Organizations using Exchange ActiveSync (EAS) can set up email accounts and enforce basic password policies on Android devices through Gmail.
Set up Exchange accounts with managed configurations
Managed configurations are available in Gmail version 6.4 and later.
Gmail's managed configurations provide a way to set up Exchange accounts on Android devices. As an IT admin, use your enterprise mobility management (EMM) console to configure the following Gmail settings for each user.
Enter a string that the EMM proxy or gateway can use to identify the device. It should contain the device identifier that's part of the Microsoft® Exchange ActiveSync® (EAS) protocol that some EMM gateways use for device correlation.
Enter a specific email address or a string that contains wildcards that the EMM provider uses to pull the user's email address from Microsoft® Active Directory®.
Examples:
- %emailaddress%
- janedoe@altostrat.com
Enter the default email signature that you want to be automatically added at the bottom of all sent emails.
Example:
Jane Doe, President
Altostrat, Inc.
Enter the URL of the Exchange ActiveSync (EAS) email server. This might be an EMM on-site proxy server, a load-balanced virtual IP address in front of several EAS email servers, or a public client access server (CAS). Don't include http:// or https:// in front of the URL.
The port number is optional. If not specified, the default port number is 443.
Examples:
- corp.exchange.com
- corp.exchange.com:443
Enter the string alias that represents a certificate with a private key stored in the work profile keystore. The certificate is often a user certificate for authenticating to the Exchange ActiveSync (EAS) servers.
If you enabled and defined a Certificate Authority (CA) in the EMM console, you'll be able to choose an alias from a drop-down list that the EMM provider populates when the device is enrolled.
Specifies whether Secure Sockets Layer (SSL) is used for the connection to the server port that you specified in the Host field. This setting is ignored if port 443 is specified in the Host field.
Set to true to use SSL, or set to false to connect without it.
If not specified, the default setting is true.
Enter an integer, from 1 to 5, for the default time window when the Exchange ActiveSync (EAS) servers synchronize mail items to Gmail.
The start of the time window is determined by subtracting the period of time represented by the filter type from the current time.
Value | Default time window
---|---
1 | 1 day
2 | 3 days
3 | 1 week
4 | 2 weeks
5 | 1 month
If not specified, the default setting is 3.
Specifies whether validation checks are skipped for the Secure Sockets Layer (SSL) certificates used on Exchange ActiveSync (EAS) servers, proxies, or gateways in front of email servers.
Set to false to perform the checks, or set to true to skip them. When the checks are skipped, Gmail accepts whatever certificate the server presents and can't distinguish the genuine EAS server from another host, so keep the default unless you have a specific reason to change it.
Tip: Performing a check is useful if certificates are self-signed.
If not specified, the default setting is false.
Enter a specific username or a string that contains wildcards that the EMM provider uses to pull the username from Active Directory. It might be different from their email address.
Examples:
- %username%
- janedoe
- altostrat\janedoe
Available in Gmail versions released after November 15, 2019.
Sets the type of authentication used to verify a user's email credentials with Microsoft® Active Directory®. Set to allow_modern_authentication (recommended) or allow_basic_authentication.
- allow_modern_authentication: Uses modern authentication, a token-based method of identity management that offers more secure user authentication and authorization. If modern authentication isn't possible, basic authentication is used.
- allow_basic_authentication: Uses basic authentication, an older method that prompts users for their password and stores this password for future use.
If not specified, the default setting is allow_modern_authentication.
This setting allows users to add or remove any Exchange account, other than the account specified in this managed configuration.
When this setting is enabled:
- Users will be able to add other Exchange accounts to Gmail.
- There will be no controls in place over the data shared between other apps and Exchange accounts added by users.
Only enable this setting if your users need to maintain more than one work Exchange account in Gmail.
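As an added example (not Google's or any EMM vendor's code), the following Python lint takes a managed configuration bundle as a dictionary, layers the documented defaults over anything the admin left unspecified, and flags the combinations of the settings above that weaken transport or account security. The dictionary keys (host, ssl_required, trust_all_certificates, default_sync_window, authentication_type, login_certificate_alias, allow_unmanaged_accounts, email_address, username) are assumed names standing in for the settings described above, since the page does not show them; use the key names your EMM console presents. The sample bundles at the bottom are constructed.

```python
"""Pre-deployment lint for a Gmail Exchange ActiveSync managed configuration.

Example added to this page; not Google's or an EMM vendor's code. Dictionary
keys are assumed names for the settings described on the page.
"""
from datetime import datetime, timedelta, timezone

# Sync window filter types as documented: value -> period subtracted from now.
# "1 month" is approximated as 30 days here (assumption).
SYNC_WINDOWS = {
    1: timedelta(days=1),
    2: timedelta(days=3),
    3: timedelta(weeks=1),
    4: timedelta(weeks=2),
    5: timedelta(days=30),
}

# Values the page states apply when the admin leaves a setting unspecified.
DEFAULTS = {
    "ssl_required": True,
    "trust_all_certificates": False,
    "default_sync_window": 3,
    "authentication_type": "allow_modern_authentication",
    "allow_unmanaged_accounts": False,
}

AUTH_TYPES = ("allow_modern_authentication", "allow_basic_authentication")


def parse_host(host):
    """Split 'corp.exchange.com[:port]' into (hostname, port); port defaults to 443.

    A scheme prefix is rejected because the Host field must not carry one.
    """
    if "://" in host:
        raise ValueError("must not start with http:// or https://")
    name, _, port = host.partition(":")
    if not name:
        raise ValueError("hostname is missing")
    if port == "":
        return name, 443
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port {port!r}")
    return name, int(port)


def sync_window_start(filter_type, now):
    """Start of the sync window: the filter type's period subtracted from `now`
    (a datetime or an ISO 8601 string). Returns an ISO 8601 string."""
    if filter_type not in SYNC_WINDOWS:
        raise ValueError("default_sync_window must be an integer from 1 to 5")
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (now - SYNC_WINDOWS[filter_type]).isoformat()


def lint(config):
    """Return a list of findings for the bundle; an empty list means nothing to flag."""
    cfg = dict(DEFAULTS)
    cfg.update(config)
    findings = []

    port = None
    try:
        _, port = parse_host(cfg.get("host", ""))
    except ValueError as exc:
        findings.append(f"host: {exc}")

    # On port 443 the SSL flag is ignored; on any other port a false flag
    # means credentials and mail cross the network unencrypted.
    if port is not None and port != 443 and cfg["ssl_required"] is False:
        findings.append(f"ssl_required=false on port {port}: EAS traffic would be unencrypted")

    # Skipping certificate validation removes server authentication entirely.
    if cfg["trust_all_certificates"] is True:
        findings.append("trust_all_certificates=true: server certificate validation is skipped")

    auth = cfg["authentication_type"]
    if auth not in AUTH_TYPES:
        findings.append(f"authentication_type {auth!r} is not one of {AUTH_TYPES}")
    elif auth == "allow_basic_authentication":
        findings.append("authentication_type=allow_basic_authentication: password is stored for reuse")

    if cfg["allow_unmanaged_accounts"]:
        findings.append("allow_unmanaged_accounts=true: data in user-added Exchange accounts is uncontrolled")

    try:
        sync_window_start(cfg["default_sync_window"], datetime.now(timezone.utc))
    except ValueError as exc:
        findings.append(str(exc))

    return findings


# Constructed sample bundles: one with weak settings, one hardened.
WEAK_CONFIG = {
    "host": "corp.exchange.com:8080", "ssl_required": False,
    "trust_all_certificates": True,
    "authentication_type": "allow_basic_authentication",
    "allow_unmanaged_accounts": True,
    "email_address": "%emailaddress%", "username": "%username%",
}
HARDENED_CONFIG = {
    "host": "corp.exchange.com",  # port 443 implied; SSL flag then irrelevant
    "authentication_type": "allow_modern_authentication",
    "login_certificate_alias": "eas-user-cert",  # constructed alias
    "email_address": "%emailaddress%", "username": "%username%",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint(cfg) or ["no findings"])
```

Running the module prints four findings for the weak bundle and none for the hardened one; the defaults dictionary is what makes an unspecified trust_all_certificates or ssl_required evaluate the way Gmail will treat it.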
Configure mobile device mailbox policies
In 2019, Android 10 introduced changes to the way some Exchange ActiveSync (EAS) password policies are handled. These changes apply to all Android devices. The table below details how Exchange mobile device mailbox policy password settings are interpreted and applied by Android devices.
Exchange mobile device mailbox policy setting | Android password complexity level | Password requirements
---|---|---
Password enabled = false | None | No password requirements are configured.
Allow simple password = true; Min password length < 4 | Low | Password can be a pattern or a PIN with either repeating (4444) or ordered (1234, 4321, 2468) sequences.
Allow simple password = true; Min password length = 4 | Medium | Passwords that meet one of the following criteria:
Allow simple password = false; Alphanumeric password required = true; Min password length <= 4 | Medium | Same as above.
Allow simple password = true; Min password length > 4 | High | Passwords that meet one of the following criteria:
Allow simple password = false; Alphanumeric password required = true; Min password length > 4 | High | Same as above.
Policies supported by default
Android supports some EAS policies by default. As a result, the following EAS policies aren't directly configurable:
- Password expiration
- Password history
- Max password failed attempts
- Max inactivity time lock
- Require device encryption
Wipe a device remotely
If a wipe command is sent from Exchange Server, Gmail will remove the EAS account from the device (or work profile) rather than wiping the entire device (or work profile). If you have an EMM provider, you can wipe a device or a work profile in your EMM console.
What should my organization do to handle these changes?
You don't need to take any action. The changes to the way Gmail handles wipe commands and certain EAS password policies will not disrupt device functionality, though you may want to review your current device password policies to ensure they're suitable for your organization.