White Paper: Anytime, anywhere secure email access with Samsung mobile devices

Helping business users increase efficiency with best-in-class email and PIMS


Contents

Executive summary
Introduction
Protect corporate data and information by enabling anytime, anywhere secure access
Get the most from Exchange Server and Office 365 with a comprehensive mobile implementation of Exchange ActiveSync
Provide device management and provisioning with Exchange Server and Office 365 features and policies
Use case: Using basic device management
Increase users’ productivity by improving the user experience with new features
Appendix
Appendix 1: Comparing Exchange ActiveSync implementations
Appendix 2: Samsung security features for email
Appendix 3: Supported feature and policy lists by Exchange Server version
Appendix 4: Supported Exchange ActiveSync Feature and Policy Descriptions
Acronyms
References and links

Legal disclaimer

This material is intended only for SAMSUNG’s customers and provided for information purpose only. Nothing in this material shall be construed as an advertisement of SAMSUNG’s products and services. The contents in this material are delivered on an “as-is” basis, and SAMSUNG does not warrant that the products, services, features and contents set forth in this material will be error-free. SAMSUNG disclaims all warranties, express or implied, including any warranties of accuracy, completeness and non-infringement. Samsung further disclaims any and all liability for the acts, omissions and conduct of any third party in connection with the use of this material. Samsung reserves the right to make changes to its products and services and the contents of this material at any time, without prior notice.

Please do not i) disseminate this material to third parties, or ii) use this material for your own advertisement purpose.


Executive summary

CIOs and IT professionals recognize that business users increasingly rely on personal smartphones and tablets to do their work—both on the job and during off-hours. Recent studies show that email is the most widely used mobile client application in businesses and users increasingly expect the same level of features and functionality that they get on their PCs. The challenge for IT is how to improve the user experience while protecting corporate data. Just as the huge Bring-Your-Own-Device (BYOD) and Corporate-Owned-Personally-Enabled (COPE) device trends represent potential business productivity gains, use of personal devices can also expose enterprises to security risks.

Samsung smartphones and tablets are designed to meet enterprise productivity and security needs in today’s increasingly mobile business environment. Samsung offers best-in-class email and Personal Information Management Services (PIMS) applications for Microsoft Exchange Server and Office 365 Exchange infrastructures by building on Microsoft Exchange ActiveSync (EAS) protocols.

Security. The Samsung KNOX platform provides robust mobile security options for devices, which can be configured specifically for business use. Organizations can support email encryption and signing, Sensitive Data Protection in the KNOX Workspace container, and content management via EAS in email and PIMS.

Comprehensive EAS implementation. Samsung delivers one of the most comprehensive sets of features and policies for email and PIMS mobile applications available to enterprise users.

Simple device management. Samsung mobile devices are a good option for enterprises that have Exchange Server or Office 365 Exchange licenses and need security and basic Mobile Device Management (MDM). EAS can be easily configured to perform basic MDM functions for Samsung mobile devices.

Superb user experience. Samsung devices are perfectly suited for business environments. With a user experience that matches or exceeds industry-leading email interface functionality, Samsung smartphones and tablets can help users increase productivity.

With this finely-tuned set of features and functionality, Samsung email can help improve employees’ work efficiency, enable IT to perform basic device management and provisioning, and give enterprises the assurance they need in the growing mobile environment.

Samsung’s enhanced email and PIMS features work seamlessly with Samsung KNOX security protection, MDM solutions, and Microsoft EAS to increase users’ productivity on mobile devices and maintain security. Samsung’s defense-grade mobile security platform built into its Galaxy devices protects corporate data and information.

As a result, IT can:

• Protect corporate data and information by enabling anytime, anywhere secure access.

• Take advantage of Samsung’s comprehensive mobile implementation of EAS for Exchange Server and Office 365 Exchange infrastructures.

• Provide device management and provisioning with Exchange Server and Office 365 Exchange features and policies.

• Increase users’ productivity by improving the user experience.

Note: This whitepaper covers the Exchange ActiveSync features, policies, and user experience with Samsung Galaxy S6 phones running Android 5.0. Samsung smartphones and tablets running Android 4.1 and higher support Exchange ActiveSync features and policies, which can be configured for each model and Android OS version.


