As an Administrator using Microsoft Exchange Server 2003 (SP2), you now have tools with which to set and enforce your mobile device security policies. You can also control some of the features on the mobile devices by using provisioning tools. This topic provides you with instructions and pointers for doing the following administrative tasks:
Setting Up a Mobile Device Connection to Exchange Server

If mobile users have a data usage plan through a mobile operator, Exchange ActiveSync on the mobile device can be used to synchronize e-mail, contacts, calendar, and tasks over the air. Alternatively, they can use Desktop ActiveSync to partner their Windows Mobile 5.0-based device with an Exchange server by using a USB cable from a desktop computer that is connected to your network. Regardless of the connection method that your users use, you will need to provide them with the following information before they can synchronize with your Exchange server:
Your users can use ActiveSync on their mobile devices or on their computer to choose which types of data, such as contacts, calendar, tasks, e-mail, they will synchronize with Exchange. You may advise your users to uncheck any data types that should not be stored on their mobile devices. For more information about ActiveSync and other features on Smartphones and on Pocket PCs, including step-by-step instructions for the use of those features, visit the Windows Mobile Web site at http://go.microsoft.com/fwlink/?LinkId=37728.

Synchronizing Directly with Exchange Server

If your users use the desktop ActiveSync setup, advise them to be sure to choose the option to synchronize their mobile devices directly with the Exchange server. Direct push technology and security policy enforcement will be effective only when the devices are synchronized directly with the Exchange server. Synchronizing mobile devices with only the desktop computer is not recommended.

Connecting to an Exchange Server by Using a Phone or a Wireless Network

Your users can use ActiveSync on a Windows Mobile 5.0-based device to synchronize their mobile device directly with their Exchange server. The first time a user starts ActiveSync on his or her mobile device, the user will see two options: to synchronize using the desktop computer or to synchronize directly. If your users have the address of their Exchange server and know their respective Exchange usernames, passwords, and domains, the ActiveSync wizard will walk them through the steps.

To connect a Windows Mobile 5.0-based device to an Exchange server
Connecting to Exchange Server by Using a Desktop Computer

Your users can set up device synchronization with their Exchange server using their laptop or desktop computer and the USB cradle/connector that accompanies most Windows Mobile-based devices. Before a USB sync connection can be made, ActiveSync must be installed on the user’s desktop computer. The ActiveSync software is available either on the Windows Mobile Getting Started Disc provided with the mobile device, or as a download from http://www.microsoft.com/windowsmobile/activesync/default.mspx. In the ActiveSync Setup Wizard, your users can:
To connect with Exchange Server by using a desktop computer
Accessing a Corporate Network by Using a VPN Connection

If your corporate network includes access to a VPN server based on PPTP or L2TP/IPSec VPN protocols, your employees can set up their own connection with the interface provided with the Windows Mobile 5.0-based device. The VPN setup varies from device to device, so check with your manufacturer for instructions. You can also provision the mobile devices so that the connection is configured and the users only need to supply their usernames and passwords. For more information about configuring your Windows Mobile 5.0-based devices for VPN access, see the "CM_VPNEntries Configuration Service Provider" topic in the Windows Mobile 5.0 SDK at http://go.microsoft.com/fwlink/?LinkId=67444.

Using the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices

The following bulleted list describes several things that you can use the Exchange ActiveSync Mobile Administration Web tool to do:
The Welcome Screen of the Mobile Administration Web tool introduces its two administrative options, presented on separate Web pages:

Remote Wipe: Initiate and track a remote wipe command for lost or stolen mobile devices.
Transaction Log: View a log of administrative actions on mobile devices, noting time, action, and user.

Initiating and Tracking Remote Wipe on Mobile Devices

The Remote Device Wipe option provides the following functions:

Initiating a Remote Wipe for a Lost or a Stolen Mobile Device

To initiate a remote wipe, you can search for a user’s mobile device by specifying the user’s name. As shown in the figure below, the Remote Device Wipe Web page displays the device ID, device type, the time that the device last synchronized with the Exchange server, and the wipe status or delete status of the device for each user's mobile device. To initiate a remote wipe for a lost or stolen mobile device, you can locate the desired device and then choose Wipe. The Remote Device Wipe Web page then displays the up-to-date status for the mobile device, displaying whether and when the device was successfully wiped.

Viewing the Status on a Pending Remote Wipe for a Lost or a Stolen Mobile Device

When a remote wipe is specified for a mobile device, the remote wipe command stays active until the administrator specifies otherwise. This means that, after the initial remote wipe has been completed, the Exchange server continues to send a remote wipe directive if the same device ever tries to reconnect to the Exchange server.

Canceling a Remote Wipe If a Lost or a Stolen Mobile Device Is Recovered

If a lost mobile device is recovered and the remote wipe that you initiated has not occurred, you must cancel the wipe in order for the device to successfully connect again. To cancel the wipe, locate the mobile device that has the remote wipe command set and then click Cancel Wipe.
Deleting a Mobile Device Partnership from the Exchange server

You can use the remote wipe command to delete a mobile device partnership from the Exchange server. This action, which is primarily useful for "housekeeping" purposes, will delete from the Exchange server all states that are associated with a specified device. If a user tries to connect a mobile device to the Exchange server after the partnership between the mobile device and the Exchange server has been deleted, the mobile device user will be forced to re-establish the partnership with the Exchange server.

Viewing a Log of Remote Wipe Transactions

The following table shows the information that is compiled by the Remote Wipe transaction log regarding the critical administrative actions that are performed when you use the Exchange ActiveSync Mobile Administration Web tool.
Provisioning or Configuring the Windows Mobile 5.0-based Device

If you are working with a mobile operator or a mobile device manufacturer to deploy your Windows Mobile 5.0-based devices, you may be able to acquire mobile devices that have been pre-configured with the technologies and security settings that fit your needs. You can use the device provisioning tools that are available in the Windows Mobile 5.0 Software Development Kit (SDK) to configure settings on the devices; to add, update, and remove software from the mobile devices; or to change the functionality of the mobile devices. You must have either manager access to the Windows Mobile 5.0-based devices or the ability to run trusted code on them in order to use the provisioning tools. Check with your mobile operator or device manufacturer for more information on the application security settings on your devices. For more information about managing mobile devices, see the "Managing Devices" section of the SDK. The SDK documentation is included in the MSDN Library. The SDK documentation and tools are available at no charge from the Microsoft Download Center. Be aware that there are two versions of Windows Mobile 5.0 software: Windows Mobile Version 5.0 software for Pocket PCs and Windows Mobile Version 5.0 software for Smartphones. Some procedures differ between these two versions. While working in the SDK, closely follow references and directions for the version that is on your mobile devices.

Overview of Provisioning

Provisioning a Windows Mobile 5.0-based device involves creating a provisioning XML file that contains configuration information, and then sending the file to the device. The Configuration Manager and the Configuration Service Providers configure the device based on the contents of the provisioning XML file. The Configuration Manager is the central authority that processes the provisioning XML file.
The Configuration Service Providers carry out all configuration queries and changes. After the data is passed to the Configuration Service Providers, they are responsible for carrying out the changes to the mobile device and for reporting the success or failure of the transaction. In order to use the provisioning tools, you must have either manager access to the Windows Mobile 5.0-based devices or the ability to run trusted code on them. The following bulleted list describes most, but not all, of the ways that you can deliver the provisioning XML file to the mobile device:
The Provisioning Process

The following is a walkthrough of the provisioning process using a sample XML file that you can use to configure your Windows Mobile 5.0-based devices with the path and the domain name of your Exchange server. The resulting configuration should enable your users to synchronize their mobile devices without having to enter this information. During this sample provisioning process, you will perform the following tasks:
In this process, you will use the makecab.exe utility to create a .cab file. Makecab.exe is included with the Microsoft Windows Operating System and is available from the Command prompt. XML provisioning files can be packaged as .cab or .cpf files. Because ActiveSync Application Manager does not recognize .cpf files, the .cab format is used in this sample.

Provisioning Sample: Configuring Synchronization Settings

Create a valid provisioning XML file that is named _setup.xml. This file should contain the XML code that addresses the Configuration Manager and its associated Configuration Service Providers.

To create the XML file
The _setup.xml file must be processed as a .cab file before it is transferred and installed on your user's mobile device with ActiveSync Application Manager.

To prepare the XML file for delivery through the Desktop
The provisioning .cab file can be distributed to a device that is cradled to a desktop PC. The provisioning .cab file can also be distributed to a mobile device on a variety of storage cards that are inserted into the device, such as a MultiMedia Card (MMC), a Secure Digital I/O (SDIO) card, or a Compact Flash card. If the ActiveSync Setup wizard appears when you connect the mobile device to a desktop computer, click Cancel. It is recommended that you use Windows Explorer and File Explorer to transfer the .cab file to the device.

To distribute the .cab file to a mobile device
You can check the device to verify that your device provisioning was successful.

To verify that mobile device provisioning was successful
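For the _setup.xml step of the walkthrough above, the following is an added example, not code from the original article or from Microsoft: it builds a provisioning file that sets only the Exchange server and domain, then lints it before it is packaged with makecab.exe. The element and parameter names (wap-provisioningdoc, Sync, Connection, Domain, Server) do not appear on this page and are assumed from the Sync Configuration Service Provider in the SDK; the host and domain values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed names (not on the page): root element and Sync/Connection parms
# as used by the SDK's Sync Configuration Service Provider.
ROOT_TAG = "wap-provisioningdoc"
REQUIRED_PARMS = ("Domain", "Server")
HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

def build_setup_xml(server: str, domain: str) -> str:
    """Return provisioning XML that sets only the Exchange server and domain."""
    if not HOSTNAME.match(server):
        raise ValueError(f"server must be a bare host name, got {server!r}")
    if not domain or re.search(r"[\s\\/@]", domain):
        raise ValueError(f"domain must be a plain name, got {domain!r}")
    root = ET.Element(ROOT_TAG)
    sync = ET.SubElement(root, "characteristic", type="Sync")
    conn = ET.SubElement(sync, "characteristic", type="Connection")
    ET.SubElement(conn, "parm", name="Domain", value=domain)
    ET.SubElement(conn, "parm", name="Server", value=server)
    return ET.tostring(root, encoding="unicode")

def lint_setup_xml(xml_text: str) -> list:
    """Return findings that should block packaging the file with makecab.exe."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if root.tag != ROOT_TAG:
        findings.append(f"unexpected root element <{root.tag}>")
    conn = root.find("./characteristic[@type='Sync']/characteristic[@type='Connection']")
    if conn is None:
        findings.append("missing Sync/Connection characteristic")
    else:
        values = {p.get("name"): p.get("value", "") for p in conn.findall("parm")}
        for name in REQUIRED_PARMS:
            if not values.get(name):
                findings.append(f"parm {name!r} missing or empty")
    # A .cab copied via storage card or desktop should never carry a secret.
    for parm in root.iter("parm"):
        name = parm.get("name", "")
        if "password" in name.lower() and parm.get("value"):
            findings.append(f"credential embedded in parm {name!r}")
    return findings

if __name__ == "__main__":
    xml_text = build_setup_xml("mail.example.com", "EXAMPLE")  # constructed values
    print(xml_text)
    print(lint_setup_xml(xml_text) or "ok to package")
```

Leaving user names and passwords out of the file keeps credentials off storage cards and desktops that handle the .cab; users supply them on the device at first synchronization.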