Mobile Device (ActiveSync) Policy

The JMU faculty/staff email system runs on Microsoft Exchange.  Microsoft Exchange includes a number of tools that allow system administrators to manage mobile devices connected to our email system. When you connect a mobile device to Exchange in order to retrieve your JMU email, you may receive a "remote security administration" notification that indicates these administrative tools are available and how they can potentially be used.   This notification is similar to what you receive when you install applications on some mobile devices (e.g. Android).

While Exchange provides a number of administrative tools for managing mobile devices and enforcing various security policies, JMU IT does not use any of the tools to manage your mobile devices. 

JMU IT does, however, give you the ability to remotely wipe/erase your device in the event it is lost or stolen.  You can perform a remote wipe/erase by logging into the Outlook Web App (exchange.jmu.edu) and following these steps:

  • Click the "Options" menu
  • Click "See All Options"
  • Click "Phone" in the left-hand navigation bar
  • From this page, you can choose the device you want to wipe/erase

FAQs

What is Exchange?

Microsoft Exchange is a messaging system running on servers (powerful computers) that JMU IT owns and operates. Whenever someone sends an email to your @jmu.edu address, it is received by and stored on the Exchange server.

What services does Exchange provide?

Exchange provides a single account to access email, calendar, contact list, notes, and task lists.

What is Exchange ActiveSync (EAS)?

EAS is a communication protocol, which is a way for computers to talk to each other. EAS allows you to access your Exchange account on a mobile device, such as a cell phone or tablet. Whenever anything changes on the Exchange server, EAS will communicate to your mobile device so that you see the change immediately. These changes include receiving new emails, accepting an event to add to your calendar, adding a new contact, and so on.

What is remote administration?

Remote administration allows someone (including both you and JMU IT staff) to perform a limited number of changes to your mobile device without having physical access to the device. For example, a remote administrator could require you to set a screen lock password or wipe all data from the device if it is lost or stolen.

Why is JMU IT now requiring remote administration?

Remote administration is enabled via an ActiveSync policy. Years ago, there were mobile devices with broken EAS clients that would not connect to Exchange if any EAS policy was enabled at all, even if no remote administration restrictions were set. At that time, JMU IT made the decision to disable all policies in order to allow these broken clients to connect. However, this put JMU's Exchange system in an unsupported configuration, and every time IT performs an upgrade to the system, all EAS policies must be manually disabled again. By enabling a default, no-restrictions EAS policy, JMU's Exchange environment aligns with current best practices and is in a supported configuration.

What alternatives to Exchange has JMU IT considered?

JMU IT has explored migrating to a cloud-based email service, such as Microsoft Office 365, concluding that Exchange remains the best option for the JMU community. It should also be noted that Office 365, like Exchange, uses EAS for mobile device access. As such, remote administration would also be required for this alternative.

Platform-Specific Questions:

Are Android phones and tablets affected by this change?

Yes. If any app on your mobile device is set up to get updates from EAS, you will be shown a message that remote administration must be activated. You will be given the option to activate this feature or to cancel. If you choose not to activate remote administration, these apps will no longer receive updates from EAS.

Are iPhones, iPads, Windows Phones, and Surface tablets affected by this change?

Yes. Unlike Android devices (which show a message and require the user to accept the changes), iPhones, iPads, Windows Phones, and Surface tablets automatically enable remote administration when requested by EAS. You will not be shown a message nor asked to activate this feature on these types of devices.

Are laptops and desktop computers affected by this change?

In general, no. All computers and mobile devices rely on a basic layer of software called an operating system (OS). Mobile devices use Android, iOS, or Windows Mobile as their OS, and all of these have remote administration built in. Laptops and PCs typically use OS X, macOS, or Windows (which is different from Windows Mobile). While there are different options available, these OSs generally do not contain remote administration features.

Technical and Policy Information:

What are the benefits of remote administration?

