iPads and Exchange Active Sync

The state agency I work for is in the process of exploring a BYOD approach to mobile devices using Microsoft Exchange ActiveSync (EAS). This post documents and explores how it has changed the user experience on a test iPad.

Central Technical Services (CTS), the state agency responsible for central, shared services, has made Exchange 2010 ActiveSync available for agencies. A couple of weeks ago our agency converted our mailboxes. We are now conducting tests and defining policies for the agency.

To start with, just to see if things were configured correctly, the Exchange administrator enabled EAS for my account. I promptly configured my iPad’s mail to use EAS. After a minute or so I was prompted to provide a strong password for the iPad (one of the state and agency security requirements). I gave it a strong password. I was then required to log into my iPad with the alphanumeric soft keyboard that replaced the numeric keypad. Yes, that alphanumeric keyboard lies latent on an iPad waiting for a mobile device management (MDM) system requiring strong passwords to activate it.
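The strong-password prompt comes from the ActiveSync mailbox policy assigned to the user’s mailbox, not from anything configured on the iPad itself. The following Exchange Management Shell commands are an added example, not part of the original post or CTS’s configuration, showing the kind of Exchange 2010 policy that produces that behaviour. The policy name “AgencyBYOD”, the mailbox alias “tester” and the numeric values are assumptions; adjust them to the state and agency requirements.

```powershell
# Added example (not from the original post): an Exchange 2010 ActiveSync
# mailbox policy that makes a device demand an alphanumeric password.
# Policy name, alias and numeric values are assumptions.
New-ActiveSyncMailboxPolicy -Name "AgencyBYOD" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false   # devices that cannot enforce the policy are refused

# Assign the policy to a single test mailbox before rolling it out agency-wide.
Set-CASMailbox -Identity "tester" -ActiveSyncMailboxPolicy "AgencyBYOD"

# Confirm EAS is enabled on the mailbox and which policy it now carries.
Get-CASMailbox -Identity "tester" | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

The device receives the policy on its next sync, which is why the password prompt appeared about a minute after the account was added. `AllowNonProvisionableDevices $false` is the setting that matters for BYOD: without it a client that cannot apply the policy is still allowed to sync.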

After logging in I looked at my calendar and mail apps. The agency e-mail and calendar information was populated in a separate calendar. It was very detailed and consistent with the experience expected of an iPad…it was, after all, using the iOS mail and calendar apps.

With my Outlook Web App (OWA) screen up on a PC I watched my Exchange information update dynamically in both the iPad and OWA when I made changes in either place.

…so far, so good…and now for the interesting part….

I needed to attend a meeting and told the Exchange administrator she could test wiping my iPad from the Exchange console. She needed a little bit of time to figure out the correct approach. I continued to use the iPad for the remainder of the day. I packed it away when I went home at the end of the day.

The next morning when I returned to work I was preparing to look at my calendar and thought I would use the iPad for my calendar and mail since it really was a pretty good experience. I had forgotten about the wiping.

I powered the iPad on and it got a network connection. I was then confronted with the white Apple symbol and a progress bar as I watched everything on the iPad get set back to factory default…so the wipe worked pretty well. I also received an e-mail message in Outlook at my desktop telling me the iPad was successfully wiped.

I went about my business during the day. Toward the end of the day I thought I would set the iPad up and try to use it again. I took about ten minutes to finish the basic setup including wireless and VPN connectivity. I then configured the iPad to use EAS. As soon as the EAS was configured, the screen cleared, I saw the Apple logo and progress bar again as the device was wiped again.

I hadn’t removed the iPad’s record in Exchange. Once a mobile device is successfully wiped, the device’s record needs to be removed or the device will be wiped again every time it reconnects. I removed the record using OWA. I set up the iPad again. It connected correctly.

What I learned:

1. Any EAS user will also need to be an OWA user. The iPad is administered through OWA either by the administrator or the user.

2. The administrator needs to use each individual user’s mailbox to administer EAS enabled mobile devices…that will be a huge administrative burden. Other experienced EAS administrators have confirmed this to be the case but I will still verify with Microsoft.

3. There will need to be some administrative procedure to address clearing a wiped device’s record from Exchange. If the device is lost or stolen and the user receives the e-mail indicating the device has been successfully wiped, presumably it would be OK to remove the record. The device may never be recovered but the data will have been removed.

4. Everything, work related and personal, appeared to have been destroyed.

If a personal device will have all its data removed when EAS wipes the device, I would want to back up the iPad so that after it is wiped I would be able to recover my personal data.

Backup / Restore test:

I set up my iPad again with some non-work related apps and photos to see what would happen the next time I wiped the device. I then backed it up using iTunes. What I wanted to know was whether the security profile pushed to the device from EAS, requiring the strong password and other settings, would be restored from the backup after wiping the device.

I wiped the device again, removed the device record from Exchange using OWA, then restored it from the iTunes backup. The EAS security profile was restored! So, if I hadn’t removed the record from Exchange the iPad would have been wiped again.

This seems to have implications for personal devices for four different use cases:

1. The device is stolen – the user is the beneficiary of the EAS security, and all personal confidential information in addition to corporate data is destroyed. You wouldn’t want the thief to get personal confidential information.

2. The device is lost and not found – the scenario is the same as if the device were stolen.

3. The device is lost but recovered after it was successfully wiped – It would be restored to factory default. If the user had the forethought to back it up, it could be restored to that point either with or without the EAS configuration, depending on whether the backup was done before or after it was configured for EAS.

These three use cases seem to be just fine from both a corporate data and personal data perspective; however, the next one seems to be problematic.

4. The user leaves the organization under amicable terms; new employment, retirement, etc. – If the user didn’t back up the device after it was configured for EAS, no harm done from a corporate perspective. The user however would lose everything personal on the device. If the user did back up the device after it was configured for EAS then restored it after leaving the organization, the EAS configuration will be restored. If the organization didn’t take appropriate measures to disable the user’s mailbox the user would continue to have access to corporate data.
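Lesson 3 above (clearing a wiped device’s record) and use case 4 (making sure a departed user’s restored backup can no longer sync) are both things the Exchange administrator can script rather than handle one mailbox at a time in OWA. The following Exchange Management Shell commands are an added example, not part of the original post or of the agency’s procedures. The mailbox alias “tester” and the notification address are placeholders; the cmdlets and property names are those of Exchange 2010.

```powershell
# Added example (not from the original post): device-record handling after a
# remote wipe, and the ActiveSync side of offboarding a user.
# "tester" and the notification address are placeholders.

$mailbox = "tester"

# 0. (Optional) issue the wipe from the shell instead of the console. The
#    address receives the same "successfully wiped" message the post mentions.
# Clear-ActiveSyncDevice -Identity "<device identity>" -NotificationEmailAddresses "tester@example.gov"

# 1. List the mailbox's ActiveSync partnerships with their wipe timestamps.
#    DeviceWipeAckTime is populated only after the device confirms the wipe.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceFriendlyName, LastSuccessSync,
                 DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime -AutoSize

# 2. Remove only the partnerships whose wipe has been acknowledged.
#    A record left behind re-wipes the device the next time it syncs, which is
#    exactly what happened to the iPad in the post. A record whose wipe is
#    still pending is left alone so the wipe command is still delivered if
#    the lost device ever reconnects.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $null -ne $_.DeviceWipeAckTime } |
    ForEach-Object {
        Write-Host ("Wipe acknowledged at {0}; removing record {1}" -f $_.DeviceWipeAckTime, $_.Identity)
        Remove-ActiveSyncDevice -Identity $_.Identity -Confirm:$false
    }

# 3. Offboarding: disable ActiveSync on the mailbox so a backup restored after
#    the user leaves, EAS account and all, cannot sync again. Disabling the
#    AD account belongs in the same procedure; the two are independent controls.
Set-CASMailbox -Identity $mailbox -ActiveSyncEnabled $false
Get-CASMailbox -Identity $mailbox | Format-List ActiveSyncEnabled
```

Step 2 is the check a practitioner wants before deleting anything: the record is the only thing that will deliver the wipe to a device that has not reported in yet, so it should go only once `DeviceWipeAckTime` is set. Step 3 addresses the problematic fourth use case from the mailbox side; the restored iPad will still carry the EAS account and policy, but the mailbox will refuse the sync.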

– Posted using BlogPress from my iPad