More about Windows 8 CP and ActiveSync
Since yesterday’s blog post “Yes, there is ActiveSync in Windows 8!”, I have fiddled some more with the Windows 8 Mail app.
So, which other ActiveSync settings do work within Windows 8? There are quite a few, and some aren’t supported by all devices. So, which are important and could I use as a baseline? Well, Microsoft already made a baseline:
Exchange ActiveSync Logo Program
The Exchange ActiveSync Logo program was created to easily identify devices that have a certain minimum set of ActiveSync capabilities. I have checked to see whether these options are available in the Windows 8 Mail app:
- Direct Push email, contacts & calendar – Yes
- Accept, Decline & Tentatively Accept meetings – No (not within Mail or Calendar App)
- Rich formatted email (HTML) – Yes
- Reply/Forward state on email – Partial. Not from Mail app to Exchange, other way yes
- GAL Lookup – No (in both Mail and People app)
- Autodiscover – Yes
- ABQ strings (device type and model) provided – Yes & Yes*
- Remote Wipe – Well, not whole device. No?
- Password Required – Yes
- Minimum Password Length – Unknown
- Timeout without User Input – Yes
- Number of Failed Attempts – Yes
* Device Family is “WindowsMail” and Model has two entries: “Windows PC” and “WindowsMail”.
So, no Logo then…
ActiveSync password settings
The ActiveSync password settings are a bit funny though, as I log into Windows 8 with my Live account. That account has its own password rules. This will also be the case with domain joined computers. Furthermore, I’m guessing that the local computer security settings also provide a baseline rule.
I did notice that Windows 8 locked itself sooner due to the 1 minute time-out setting in the ActiveSync policy. Which makes this the first indication that some ActiveSync settings do affect the OS directly.
The maximum number of failed attempts was also affected by ActiveSync. Normally you get a warning after about 5/6 wrong entries. With a Failed Attempts setting of 4 (the minimum) you get the same warning:
So no wipe, just a reboot. I’ve checked and all data and settings were still present. If you check the options in the Exchange Control Panel, it mentions wipe:
Concluding this part: After setting only the four settings mentioned in the logo program Exchange regards the policy as fully applied:
How about some other features?
I’ve made some changes in my default Exchange ActiveSync Policy in order to further test the parts of the ActiveSync implementation that are not part of the Logo program. I chose some that were easy to check on my virtual Windows 8 device:
- Limit email size to (KB): 10 (was unlimited)
- Allow attachments to be downloaded to device: Unchecked (was Checked)
- Allow camera: Unchecked (was Checked)
Limit email size
I could read mails larger than 10KB in the Mail app and on my iPad, but not on Windows Phone 7.5
Can’t save it (right-click on icon) anymore and can’t download it. Same behavior as most ActiveSync devices.
My virtual Windows 8 CP didn’t have a camera, so this is a bit speculative. But if you check the permissions within the app (Charm bar>Permissions), you can set the camera permission manually. The Webcam and Microphone permission is disabled by default. After enabling it and changing the EAS policy, the option was still enabled.
It is not a 100% check, but interesting enough… The Camera app was also still present. Surprisingly enough, it also still works within Windows Phone 7.
Within iOS (my iPad 2) all camera related apps disappear. It would be interesting to see this (and other) functions work, especially on Windows 8 slates/tablets.
And on Exchange
Let’s see on the Exchange end how the new EAS policy is applied.
Ha, it’s partially applied! This is probably the Camera setting and it’s positive that this is visible in feedback.
So, ActiveSync in Windows 8? Well, not exactly.
As stated, it does not deliver all the features as required by the Exchange ActiveSync Logo Program (EALP). If this doesn’t change, this would mean no Windows 8 device would receive the ActiveSync logo.
Furthermore, the functionality is apparently (mostly) confined to the Mail app within Windows 8. The most important proof of this is the remote wipe option, which only wipes the synced information and not the whole device.
The above observation is an important distinction as ActiveSync policies are mostly only valid within the App and not the OS. Aside from the partial Remote Wipe, this could have some impact on Mobile Device Management for Windows 8 devices, especially Windows on ARM (WOA).
As we are told that WOA would have almost no differences regarding the x86 versions, this would mean that ActiveSync functionality would also be an App and not OS functionality. We can somewhat expect that WOA devices will not be EALP compliant as the iPad is.
This is another indication of how Microsoft regards WOA: a consumer device, as ActiveSync policies are more Enterprise features. It is however still possible that functionality will change in the coming months. I personally would hope so, as I regard ActiveSync as a sort of light mobile device management tool.
If an organization will not have WOA devices, there are ActiveSync Device Security settings that do have an impact on Windows 8 (x86 based) computers. Which setting will win? ActiveSync policies? Active Directory policies? Or the most constricting one? This will undoubtedly lead to interesting discussions between users, those responsible for Exchange ActiveSync policies and those for Active Directory Group Policies…
Granted, most organizations probably also have Outlook (2010 with the option of multiple accounts) and thus no need for the Windows 8 Mail app. But still, I already think it a best practice to at least consider blocking out the Mail app within AD environments…
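One way to check the "partially applied" status from the Exchange side and to hold the Mail app back with an ABQ rule, as an added example that is not part of the original post. It assumes the Exchange 2010 Management Shell and that the "WindowsMail" string reported by the app is stored in the device's DeviceType property; `$quarantine` is a hypothetical switch introduced for this example.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumption: the "WindowsMail" string the Mail app reports is stored as DeviceType.
$deviceType = 'WindowsMail'
$quarantine = $false   # hypothetical switch: set to $true to create the ABQ rule

# 1. Inventory every Windows 8 Mail app partnership and record how far the
#    assigned ActiveSync policy was actually applied on that device.
$report = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq $deviceType } |
    ForEach-Object {
        $stats = Get-ActiveSyncDeviceStatistics -Identity $_.Identity
        New-Object PSObject -Property @{
            User         = $_.UserDisplayName
            Model        = $_.DeviceModel
            AccessState  = $_.DeviceAccessState
            Policy       = $stats.DevicePolicyApplied
            PolicyStatus = $stats.DevicePolicyApplicationStatus
            LastSync     = $stats.LastSuccessSync
        }
    }

$report | Sort-Object User |
    Format-Table User, Model, AccessState, Policy, PolicyStatus, LastSync -AutoSize

# 2. Partnerships where Exchange does not report the policy as applied in full
#    (for example PartiallyApplied after disabling the camera).
$notFull = @($report | Where-Object { $_.PolicyStatus -ne 'AppliedInFull' })
Write-Host ("{0} {1} partnership(s) without a fully applied policy" -f $notFull.Count, $deviceType)
$notFull | Format-Table User, Model, Policy, PolicyStatus -AutoSize

# 3. Optional: quarantine the Mail app organization-wide until an admin approves
#    each partnership. Skipped if a rule for this device type already exists.
if ($quarantine) {
    $existing = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq $deviceType }
    if (-not $existing) {
        New-ActiveSyncDeviceAccessRule -QueryString $deviceType `
            -Characteristic DeviceType -AccessLevel Quarantine
    }
}
```

A quarantine rule only controls what syncs with Exchange; it does not remove the Mail app from the computer.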