Google Apps Premier and Education editions offer limited security and policy controls over some ActiveSync-enabled mobile devices, allowing companies that standardize on Google's mail services to enforce a little bit of control over devices in the field. The management control is limited in scope and function, but it works adequately and the features are available for free.
Google Apps Premier and Education editions now offer limited security and
policy controls for some mobile devices, allowing companies standardized on
Google's mail services to enforce a little bit of control over devices in the
field. While the scope of that control is extremely limited and doesn't stack
up well against complete mobile device management solutions, what is in there
works adequately and the price is right.
While Google in 2009 introduced Google Apps Connector for BlackBerry
Enterprise Server to allow BlackBerry smartphones to synchronize content
between Google Apps and a BES implementation, the actual mobile device
management was still performed via BES. But now, Google has turned the Exchange
ActiveSync protocol on its head, utilizing Microsoft's technology not only to
synchronize Android devices with an Exchange server but to allow other ActiveSync-enabled
devices to synchronize with Gmail for mail, calendar and contacts delivery as
well as a limited subset of device management capabilities.
For a look at Google Apps Premier's mobile device management features, click here.
Google's MDM features come free as part of either Google Apps Premier or
Education domains. For my tests, I upgraded our Google Apps Standard domain to
Premier, which would cost $50 per user account (although I took advantage of
Google's free 30-day trial for Premier) and includes other features like increased
mailbox size and an uptime guarantee.
Upgrading the domain unlocked new configuration options for Google Sync
services. Whereas with a Standard domain I could only enable or disable
GoogleSync for mobile devices, with a Premier domain I could now restrict
Google Sync access, extending support only to devices that support Exchange
ActiveSync policy settings in addition to the standard e-mail, contact and
calendar content delivery.
I tested Google's device management capabilities with a variety of
ActiveSync-enabled handsets including an iPhone 3GS and an original iPod Touch,
an HTC Fuze running Windows Mobile 6.1 and
an HTC Pure running Windows 6.5, plus a
Nokia N97 with Mail for Exchange installed.
Google's device management capabilities are fairly limited. I found that I-as
a Google Apps administrator-could define a few security parameters that would
apply uniformly to every mobile device that syncs to the domain (provided I
restricted sync services to ActiveSync policy-supporting devices).
Specifically, I could define a policy that required users to create a device
lock password on their smartphones and also defined the minimum length of the
password and the inactivity timeout before the screen automatically locks. The
only other requirement I could set was the password strength, and I could only
select from two options here: standard (any characters) or strong (minimum one
letter, one number and one punctuation mark each).
These complexity settings are uniform across all users, so I could not set
different policies dictating more stringent requirements for certain user
With those parameters set, upon each attempt to synchronize a device to a
user account I was presented with a dialog box on the device screen prompting
me to create a password. The device would not successfully synchronize the first
time until a password meeting the complexity requirements was created on the
Devices joined to the Google domain prior to the upgrade to Premier were
also forced to prompt users to create a passcode the next time they attempted