Using ActiveSync or BlackBerry you can give users the ability to sync the content of their mailbox to their mobile device. When BYOD is introduced in a company, you might see an explosion in the number of ActiveSync/BlackBerry devices that connect to your Exchange environment.

So before allowing BYOD mobile devices you should do some investigation. There are two parameters which will be affected:

  • IOPS
  • Megacycles

IOPS

Let’s start with looking at the impact a mobile device has on the IOPS Exchange needs to deliver.

Both ActiveSync and BlackBerry devices will generate additional IOPS per device. RIM published a document which describes the impact on the IOPS, which depends on the mailbox profile.

Email messages sent or received per mailbox per day | Estimated IOPS per BlackBerry device
50 | 0.06
100 | 0.12
150 | 0.18
200 | 0.24
250 | 0.30
300 | 0.35

The numbers above apply to an active mailbox copy (DAG) or a standalone mailbox copy. The strange thing, though, is that the HP Sizer for Microsoft Exchange Server 2010 multiplies the needed IOPS by 2. So it looks like HP built in some reserve or is using values from an earlier Performance Bench Guide from RIM, because RIM has since made some improvements which dramatically decrease the needed IOPS.

I’ve searched for a table which describes the needed IOPS for ActiveSync devices but as far as I know Microsoft did not publish one. When looking at the available sizing tools, for example the HP Sizer for Microsoft Exchange Server 2010, you will see that it multiplies the amount of IOPS by 2. The Exchange 2010 Mailbox Role Requirements calculator does not provide an easy option like the HP Sizer does, but it does have an option to use a multiplication factor to influence the needed IOPS.

Megacycles

As discussed before, the second parameter is the amount of megacycles needed. In the document mentioned earlier RIM also published the megacycles needed per BlackBerry device.

Email messages sent or received per mailbox per day | Estimated megacycles per BlackBerry device
50 | 1.5
100 | 3.0
150 | 4.5
200 | 6.0
250 | 7.5
300 | 9.0

As you can see, the needed megacycles depend on the amount of messages sent/received per day. Compared to the IOPS it has a greater impact. RIM does mention in their document that if you use the sizing recommendations of Microsoft it shouldn’t have a big impact on the CAS servers. The recommendations RIM points to can be found on this page.

Microsoft also performed some tests to see the impact on the megacycles when ActiveSync is used. In this case they only tested with a specific user mailbox profile.

Exchange role | Client Access | Hub Transport | Mailbox
CPU (MHz/user) | 1,60 | 0,22 | 1,25

As you can see, Microsoft divided it per Exchange role. If you use the Exchange 2010 Mailbox Role Requirements calculator you will need the value listed in the Mailbox column, and use the megacycles multiplication factor to increase the megacycles by an additional 1,25 megacycles per mailbox.

What if users will use multiple mobile devices?

Well the answer is quite easy although it is hard to estimate in advance how many users will use multiple devices. When allowing BYOD mobile devices people may use both their mobile phone and their tablet to sync their mailbox content. But it is not limited to two devices.

Throttling policy

Exchange 2010 will allow a maximum of 10 devices which sync via ActiveSync per user. So in the worst case users can set up 10 device partnerships with your Exchange environment.

The 10 devices limit may be a little bit high. 3 or 4 devices is a reasonable amount. But what if you want to limit the maximum allowed ActiveSync devices per user?

If you want to limit the amount of ActiveSync devices per user you will need to modify the throttling policy settings. Depending on your environment you might decide to create additional throttling policies which will allow more ActiveSync devices for example for the management.

To modify the throttling policy you will need to use the Exchange Management Shell (EMS). The output below is the result of the Get-ThrottlingPolicy:

As you can see the EASMaxDevices is the parameter which will need to be modified to limit the amount of ActiveSync devices which can be used.

To do this you will need to run the Set-ThrottlingPolicy cmdlet:

Set-ThrottlingPolicy Default* -EASMaxDevices 1

The example above will limit the maximum amount of ActiveSync devices to one per user.
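The separate policy for management mentioned above can be created in the same shell session. This is an added example, not part of the original post; the limits of 3 and 5, the policy name "EAS-Management" and the distribution group "Management" are assumptions to adapt to your environment.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Assumed names: policy "EAS-Management", distribution group "Management".
$defaultLimit    = 3
$managementLimit = 5

# Select the default policy through its IsDefault flag and set the general limit.
Get-ThrottlingPolicy | Where-Object { $_.IsDefault } |
    Set-ThrottlingPolicy -EASMaxDevices $defaultLimit

# Separate policy with a higher device limit, assigned per mailbox.
New-ThrottlingPolicy -Name "EAS-Management" -EASMaxDevices $managementLimit
Get-DistributionGroupMember -Identity "Management" |
    Where-Object { $_.RecipientType -eq "UserMailbox" } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -ThrottlingPolicy "EAS-Management" }

# Confirm what each policy now allows.
Get-ThrottlingPolicy | Format-Table Name, IsDefault, EASMaxDevices -AutoSize

# List mailboxes that already hold more partnerships than the general limit,
# so they can be reviewed with the user.
Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity)
        if ($devices.Count -gt $defaultLimit) {
            New-Object PSObject -Property @{
                Mailbox = $_.Name
                Devices = $devices.Count
                Types   = ($devices | ForEach-Object { $_.DeviceType }) -join ", "
            }
        }
    }
```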

Quarantine new devices

By default new users will be allowed to connect to Exchange using ActiveSync. Excluded are users who are members of a protected group such as administrators. To prevent this you can set the action to quarantine new devices.

Using this option all new devices will be placed in quarantine till an administrator approves the device.

There are two ways to place a device in quarantine:

  • Create a rule for each family
  • Modify the default

Create a rule for each family:

The option can be found in the Exchange Control Panel (ECP) in the Phone & Voice section:

On the ActiveSync Access page scroll down till you see the Device Access Rules and click on New to create a new rule:

Using the Browse buttons, select a family and/or model and select the Quarantine – Let me decide to block or allow later option.

Unknown devices

The disadvantage of the rule per family is that not all devices may hit this rule. In this case the default settings are used. These can be changed by pressing the Edit button on top of the page:

This will bring up a new window which gives you the following options:

  • What is the default action taken when an unknown device tries to connect
  • Which user or distribution group must be notified when an unknown device is quarantined
  • Which text needs to be sent to the user who tries to connect with an unknown device
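The same quarantine settings can be applied and reviewed from the Exchange Management Shell. This is an added example, not part of the original post; the notification address, the user text, the "iPad" device type, the mailbox "jdoe" and the device ID are placeholders.

```powershell
# Run in the Exchange Management Shell.
# Assumed values: address, message text, device type, mailbox and device ID
# below are placeholders, not values from the original post.

# Default action for devices that match no rule: quarantine, notify an
# administrator, and add a text to the mail the user receives.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admins@example.com" `
    -UserMailInsert "Your device is waiting for approval by the service desk."

# Rule for one device family (the shell equivalent of a Device Access Rule).
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString "iPad" -AccessLevel Quarantine

# Review the rules and the organization default that are now in effect.
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel, AdminMailRecipients

# Show what is currently held in quarantine, oldest first.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Sort-Object FirstSyncTime |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime -AutoSize

# After review, allow one specific device for one mailbox.
Set-CASMailbox -Identity "jdoe" -ActiveSyncAllowedDeviceIDs @{ Add = "<DeviceId from the list above>" }
```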

How about BlackBerry, can this be limited also?

Well, in most organizations a BlackBerry Express/Enterprise server is installed which is connected to Exchange. Since the BlackBerry server doesn’t use ActiveSync to sync, the EASMaxDevices value changed earlier doesn’t have any effect.

A user will need an activation password to connect their device to the BES environment. Administrators will have the option to configure the time a password is valid using the password expiration. Since the password is only valid to activate one device it will prevent the user from connecting multiple devices. If they want to connect another device they will need to ask their administrator for another activation code.

Monitoring the ActiveSync usage

When allowing BYOD mobile devices to sync with your Exchange environment it might be useful to perform some kind of monitoring. Using the monitoring features you can see how many ActiveSync devices are syncing with your Exchange environment.

Since the mobile devices will connect to an HTTPS service offered by the CAS most things are logged in the IIS logs.

By default all Exchange related HTTP/HTTPS traffic is logged in the same IIS log. This will cause ActiveSync, EWS, OWA and PowerShell traffic to be logged in the same IIS log.

The cause of this is that the default setting is to only have one log file per site:

Since all virtual directories of Exchange are created in the Default Web Site by default, this setting will be applied to these virtual directories too. So reading the log is a little bit difficult, although it is possible.

To filter out only the ActiveSync related entries you will have to use the Export-ActiveSyncLog cmdlet, for example:

Export-ActiveSyncLog -FileName "C:\Windows\System32\LogFiles\W3SVC1\ex12607.log" -UseGMT:$true -OutputPath "C:\ActiveSync Report"

This will create a separate file containing only the ActiveSync related entries. The example above will only work for one log. If you want to search all the logs for ActiveSync use this:

Get-ChildItem "C:\Windows\System32\LogFiles\W3SVC1" | Export-ActiveSyncLog -UseGMT:$true -OutputPath "C:\Temp\EASReports"
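To show what can be read from the raw IIS log itself, the following added example (not part of the original post) parses W3C log lines, keeps only authenticated requests to the ActiveSync virtual directory and counts distinct device IDs per user. The sample lines, user names, device IDs, the field layout and the limit of 2 are constructed for illustration; it uses only syntax available in PowerShell 2.0.

```powershell
# Constructed sample lines in IIS W3C extended format (not real traffic).
$sample = @'
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2012-03-01 08:00:01 POST /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=DEVA1&DeviceType=iPhone&Cmd=Sync CONTOSO\alice 192.0.2.10 200
2012-03-01 08:00:05 POST /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=DEVA2&DeviceType=iPad&Cmd=Ping CONTOSO\alice 192.0.2.11 200
2012-03-01 08:01:10 POST /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=DEVA3&DeviceType=Android&Cmd=Sync CONTOSO\alice 192.0.2.12 200
2012-03-01 08:01:12 GET /owa/ - CONTOSO\bob 192.0.2.20 200
2012-03-01 08:02:00 POST /Microsoft-Server-ActiveSync/default.eas User=bob&DeviceId=DEVB1&DeviceType=iPhone&Cmd=Sync CONTOSO\bob 192.0.2.20 200
2012-03-01 08:02:03 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=carol&DeviceId=DEVC1&DeviceType=WP - 192.0.2.30 401
'@ -split "`r?`n"

function Get-EasDevicesPerUser {
    param([string[]]$Lines, [int]$MaxDevices = 2)
    $fields = @()
    $seen   = @{}    # user -> (DeviceId -> DeviceType)
    foreach ($line in $Lines) {
        # The #Fields header defines the column order for the lines that follow.
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^#' -or -not $line.Trim()) { continue }
        $cols = $line.Trim() -split ' '
        if ($cols.Count -ne $fields.Count) { continue }       # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }
        if ($row['cs-username'] -eq '-') { continue }         # unauthenticated request
        $query = @{}
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $name, $value = $pair -split '=', 2
            $query[$name] = $value
        }
        if (-not $query['DeviceId']) { continue }
        $user = $row['cs-username'].ToLower()
        if (-not $seen.ContainsKey($user)) { $seen[$user] = @{} }
        $seen[$user][$query['DeviceId']] = $query['DeviceType']
    }
    foreach ($user in ($seen.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            User      = $user
            Devices   = $seen[$user].Count
            Types     = ($seen[$user].Values | Sort-Object -Unique) -join ','
            OverLimit = ($seen[$user].Count -gt $MaxDevices)
        }
    }
}

Get-EasDevicesPerUser -Lines $sample -MaxDevices 2 |
    Select-Object User, Devices, Types, OverLimit | Format-Table -AutoSize
```

For a real log, pass the output of Get-Content on the log file as -Lines instead of the sample.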

There are some useful scripts that can be found on the internet to perform some additional actions on the logs:

Here ends my blog about the impact BYOD mobile devices can have on your Exchange environment. More information about the specific cmdlets can be found on the following sites:

TechNet: Export-ActiveSyncLog

TechNet: Set-ThrottlingPolicy




Johan Veldhuis