different activesync policies for different devices belonging to same user
- Hi,
Using SCMDM, I can specify whether a user can download emails and/or attachments to his mobile device. This is done by applying a user (not device) policy to that user.
I have a requirement such that a user has 2 mobile devices. PDA A is self-owned while PDA B is company-issued. The user is only supposed to sync calendar events and not emails to PDA A. But he can sync all emails, task, calendar to PDA B.
Given that a user would have only 1 MS Exchange mailbox and the ActiveSync policy is applied on the user and not device, how can I achieve this? Please advise.
Thanks.
Regards.
All Replies
- I haven't tested lately if it is possible to not sync email in ActiveSync. I believe it wasn't possible back in the Exchange 2003 vs WM 5 days to sync only other items. Exchange as you say is only able to apply policies on the user-level though, so to run different policies you need to get creative :)
Will you be enrolling both PDAs in SCMDM, or only the company-owned one? If only PDA A is enrolled to SCMDM you can set a policy, and all the settings on the user/device in SCMDM. Make sure that the device is enrolled to SCMDM, and not partnered with Exchange first. Also apply the -AllowExternalDeviceManagement parameter on the mailbox on Exchange (if you're running Exchange 2007 that is.) Send out provisioning cabs for the users for setting up PDA B, with the settings only configuring contacts/calendar. Haven't tested this - it's just a thought :)
If both PDAs are enrolled you could apply device level GPOs to them I guess.
But think through the scenario one more time before implementing. Why are you allowing devices that will not sync email? Is it because the user doesn't want/need mail on their privately owned devices? It is possible to have corporate sensitive data in other item types than mail, and I would apply protection mechanisms even if mail isn't synced.
Another challenge is that if the user is authenticated, and is allowed to connect to ActiveSync the user will probably be able to "hack" his way around this limitation in the registry so it's not bulletproof either.
If you install some PIM middleware that the devices will use for syncing most of these will be able to restrict sync policies on the device level, but it's probably not worth the investment for this purpose. (Well, if you happen to have a lot of cash piling up in the office you are of course welcome to spend.)
I have had customers asking for this functionality, but they usually end up in a scenario where they either allow all items to be synced, or no items at all except for the company issued devices. This is just my observation, maybe others have different experiences.
- Hi Andreas,
What I am thinking is to reduce the size of the emails allowed to the minimum and disallow attachments for the PDA that is not supposed to get any emails.
As the user needs to VPN into the corporate network to access the MS Exchange 2007 server, both will have SCMDM enrolled.
"If both PDAs are enrolled you could apply device level GPOs to them I guess."
As ActiveSync policies are applied to the user and not to device, I'm not sure how to do this.
"Why are you allowing devices that will not sync email? Is it because the user doesn't want/need mail on their privately owned devices? It is possible to have corporate sensitive data in other item types than mail, and I would apply protection mechanisms even if mail isn't synced."
This is company's policy set by higher management. Yes, protection mechanisms will be in place as if they can store emails.
"If you install some PIM middleware that the devices will use for syncing most of these will be able to restrict sync policies on the device level, but it's probably not worth the investment for this purpose. (Well, if you happen to have a lot of cash piling up in the office you are of course welcome to spend.)"
Do you happen to know the name of any such middleware that I can eval?
Thanks.
Regards.

