Zimbra Mobile provides over-the-air synchronization of mail, contacts, calendar and task data and device security policy enforcement between the mobile device and an account on the mailbox server.
|
Note
|
Zimbra also has the Touch Client available. For more information, go to https://www.zimbra.com for the latest revision of this guide and see the Zimbra Web Client User Guide. |
The ActiveSync protocol is used to configure and sync the Zimbra mailbox server with the native client that is used on a user’s device.
Zimbra Mobile is compatible with iPhone, iPod Touch, Windows Mobile 5 (WM5), and 6 (WM6) devices, and many other phones that support the ActiveSync protocol.
The administrator can configure mobile security policies to enforce security rules on compliant mobile devices that sync with {product-name} accounts.
The following features can be configured to enhance the security of mobile devices.
-
Remote wipe to erase all data from the device if the mobile device is lost or stolen.
-
Device password policies to set up strong password enforcement including minimum password length, inactivity time, enforce password history, and wipe device after configured failed sign in attempts
-
S/MIME encryption policies to enable S/MIME usage and set the policies for sending and signing encrypted messages.
In addition, you can manage the following device usage options.
-
Sync settings for past calendar and email items, message size, formatting.
-
Device settings, such as cameras, desktop sync, bluetooth, use of removable storage can be disabled.
|
Note
|
Only WM6 devices and IPhones support security policies set by the server. Older devices do not respond to security policies. |
You can manage mobile device policies from the Administration Console as a Class of Service or for individual accounts.
- Admin Console:
-
Home > Configure > Class of Service → COS → Mobile Access → General
Home > Manage > Accounts → account → Mobile Access → General-
To set mobile policies for an Account or COS, open the desired object and select Mobile Access in the left hand pane.
-
To enable mobile devices to sync to {product-abbrev}, check General → Enable Mobile Sync.
-
To set up mobile security policies that enforce security rules, check General → Enable Mobile Policy.
-
Configure other desired settings. See Mobile Device Security Policies for a description of the settings you can configure.
-
Click Save.
-
The following attributes can be configured from the Administration Console to establish mobile policies.
| Setting | Description |
|---|---|
General |
|
Enable Mobile Sync |
In order for mobile devices to sync to {product-name} Server, Enable Mobile Sync must be checked. Users have two-way, over the air synchronization of mail, contacts, and calendar data between mobile devices and the Zimbra server. |
Enable Mobile Policy |
Check this box to set up mobile security policies that enforce security rules on compliant mobile devices. You can enforce general security policies including password rules and set up local wipe capability on compliant devices. After the mobile policy is set up, the next time a mobile device sends a request to the server, mobile devices that are capable of enforcing security policies automatically set up the rules you implement and immediately enforces them. |
Allow non-provisionable devices |
If this is enabled, old devices that do not support device security policy enforcement can still access the server. |
Allow partial policy enforcement on device |
If a device does not acknowledges all policies that are downloaded, {product-abbrev} still allows the device to continue downloading messages. |
Refresh Interval (hours) |
Specifies the amount of time in minutes before {product-abbrev} enforces the policy
refresh on the device by sending "449 Retry after Provision" response to
Sync request. |
Password Settings |
|
Require password |
User must create a password on the mobile device. |
Minimum password length |
Minimum number of characters for the password. Default is 4. The maximum length is 16 characters. |
Require alphanumeric password |
Requires that the password include both numeric and alpha characters. |
Minimum complex characters required |
Minimum number of complex characters that must be in the password. This is any character that is not a letter. Default is 0 (none). |
Allow simple password |
Simple passwords can be created. A simple device password is a password that has a specific pattern, such as 2468, 1111. Not enabled by default. |
Enable password recovery |
Device password is stored n the server and can be recovered. Enabled by default. |
Allow device encryption |
If enabled, device encryption is enabled on the mobile phone. Enabled by default |
Require device encryption |
If enabled, encryption must be implement on the device to synchronize with the server. Not enabled by default. |