Introduction

Business users expect their mobile devices to deliver the same rich email, contacts, and calendar experience as a PC. But enterprises need to make sure all the data moving across mobile devices stays secure. With powerful smartphones and tablets, Samsung delivers mobile solutions that protect enterprise data and keep mobile workers productive.

A 2015 study by IDC showed that email is the most widely used mobile client application in businesses. Tablet users in 65 percent of U.S. small businesses and in 71 percent of U.S. medium-size businesses use mobile email, according to the IDC survey. In fact, email is the most popular business application on tablets, with more than twice the usage when compared to applications for productivity, financial management, and Enterprise Resource Planning (ERP).

Email on smartphones is also more widely used than other business applications in both small and medium-size organizations. The same IDC survey showed that 66 percent of U.S. small business workers and 68 percent of U.S. medium business workers access mobile email applications on smartphones [1]. A similar survey by Strategy Analytics in 2014 showcased the value of corporate email, finding that business use of email on smartphones has surpassed voice calls. Personal Information Management Services (PIMS), such as calendaring and scheduling applications, are also valued. According to the Strategy Analytics survey, 34.5 percent of business smartphone users and 24.4 percent of business tablet users regularly access these applications, while 25.4 percent of smartphone users and 22.1 percent of business tablet users take advantage of contact management applications [2].

Mobile security

The advent of smartphones and tablets has meant round-the-clock access to business email, making it easier for employees to respond to work-related demands anytime, anywhere. While enterprise employees enjoy the freedom and productivity that comes from always being connected, IT administrators have to deal with the added complexity of protecting corporate intellectual property on mobile devices that may or may not be corporate owned and controlled.

This challenge has become a mission-critical imperative for IT regardless of industry or organization size. Most are adopting Bring-Your-Own-Device (BYOD) and Corporate-Owned-Personally-Enabled (COPE) device policies that give them the measure of control they need. But while BYOD and COPE are a growing trend, a recent Gartner report [3] found that many CIOs doubt the effectiveness of security measures that are currently in place. Indeed, security is the most important factor when enterprise decision makers are determining which mobility solution to adopt, according to another IDC study [4].

The Samsung KNOX platform helps address these security concerns, providing robust mobile security options for Android-enabled mobile devices. Samsung enterprise-ready devices meet rigorous security criteria and are configured specifically for business use, providing features such as email encryption and signing, Sensitive Data Protection (SDP) with Samsung KNOX Workspace, and content management for email and PIMS using Exchange ActiveSync.

[1] 2015 U.S. Small and Medium Business (SMB) Mobile Application Usage Survey: How Industry Apps and Tablets Drive SMB Productivity, IDC, April, 2015.

[2] The State of the Business Mobility Market: Key Findings from the 2014 Mobile Workforce Strategies Survey, Strategy Analytics, December, 2014.

[3] Nick Jones, “CIO Attitudes Toward Consumerization of Mobile Devices and Applications,” Gartner, Inc., May 25, 2011. Cited in the Samsung report, “Samsung Mobile Security: Offering Enhanced Core Capabilities for Enterprise Mobility.”

[4] The State of Mobile Enterprise Software in 2014: An IDC Survey of Applications, Platforms, Decisions, and Deployments, IDC, June, 2014.


Microsoft Exchange ActiveSync implementation and reinforcement

Microsoft Exchange is by far the most widely used business email system. It’s not surprising then, that Microsoft Exchange ActiveSync is one of the most widely used methods for managing mobile email. According to a 2014 IDC survey, 53.2 percent of respondents say their organizations use Exchange ActiveSync [5].

Samsung mobile devices support and reinforce the standard Microsoft Exchange ActiveSync protocol by providing enhanced features and policies, ensuring they are perfectly suited for business environments. With a user experience that matches or exceeds industry-leading email interface functionality, Samsung mobile devices help users increase productivity.

Samsung’s enhanced email and PIMS features work seamlessly with Samsung KNOX security protection, Mobile Device Management (MDM) solutions, and Microsoft Exchange ActiveSync to increase users’ productivity on Samsung Galaxy mobile devices and maintain security.

As a result, IT can:

• Protect corporate data and information by enabling anytime, anywhere secure access.

• Take advantage of Samsung’s comprehensive mobile implementation of Exchange ActiveSync with Exchange Server and Office 365 Exchange.

• Provide device management and provisioning with Exchange Server and Office 365 Exchange features and policies.

• Increase users’ productivity by improving the user experience.

