Google Apps Premier and Education editions allow companies to enforce security and policy controls over some ActiveSync-enabled mobile devices in the field
Google Apps Premier and Education editions now offer limited security and policy controls for some mobile devices, allowing companies standardised on Google’s mail services to enforce a little bit of control over devices in the field. While the scope of that control is extremely limited and doesn’t stack up well against complete mobile device management solutions, what is in there works adequately and the price is right.
While Google in 2009 introduced Google Apps Connector for BlackBerry Enterprise Server to allow BlackBerry smartphones to synchronise content between Google Apps and a BES implementation, the actual mobile device management was still performed via BES. But now, Google has turned the Exchange ActiveSync protocol on its head, using Microsoft’s technology not only to synchronise Android devices with an Exchange server but to allow other ActiveSync-enabled devices to synchronise with Gmail for mail, calendar and contacts delivery as well as a limited subset of device management capabilities.
Google’s MDM features come free as part of either Google Apps Premier or Education domains. For my tests, I upgraded our Google Apps Standard domain to Premier, which would cost $50 (£33) per user account (although I took advantage of Google’s free 30-day trial for Premier) and includes other features like increased mailbox size and an uptime guarantee.
Upgrading the domain unlocked new configuration options for Google Sync services. Whereas with a Standard domain I could only enable or disable Google Sync for mobile devices, with a Premier domain I could now restrict Google Sync access, extending support only to devices that support Exchange ActiveSync policy settings in addition to the standard email, contact and calendar content delivery.
I tested Google’s device management capabilities with a variety of ActiveSync-enabled handsets including an iPhone 3GS and an original iPod Touch, an HTC Fuze running Windows Mobile 6.1 and an HTC Pure running Windows Mobile 6.5, plus a Nokia N97 with Mail for Exchange installed.
Google’s device management capabilities are fairly limited. I found that I – as a Google Apps administrator – could define a few security parameters that would apply uniformly to every mobile device that syncs to the domain (provided I restricted sync services to ActiveSync policy-supporting devices). Specifically, I could define a policy that required users to create a device lock password on their smartphones and also defined the minimum length of the password and the inactivity timeout before the screen automatically locks. The only other requirement I could set was the password strength, and I could only select from two options here: standard (any characters) or strong (minimum one letter, one number and one punctuation mark each).
These complexity settings are uniform across all users, so I could not set different policies dictating more stringent requirements for certain user groups.
With those parameters set, upon each attempt to synchronise a device to a user account I was presented with a dialog box on the device screen prompting me to create a password. The device would not successfully synchronise the first time until a password meeting the complexity requirements was created on the device.
Devices joined to the Google domain prior to the upgrade to Premier were also forced to prompt users to create a passcode the next time they attempted to synchronise.
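The policy options described above can be modelled in a few lines to see what each strength setting actually accepts. This is an added example, not Google's code or part of the original review: the class, field and function names are hypothetical, the default values are constructed, and "punctuation mark" is assumed to mean the ASCII set in Python's `string.punctuation`.

```python
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class SyncPolicy:
    # Hypothetical field names mirroring the settings listed in the review.
    require_password: bool = True
    min_length: int = 6               # constructed sample value
    strength: str = "strong"          # "standard" (any characters) or "strong"
    lock_timeout_min: int = 5         # enforced on the handset, not checked here
    policy_devices_only: bool = True  # restrict sync to policy-capable devices

def passcode_violations(policy, passcode):
    """Return the reasons a passcode fails the single domain-wide policy."""
    if not policy.require_password:
        return []
    if not passcode:
        return ["no device lock password set"]
    problems = []
    if len(passcode) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.strength == "strong":
        # "Strong" needs at least one letter, one number and one punctuation mark.
        classes = {
            "letter": any(c.isalpha() for c in passcode),
            "number": any(c.isdigit() for c in passcode),
            "punctuation mark": any(c in string.punctuation for c in passcode),
        }
        problems += [f"missing a {name}" for name, ok in classes.items() if not ok]
    return problems

def sync_decision(policy, supports_policy, passcode):
    """Model the first-sync behaviour: refuse, block until fixed, or allow."""
    if policy.policy_devices_only and not supports_policy:
        return "refused: device cannot enforce ActiveSync policy"
    problems = passcode_violations(policy, passcode)
    if problems:
        return "blocked until passcode fixed: " + "; ".join(problems)
    return "sync allowed"

if __name__ == "__main__":
    # Constructed sample devices: (label, supports policy, passcode).
    samples = [("A", True, "111111"), ("B", True, "pa55-word"), ("C", False, "pa55-word")]
    for strength in ("standard", "strong"):
        policy = SyncPolicy(strength=strength)
        for label, supports, code in samples:
            print(strength, label, "->", sync_decision(policy, supports, code))
```

Under the "standard" setting a passcode such as `111111` satisfies the policy, so the minimum length is the only real control an administrator has at that strength level.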