Remote administration allows authorized administrators (including you as the device owner) to perform critical actions regardless of where your device is located. If your device is ever lost or stolen, you or a member of JMU IT could remotely delete any sensitive information (including credit card numbers, data to access banking or social networking services, personal contact information, photos and movies), preventing a thief from accessing this data. Remote administration does not allow access to device tracking capabilities. If you want to be able to locate your device if it is ever lost, you will need to investigate the abilities provided by your device's manufacturer or cellular carrier.

What actions can and cannot be performed through remote administration?

The list of remote administration capabilities is limited and designed to minimize privacy risks. You can see the full list in this Mobile device mailbox policies article. It is important to emphasize what remote administration does NOT allow. Remote administration does NOT allow JMU IT (or unauthorized persons) to access your personal information or files, change your device password, activate your microphone or camera, access your mobile web browser history, access location services, or otherwise monitor or control your actions on your device.

What are the risks of remote administration?

Any time there is a feature enabled in a computer system, there is always the possibility that it could be used for something bad. For example, it is possible that someone could hack into JMU’s or Microsoft’s systems and use remote administration tools without authorization. As another example, if you log in to your JMU email using a public computer and forget to log out, someone else using that same computer could use these tools. While possibilities like this exist with remote administration, data theft and corruption also occur without these tools. Users should follow best practices for information technology, including creating backups of important data, deleting unused data, logging out of web sites, running virus protection software (for example, Lookout Mobile Security), and so on.

Help for backing up your device:

Apple iOS devices

Android devices

Windows 10 Mobile

What is JMU IT's policy for using remote administration?

JMU IT will ONLY exercise the capabilities provided by remote administration under two possible circumstances: Either the device owner is specifically requesting JMU IT’s assistance (for instance, you come to JMU IT and request the data be wiped because the device is stolen) or JMU IT is ordered by law enforcement and is legally required to comply. JMU IT will NOT perform remote administration under any other circumstance, such as termination of employment. Any considered change to this policy will be discussed publicly with JMU faculty and staff before being enacted.

How can I check my email without enabling remote activation?

There are three options that we are aware of at the current time. One option is to use a web browser to access the Outlook Web App (OWA) at exchange.jmu.edu. The second option is to use a separate email app on your phone other than the default email app, and the third option is to configure your email program to use the IMAP protocol instead of EAS. An example of a separate email app is TouchDown by Symantec. Visit https://www.symantec.com/theme/touchdown for more information.

What is similar between EAS and IMAP?

With both EAS and IMAP, your mobile device will automatically download copies of your email messages for you. The original email will still be stored on the Exchange server, so you can still access your account from other devices, such as a laptop or PC.

What is different between EAS and IMAP?

The main difference is timing. EAS is called a “push” protocol. Any time something happens on the Exchange server (such as a new email message arrives), the updates immediately get “pushed” to the mobile device and you see them right away. IMAP is called a “pull” protocol. You configure your device to check for new messages at regular intervals (say, every 15 minutes). When IMAP discovers there is a new message, it will “pull” a copy to your mobile device.

What features are lost with using IMAP instead of EAS?

IMAP only provides email access. If you use IMAP, your contact list, calendar, notes, and tasks will not be synchronized with what is on the Exchange server. When you compose an email, you will not be able to search for a JMU contact automatically. If you add an event to your calendar on your mobile device, it will not be updated on your computer’s calendar program (and vice versa).

What if I use IMAP for email but EAS for everything else?

There is no benefit to doing this. If you use EAS for any service (such as keeping your calendar synchronized), remote administration is required.

Is remote administration required to access MyMadison or other JMU IT services?

No. Remote administration is exclusively required for access to the Exchange server. The two-factor authentication process for accessing MyMadison is a separate system and is unrelated to the remote administration requirement.

Does JMU provide mobile devices free of charge to faculty and staff?

Unless such a device is required to fulfill job duties, no. For example, some JMU IT staff are considered “on-call” and are required to respond to emergency situations (such as a power outage, server crash, or security attack) 24 hours a day, 7 days a week; these staff are given pagers to support these requirements. The use of personal devices for general access to email is voluntary and will remain so for the foreseeable future. See University Policy #1505, Use of University Owned Telephones & Services by University Employees, for more information.