What is JMU's Exchange ActiveSync (EAS) Policy?
EAS is a communication protocol, which is a way for computers to talk to each other. EAS allows you to access your Exchange account on a mobile device, such as a cell phone or tablet. Whenever anything changes on the Exchange server, EAS will communicate to your mobile device so that you see the change immediately. These changes include receiving new emails, accepting an event to add to your calendar, adding a new contact, etc.

The JMU faculty/staff email system runs on Microsoft Exchange. Microsoft Exchange includes a number of tools that allow system administrators to manage mobile devices connected to our email system. When you connect a mobile device to Exchange in order to retrieve your JMU email, you may receive a "remote security administration" notification that indicates these administrative tools are available and how they can potentially be used. This notification is similar to what you receive when you install applications on some mobile devices (e.g. Android).

While Exchange provides a number of administrative tools for managing mobile devices and enforcing various security policies, JMU IT does not use any of the tools to manage your mobile devices unless you request it or you give your explicit permission.

JMU IT does, however, give you the ability to remotely wipe/erase your device in the event it is lost or stolen. You can perform a remote wipe/erase by logging into the Outlook Web App (exchange.jmu.edu) and following these steps:

  • Click the gear in the upper right corner
  • Click the "Options" menu
  • Click "Mobile devices" in the left-hand navigation bar, under the General section
  • From this page, you can choose the device you want to wipe/erase

What is remote administration?
Remote administration allows someone (including both you and JMU IT staff) to perform a limited number of changes to your mobile device without having physical access to the device. For example, a remote administrator could require you to set a screen lock password or wipe all data from the device if it is lost or stolen.

Why is JMU IT now requiring remote administration?
Remote administration is enabled via an ActiveSync policy. Years ago, there were mobile devices with broken EAS clients that would not connect to Exchange if any EAS policy was enabled at all, even if no remote administration restrictions were set. At that time, JMU IT made the decision to disable all policies in order to allow these broken clients to connect. However, this put JMU's Exchange system in an unsupported configuration, and every time IT performs an upgrade to the system, all EAS policies must be manually disabled again. By enabling a default, no-restrictions EAS policy, JMU's Exchange environment aligns with current best practices and is in a supported configuration.

What alternatives to Exchange have JMU IT considered?
JMU IT has explored migrating to a cloud-based email service, such as Microsoft Office 365, concluding that Exchange remains the best option for the JMU community. It should also be noted that Office 365, like Exchange, uses EAS for mobile device access. As such, remote administration would also be required for this alternative.

Platform-Specific Questions:

Are Android phones and tablets affected by this change?
Yes. If any app on your mobile device is set up to get updates from EAS, you will be shown a message that remote administration must be activated. You will be given the option to activate this feature or to cancel. If you choose not to activate remote administration, these apps will no longer receive updates from EAS.

Are iPhones, iPads, and Surface tablets affected by this change?
Yes. Unlike Android devices (which show a message and require the user to accept the changes), iPhones, iPads, and Surface tablets automatically enable remote administration when requested by EAS. You will neither be shown a message nor asked to activate this feature on these types of devices.

Are laptops and desktop computers affected by this change?
In general, no. All computers and mobile devices rely on a basic layer of software called an operating system (OS). Mobile devices use Android or iOS as their OS, and both of these have remote administration built in. Laptops and PCs typically use OS X, macOS, or Windows. While there are different options available, these OSs generally do not contain remote administration features.

Technical and Policy Information:

What are the benefits of remote administration?
Remote administration allows authorized administrators (including you as the device owner) to perform critical actions regardless of where your device is located. If your device is ever lost or stolen, you or a member of JMU IT could remotely delete all sensitive information (including credit card numbers, data to access banking or social networking services, personal contact information, photos and movies), preventing a thief from accessing this data. Remote administration does not allow access to device tracking capabilities. If you want to be able to locate your device if it is ever lost, you will need to investigate the abilities provided by your device's manufacturer or cellular carrier.

What actions can and cannot be performed through remote administration?
The list of remote administration capabilities is limited and designed to minimize privacy risks. You can see the full list in this Mobile device mailbox policies document. It is important to emphasize what remote administration does NOT allow. Remote administration does NOT allow JMU IT (or unauthorized persons) to access your personal information or files, change your device password, activate your microphone or camera, access your mobile web browser history, access location services, or otherwise monitor or control your actions on your device.

What are the risks of remote administration?
Any time there is a feature enabled in a computer system, there is always the possibility that it could be used for something bad. For example, it is possible that someone could hack into JMU’s or Microsoft’s systems and use remote administration tools without authorization. As another example, if you log in to your JMU email using a public computer and forget to log out, someone else using that same computer could use these tools. While possibilities like this exist with remote administration, data theft and corruption also occur without these tools. Users should follow best practices for information technology, including creating backups of important data, deleting unused data, logging out of web sites, and running virus protection software.

Help for backing up your device:

What is JMU IT's policy for using remote administration?
JMU IT will ONLY exercise the capabilities provided by remote administration under two possible circumstances: Either the device owner is specifically requesting JMU IT’s assistance (for instance, you come to JMU IT and request the data be wiped because the device is stolen) or JMU IT is ordered by law enforcement and is legally required to comply. JMU IT will NOT perform remote administration under any other circumstance, such as termination of employment. Any considered change to this policy will be discussed publicly with JMU faculty and staff before being enacted.

How can I check my email without enabling remote administration?
You can use a web browser to access the Outlook Web App at exchange.jmu.edu.

Is remote administration required to access MyMadison or other JMU IT services?
No. Remote administration is exclusively required for access to the Exchange server. The two-factor authentication process for accessing MyMadison is a separate system and is unrelated to the remote administration requirement.