Password re-entry required after inactivity (min) |
Length of time the device remains inactive before the password must be entered to reactivate the device. Default is 15 minutes. |
Failed attempts allowed |
Specifies the number of failed log in attempts to the device before the device automatically initiates a local wipe. The device does not need to contact the server for this to happen. Default is 4. |
Expiration (days) |
Length of time in days that a password can be used. After this number of days, a new password must be created. Default is 0, the password does not expire. |
Passwords stored to prevent reuse |
Number of unique passwords that a user must create before an old password can be used. Default is 8. |
S/MIME Settings |
|
Enable S/MIME public key encryption and signing |
In order to use S/MIME encryption on a mobile device this must be checked. The S/MIME feature must also be enabled in the COS Features page. |
Require device to send signed messages |
Device must send signed S/MIME messages. Not enabled by default. |
Require S/MIME algorithm for signing |
Algorithm must be used when signing a message. Not enabled by default. |
Require device to send encrypted messages |
Specifies whether S/MIME messages must be encrypted. Not enabled by default. |
Require S/MIME algorithm for encrypting |
A required algorithm must be used when signing a message. Not enabled by default. |
Algorithm negotiation |
How a messaging application on the device can negotiate the encryption algorithm if a recipient’s certificate does not support the specified encryption algorithm. Select from Block Negotiation; Strong Algorithm Only, or Allow Any Algorithm. Default is Allow Any Algorithm. |
Allow S/MIME software certificates |
Allow S/MIME software certificates. Default is to allow. |
Sync Settings |
|
Past calendar items sync’d |
Maximum range of calendar days that can be synchronized to the device. Default is two weeks. |
Past email items sync’d |
Maximum number of days of email items to synchronize to the device. Default is 3 days. |
Limit plain text message size (KB) |
Maximum size at which email messages are truncated when synchronized to the device. Default is to not set a maximum size. |
Allow direct push while roaming |
Mobile device must synchronize manually while roaming. Default is not to. |
Allow HTML formatted messages |
Enables HTML email on the device. If this is disabled, all email is converted to plain text before synchronization occurs. Default is to enable HTML formatting. |
Limit HTML message size (KB) |
Maximum size at which HTML-formatted email messages are synchronized to the devices. The value is specified in KB. Default is to not set a maximum size. |
Device Settings |
|
Allow removable storage |
Mobile device can access information stored on a storage card. Default is TRUE. |
Allow camera |
Specifies that the camera on the device can be used. Default is TRUE. |
Allow Wi-Fi |
Specifies that wireless Internet access is allowed on the device. Default is TRUE. |
Allow Infrared |
Specifies that an infrared connection is allowed on the device. Default is TRUE. |
Allow sharing |
Specifies that the mobile device can be used as a modem to connect a computer to the Internet. Default is TRUE. |
Allow remote desktop |
Specifies that the mobile device can initiate a remote desktop connection. Default is TRUE. |
Allow desktop sync |
Specifies that the mobile device can synchronize with a desktop computer through a cable. Default is TRUE. |
Allow bluetooth |
By default Bluetooth capabilities are allowed on the device. Select from Allow, Disable, Hands-Free Only. |
Device Applications |
|
Allow browser |
Microsoft® Pocket Internet Explorer is allowed on the mobile device by default. This does not affect third-party browsers. |
Allow consumer mail |
Users can configure a personal email account on the mobile device. This parameter does not control access to emails using third-party mobile device email programs. |
Allow POP or IMAP mail |
Users can configure a POP3 or IMAP4 email account on the device. This parameter doe not control access by third-party email programs. |
Allow text messaging |
Allow users to use text messaging on the device. |
Allow unsigned applications |
Allows unsigned applications to be used on the device. |
Allow unsigned install packages |
Allows unsigned installation packages on the device. |
Approved Application Lists |
|
Approved Applications |
This setting stores a list of approved applications that can be run on the mobile device. |
Blocked Applications |
This setting specifies a list of applications that cannot be run. |
After the mobile policy is set up, the next time a mobile device sends a request to the server, mobile devices that are capable of enforcing security policies automatically set up the rules and immediately enforces them.
