You've probably seen the fancy Exchange Server 2010 Architecture Poster put out by the Microsoft Exchange Server team last October and which you can download from the Exchange Team Blog. Many admins have wondered how to get a printed copy of the poster. Well, Windows IT Pro subscribers will be receiving a full-size, full-color reproduction of the poster with the March 2011 print magazine, courtesy of the Exchange team.
I've recently had the opportunity to talk with several members of the Exchange team to get a deeper technical understanding of some of the features represented on the poster, and I'll be presenting those interviews for you here. First up is Adam Glick, a senior product manager on the Exchange team, who spoke with me about the role of Exchange ActiveSync (EAS) and other techniques in Exchange for controlling smartphones and other mobile device connections.
BKW: To start with, can you just give us a good, basic definition of EAS—what it is and what it does?
Adam: Exchange ActiveSync is a protocol for syncing your email and PIM information. That's kind of the easy, succinct way to put it. What that really means is that you get—we called it AUTD, Always Up-To-Date—that's what we called the feature when we rolled it out. That was in the Exchange 2003 SP2 timeframe.
When people were taking their phones and trying to connect to email servers, they were using things like POP or IMAP, which are polling technologies. So their phone, every 15 minutes or 30 minutes, whatever they set it to, would go and grab that information. And we've changed that by making the ability for the server to just send the mail to the phone directly when it's there, and that connection can be maintained. So the way that ActiveSync does that is by using the technology in the modern version of ActiveSync called a hanging sync. What it does is there's actually some intelligence that says, "How long can you keep a connection open before it gets shut down by a firewall, by the carrier, by the device?" So basically it tests it, and then it sets the time that it will wait to keep the connection open to that time. So it figures it out and whatever that timeframe is—let's say it will keep the connection open for 30 minutes before it closes it off and drops the connection—so at 29 minutes, it will basically send a ping and say, "Hey, I'm still here," and reset that clock.
It always keeps the connection open without really using any data across that line. Because that connection is open, it's able to send messages across. So as soon as the email server gets an email or a calendar invite or an update to a contact, those are immediately sent out to the Exchange ActiveSync device. So that was a novel way to make sure that you had real-time email and PIM capabilities while making sure that you weren't constantly using data or making users wait 15 minutes to get that information.
The pieces that go beyond email are the ones that really separate it from POP and IMAP, which have no email or contacts capabilities. In the modern versions of ActiveSync, you also have Tasks and Notes, and then obviously additional metadata things like marking something as high importance or putting IRM [Information Rights Management] protection on a message. All these are things that are unique to Exchange ActiveSync and not available in other mail-linking protocols that people tend to use. That's kind of a fast overview of Exchange ActiveSync, why people use it, and what the value is, technically speaking.
In terms of market space, people use it because it's an openly licensed standard. If you buy any smartphone that's on the market, there's an Exchange ActiveSync solution for it, and in most cases that Exchange ActiveSync solution is built in. So if you go down to AT&T, or T-Mobile, or Vodafone for that matter, and you take a look at their smartphones, the only ones you'll find that don't have it built in are in most cases the BlackBerrys, which have two third-party solutions that are available, and obviously BlackBerry has its own solution that they provide users [BlackBerry Enterprise Server—BES].
So it's a fairly universal standard. For IT pros, it also provides additional benefits that other mail-syncing standards don't provide around policy control. We've talked before about the ability to block and limit what comes into an enterprise, but policy control is about controlling the devices that you choose to allow into your organization. These policies cover everything from ensuring that people use a PIN, how long that PIN is, how complex it is—is it just numbers or is it numbers and letters? Is there encryption enforced on the device? Is it the main memory, is it a storage card, if storage cards are allowed? Do you allow certain other functionality on the device—for instance, can you Bluetooth tether to the device? Can you use the device to tether to a computer?
These are features that we built in based around the questions asked by IT pros who were concerned with people circumventing corporate networks. So when people ask, you know, what does tethering have to do with it, or what good is blocking Bluetooth, the reason was because there was concern from IT pros. We talked to them: "How are you worried about these phones when they come in your enterprise?" They said, "Well, I know how my network is protected. I've got my firewall. I've got my monitoring systems in place. But if someone takes one of these phones and tethers it to their work computer, all of a sudden they have a totally different channel that they can take information from that I have no eyes on." And so you have the ability, if you wanted to, to lock those things down—that's where a lot of these policy pieces came in.
Same thing with blocking cameras. For certain organizations, they wouldn't allow cameras in at all, and when camera phones started to get popular, it became a big concern. We said, hey, we can always put a policy on them. Phones can be connected, you're going to allow that device, but the camera doesn't work. You can effectively create that same outcome. Certain organizations want that, certain ones don't.
There are 52 policies in total. About 49 of them are exposed to users. The others are used by just the server itself. These policies are what IT pros told us were what they needed to secure their organizations. We think of organizations all the way from people who just let in everything, they don't care, to organizations that want to lock out stuff, that are very security-conscious. We talk to them about what they need. You don't hear it as much anymore—but there used to be a big debate around policies. People used to say, "I have so many policies—you've got 25, I've got 40. You've got 45, now I've got 65." So there was this kind of arms race about policy numbers. People didn't stop to ask which features are the ones the people actually need.
The way I usually communicate this to people is that policies are like pounds: More isn't always better, and you always want them in the right places. So we talked to our IT pros and said, where are the places that you needed, what are the things that you actually want? By doing that, we avoid some of the confusion with certain other organizations that would say, "We're just going to put in every policy under the sun." That actually became a confusion point for a lot of IT pros. So our goal was, let's make this simple for people to administer, powerful to give them the control they want, and free enough to let users make the decisions about what devices they wanted while protecting IT pro infrastructure. That's probably the quick overview of it all.
BKW: Within the last couple of years, there's been a real explosion of consumer-oriented devices, with users asking IT departments to support those devices. How is user choice of devices affecting what policies IT pros are asking for?