The default mobile device mailbox policy for Exchange Server or Exchange Online does not require encryption for mobile devices.
Encryption is important for protecting corporate data stored on mobile devices from being accessed by anybody who has physical access to the device. Most modern smartphones and tablets support device encryption, however it is not always enabled by default. Requiring encryption as part of your mobile device policies is a good practice.
However, it isn’t as simple as ticking one box. Some devices do not support encryption at all, but if you are allowing non-provisionable devices in your policies then they will still be able to connect and synchronize data even if you are trying to enforce encryption. Furthermore, encryption for iOS devices is not enforced by the option shown above, but rather is a result of enforcing a password on the device.
If you’re using the native ActiveSync controls in Exchange or Exchange Online, some extra considerations come into play if corporate data is able to be stored on devices independent of an ActiveSync/email connection. For example, if your users are able to use OneDrive for Business to access files on a mobile device, they will be able to do so regardless of any ActiveSync policies that are configured. In those situations you should consider your mobile device management strategy, and implement a more comprehensive MDM solution such as Office 365 MDM, Intune, or a third party product.
In addition to encryption of the device itself, you should also consider the device backups. If mobile device backups are stored in an insecure location, such as the user’s laptop that does not have Bitlocker enabled, then they are just as susceptible to compromise by anyone with physical access to that computer. Again, considering your entire MDM solution is important, and you should consider deploying an MDM solution that is not just for smartphones and tablets, but can also manage your laptops and other computers that may be at risk of loss or theft.
