Exchange ActiveSync is Microsoft’s solution for enabling mobile devices such as smart phones to securely access their email, calendar, contacts and tasks from remote networks.

Exchange ActiveSync is a feature of Exchange Server 2010 that is installed by default when you install the Client Access server role.

This is one of the greatest strengths of Exchange ActiveSync; that it is a built-in feature of Exchange that does not require additional licenses, servers, or software products to be installed in your network or on the end user devices.

This is very attractive for smaller organizations who want the convenience of mobile email access for their staff without having to incur significant additional costs.

With Exchange ActiveSync businesses get the benefits of:

  • Secure mobile access to email, calendar, contacts and tasks
  • Support for a wide range of consumer smart phones and devices, keeping costs down by allowing users to utilize their own personal mobile devices
  • Policy-based control over devices and data, including features such as remote wipe

Here are some more details about the features of ActiveSync in Exchange Server 2010.

Direct Push

Direct Push is an attractive feature for mobile users because it allows a device to be updated instantly when new content is ready to be synchronized.

Although the name “Direct Push” suggests that the server initiates a connection when new content is available, it is the mobile device itself that makes the initial HTTPS request but with a long timeout period of 15 minutes.

Exchange 2010 ActiveSync Direct Push
Exchange 2010 ActiveSync Direct Push

If the mailbox receives a new item the server responds to the HTTPS request. If the 15 minute timeout lapses the device simply opens a new HTTPS request and the process repeats.

AutoDiscover

Similar to the way AutoDiscover allows an Outlook profile to be automatically configured for a new mailbox user, it also simplifies the configuration of a new mobile device for connectivity to a user’s mailbox.

This helps reduce administrative effort and costs by allowing a user to set up their mobile device to receive email simply by entering their email address and password.

ActiveSync Mailbox Policies

Exchange ActiveSync mailbox policies allow administrators to configure the same features and security settings to apply to each group of users.

Exchange 2010 ActiveSync Policies
Exchange 2010 ActiveSync Policies

This includes settings such as whether email attachments can be downloaded to devices, whether devices require a password to unlock them, and how many days’ worth of mailbox content to keep synchronized on the device.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Abhishek Singh

    Hi Paul,
    As we found, Exchange Activesync is enabled by default for all existing & new user mailbox.
    Is there any way to change by default setting as disabled for all new user Mailbox in our Exchange Environment.

  2. Ham

    I Paul.,
    My question is,
    When my smart device connects to my exchange it automatically gets server address but not domain name.
    I have added in iis but for some reason it won’t pickup correct domain name

    mydomainuser

  3. Cristin Malafronte

    wow, awesome blog article.Really looking forward to read more. Great.

  4. Mario

    Paul,

    Autodiscover for outlook clients works well for internal and external, all test passed for automatic detection, but autodiscover does not work with mobiles devices Iphone, Z10.

    domain.com, autodiscovery.domain.com, and SRV records were added to dns, all that name in cert too, but automatic detection does not work in mobiles, after tried the mobil left the fields for user, server y domain with: user.domain.com, domain.com and empty.

    Any idea to trace this issue ?

    Thanks

  5. Keith

    If you wanted to have two ActiveSync servers — one for iPhones and another for MDM clients which use Certificate Based Authentication – would that be possible without convoluting the external namespace/internal namespace?

    The MDM clients would use CAS1 (example) from both the inside network and outside network, using the ActiveSyncMDM.domain.com URL

    The iPhones would use CAS2 with the current ActiveSync.domain.com URL

    Would that work?

    1. Avatar photo
      Paul Cunningham

      I suppose you could run one namespace (the one configured in Exchange) for iPhones that autodiscover their config, and then have the MDM use a different external namespace (because the MDM app itself pushes out the client config via policies).

      But I don’t see the need to use seperate servers. The ActiveSync virtual directory can be configured to accept certificates without actually requiring them.

