The Trouble with Microsoft ActiveSync Security Is That You Get What You Pay For



I recently worked with a couple of enterprise customers that managed the large majority of their mobile devices on Microsoft ActiveSync. Their reasoning was that since the platform is “free,” it saved the organization money, an admittedly sound justification for smaller businesses with few devices and little sensitive data. These clients, however, were large firms operating in regulated industries.

They knew that their employees dealt with sensitive data on a regular basis, and they knew the associated costs if that data were to be leaked or stolen. On some level, they also suspected protecting that data required greater functionality than ActiveSync was capable of providing. Yet they still relied on it.

Surprisingly, the case with these clients is not a unique one – some large and many midsized enterprises use ActiveSync for mobile device management.

That is a mistake. Although ActiveSync admittedly does possess some MDM capabilities, it still falls short from an enterprise security standpoint. Larger organizations, especially those subject to regulation, should be wary of using it to manage their mobile fleets.

Why ActiveSync Is Insufficient For MDM

“Exchange ActiveSync was originally designed to synchronize data on mobile devices,” writes GCN’s Patrick Marshall. “In recent years, it has added MDM features, such as the ability to set policies on device and applications usage. However, the solution lacks some more sophisticated capabilities such as application containerization and app wrapping that protect and isolate applications on devices, which is especially important when employees are using their own devices.”

I would take it a step further, and say that ActiveSync’s security issues are more basic than that: It lacks effective capabilities for forcing users to upgrade their devices to the latest OS and application versions or risk being blocked from network access. That’s a fundamental requirement in security. This limitation means that potentially hundreds of critical OS and application vulnerabilities could be exposing your organization to excessive and unnecessary risk.

What’s more, although ActiveSync does enable IT managers to encrypt data-at-rest on employee devices, it fails to adequately support that policy. The inability to force devices to install and run the latest version of their mobile OS means that your users’ supposedly encrypted data could still be vulnerable. And, as noted by leading mobile consultancy firm CWSI, ActiveSync’s security policies are easily bypassed:

The “risk” with ActiveSync “is that the ActiveSync Client on the mobile device is tasked with both enforcing the policies dictated by the ActiveSync Server and with informing the ActiveSync Server that it is compliant; the Server has no mechanism to check the device itself and confirm the settings,” wrote CWSI in a whitepaper. “This is quite normal behavior for a protocol like this, but is based on the premise that the ActiveSync client can be trusted to report accurate information, and unfortunately this premise is false.”

In short, there is no effective, centralized means of enforcing policies on ActiveSync, nor is the platform equipped with the capacity to detect or identify compromised devices.
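The trust gap described above, as an added illustrative model (not ActiveSync or BlackBerry code, and simplified relative to the real Provision command): the server pushes a policy with a temporary PolicyKey, the client acknowledges with a Status field, and the server’s compliance record is nothing more than a copy of that field, so an audit of server state cannot tell an applied policy from a merely acknowledged one. The names `ProvisionServer`, `enroll` and `audit_gap` are assumptions for the example.

```python
import secrets

# Policy the server pushes in the Provision exchange (constructed sample).
POLICY = {"DevicePasswordEnabled": 1, "RequireDeviceEncryption": 1}


class ProvisionServer:
    """Simplified model of the server side of the EAS Provision exchange.
    It never sees the device; its only input is the client's Status field."""

    def __init__(self):
        self.keys = {}        # device_id -> ("temp"|"final", policy_key)
        self.believed = {}    # device_id -> compliance as reported by the client

    def provision(self, device_id):
        # Step 1: hand out the policy and a temporary PolicyKey.
        key = secrets.token_hex(4)
        self.keys[device_id] = ("temp", key)
        return {"PolicyKey": key, "Policy": dict(POLICY)}

    def acknowledge(self, device_id, temp_key, status):
        # Step 2: client acknowledges. Status 1 means "policy applied";
        # the server cannot test that claim, so it simply records it.
        if self.keys.get(device_id) != ("temp", temp_key):
            return None
        self.believed[device_id] = (status == 1)
        if status != 1:
            return None
        final_key = secrets.token_hex(4)
        self.keys[device_id] = ("final", final_key)
        return final_key

    def allow_sync(self, device_id, policy_key):
        # Step 3: later requests are gated only on holding the final key.
        return self.keys.get(device_id) == ("final", policy_key)


def enroll(server, device_id, reported_status):
    """Run the exchange for one device; reported_status is the Status field
    its client sends back. Returns the final PolicyKey or None."""
    offer = server.provision(device_id)
    return server.acknowledge(device_id, offer["PolicyKey"], reported_status)


def actually_compliant(device_settings, policy=POLICY):
    # What an auditor with access to the device itself would compute.
    return all(device_settings.get(k) == v for k, v in policy.items())


def audit_gap(server, fleet):
    """Devices the server believes compliant whose real state fails policy.
    fleet maps device_id -> the device's real settings (known only off-server)."""
    return sorted(d for d, s in fleet.items()
                  if server.believed.get(d) and not actually_compliant(s))
```

Nothing in `ProvisionServer` can distinguish dev-B from dev-A; only out-of-band knowledge of the device (what a dedicated MDM agent or work container supplies) reveals the gap.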

Finally, the savings from using “free” ActiveSync are illusory if you look beyond the upfront price tag. One of my clients, for example, said that using ActiveSync required his employees to physically hand over devices to their IT support team whenever applications needed to be installed or updated. Such an inefficient process dramatically increased their cost of ownership far beyond any perceived savings.

After reassessing the shortcomings of ActiveSync’s management capabilities, both clients have since adopted BES12. Per my recommendation, they are also investigating the deployment of work containers. MDM may manage some of the obvious risks associated with mobile usage, but a work container is needed in order to mitigate user mistakes and malicious activity, including malware.

Better Alternatives to ActiveSync

BES12, BlackBerry’s industry-leading EMM platform, incorporates mobile device management, mobile content management and mobile application management into an intuitive, single-screen console. Since deployment and management are both done centrally, all aspects of device security are readily controlled. BES12 also fully supports many leading containerization tools, including Samsung KNOX, Android for Work and Secure WorkSpace, allowing for the easy separation of work and personal data.

Using BES12 further means you’ll have access to scalable architecture, end-to-end security built atop a renowned global network, and the ability to fully manage Android, iOS and most recently, Windows 10.

There’s also our recently-acquired Good Powered by BlackBerry set of solutions. This EMM suite’s Secure Container and Apps recently received the highest level of certification for both iOS and Android from the Common Criteria Evaluation Assurance Level 4 Augmented (EAL4+) test, which is used heavily by government agencies and others handling sensitive data.


To be clear, ActiveSync does what it was originally designed to do – synchronization and management of email – quite well. However, relying on it to secure and manage your entire mobile infrastructure is hazardous for a number of reasons:

  • No containerization support for work data, applications and use cases
  • Application deployment/patching is not supported
  • Data-at-rest encryption is inconsistent
  • ActiveSync security policies can be circumvented/ignored

Although ActiveSync may indeed offer some MDM capabilities, from a device management standpoint it simply doesn’t support the needs of medium and large organizations, particularly those in regulated industries. Trying to shoehorn it into such a role just to save a bit of money upfront is a mistake. Not only will you incur a higher cost of ownership in the long run, you’ll also be putting your data unnecessarily at risk.

A purpose-designed MDM solution is mandatory. You shouldn’t stop there, however. In order to keep your data safe and your business compliant, you need both work containers and a dedicated MDM solution.

Anything else is just asking for trouble.

A strong MDM solution is one small part of a comprehensive mobile security strategy. There’s much more involved in protecting your business from the latest mobile security threats – and our Definitive Guide to Enterprise Mobile Security is just the document to help you along in doing so. You can download it for free here. You can also check out our demo of Good Secure EMM Suites to learn more about what we have to offer.

Finally, be sure to sign up for our upcoming webinar, Making Sense of the EMM Alphabet Soup – a detailed look at MDM, MAM & MCM on Tuesday, April 19, 2016 at 11:00 AM EDT. 

About Jay Barbour

Jay brings more than 15 years of security experience to BlackBerry where he serves as Security Director for the BlackBerry Security Group. He works closely with government agencies, strategic and carrier sales teams and key customers to champion security policy for BlackBerry mobile devices. Prior to joining BlackBerry, Jay was vice president of marketing at Intrusion Inc., and vice president of product management at Scansafe. Jay holds a degree in Engineering Physics from Queen’s University, Canada, an MBA from INSEAD, France, and is a Certified Information Systems Security Professional (CISSP).
