Supporting mobile email on multiple handsets
Mobile email is an important business tool. Delivering mail to users’ phones can help them work more productively, giving them access to the information they need, when they need it. And almost every phone claims to do push email these days, so why can’t you just make the customer’s existing mobiles work instead of specifying BlackBerrys or Windows Mobile devices?
Email on the move makes life easier for users, but mobile devices are hard to provision and hard to manage. It’s particularly hard to lock down and control what’s essentially a consumer device. Both Microsoft and Research in Motion have developed business-focused devices with related management tools, but if your users want email on other phones there are plenty of security risks associated with connecting a phone to their email system. A phone with even just a few days of email on it can reveal significant business information to anyone who finds it.
To keep risks to a minimum, you need to be able to lock down phones, forcing users to use passwords and PINs before they can access mail. Encrypted mail connections are also important, as messages are crossing the public Internet as well as operator networks.
Finally there needs to be some way of disabling and wiping lost and stolen devices. If this isn’t possible, then you need to educate your clients about the risks associated with mobile email.
Working with Nokia phones
Nokia phones are common, and they were among the first to offer data and email services, but many are consumer devices that are hard to manage and provision in bulk. Nokia’s purchase of Intellisync went some way to resolving this, because it’s a suite of tools you can use to manage more than just Nokia phones. However, Nokia’s Intellisync Mobile Suite is not a cheap option, and is best considered alongside high-end mobility management tools like Microsoft’s System Center Mobile Device Manager and HP’s Bitfone. You’re most likely to deploy these tools when working with clients who have large field service or field sales teams using mobile devices rather than laptops.
If you’re just delivering email to a Nokia phone, you can use the built-in POP3 and IMAP mail tools on most handsets. POP3 and IMAP connections are supported by nearly all mail servers, including Exchange, but without SSL or TLS connections they are insecure: credentials and messages cross the network in the clear.
There’s a better alternative in the shape of Nokia’s own Exchange ActiveSync application, Mail for Exchange, which runs on E-series phones. This connects directly to Exchange ActiveSync, so you can also manage the device using Exchange’s lock and wipe tools. While you can install Mail for Exchange on some N-series devices, these don’t have the horsepower to support many of the cryptography functions needed to secure mail connections – so they won’t receive mail unless you turn off device security on the server, which means you’ll want to recommend not using them.
Nokia’s E-series devices can connect directly to an Exchange server, using the same Exchange ActiveSync push mail services as Windows Mobile.
BlackBerry: secure by design
BlackBerrys aren’t the enterprise device of choice just because they do email well. They’re also easy to manage and control, with the right software. BlackBerry Enterprise Server (BES) is suitable for larger companies. It uses a direct connection to a corporate mail server (supporting Microsoft Exchange, Lotus Domino and Novell GroupWise) to deliver mail, contacts and calendars to a BlackBerry, sending it through Research in Motion’s secure data connections and data centres. If a BlackBerry is lost or stolen, the device can be remotely wiped the next time it connects to a network. The same tools can be used to re-initialise a company BlackBerry to pass on to a new user. Old BlackBerrys never die; they just get given to a more junior employee.
The latest versions of BES include a Web-based self-service portal, where users can register new devices themselves and connect them to the network. Each BlackBerry has a unique PIN linking it to a specific account and a specific BES – allowing the central RIM BlackBerry service to route messages and content to the right device, securely. All that’s needed to register a device is the PIN, and once it’s been submitted to BES, mail will synchronise, and the device can be managed remotely using the tools built into BES. You’ll be able to control email and applications – and even push content and services to devices.
BES requires its own server if you want to get the best results; don’t try to run it on the same machine as Exchange. You’ll also need to open the appropriate ports in firewalls to route messages to and from RIM’s servers, so mail gets through to your users wherever they are.
For most customers, RIM’s BlackBerry Professional Software Express is a better alternative. This is a simplified version of BES for the SME market, for up to 30 users. The software is free to download and comes with one free access licence; you have to buy additional licences to add further users. Unlike BES, the Professional Software can be installed on an existing mail server – and there’s an upgrade path to BES.
If users get their own BlackBerrys on a consumer tariff rather than a business account they’ll use BIS, the BlackBerry Internet Service run by the mobile operator, to collect mail from POP3 and IMAP accounts. If you’re using Outlook Web Access to provide remote access to mail, you can use BIS to connect to this over HTTPS connections, rather than opening up less secure IMAP and POP3 ports. OWA connections to BIS also give the closest approximation to true push email – though there’s no folder-level access, just the contents of the user’s Exchange inbox, and not all mobile operators support Exchange 2007 OWA yet. Some aspects of consumer BlackBerrys can be managed remotely if you take over the user’s BIS accounts, and don’t give them access to service passwords. If a device gets lost, you won’t be able to remote erase it – but you will at least be able to turn off all email delivery. BIS can also be used to switch user accounts between devices.
It’s usually better to take control of consumer BlackBerry devices with RIM’s new Unite software, a free download that can manage up to five BlackBerry smartphones – giving them controlled access to POP3 and IMAP mail accounts, as well as shared calendars and contacts. You can use Unite to push mail from an Exchange server to a BlackBerry without using BES, as well as managing devices. Newer BlackBerry devices with media cards can download and view files from folders on the office network. Unite will produce usage reports and lets you deactivate lost or stolen devices. You need to install it on a PC that will be on all the time, but it currently works only on Windows XP and Vista, not Windows Server. This gives you a local Web server that handles basic user registration and phone administration, and you can carry out other administration tasks from a BlackBerry that’s managed by Unite.
If BlackBerry Enterprise Server isn’t on the agenda, the consumer BlackBerry Internet Server service provided by operators like T-Mobile is an acceptable alternative for controlling access to corporate email servers.
BIS lets you migrate BlackBerry service between devices, so you can quickly deploy a replacement BlackBerry in the event of loss or hardware failure.
You can finally think of the iPhone as a business device, at least in some ways. The 3G version brings a major software upgrade that adds enterprise functionality to original 2G iPhones as well. Along with support for Cisco VPNs, Apple also enables connecting an iPhone to an Exchange server using the same ActiveSync protocols as Windows Mobile. Users can still use IMAP and POP3 mail, as well as Gmail or Yahoo!’s mail service, but connecting to Exchange gives you much more control over their devices.
Configuring an iPhone to work with your mail server is relatively easy – all your users need to do is fill in the appropriate server names and passwords to make a connection. Exchange connections can be simplified using the Outlook Anywhere autodiscovery tools introduced with Exchange 2007. But things get more complex if you’re running a more secure environment than a simple SSL-protected ActiveSync connection. Adding a client-side certificate to an iPhone isn’t easy through the standard user interface – and it’s hard to see the average user filling in the L2TP configuration details of a VPN connection, so you’ll need to make a site visit.
Printing and distributing, or even emailing, the information needed to securely set up an iPhone can be a security risk, so Apple has provided a simple tool to help distribute pre-configured profiles to users. Available as a Web-based tool for Windows and OS X machines, as well as an OS X desktop application, Apple’s iPhone configuration tool is designed to give system administrators a single place to build and deploy device profiles. Download it from www.apple.com/support/iphone/enterprise/.
If you’ve got access to a recent Macintosh, then you’ll find the OS X desktop application the most efficient way of configuring iPhones for the networks you manage. To provision a device, connect it to the Macintosh before delivering any one of a library of profiles – as well as any applications you’ve developed for your clients. Both the desktop and Web tools are able to deliver client-side certificates to users’ iPhones as part of the profile set-up process.
The Web-based configuration tool installs on any Mac or PC as a Web service (written in Ruby) on port 3000. Connect a browser to this port to fill out forms with the details needed to configure iPhones for your networks. The resulting profiles can be saved locally, so you can assign different profiles to different classes of users, or deliver replacement profiles if a setting has been changed.
Profiles can be distributed by email directly to devices – if you’re changing the profile currently in use – or saved as .mobileconfig files on the Web, where users can download them to their iPhone. If you’re using Exchange, once connected an iPhone will use the existing Exchange ActiveSync device policies, and can be managed directly from Exchange’s management tools.
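The profiles described above are property lists. The following is an added example, not Apple’s configuration tool and not code from the article: it builds an unsigned .mobileconfig in Python containing a passcode policy and an SSL-only Exchange ActiveSync account, then parses it back to check the settings that matter for a lost phone. The payload types `com.apple.mobiledevice.passwordpolicy` and `com.apple.eas.account` and their keys are Apple’s documented payload identifiers; the organisation prefix, host name, account names and the policy values are constructed placeholders.

```python
"""Build and check an iPhone configuration profile (.mobileconfig).

Added example, not Apple's tool and not code from the article. Payload
types and keys are Apple's documented ones; every value below (prefix,
host, users, thresholds) is a constructed placeholder.
"""
import plistlib
import uuid
from typing import Optional

ORG_PREFIX = "com.example.mdm"       # constructed
EXCHANGE_HOST = "mail.example.com"   # constructed


def passcode_payload() -> dict:
    """Passcode policy: force a PIN, lock on inactivity, wipe after failures."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,
        "allowSimple": False,        # no 1234 / repeated digits
        "minLength": 6,
        "maxInactivity": 5,          # minutes before the device locks
        "maxFailedAttempts": 10,     # device wipes itself after this many failures
    }


def exchange_payload(email: str, username: str,
                     cert_uuid: Optional[str] = None) -> dict:
    """Exchange ActiveSync account over SSL, optionally tied to a client certificate."""
    payload = {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.exchange",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Exchange",
        "EmailAddress": email,
        "Host": EXCHANGE_HOST,
        "UserName": username,
        "SSL": True,                 # never let the account fall back to plain HTTP
    }
    if cert_uuid:
        # Refers to a certificate payload delivered in the same profile.
        payload["PayloadCertificateUUID"] = cert_uuid
    return payload


def build_profile(email: str, username: str) -> bytes:
    """Return the XML plist bytes of a complete, unsigned .mobileconfig."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example corporate mail profile",
        "PayloadOrganization": "Example Ltd",   # constructed
        "PayloadRemovalDisallowed": True,       # user cannot strip the policy off
        "PayloadContent": [passcode_payload(), exchange_payload(email, username)],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(data: bytes) -> dict:
    """Parse a profile and summarise the settings that matter if the phone is lost."""
    profile = plistlib.loads(data)
    payloads = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    pw = payloads.get("com.apple.mobiledevice.passwordpolicy", {})
    eas = payloads.get("com.apple.eas.account", {})
    return {
        "payload_types": sorted(payloads),
        "force_pin": bool(pw.get("forcePIN")),
        "min_length": pw.get("minLength", 0),
        "ssl": bool(eas.get("SSL")),
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed")),
    }


if __name__ == "__main__":
    data = build_profile("alice@example.com", "EXAMPLE\\alice")   # constructed user
    with open("example.mobileconfig", "wb") as fh:
        fh.write(data)
    print(check_profile(data))
```

The resulting file can be served from a Web server or mailed to the device as the article describes; a profile built this way is unsigned, so the phone will show it as unverified until you sign it with a certificate the device trusts.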
The iPhone software upgrade is also available for the iPod Touch, a device that’s as much a small tablet computer as an MP3 and video player. Don’t be surprised to see users with Wi-Fi connections at home asking to use their iPod for corporate email – it’s ideal for checking mail from hotspots, and can be controlled using the same profiles as the iPhone.
Setting up Exchange Mail for a managed-iPhone is as simple as filling out a Web form with the server details. Your users will add their account details themselves.
Consumer phones do mail too
Smartphones aren’t the only email-capable handsets in the market. Top-end feature phones can retrieve email through POP3 and IMAP. Some devices, like LG’s Viewty or the upcoming second version of 3’s Skypephone, approach smartphone levels of functionality. There’s little scope for direct device management though, so you’re going to have to trust that any mail services used are handled responsibly by your users.
Technically-aware users may already be using services like Gmail to scrape your mail server and deliver messages to their phone via POP3. You can stop this on a customer’s mail server by blocking access from Gmail’s IP addresses. They’re difficult to find and there’s a guide to tracking them down on the itexpert Web site, or you may prefer to lock down everything except approved IP addresses and services, and have Exchange log all mail accesses for all protocols.
You can use client certificates to control which handsets connect using ActiveSync, and if you don’t expose POP3 and IMAP no other device can connect. Even then, watch out for users auto-forwarding all messages to other mail accounts that they can see on their phones.
The problem here is that users who have become used to mobile email will want direct access. Take the time to discuss the issues and implications of uncontrolled mobile email access with your clients’ management teams, and to develop a mobile access policy.
Be clear about the implications of data loss from using unmanaged devices. Not only are possibly sensitive messages stored on the phone, but POP3 and IMAP configurations may reveal usernames and passwords that can be used to compromise the network. If an unmanaged device is being used, it needs to be accounted for at all times – and policies need to be managed by people rather than servers. If you choose to run POP3 or IMAP mail services for consumer devices, be sure to analyse logs regularly to make sure that there are no unauthorised accesses as a result of password leaks.
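Locking POP3 and IMAP down to approved addresses and reviewing the logs for password leaks, as the two passages above advise, is easy to automate. The following is an added example, not code from the article or from Exchange: it reads access log lines, checks successful logins against an allowlist of networks, flags addresses with repeated authentication failures, and picks out accounts that were used both from an approved address and from an unapproved one, which is the pattern a leaked password produces. The log layout (timestamp, protocol, user, client IP, outcome), the approved networks and the sample lines are all constructed; adapt the regular expression to the protocol log your server actually writes.

```python
"""Review POP3/IMAP access logs against a mobile access policy.

Added example, not from the article or from Exchange. The log format,
the approved networks and the sample lines are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed policy: only these networks may talk POP3/IMAP to the server.
APPROVED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),      # office LAN / VPN (placeholder)
    ipaddress.ip_network("198.51.100.0/24"),   # operator mail gateway (placeholder)
]
MAX_FAILED_PER_IP = 3   # auth failures from one address before it is flagged

# Constructed sample log: alice's credentials are used from the office and
# from an outside address; carol's account is being guessed at from outside.
SAMPLE_LOG = """\
2008-07-14T08:01:12Z IMAP alice 192.0.2.15 OK
2008-07-14T08:03:40Z POP3 bob 198.51.100.7 OK
2008-07-14T08:05:02Z POP3 alice 203.0.113.44 OK
2008-07-14T08:05:09Z IMAP carol 203.0.113.44 FAIL
2008-07-14T08:05:11Z IMAP carol 203.0.113.44 FAIL
2008-07-14T08:05:13Z IMAP carol 203.0.113.44 FAIL
2008-07-14T08:05:15Z IMAP carol 203.0.113.44 FAIL
2008-07-14T09:10:00Z IMAP bob 192.0.2.20 OK
"""

# Constructed line layout: <timestamp> <POP3|IMAP> <user> <client ip> <OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>POP3|IMAP)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        try:
            rec["ip"] = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        yield rec


def is_approved(ip):
    """True if the client address falls inside an approved network."""
    return any(ip in net for net in APPROVED_NETWORKS)


def review(text):
    """Return the findings a regular log review should raise."""
    unapproved = []                      # successful logins from outside the policy
    failures = defaultdict(int)          # ip -> failed authentications
    seen_from = defaultdict(set)         # user -> {"approved", "unapproved"}
    for rec in parse_log(text):
        ip = rec["ip"]
        if rec["result"] == "FAIL":
            failures[ip] += 1
            continue
        approved = is_approved(ip)
        seen_from[rec["user"]].add("approved" if approved else "unapproved")
        if not approved:
            unapproved.append((rec["user"], rec["proto"], str(ip)))
    suspicious_ips = sorted(str(ip) for ip, n in failures.items() if n >= MAX_FAILED_PER_IP)
    # An account used from both inside and outside the policy is the classic
    # sign that its password is now in more than one place.
    leaked = sorted(u for u, places in seen_from.items() if len(places) == 2)
    return {
        "unapproved_logins": unapproved,
        "suspicious_ips": suspicious_ips,
        "possible_leaked_accounts": leaked,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against real logs, the `unapproved_logins` list is also the quickest way to find users who have pointed Gmail or another collector at the server before you block it at the firewall; the `possible_leaked_accounts` list is the one that should trigger a password reset.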
The business needs to make the risks clear to users. Point out the value of the data on their phones, and the effect on the company if the phone were lost. If mobile email is essential, then issue them with a supported, managed device. If it isn’t, then make it a policy that unauthorised access to email resources is a disciplinary offence.
The risks to your clients’ businesses are that high.
You can manage non-Windows Mobile devices with Exchange ActiveSync support directly from the mail server, using Exchange’s built-in tools.