How do you secure mobile phones in a company where everyone uses them to reach company resources, while making sure those devices can actually be managed?
The real question is how mobile devices should be managed: through Exchange, or with a dedicated MDM (Mobile Device Management) solution. There are many MDM products on the market; here we focus on the Microsoft offerings.
Microsoft offers two ways of managing mobile devices in an enterprise: one is built into Exchange Server, the other is a separate product, Microsoft Intune. Below we set out the pros and cons of each so you can decide which is better suited to your business's mobile devices.
Either can apply policies to mobile devices, but they work differently. Exchange manages devices through Exchange ActiveSync mailbox policies (called mobile device mailbox policies from Exchange 2013 onwards), while Intune uses device security policies that apply to the enrolled device itself.
Although at first glance the differences seem minimal, an administrator trying to decide how best to secure and manage mobile devices needs to understand them.
Exchange ActiveSync policies are limited. They focus on passwords, hardware features and mobile apps, and they are tied to the mailbox that is synchronised to the device: the policy is pushed to the device's ActiveSync client when it synchronises, not to the operating system. So the settings you define do not apply to the device or to the user's account, only to the mail account on the device. If that mail account is removed from the phone, all management is lost and the device disappears from Exchange's view.
Intune manages devices by enrolling them. Company-owned devices are enrolled and taken into full management through Android for Work or Apple's Device Enrolment Program (DEP); a device the company does not own (BYOD) is enrolled by the user installing the Intune Company Portal app. BYOD enrolment does not give the same level of control as a company-owned device, but it still offers more than Exchange ActiveSync does.
Security policies are then applied to phones and tablets in much the same way as policy settings are applied to desktops and laptops. Intune offers far more policies than ActiveSync, covering the device itself as well as the applications on it.
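To make the difference concrete, here is an added example (not code from the original article) that creates an iOS compliance policy in Intune through Microsoft Graph from PowerShell and assigns it to a group. It needs the Microsoft.Graph.Authentication module and an account holding the DeviceManagementConfiguration.ReadWrite.All permission. The policy name, the thresholds, the 24-hour grace period, the shape of `scheduledActionsForRule` and the `<group-object-id>` placeholder are assumptions for illustration; check the property names against the Graph reference for your tenant before running it.

```powershell
# Added example, not part of the original article: create an iOS compliance
# policy in Intune through Microsoft Graph and assign it to a group. Needs the
# Microsoft.Graph.Authentication module and an account holding the
# DeviceManagementConfiguration.ReadWrite.All permission. The policy name, the
# thresholds, the grace period and the group id placeholder are assumptions.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type' = '#microsoft.graph.iosCompliancePolicy'
    displayName   = 'iOS baseline'
    description   = 'Passcode, platform integrity and managed mail'

    # Settings an Exchange ActiveSync mailbox policy can also express
    passcodeRequired                      = $true
    passcodeBlockSimple                   = $true
    passcodeRequiredType                  = 'alphanumeric'
    passcodeMinimumLength                 = 6
    passcodeMinutesOfInactivityBeforeLock = 15

    # Settings it cannot: these need the device itself enrolled, not just a mailbox
    osMinimumVersion               = '12.0'
    securityBlockJailbrokenDevices = $true
    managedEmailProfileRequired    = $true

    # A compliance policy must carry at least one action (assumed shape). Here a
    # device that fails the rule is marked non-compliant and blocked after 24 hours.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 24 }
            )
        }
    )
}

$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
$created = Invoke-MgGraphRequest -Method POST -Uri $uri -ContentType 'application/json' `
    -Body ($policy | ConvertTo-Json -Depth 6)

# A policy does nothing until it is assigned. Target a group of enrolled users or devices;
# '<group-object-id>' is a placeholder for your own group's object id.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '<group-object-id>' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$uri/$($created.id)/assign" -ContentType 'application/json' `
    -Body ($assignment | ConvertTo-Json -Depth 6)
```

The first group of settings is roughly what an ActiveSync mailbox policy can already enforce. The second group (minimum OS version, jailbreak detection, requiring the mail profile to be the managed one) is only possible because Intune is talking to the enrolled device rather than to a mail client, which is the point of the comparison above.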
For devices that Intune MDM does not support, Exchange ActiveSync is the only option short of buying a third-party product. Some platforms are not supported by Intune, e.g. BlackBerry OS or Windows Phone 6 and 7, but relying on ActiveSync mailbox policies for them does not leave gaping holes in your network. When a device cannot apply a given policy it is usually because of the device's own limitations rather than Exchange: Windows Phone 7, for instance, has no removable storage card slot, so the "Allow Removable Storage" policy is simply redundant for it.
Some devices support more ActiveSync policies than others, so administrators can create a policy for each type of device: an iPhone policy, a Windows Phone policy, an Android policy and a BlackBerry policy. There is no automatic assignment, though; a policy has to be assigned manually to the user's mailbox, which means checking what each user actually synchronises with before you assign one.
Exchange and Intune serve very similar device audiences. One restriction of Intune MDM is that BlackBerry is not supported, while Intune does support Windows PCs, which ActiveSync does not. Similar limitations apply to the device policies themselves: which features can be enforced depends on the operating system, for both Exchange ActiveSync and Intune MDM.
Within Exchange ActiveSync only specific clients are fully supported: the native iOS Mail app, the Android email client and Windows Phone mail. Microsoft Outlook for Android and iOS will connect your email, contacts and calendar, but it does not fully support the security features that Exchange ActiveSync policies offer, so a mailbox you believe is protected by a policy may be synchronised by a client that does not honour all of it.
As you can see, Exchange ActiveSync policies do a good job of providing basic mobile device security, but Exchange is far from a complete MDM solution. If you need a more advanced, in-depth solution, or a way of deploying and managing software on the devices, then MDM is the way to go.
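The per-platform policies and manual mailbox assignment described above, together with the client caveat, as an added example that is not code from the original article. It runs in the Exchange Management Shell (Exchange 2013 or later) or Exchange Online PowerShell. The policy names, the settings chosen, the `DeviceOS` prefixes used to pick a policy and the decision to quarantine rather than block Outlook mobile are assumptions for illustration.

```powershell
# Added example, not part of the original article: per-platform mobile device
# mailbox policies in Exchange (2013 or later / Exchange Online PowerShell),
# assigned by hand and then verified. Policy names, the DeviceOS prefixes and
# the settings themselves are assumptions for illustration.

# Settings shared by every platform. AllowNonProvisionableDevices $false refuses
# devices that cannot apply the policy instead of letting them sync unmanaged.
$baseline = @{
    PasswordEnabled              = $true
    AllowSimplePassword          = $false
    AlphanumericPasswordRequired = $true
    MinPasswordLength            = 6
    MaxInactivityTimeLock        = '00:15:00'
    MaxPasswordFailedAttempts    = 10
    PasswordHistory              = 4
    RequireDeviceEncryption      = $true
    AllowNonProvisionableDevices = $false
}

# One policy per platform, so a setting a platform cannot honour is not applied to it.
New-MobileDeviceMailboxPolicy -Name 'iPhone Policy'        @baseline -AllowStorageCard $false
New-MobileDeviceMailboxPolicy -Name 'Android Policy'       @baseline -AllowStorageCard $false -RequireStorageCardEncryption $true
New-MobileDeviceMailboxPolicy -Name 'Windows Phone Policy' @baseline   # no storage card setting: the platform has no slot

# The policy is tied to the mailbox, so the only way to pick the right one is to
# look at what each mailbox actually synchronises with, then assign it explicitly.
# DeviceOS strings vary by vendor (assumed prefixes); anything unmapped is reported.
function Get-PolicyForDevice {
    param([string]$DeviceOS)
    switch -Wildcard ($DeviceOS) {
        'iOS*'           { 'iPhone Policy' }
        'Android*'       { 'Android Policy' }
        'Windows Phone*' { 'Windows Phone Policy' }
        default          { $null }
    }
}

$mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter "HasActiveSyncDevicePartnership -eq 'True'"
foreach ($mbx in $mailboxes) {
    $devices  = Get-MobileDevice -Mailbox $mbx.Identity
    $policies = @($devices | ForEach-Object { Get-PolicyForDevice $_.DeviceOS } | Where-Object { $_ } | Sort-Object -Unique)
    if ($policies.Count -ne 1) {
        # No match, or one mailbox syncing to several platforms: a human has to choose.
        Write-Warning "$($mbx.Identity): devices [$($devices.DeviceOS -join ', ')] do not map to a single policy; assign by hand"
        continue
    }
    Set-CASMailbox -Identity $mbx.Identity -ActiveSyncMailboxPolicy $policies[0]
}

# Verify: the policy only takes effect once the device has synced and accepted it,
# so check DevicePolicyApplied / DevicePolicyApplicationStatus rather than assuming.
Get-CASMailbox -ResultSize Unlimited -Filter "HasActiveSyncDevicePartnership -eq 'True'" |
    ForEach-Object { Get-MobileDeviceStatistics -Mailbox $_.Identity } |
    Select-Object DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync |
    Format-Table -AutoSize

# Outlook for iOS/Android does not honour every ActiveSync policy setting. Quarantine it
# so an administrator sees such devices before they sync rather than assuming the policy holds.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString 'Outlook for iOS and Android' -AccessLevel Quarantine
```

The warning path matters more than the happy path: because the mapping is done by hand, a mailbox whose user syncs from both an iPhone and an Android device, or from a client whose `DeviceOS` string you did not anticipate, is exactly the one that ends up with no policy if the script silently picks one. The final verification table shows which devices have actually applied the policy and which are still pending or reporting an error.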