All of the business-oriented versions of Office 365 support simple Exchange ActiveSync (EAS)-based mobile device management capabilities, helping ensure that the devices that connect to your corporate resources are secure. Only the granularity of control varies between the small business and enterprise versions of Office 365.
Exchange ActiveSync (EAS) is a de facto corporate standard for synchronizing some combination of email, contacts, calendar, tasks, and/or notes from an Exchange or Exchange-like server with a mobile device such as a smart phone or tablet. I previously wrote about connecting various mobile clients—Windows Phone, Windows 8/RT, iOS (iPhone, iPad) and Android—to Office 365 using the EAS protocol in a series of articles.
EAS also provides basic mobile device management capabilities that are delivered via a series of policies at the time the user connects their account to the device. Unfortunately, support for these policies varies from device to device (or, more appropriately, from mobile platform version to mobile platform version), so a good understanding of which policies work with which devices is a must. Microsoft provides a decent guide to how this works across mobile platforms in its online help for Office 365.
Here, what I’d like to focus on which policies are available through Office 365 for small businesses (Small Business and Small Business Premium) as well as Office 365 for enterprises. The interfaces, and available policies, differ a bit between each.
To find the EAS management interface in Office 365 Small Business (and SBP), sign-in to the web interface as an administrator and navigate to Admin and then Email, Calendar and Contacts (under Service Settings). Then, choose Mobile Access and click the Device Security Settings link.
For the enterprise versions of Office 365, sign-in to the web interface as an administrator and navigate to Admin, Exchange, Mobile, Mobile Device Mailbox Policies and then edit the Default policy or create a new policy. The pop-up window that appears has two pages, General and Security.
All versions of Office 365 offer the following mobile device management capabilities:
Require a password. When this option is enabled, the following capabilities are made available.
Allow simple passwords. When enabled, the user can use a four-digit PIN as a password.
Require a minimum password length. If enabled, you can specify a minimum length of 2 to 16 characters (on Small Business) or an arbitrary length (on Enterprise).
Wipe the device after x number of failed password attempts. If enabled, the device can be remotely wiped after the specified number of failed password attempts (4 to 16 on Small Business, any number on Enterprise).
Lock the phone and require user to sign in if the device isn’t used for x minutes. If enabled, can be set to 1 to 60 minutes.
As noted earlier, the enterprise versions of Office 365 offer additional capabilities. In addition to being able to allow devices that don’t fully meet your policy requirements to still connect, these versions of Office 365 also offer the following additional policies:
Require an alphanumeric password. When enabled, the password must include both letters and numbers and can be configured to require 1 to 4 character sets, which include lowercase letters, uppercase letters, numbers, and symbols.
Require encryption on device. When enabled, the device must be encrypted before it can connect to EAS resources.
Enforce password lifetime (days). Use this option to force users to change their password every x number of days, where x can be any number. A related password recycle count can be used to ensure that users don’t cycle between the same two or more passwords as well.
The nice thing about EAS policies is that they can be changed on the fly. Any new requirements will be broadcast to the device on the next connection and the user will be prompted, when needed, to make a required change. For example, just enabling EAS controls and requiring a password will require users who don’t have device passwords to add one before they can connect to their corporate resources again. (And of course any new device connections will need to meet the same requirements.)
Here’s how this looks in Windows Phone 8.
You can expand on the management capabilities in EAS by using related device management services such as Windows Intune. I’ll be looking more at Intune in the near future.