Last week at Microsoft Management Summit, Brad Anderson said in the keynote that Microsoft’s approach to controlling personal iOS and Android devices is through the abilities built into Exchange ActiveSync (EAS). This brought to mind the question of whether EAS is good enough or if a full-fledged mobile device management (MDM) solution is needed. Compared to MDM, EAS lacks many capabilities. Some organizations might be okay with this, while others will find it completely unacceptable. Let’s look at the difference between EAS and MDM, and where either solution would satisfy a company’s security needs.
Exchange ActiveSync is a protocol that’s used to communicate between mobile device email clients and Microsoft Exchange Server. It supports many different device management features and policies—the most important being password requirements, encryption, remote wiping, and reporting device information. While EAS works well in a lot of cases, it has some drawbacks. For example, not all devices support all of the settings. On iOS devices, EAS can do slightly more advanced things beyond those basic features, like disabling the browser or camera. Check out this page at help.apple.com for a full list of EAS features supported by iOS. Android is similar, but unfortunately it’s always a little bit more difficult to know what’s supported with so many different device configurations floating around. The basic difference is that Android does not allow disabling the browser.
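As an added example (not from the original post), here is how those EAS features are actually turned on from the Exchange 2010 Management Shell: a policy covering password, encryption, and the camera/browser switches, assignment to a mailbox, the device report, and a remote wipe. The policy name, mailbox address and device name are placeholders; later Exchange versions renamed the policy cmdlets (for example New-MobileDeviceMailboxPolicy in Exchange 2013), so check the cmdlet names for your version.

```powershell
# Added example, not part of the original post. Exchange 2010 Management Shell.
# "BYOD-Baseline", jane.doe@example.com and "Jane's iPhone" are placeholders.

# 1. Create a policy that enforces the basics the post lists: password rules,
#    device encryption, and (iOS only) disabling camera and browser.
#    AllowNonProvisionableDevices $false refuses devices that cannot
#    acknowledge and enforce the policy instead of silently letting them sync.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AllowCamera $false `
    -AllowBrowser $false

# 2. Assign the policy to a user's mailbox.
Set-CASMailbox -Identity "jane.doe@example.com" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Reporting: which devices have synced with that mailbox, what OS they run,
#    and whether each one has actually applied the policy. This is the check
#    that matters, since not every device supports every setting.
Get-ActiveSyncDeviceStatistics -Mailbox "jane.doe@example.com" |
    Select-Object DeviceFriendlyName, DeviceType, DeviceOS,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync

# 4. Remote wipe of one lost device, looked up by its friendly name from step 3.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jane.doe@example.com" |
    Where-Object { $_.DeviceFriendlyName -eq "Jane's iPhone" }
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

The DevicePolicyApplicationStatus column in step 3 is worth watching: a device that reports the policy as not applied is exactly the case the post warns about, where a setting the server pushes is one the client does not support.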
Full MDM goes beyond the capabilities of EAS with a slew of features, but the one that we care about here is the ability to view and block apps on the device. (By the way, for iOS devices, one great way to explore MDM capabilities and test out configurations is through the iPhone Configuration Utility (Mac | Windows). All MDM solutions use the same set of APIs provided by Apple, while more advanced features come through having an agent application on the device.)
So why should we care about what apps are on a device?
The answer is because built-in email clients can share contacts with other applications. EAS is completely blind to the applications on a device, leaving administrators with no way of knowing if sensitive contact information is being siphoned off.
MDM gives administrators visibility and control over the applications installed on a device—it’s possible to blacklist and whitelist apps, but this can be very difficult. If you’re too permissive, you run the risk that an unsavory app will siphon out all the user’s contacts. If you’re too restrictive, you’ll annoy users and drain productivity. On top of that, some apps actually need to access a user’s contacts, and then you’ll have to decide whether they’re legit or not.
There are many ways to solve the contact stealing problem. Some vendors actually replace the built-in email client with their own more tightly sealed app, making it difficult for other apps to steal contacts.
EAS or MDM?
EAS has a lot going for it: it’s free (assuming you’re already using Exchange, all you have to do is turn on the features you want), it lets you control the basics, and it works with a ton of different mobile device platforms. If you want to do anything more complicated, though, you’ll have to turn to a third-party solution.