outside, where BES doesn't. In today's world that's not really an issue - especially as most people will have their email servers accessible from the Internet in some way or other - but in BB's heyday this alone was one of the key differentiators for Blackberry vs. anything else (be that ActiveSync, POP/IMAP/etc., or any other protocols).

With so many companies today working on the entire concept of Mobile Device Management (MDM), Blackberry will fade into insignificance in the not too distant future if they don't come out with something better than the competition - but even today they still allow far better control over handsets than ActiveSync alone does.

Scott.
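As an added illustration of the two controls Vinny mentions (a policy the device must accept before it can sync, and restricting which device types may connect), here is how they look in the Exchange 2010 SP1 Management Shell. This is example code written for this page, not from any of the posters; the policy name "Corp-Mobile", the mailbox "gmccall" and the admin address are placeholders.

```powershell
# Added example: Exchange 2010 SP1 Management Shell. Placeholder names:
# policy "Corp-Mobile", mailbox "gmccall", admin mailbox exchange-admins@example.com.

# 1. Mailbox policy the device must accept during account setup.
#    AllowNonProvisionableDevices $false refuses sync to a device that reports it
#    cannot apply every setting in the policy, rather than letting it sync anyway.
New-ActiveSyncMailboxPolicy -Name "Corp-Mobile" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowCamera $false `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox (wrap in a Get-Mailbox loop for a whole OU).
Set-CASMailbox -Identity "gmccall" -ActiveSyncMailboxPolicy "Corp-Mobile"

# 3. Quarantine device types the rules below do not mention, so an unknown
#    model needs admin approval instead of syncing by default.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "exchange-admins@example.com"

# 4. Allow one device family and block another. DeviceType strings differ by
#    vendor (Android handsets often report a model code), so check step 5's
#    output for the exact values your fleet sends before writing rules.
New-ActiveSyncDeviceAccessRule -QueryString "Android" -Characteristic DeviceType -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -QueryString "iPhone"  -Characteristic DeviceType -AccessLevel Block

# 5. Audit: which devices are syncing, their access state, and whether the
#    device reported the policy as fully applied (not just received).
Get-ActiveSyncDevice | Get-ActiveSyncDeviceStatistics |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceAccessState,
        DevicePolicyApplicationStatus, IsRemoteWipeSupported, LastPolicyUpdateTime |
    Format-Table -AutoSize
```

The audit in step 5 is the check that matters for the enforcement question raised in the thread: a device with a policy status other than "applied in full" has received the policy but not applied all of it.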