It is desirable for users to synchronize their mobile computing devices (e.g., phones, tablets, laptops) with their desktop computers and enterprise servers (e.g., a work email server administrated by a corporation, university or other organization). For example, users want to have the same, most recent email, contact and calendar data available at both their desktops and on their mobile devices.
Different solutions exist to provide such data synchronization, and they have evolved over time as the nature and usage of mobile devices have changed. Microsoft ActiveSync was a mobile data synchronization app that allowed a mobile device to be synchronized with a desktop computer, or with an administrated server running a compatible platform such as Microsoft Exchange Server. ActiveSync synchronized Microsoft Outlook emails, calendar entries, contacts and tasks, along with Internet bookmarks and files. ActiveSync does not support many current mobile platforms, and is no longer included in Windows.
Exchange ActiveSync (“EAS”), not to be confused with the old ActiveSync app, is a protocol for the synchronization of email, contacts, calendar, tasks and notes from a server to a smartphone or other mobile computing device. The protocol is based on XML, and an Exchange ActiveSync server and mobile device communicate over HTTP (or HTTPS). Microsoft Exchange Server supports the use of Exchange ActiveSync to synchronize email, calendar data and contacts with mobile computing devices. Note that Microsoft Exchange Server, not to be confused with Exchange ActiveSync itself, is a Microsoft server program that provides group level mail services, calendaring software and a contact manager. In addition, Microsoft licenses Exchange ActiveSync to other parties, and support for Exchange ActiveSync is implemented in a number of competing collaboration platforms, such as Google Apps for Business, Lotus Domino and Novell GroupWise. Currently, Exchange ActiveSync is the de facto standard for synchronization between groupware and mobile devices, although other standards also exist, such as Open Mobile Alliance Data Synchronization and Device Management (formerly known as SyncML) and OpenSync.
Exchange ActiveSync provides some support for mobile device management and policy controls. For example, a server level administrator can block a specific mobile client, require mobile clients to have passwords meeting certain characteristics (e.g., minimum length, maximum duration), require manual synchronization when roaming, etc. Additionally, Microsoft Exchange and certain third party tools enable an administrator to allow or block an ActiveSync mobile client based on criteria including the presence or absence of the mobile client on a white/black list, the mobile client type (e.g., block all tablets) and the client operating system (e.g., block all devices running iOS). However, such policy control requires a significant amount of configuration and ongoing maintenance by the administrator, to account for and manage the significant number of devices connecting to a large enterprise's network environment. The administrator is responsible for approving the devices which can connect (if not all are allowed), and managing each user's allowed devices.
One third party product called ActiveSync Protector has a mode that allows an end user to self-register a single mobile device. In this mode, the first time a user attempts to connect to Exchange ActiveSync, his/her mobile device can be automatically registered. Registered devices are then automatically allowed access, unless or until the registration is cancelled or revoked. If the same user subsequently attempts to connect to Exchange ActiveSync with a different mobile device, the additional device is not automatically registered. This prevents an attacker who has obtained the user's credentials but not the user's mobile device from using a different device to connect into the enterprise's infrastructure. However, as a result the legitimate user is by default blocked from access with any additional mobile devices. Instead, the user is required to request that an administrator create an exception and explicitly allow each specific additional mobile device before the user can connect to ActiveSync with it, and thus access and synchronize with the data on the backend.
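The access decision described in the two preceding paragraphs (class-based allow/block rules, an explicit allow/block list, and one self-registered device per user with administrator exceptions), as an added example in Python; it is constructed for illustration and is not code from Exchange, ActiveSync Protector or any other product. The device identifier, type and operating-system fields are assumptions standing in for whatever the client presents on connection.

```python
from dataclasses import dataclass, field

ALLOW, BLOCK = "allow", "block"

@dataclass
class Device:
    device_id: str    # hypothetical stand-in for the EAS DeviceId value
    device_type: str  # e.g. "SmartPhone", "Tablet"
    os_name: str      # e.g. "iOS", "Android", "Windows"

@dataclass
class Policy:
    blocked_types: set = field(default_factory=set)  # e.g. block all tablets
    blocked_os: set = field(default_factory=set)     # e.g. block all iOS devices
    blocklist: set = field(default_factory=set)      # device ids explicitly denied
    allowlist: set = field(default_factory=set)      # admin exceptions for extra devices

class SelfRegistrationGate:
    """The first device a user connects with is auto-registered; any further
    device is denied unless an administrator adds it to the allowlist."""
    def __init__(self, policy: Policy):
        self.policy = policy
        self.registered = {}   # user -> registered device id
        self.denials = []      # audit trail an administrator can review

    def decide(self, user: str, dev: Device) -> str:
        p = self.policy
        # 1. Explicit administrator decisions override everything else.
        if dev.device_id in p.blocklist:
            return self._deny(user, dev, "device is on the blocklist")
        if dev.device_id in p.allowlist:
            return ALLOW
        # 2. Organisation-wide class rules (device type, operating system).
        if dev.device_type in p.blocked_types or dev.os_name in p.blocked_os:
            return self._deny(user, dev, "device class blocked by policy")
        # 3. Self-registration: one device per user, bound on first contact.
        owner_device = self.registered.setdefault(user, dev.device_id)
        if owner_device == dev.device_id:
            return ALLOW
        # A different device presenting valid credentials is refused;
        # the user must ask an administrator for an exception instead.
        return self._deny(user, dev, "additional device; admin exception required")

    def revoke(self, user: str) -> None:
        """Cancel the registration so the user's next device registers afresh."""
        self.registered.pop(user, None)

    def _deny(self, user: str, dev: Device, reason: str) -> str:
        self.denials.append(f"{user} {dev.device_id} ({dev.os_name}): {reason}")
        return BLOCK
```

The `denials` list is the part an administrator actually sees in this model: every refused second device is a potential credential-misuse signal as well as a pending exception request.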
This model that allows a single mobile device per user was sufficient when each user typically carried only one mobile device (i.e., a phone). However, users are now likely to use multiple mobile devices (e.g., a smartphone and a tablet). Furthermore, newer versions of Microsoft Outlook also allow the synchronization of a Windows computer as an Exchange ActiveSync client (typically, this feature would be used in the case of a laptop). In the current environment in which a single user may well have three separate mobile devices, administrators are overwhelmed with exception requests, which are very labor intensive to review and process.
It would be desirable to address these issues.