Exchange Active Sync Policies

["Gregg, Christopher S." <csgregg () STTHOMAS EDU>]

Hello,

I looked through the archives and didn't see anything recent on this subject...

How are you managing security policies for mobile devices connecting to your e-mail via Exchange Active Sync?

We currently require a PIN (with expiration), a device timeout, and there is a warning that we reserve the right to 
wipe the device for anyone (faculty, staff, student) who connects to our on premise Exchange via Active Sync.  We have 
never done that, but the warning is there when a user first connects.

The policies work fine for most, but we have received feedback that some of the population is avoiding Active Sync as a 
result of the security policies.  It's a classic case of security vs. convenience.  However, they then are not happy 
with their mobile alternatives for e-mail (using Outlook Web Access, our home grown portal, etc) which are lesser 
quality services on mobile devices.

So we are revisiting our policy stance, including the possibility of having different levels of security for different 
populations... primarily that we might reduce the restrictions for students who don't have access to sensitive 
university information.  We're also in the process of planning a migration from on premise Exchange to Office365 so we 
want to take that into consideration, though there don't seem to be differences we have encountered so far.

If you run Exchange, on premise or with Office365, would you be willing to share how you manage your Active Sync 
security policy, and whether you differentiate by population (or some other factor)?  If you would prefer to contact me 
directly, that would be fine as well.

Thank you in advance for any feedback you are able to provide.

Chris

Chris Gregg
Director of IT
Information Resources and Technologies (IRT)
University of St. Thomas, Minnesota
csgregg () stthomas edu<mailto:csgregg () stthomas edu>