  6. Tim

    Hi Paul,

    Thanks for sharing a concise overview of Exchange 2010 Activesync.

    Have a basic querry, if I as an adminstrator create a policy that prevents viewing/downloading of attachments.

    Can end users still bypass the same to succeed in accessing the attachments via some third party apps available in smartphone marketplaces- such as the Google Play ,etc ?

    1. Carol Ostos

      The following applications have the ability to bypass your ActiveSync policies, you should check them out to understand their capabilities.

      TouchDown
      Moxier Mail
      Email+ (Exchange)

      Suggest to run scheduled reports of your ActiveSync connections to ensure your users are connecting using the built-in email clients which will enforce the policies.

      You could also try Log Parser Studio, pretty handy tool if you are unfamiliar with shell scripting
      http://blogs.technet.com/b/exchange/archive/2013/06/17/log-parser-studio-2-2-is-now-available.aspx

      and…let’s not forget about EWS (Exchange Web Services)
      http://blogs.technet.com/b/matabra/archive/2012/08/23/block-mobile-apps-that-use-exchange-web-services.aspx

      1. Tim

        Thanks Carol!

        Great to get this insight, will try and look more into the apps you mentioned & explore workarounds…

  7. Dax

    Hi Paul,

    Would Exchange 2010 be able to handle if ActiveSync is enabled for 25K users and all is using it?

  8. PRINCE VARGHESE

    Dear Paul,

    Is there any way to allow opening of attachment at the same time blocking the downloading for the attachement in Mobile using active sync policy ? or any other way.

    In Mobile Device, (We have Exchange 2010 Org, all are exchange servers but no egde)
    1. Need to allow users to open attachement.
    2. Need to block users to download the attcachment.

    1. Avatar photo
      Paul Cunningham

      I don’t understand your requirements. They can’t open an attachment if they can’t download it first.

  9. Carol Matthews

    Hi Paul,

    I’m wanting to use this, but am getting a bit confused about how to configure it. I have SBS 2008 and I think currently that my server is only configured as a local server not on the web. I have tried previously to get OWA working but again that only works locally not outside. I am also having the same issue with Activesync in that when I try and configure my iphone it does not recognise my server name, again is this because it is only configured locally. If that’s the case how do I configure the SBS server so that it is recognised outside m company.

  10. Pete

    Hey Paul,
    What about the issue where ActiveSync devices continue to sync for several hours after a password change or the account is disabled. I find it very odd that Microsoft hasn’t provided a better solution other than restart IIS. For terminating employees this could cause a problem.
    http://support.microsoft.com/kb/2612821

    Any recommendations to help without taking down services for everyone?
    I have seen the follwing suggestions:
    Moving mailbox after account is disabled/password change
    Disable OWA and Active Sync for the user
    Disable the mailbox from the user

    1. Avatar photo
      Paul Cunningham

      No better solution I’m afraid. But consider that if the matter is serious enough that you’re trying to lock someone out of EAS, then an IIS reset may be worth it.

  11. Carol Ostos

    Got a question about autodiscover name on multiple SAN certs, we have one Exchange org, one forest, multiple child domains. Exchange 2010 will be installed in two separate child domains (let’s say regions APAC and North America).

    I was planning on requesting a cert from our Internal CA, apply that cert to our CAS Servers and then get a third party cert, install it on the TMG Server and make TMG trust our internal CA (cert).

    It’s my understanding that internal clients on the trusted LAN would all use SCP to resolve autodiscover & use the internal url (FQDN of the CAS) and for external clients such as iphones or android autodiscover would be needed on external DNS.

    What would be your suggestion to have APAC activesync users to go to APAC Exchange Servers and US activesync users to go to the NA Exchange Servers? I have been reading that maybe SRV records could be a suggestion but thought checking with you guys, in case you have seen a similar scenario.

    Thanks so much in advance!

  12. A.Fuchs

    +1

  13. turbomcp

    Thanks

Leave a Reply