Exchange ActiveSync is Microsoft’s solution for enabling mobile devices such as smart phones to securely access their email, calendar, contacts and tasks from remote networks.
Exchange ActiveSync is a feature of Exchange Server 2010 that is installed by default when you install the Client Access server role.
This is one of the greatest strengths of Exchange ActiveSync: it is a built-in feature of Exchange that does not require additional licenses, servers, or software products to be installed in your network or on end-user devices.
This is very attractive for smaller organizations who want the convenience of mobile email access for their staff without having to incur significant additional costs.
With Exchange ActiveSync businesses get the benefits of:
- Secure mobile access to email, calendar, contacts and tasks
- Support for a wide range of consumer smart phones and devices, keeping costs down by allowing users to utilize their own personal mobile devices
- Policy-based control over devices and data, including features such as remote wipe
Here are some more details about the features of ActiveSync in Exchange Server 2010.
Direct Push
Direct Push is an attractive feature for mobile users because it allows a device to be updated instantly when new content is ready to be synchronized.
Although the name “Direct Push” suggests that the server initiates a connection when new content is available, it is the mobile device itself that makes the initial HTTPS request, with a long timeout period of 15 minutes.
If the mailbox receives a new item, the server responds to that pending HTTPS request. If the 15-minute timeout lapses without new items, the device simply opens a new HTTPS request and the process repeats.
AutoDiscover
Similar to the way AutoDiscover allows an Outlook profile to be automatically configured for a new mailbox user, it also simplifies the configuration of a new mobile device for connectivity to a user’s mailbox.
This helps reduce administrative effort and costs by allowing a user to set up their mobile device to receive email simply by entering their email address and password.
ActiveSync Mailbox Policies
Exchange ActiveSync mailbox policies allow administrators to define a set of features and security settings and apply it to a group of users.
This includes settings such as whether email attachments can be downloaded to devices, whether devices require a password to unlock them, and how many days’ worth of mailbox content to keep synchronized on the device.
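The following is an added example, not code from the article, showing how those policy settings are created and assigned from the Exchange Management Shell on Exchange 2010. The policy name "Mobile-Standard-Users" and the mailbox alias "jsmith" are placeholders chosen for this example; the cmdlets and parameters are the standard Exchange 2010 ones.

```powershell
# Added example (not from the article): create a restrictive Exchange ActiveSync
# mailbox policy and assign it to one mailbox. Run in the Exchange Management
# Shell on an Exchange 2010 server. The policy name and the mailbox alias are
# placeholders chosen for this example.

$policyName = "Mobile-Standard-Users"   # assumed name

# Create the policy only if it does not already exist.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName
}

# Apply the settings the article lists: attachments, device password, and
# how much mailbox content stays synchronized on the device.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AttachmentsEnabled $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxEmailAgeFilter OneWeek `
    -MaxCalendarAgeFilter TwoWeeks

# Assign the policy to a mailbox; "jsmith" is a placeholder alias.
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy $policyName

# Verify which policy the mailbox now carries.
Get-CASMailbox -Identity "jsmith" | Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

A policy only takes effect on devices whose client honours it, so pair a policy like this with a periodic check of which client software is actually connecting.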
Hi Paul,
As we found, Exchange ActiveSync is enabled by default for all existing and new user mailboxes.
Is there any way to change the default setting to disabled for all new user mailboxes in our Exchange environment?
There’s no way to set it by default. You can use the scripting agent, but I find it cumbersome and tricky to get it working properly.
https://www.practical365.com/exchange-server/using-scripting-agent-exchange-server-2013/
My preferred approach is to make it part of the mailbox provisioning script.
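As an added example (not Paul's script or the scripting agent from the linked article), this is the kind of provisioning fragment the reply describes: it creates the mailbox and immediately disables Exchange ActiveSync on it, because the protocol is enabled by default. The user details and database name are placeholders.

```powershell
# Added example (not Paul's script): a provisioning fragment that creates a
# mailbox and immediately disables Exchange ActiveSync on it, since the
# protocol is enabled by default. Run in the Exchange Management Shell.
# The user details and database name are placeholders.

$alias    = "jsmith"                       # placeholder
$upn      = "jsmith@example.com"           # placeholder
$database = "Mailbox Database 01"          # placeholder
$password = Read-Host "Initial password" -AsSecureString

New-Mailbox -Name "Jane Smith" -Alias $alias -UserPrincipalName $upn `
    -Database $database -Password $password -ResetPasswordOnNextLogon $true

# Protocol settings live on the CAS mailbox object; turn EAS off here and
# re-enable it later, per user, when mobile access is actually approved.
Set-CASMailbox -Identity $alias -ActiveSyncEnabled $false

# Confirm the result before the account is handed to the user.
Get-CASMailbox -Identity $alias | Select-Object Name, ActiveSyncEnabled, OWAEnabled
```

Because the disable step runs in the same script as the mailbox creation, there is no window in which a freshly created mailbox is reachable over ActiveSync.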
Hi Paul,
My question is,
When my smart device connects to my Exchange it automatically gets the server address but not the domain name.
I have added it in IIS but for some reason it won’t pick up the correct domain name.
mydomainuser
Wow, awesome blog article. Really looking forward to reading more. Great.
Paul,
Autodiscover for Outlook clients works well for internal and external, all tests passed for automatic detection, but Autodiscover does not work with mobile devices (iPhone, Z10).
domain.com, autodiscover.domain.com, and SRV records were added to DNS, and all those names are in the cert too, but automatic detection does not work on mobiles; after trying, the mobile left the fields for user, server and domain with: user.domain.com, domain.com and empty.
Any idea how to trace this issue?
Thanks
If you wanted to have two ActiveSync servers — one for iPhones and another for MDM clients which use Certificate Based Authentication – would that be possible without convoluting the external namespace/internal namespace?
The MDM clients would use CAS1 (example) from both the inside network and outside network, using the ActiveSyncMDM.domain.com URL
The iPhones would use CAS2 with the current ActiveSync.domain.com URL
Would that work?
I suppose you could run one namespace (the one configured in Exchange) for iPhones that autodiscover their config, and then have the MDM use a different external namespace (because the MDM app itself pushes out the client config via policies).
But I don’t see the need to use separate servers. The ActiveSync virtual directory can be configured to accept certificates without actually requiring them.
Hi Paul,
Thanks for sharing a concise overview of Exchange 2010 Activesync.
I have a basic query: if I as an administrator create a policy that prevents viewing/downloading of attachments,
can end users still bypass it and succeed in accessing the attachments via some third-party apps available in smartphone marketplaces, such as Google Play, etc.?
The following applications have the ability to bypass your ActiveSync policies; you should check them out to understand their capabilities.
TouchDown
Moxier Mail
Email+ (Exchange)
I suggest running scheduled reports of your ActiveSync connections to ensure your users are connecting with the built-in email clients, which will enforce the policies.
You could also try Log Parser Studio, a pretty handy tool if you are unfamiliar with shell scripting:
http://blogs.technet.com/b/exchange/archive/2013/06/17/log-parser-studio-2-2-is-now-available.aspx
And let’s not forget about EWS (Exchange Web Services):
http://blogs.technet.com/b/matabra/archive/2012/08/23/block-mobile-apps-that-use-exchange-web-services.aspx
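As an added example of the scheduled report Carol recommends (this is not her code or the linked articles'), the script below lists every ActiveSync device partnership and flags clients whose user-agent string does not start with one of the prefixes you expect from built-in mail clients. The prefix list and the output path are assumptions for this example and should be tuned to the devices actually in use; it is written for the Exchange Management Shell on Exchange 2010 SP1 or later, where Get-ActiveSyncDeviceStatistics is available.

```powershell
# Added example (not from Carol's comment or the linked articles): a scheduled
# report of ActiveSync device partnerships, flagging clients whose user agent
# does not match the built-in mail clients you expect. Run in the Exchange
# Management Shell on Exchange 2010 SP1 or later. The allow-list and the output
# path are assumptions for this example; tune them to your environment.

# Assumed user-agent prefixes of built-in, policy-enforcing clients.
# Anything else is reported for follow-up, not blocked.
$expectedAgents = @("Apple-iPhone", "Apple-iPad", "Android", "MSFT-WP", "MSFT-PPC", "MSFT-SPhone")
$reportPath     = "C:\Reports\EAS-Devices-$(Get-Date -Format yyyyMMdd).csv"   # assumed path

$report = Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $mailbox = $_
        Get-ActiveSyncDeviceStatistics -Mailbox $mailbox.Identity | ForEach-Object {
            $agent = [string]$_.DeviceUserAgent
            $known = $false
            foreach ($prefix in $expectedAgents) {
                if ($agent.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $known = $true
                    break
                }
            }
            # New-Object is used instead of [PSCustomObject] so this also runs
            # on the PowerShell 2.0 shell that ships with Exchange 2010.
            New-Object PSObject -Property @{
                User           = $mailbox.Name
                DeviceType     = $_.DeviceType
                DeviceModel    = $_.DeviceModel
                UserAgent      = $agent
                LastSyncTime   = $_.LastSuccessSync
                ExpectedClient = $known
            }
        }
    }

# Keep the full inventory for the record ...
$report | Export-Csv -Path $reportPath -NoTypeInformation

# ... and show only the devices that need a closer look.
$report | Where-Object { -not $_.ExpectedClient } |
    Format-Table User, DeviceType, UserAgent, LastSyncTime -AutoSize
```

Run it from a scheduled task that loads the Exchange snap-in, and review the flagged rows rather than acting on them automatically: a user-agent string is self-reported by the client, so it is evidence for a conversation with the user, not proof of policy evasion.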
Good tips.
Thanks Carol!
Great to get this insight, will try and look more into the apps you mentioned & explore workarounds…
Hi Paul,
Would Exchange 2010 be able to cope if ActiveSync is enabled for 25K users and all of them are using it?
Dear Paul,
Is there any way to allow opening of an attachment while at the same time blocking the downloading of the attachment on mobile devices using an ActiveSync policy? Or any other way?
On mobile devices (we have an Exchange 2010 org, all Exchange servers but no Edge):
1. Need to allow users to open attachments.
2. Need to block users from downloading attachments.
I don’t understand your requirements. They can’t open an attachment if they can’t download it first.
Hi Paul,
I’m wanting to use this, but am getting a bit confused about how to configure it. I have SBS 2008 and I think currently that my server is only configured as a local server, not on the web. I have tried previously to get OWA working, but again that only works locally, not outside. I am also having the same issue with ActiveSync in that when I try to configure my iPhone it does not recognise my server name; again, is this because it is only configured locally? If that’s the case, how do I configure the SBS server so that it is recognised outside my company?
Hey Paul,
What about the issue where ActiveSync devices continue to sync for several hours after a password change or after the account is disabled? I find it very odd that Microsoft hasn’t provided a better solution other than restarting IIS. For terminating employees this could cause a problem.
http://support.microsoft.com/kb/2612821
Any recommendations to help without taking down services for everyone?
I have seen the following suggestions:
Moving mailbox after account is disabled/password change
Disable OWA and Active Sync for the user
Disable the mailbox from the user
No better solution I’m afraid. But consider that if the matter is serious enough that you’re trying to lock someone out of EAS, then an IIS reset may be worth it.
Got a question about autodiscover name on multiple SAN certs, we have one Exchange org, one forest, multiple child domains. Exchange 2010 will be installed in two separate child domains (let’s say regions APAC and North America).
I was planning on requesting a cert from our Internal CA, apply that cert to our CAS Servers and then get a third party cert, install it on the TMG Server and make TMG trust our internal CA (cert).
It’s my understanding that internal clients on the trusted LAN would all use the SCP to resolve Autodiscover and use the internal URL (FQDN of the CAS), and for external clients such as iPhones or Android devices, Autodiscover would be needed in external DNS.
What would be your suggestion to have APAC activesync users to go to APAC Exchange Servers and US activesync users to go to the NA Exchange Servers? I have been reading that maybe SRV records could be a suggestion but thought checking with you guys, in case you have seen a similar scenario.
Thanks so much in advance!
Hi Carol, see if this article answers your question about NA vs APAC
https://www.practical365.com/exchange-2010-activesync-autodiscover-geographic-urls
Hi Paul,
Hope that you are well.
I tried to open the link below but it is not working:
https://pratical365.com/exchange-2010-activesync-autodiscover-grographic-urls
+1
Thanks