For example, if a password has not been set up on the device or the password is not as strong as required by the mobile policy, the user must fix the password before syncing with the server. Once the server confirms that the policy is enforced on the mobile device, the device can sync.
If a mobile device is lost or stolen, the device is protected by the following policy rules:
-
When the Password re-entry required after inactivity (min) is configured, after the number of minutes configured, the device is locked. To unlock the device, users must re enter their password.
-
When the Failure attempts allowed is configured, after the password is entered incorrectly more than the specified number of times, a locally (generated by the device) initiated wipe of the device is performed. This erases all data on the device.
In addition to the rules set up from the Administration Console to perform a local device wipe, users can initiate a remote wipe from their ZWC account to erase all data on lost, stolen, or retired devices.
{product-abbrev} supports the Autodiscover service so that users can provision mobile devices for their Zimbra accounts without having to know the server settings. Autodiscover returns the required server settings after users enter their email address and password.
Autodiscover is enabled by default. For autodiscover to work, you must configure a valid SSL certificate from a certification authority.
The recommended type of certificate to use is a Unified Communications Certificate or UCC. This certificate lets you add multiple host names in the Subject Alternative Name field. For autodiscover to work, the Subject Alternative Name field must include the hostnames users are connecting to.
You must have a valid domain name service (DNS SRV record) for
autodiscover.<domain>.com so that the client devices can locate and
connect to the autodiscover service.
Use the Install Certificates wizard on the Administration Console to generate the certificate signing request and to install the signed certificate when received. Unified Communications Certificates can be issued by many certification authorities.
When you complete the request you must have a valid domain name service
(DNS SRV record) for autodiscover.<domain>.com. Configure the Subject
Alternative Name (SAN) field with the valid domain names that you use.
Thealternative name should include the domain
autodiscover.<company>.com. Include all the domain names required for
your environment in the Subject Alternative Name field.
|
Note
|
Make sure that the web server mode is https, both, redirect, or mixed as the autodiscover and other communications from devices is HTTPS. |
Mobile sync is enabled either in the COS profiles for the account or on individual accounts. In most cases, no additional plug-ins are required.
Users might need to configure the following on their in the mobile device to sync to their Zimbra account if they don’t have auto discover.
-
Server name (address) — Enter the fully qualified host name of the user’s{product-name} mailbox server.
-
User name — Enter the user’s primary {product-name} account name.
-
Domain — Enter the user’s {product-name} domain name (DNS).
-
SSL certificate — the server might have to be added to the device as trusted if TLS is used when the certification is self-signed.
Users can sync their {product-abbrev} account to their mobile device. They can send email, create appointments, and add contacts to their address book.
For details about specific device setup, see the Mobile Device Setup pages on the Zimbra Wiki.
If a mobile device is locked by the {product-name} mobile password policy, the PIN requirement must be removed to resync the device.
- Admin Console:
-
Home > Manage > Accounts → account → Mobile Access
-
Open the user account to be modified.
-
On the Mobile Access page, uncheck Force pin on device.
-
After the password policy has been disabled, the user must resync the device:
-
If the device is a WM6 device, the user syncs to the account. After the sync has completed, instruct the user to go to the Lock setting on the device and turn off the device PIN.
-
If the device is an iPhone/iPod Touch 3.0 or above, the user syncs to the account. After the sync, instruct the user to go to the Settings > General properties and turn off Passcode Lock.
-
-
|
Note
|
If the iPhone/iPod Touch is prior to 3.0, there is an Apple software bug that prevents downloading new device policies to take effect. The user must delete the {product-name} account from the iPhone/iPod Touch, turn the PIN off, and then re-setup sync with the {product-name}. Because the password requirement was turned off, a PIN is not asked for. |
Users can directly manage the following device functions.
-
Perform a remote wipe of a device.
If a mobile device is lost, stolen, or no longer being used, users can initiate a remote wipe from their ZWC account to erase all data from the mobile device. The device is returned to its original factory settings.
-
Suspend a sync that has been initiated from the mobile device and resume the sync to the device.
-
Delete the device from their list.
If a device is deleted from the list and the device attempts to sync after that, the server forces the device to fetch the the policy again on the next sync.