Educause Security Discussion mailing list archives
Re: Exchange Active Sync Policies
From: "Don M." <djmurd () COX NET>
Date: Thu, 9 Jul 2015 13:48:15 -0400
Greetings.

Sharing what we do in Fortune 500 across 2 Healthcare companies. For us, we use a central solution and allow end users to enroll for personal devices once their manager has authorized access in writing and both associate + manager have signed physical form. We also only allow enrollment via Corp email, enrollments not sent to non Corp email. Net effect is user must be fully enrolled participant.

Sent via the Samsung Galaxy Note® 4, an AT&T 4G LTE smartphone

-------- Original message --------
From: Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Date: 07/09/2015 11:37 AM (GMT-05:00)
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Exchange Active Sync Policies

We only reserve the right to wipe devices for employees; we explicitly state that we will not wipe student devices. This was unofficial policy, but we had to add it in writing when some of our savvy students read through all the permissions being granted on Android when setting up their email. Of course, instead of talking to us, they started circulating rumors that IT would wipe their phones/tablets. As you mention, there isn’t a big issue with protecting college information assets with students so we give them a longer leash.

We will remote wipe the device if the student requests and they have lost their device. But generally, we lock their account, change the password, and make them reset it. This just seems better PR as well as better legally.

Thomas Carter
Network & Operations Manager
Austin College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gregg, Christopher S.
Sent: Wednesday, July 8, 2015 12:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Exchange Active Sync Policies

Hello,

I looked through the archives and didn’t see anything recent on this subject… How are you managing security policies for mobile devices connecting to your e-mail via Exchange Active Sync?

We currently require a PIN (with expiration), a device timeout, and there is a warning that we reserve the right to wipe the device for anyone (faculty, staff, student) who connects to our on premise Exchange via Active Sync. We have never done that, but the warning is there when a user first connects.

The policies work fine for most, but we have received feedback that some of the population is avoiding Active Sync as a result of the security policies. It’s a classic case of security vs. convenience. However, they then are not happy with their mobile alternatives for e-mail (using Outlook Web Access, our home grown portal, etc) which are lesser quality services on mobile devices.

So we are revisiting our policy stance, including the possibility of having different levels of security for different populations… primarily that we might reduce the restrictions for students who don’t have access to sensitive university information. We’re also in the process of planning a migration from on premise Exchange to Office365 so we want to take that into consideration, though there don’t seem to be differences we have encountered so far.

If you run Exchange, on premise or with Office365, would you be willing to share how you manage your Active Sync security policy, and whether you differentiate by population (or some other factor)? If you would prefer to contact me directly, that would be fine as well.

Thank you in advance for any feedback you are able to provide.

Chris

Chris Gregg
Director of IT
Information Resources and Technologies (IRT)
University of St. Thomas, Minnesota
csgregg () stthomas edu
Current thread:
- Exchange Active Sync Policies Gregg, Christopher S. (Jul 08)
- Re: Exchange Active Sync Policies Thomas Carter (Jul 09)
- Re: Exchange Active Sync Policies Gregg, Christopher S. (Jul 09)
- <Possible follow-ups>
- Re: Exchange Active Sync Policies Don M. (Jul 09)
- Re: Exchange Active Sync Policies Thomas Carter (Jul 09)