Connecting a Windows Phone 7 to Exchange 2010 SP1
With the recent availability of Windows Phone 7, you may have several users (including you) who want to connect it to your Exchange 2010 mail system. Some may even have already tried it! But in order to successfully connect the new Windows Phone 7 (WP7) to Exchange 2010, there are several steps you should follow:
- Have the device trust the Certification Authority of your organization.
- Connect the device to your Exchange system.
- What ActiveSync policies are supported by Windows Phone 7?
- Deploying and monitoring a pilot before going mainstream.
Before we proceed with the configuration steps, keep in mind that Windows Phone 7 has been designed for general consumer use, and some of the corporate features of Exchange 2010 may not be applicable in this scenario.
Make the device trust the Certification Authority
When you install Exchange 2010, the system uses by default a self-signed certificate to secure client communications (Outlook Web App, Outlook Anywhere or ActiveSync/EAS). It is a best practice to publish those services on the Internet with a certificate issued either by your own internal certification authority or by a public certification authority. In both cases, the client that connects to the server has to trust the authority that issued this certificate.
By default Windows Phone 7 trusts root CAs from the following authorities: AOL, Comodo, DigiCert, GlobalSign, Keynectics, Quovadis, RSA Security, SECOM Trust Systems, TWCA, TrustCenter, Trustwave and Verisign. This list is valid at launch but may change over time. If you publish your client web services on the Internet with a certificate that comes from one of those authorities, it will be automatically trusted by Windows Phone 7 and you can proceed to the next section of this article.
The full list of root CAs trusted by default is available for download here: https://download.microsoft.com/download/9/3/5/93565816-AD4E-4448-B49B-457D07ABB991/Windows%20Phone%207%20Root%20Certificates_FINAL_121610.pdf
If, however, like most customers you use a certificate that has been issued by your own authority, you'll have to add the root CA of this authority to the list of trusted certification authorities on your device. One way to do so is to send the CA certificate to a public email address (like Hotmail) and synchronize this mailbox with your device.
The other option is to connect your Windows Phone 7 to the Wi-Fi of your corporate network and browse to the web server of your certification authority, as shown below:
Tap on the "Download a CA certificate, Certificate Chain, or CRL"
Tap on "Download CA certificate chain" and validate the installation of the root CA:
Now that we have installed the root CA of our environment on the device, we can connect it to our Exchange 2010.
Connect the device to your Exchange 2010 system
This step is rather simple and will walk you through the initial configuration of your Exchange account on WP7.
You have to go to the settings of your device, then "email & accounts".
Select "add an account" and choose "Outlook".
One of the great things about Windows Phone 7 is the ability to have several Exchange accounts on your device! This means, for example, that you can have a personal account on Exchange 2010 and a shared mailbox or another mailbox on a different Exchange system … maybe in Office 365. You can also synchronize your private account on your phone, whether it is on Hotmail, Gmail or Yahoo! Mail. They can all be accessed on your device!
If Exchange is correctly configured for Autodiscover, the only information you should need to enter is your email address and password. If not, you'll have to enter additional information such as the domain and server name.
Be patient: the initial synchronization may take some time, after which you'll see the emails in your inbox.
This works well in a new, clean Exchange 2010 environment. However, in most cases your messaging system is not a clean installation and you may already have configured some ActiveSync policies. Those existing policies may conflict with the capabilities of Windows Phone 7.
What ActiveSync policies are supported by Windows Phone 7?
Because Windows Phone 7 is targeting the general public, there are several configurations that are not supported and will prevent your device from synchronizing with Exchange 2010 SP1. If you are in a situation where a policy conflicts with the capabilities of Windows Phone 7, you'll see the following message on your device when synchronizing:
Outlook error
<your_server> requires that certain security policies be enforced before you can sync your information. Contact a support person or your service provider.
Last tried xx seconds ago
Error code: 86000C2B
This error code indicates that the ActiveSync policy tries to enforce a feature that WP7 does not support. If you need more information about this error: https://support.microsoft.com/kb/2464593
For example, you'll experience this behavior if you ask the device to be encrypted as shown in the policy below:
If you only select the check box "Require encryption on device", the synchronization will fail. However, if you want to enforce this policy for the Windows Mobile 6.5 devices you have in your organization and still allow WP7 devices to connect, you have to select the option "Allow non-provisionable devices" as indicated below:
So at the end of the day, here is the list of policy settings (using the names recognized by the Exchange Management Shell) that are supported by Windows Phone 7 (WP7):
- DevicePasswordEnabled
- MinDevicePasswordLength
- MaxInactivityTimeDeviceLock
- MaxDevicePasswordFailedAttempts
- AllowSimpleDevicePassword
- DevicePasswordExpiration
- DevicePasswordHistory
- AllowStorageCard
- AllowIrDA
- AllowDesktopSync
- AllowRemoteDesktop
- AllowInternetSharing
If your EAS policy has any settings other than those listed above, you need to set the parameter AllowNonProvisionableDevices to $true in your PowerShell cmdlet.
Note: if a device has already been synchronized, changing the AllowNonProvisionableDevices setting will not affect the existing synchronization.
You can check the following TechNet articles for more information on this topic: https://technet.microsoft.com/en-us/library/bb123704.aspx and https://support.microsoft.com/kb/2464593
The list of supported features and unsupported features with Windows Phone 7 has been summarized here: https://social.technet.microsoft.com/wiki/contents/articles/exchange-activesync-considerations-when-using-windows-phone-7-clients.aspx
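Before turning on AllowNonProvisionableDevices blindly, it helps to know exactly which settings of an existing policy fall outside the WP7-supported list. The following script is an added example (not from the original article): it compares a policy against the "My WP7 Policy" baseline created later in this article (which only sets supported values, everything else at its default) and reports every non-supported setting that differs, then tells you whether WP7 devices will currently sync. It assumes the Exchange 2010 SP1 Management Shell; $PolicyName and "My WP7 Policy" are placeholders for your own policy names.

```powershell
# Added example, not part of the original article.
# Assumes the Exchange 2010 SP1 Management Shell and that the "My WP7 Policy"
# baseline from this article exists. $PolicyName is a placeholder.
param([string]$PolicyName = "Default")

# Settings the article lists as supported by WP7.
$wp7Supported = @(
    'DevicePasswordEnabled','MinDevicePasswordLength','MaxInactivityTimeDeviceLock',
    'MaxDevicePasswordFailedAttempts','AllowSimpleDevicePassword','DevicePasswordExpiration',
    'DevicePasswordHistory','AllowStorageCard','AllowIrDA','AllowDesktopSync',
    'AllowRemoteDesktop','AllowInternetSharing'
)
# Metadata properties that differ between any two policies and are not settings.
$skip = @('Identity','Name','Guid','Id','DistinguishedName','WhenChanged','WhenCreated',
          'WhenChangedUTC','WhenCreatedUTC','ObjectCategory','ObjectClass','ExchangeVersion',
          'IsDefaultPolicy','IsDefault','OrganizationId','OriginatingServer','ObjectState',
          'IsValid','AllowNonProvisionableDevices')

$policy    = Get-ActiveSyncMailboxPolicy -Identity $PolicyName
$reference = Get-ActiveSyncMailboxPolicy -Identity "My WP7 Policy"

# Any non-supported setting whose value differs from the baseline is one that
# WP7 cannot honour and that will trigger error 86000C2B unless the policy
# allows non-provisionable devices.
$conflicts = foreach ($p in $policy.PSObject.Properties) {
    if ($skip -contains $p.Name -or $wp7Supported -contains $p.Name) { continue }
    $refValue = $reference.$($p.Name)
    # Compare as strings so Unlimited/ByteQuantifiedSize values compare cleanly.
    if ("$($p.Value)" -ne "$refValue") {
        New-Object PSObject -Property @{ Setting = $p.Name; Value = $p.Value; WP7Baseline = $refValue }
    }
}

if ($conflicts) {
    Write-Output "Settings in '$PolicyName' that WP7 does not support:"
    $conflicts | Format-Table Setting, Value, WP7Baseline -AutoSize
    if ($policy.AllowNonProvisionableDevices) {
        Write-Output "AllowNonProvisionableDevices is True: WP7 devices sync, but these settings are not enforced on them."
    } else {
        Write-Output "AllowNonProvisionableDevices is False: WP7 devices will fail with error 86000C2B."
        Write-Output "To allow them: Set-ActiveSyncMailboxPolicy -Identity '$PolicyName' -AllowNonProvisionableDevices `$true"
    }
} else {
    Write-Output "'$PolicyName' only uses WP7-supported settings."
}
```

Remember the note above: devices that already synchronized are not affected by a later change to AllowNonProvisionableDevices, so re-check blocked devices after the policy change.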
Deploying a pilot before going mainstream and monitoring the deployment
Before you deploy a large number of Windows Phone 7 devices, you will likely want to test your settings on a small number of lucky users (hopefully you as well).
The least impactful way of doing a pilot is to:
- Create a separate ActiveSync policy
- Apply this policy to the pilot users
To create a policy that matches the WP7 criteria, you can use the following PowerShell cmdlet and change the values you want; it has only the settings supported by WP7:
New-ActiveSyncMailboxPolicy -Name "My WP7 Policy" -AllowNonProvisionableDevices $false -DevicePasswordEnabled $false -MinDevicePasswordLength $null -MaxInactivityTimeDeviceLock unlimited -MaxDevicePasswordFailedAttempts unlimited -AllowSimpleDevicePassword $true -DevicePasswordExpiration unlimited -DevicePasswordHistory 0 -AllowStorageCard $true -AllowIrDA $true -AllowDesktopSync $true -AllowRemoteDesktop $true -AllowInternetSharing $true
To apply this policy to a specific user you need to use the following cmdlet.
Set-CASMailbox -Identity <user_alias> -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy "My WP7 Policy"
You'll find more information about Exchange 2010 SP1 ActiveSync policies in the following TechNet article: https://technet.microsoft.com/en-us/library/bb123994.aspx
Monitoring from the administrator perspective:
Now it is time to monitor the behavior of your pilot users' devices! With Exchange 2010 SP1, you can first verify whether your users are actually using their new devices and have connected them to their mailbox by using the following cmdlet:
Get-ActiveSyncDeviceStatistics -Mailbox <mailbox_alias>
The result on my demo environment is:
If you have several devices connected to a mailbox, you can verify the last time a synchronization occurred (LastSuccessSync), the OS version of the device (DeviceOS) or the user agent (DeviceUserAgent), which will give you a good indication of the behavior of the phone per user.
Now if you want to monitor from a more general perspective what happens with your deployment of WP7 in your enterprise, you can use the following cmdlet:
Get-ActiveSyncDevice -Filter {DeviceOS -like "*Windows Phone7.0"}
This cmdlet will return a list of all devices connected to your organization that appear to be running a version of Windows Phone 7. You can work on how to display the result of this cmdlet and identify the mailbox linked to any blocked device. Below is an example of this cmdlet executed in my demo environment:
Note that the field "DeviceAccessState" has the value "Blocked", which indicates that there is a policy that prevents this device from being synchronized with Exchange.
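One way to turn that raw list into a pilot report, as an added example that is not part of the original article: it keeps only the WP7 devices Exchange reports as Blocked and joins each one to its mailbox, the ActiveSync policy applied to that mailbox and the last successful sync, so a "Policy" access-state reason can be traced straight back to the policy that caused it. It assumes the Exchange 2010 SP1 Management Shell and that the device's UserDisplayName resolves as an identity for Get-CASMailbox in your forest.

```powershell
# Added example, not part of the original article.
# Assumes the Exchange 2010 SP1 Management Shell. The DeviceOS filter is the
# one used in the article; UserDisplayName resolving via Get-CASMailbox is an assumption.
$blocked = Get-ActiveSyncDevice -Filter {DeviceOS -like "*Windows Phone7.0"} |
    Where-Object { $_.DeviceAccessState -eq 'Blocked' }

$report = foreach ($device in $blocked) {
    # Resolve the mailbox owner so we can see which ActiveSync policy hit this device.
    $cas   = Get-CASMailbox -Identity $device.UserDisplayName -ErrorAction SilentlyContinue
    # Per-device statistics give the last successful sync (null if it never synced).
    $stats = Get-ActiveSyncDeviceStatistics -Identity $device.Identity -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        User            = $device.UserDisplayName
        DeviceId        = $device.DeviceId
        DeviceOS        = $device.DeviceOS
        UserAgent       = $device.DeviceUserAgent
        AccessState     = $device.DeviceAccessState
        # Reason is e.g. Policy, Global, Individual or DeviceRule (SP1 device access).
        Reason          = $device.DeviceAccessStateReason
        Policy          = $(if ($cas) { $cas.ActiveSyncMailboxPolicy } else { '(unresolved)' })
        LastSuccessSync = $(if ($stats) { $stats.LastSuccessSync } else { $null })
    }
}

# Blocked devices whose Reason is "Policy" are the ones to cross-check against
# the WP7-supported settings list and AllowNonProvisionableDevices.
$report | Sort-Object User | Format-Table User, DeviceId, Policy, Reason, LastSuccessSync -AutoSize
```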
Troubleshooting from the end-user perspective:
If the administrative work described above is not sufficient to prevent users from having synchronization issues, users can always start a logging session from Outlook Web App (OWA) and receive the logs in their mailbox, which they can forward to their support representative.
Enabling logging is performed in OWA as indicated below:
The generated log is a text file attached to an email delivered to the user's mailbox after the user goes back into the mobile phone settings in OWA and selects "Retrieve Log".
Summary
If you want to deploy Windows Phone 7 in your enterprise, keep in mind that:
- If you have not published your ActiveSync web service with a certificate that comes from a publicly trusted root CA, you have to add the root CA certificate on your device.
- For the pilot phase, create a specific ActiveSync policy for the pilot users.
- If you need to use ActiveSync settings that are not compatible with WP7, ensure you enable the "Allow non-provisionable devices" check box.
- Leverage the ActiveSync cmdlets that come with Exchange 2010 SP1 to monitor your deployment of Windows Phone 7 (WP7).
Happy deployment of Windows Phone 7 in your enterprise!
Comments
Anonymous
January 01, 2003
Hello, with Exchange 2010 it is still possible to enroll client certificates but you'll have to do a manual step. That is to say, use an MMC on a desktop to generate the request, export the cert manually and make it available either on a webpage or send it to an email address that is already connected.
Anonymous
December 06, 2010
With Exchange 2003 it was possible to enroll client certificates on the device with ActiveSync. What's the new procedure? This only talks about the server certificate for the CAS.
Anonymous