[5] The State of Mobile Enterprise Software in 2014: An IDC Survey of Applications, Platforms, Decisions, and Deployments, IDC, June, 2014.


Protect corporate data and information by enabling anytime, anywhere secure access

To meet the need for secure mobile email and to make it safer and easier to do business, Samsung has strengthened its security capabilities and enhanced the user experience. Samsung’s essential security technologies ensure that email and PIMS on Samsung mobile devices meet enterprise requirements.

Samsung designed its mobile device platform’s email and PIMS functionality to provide a high level of security, full implementation capabilities with Exchange ActiveSync, and improved user experience.

Table 1 summarizes Samsung’s comprehensive security features.

Table 1: Samsung security features

Columns: Security Capability; Implemented with

Email encryption and certificate signing
Enforces encryption and protects encrypted communications between Exchange Server/Microsoft Office 365 and mobile clients.
Implemented with: Key encryption and digital signing through:
• Pretty Good Privacy
• Secure/Multipurpose Internet Mail Extensions (S/MIME)

Sensitive Data Protection (SDP)*, available with KNOX Workspace and My KNOX
Protects email and attachments from hacking.
Implemented with: “Sensitive” designation provides additional security:
• SDP Chamber directory automatically marks files as sensitive
• Remains encrypted while Workspace is locked
  o Recoverable only if user enters Workspace password, PIN, or pattern.
  o Recover by using Mobile Device Management (MDM) to unlock data to prevent total data loss if users forget passwords.

SmartCard Framework* on the KNOX Platform
Supports smart cards (microUSB, Bluetooth, virtual) to authenticate users, unlock devices, sign/encrypt/decrypt emails, set up VPN tunnels, and access high security apps (e.g., government, military).
Implemented with: Standards-based Public Key Cryptography Standards APIs:
• Allow access to hardware certificates.
• Enable app developers to select from multiple smart card readers.

Reinforced Exchange ActiveSync Security
Adds Samsung security to enhance Exchange ActiveSync security.
Implemented with:
Account management:
• Disable POP3/IMAP4 email.
• Allow consumer email.
Attachment file management:
• Allow attachment download.
• Configure email body and attachment file size.
Content management:
• Support for Information Rights Management (IRM) [6].
• Include past email and calendar items (days).
• Configure format and size.

* Samsung proprietary functionality.

[6] Enable persistent protection for messaging content (prohibit ability to print, forward, extract, reply, and reply all).


The Samsung email app supports email encryption and signing through Pretty Good Privacy and Secure/Multipurpose Internet Mail Extensions (S/MIME), enabling secure communication between enterprise users’ devices. Figure 1 shows Samsung’s security interface. Also see Appendix 2 for more details.

Figure 1: How Samsung enables security on email client.

Get the most from Exchange Server and Office 365 with a comprehensive mobile implementation of Exchange ActiveSync

Organizations using Exchange Server and Office 365 can manage and configure Exchange ActiveSync for Samsung mobile devices to reinforce security-related features and policies. In the area of account management, Samsung supports the ability to disable POP3/IMAP4 email and allow consumer email. In the area of attachment file management, organizations can decide to allow downloads and can configure file size. For content management, IT can use Information Rights Management (IRM) to apply persistent protection to messaging content and configure format and size.

How Samsung implements Exchange ActiveSync

Samsung smartphones and tablets that run on Android 4.1 and higher support Exchange ActiveSync features and policies that are appropriate for each model and Android OS version. Organizations gain the benefits of EAS without middleware, IT integration, or monthly service fees.

Figure 2: Samsung implementation of Exchange ActiveSync.

Table 2 details the standard, enhanced and customized features that Samsung provides as part of its EAS implementation.

[Figure 1 labels: Sending option, Inbox list, Encrypt mail, Signed mail]

[Figure 2 labels: Microsoft Exchange Servers, Corporate Network, Corporate Firewall, Carrier Network, Secure Samsung client on Touch/QWERTY]


Table 2: Samsung support for Exchange ActiveSync features and policies

Columns: Basic Functionality; Enhanced Functionality; Samsung-enhanced functionality (built on EAS and other custom protocols)

Email

Basic Features
Configuration
• Email Sync and Direct Push
• Sync multiple folders
• AutoDiscover
Email body
• HTML email
Transmission
• SSL Encrypted Transmission
Inbox
• Follow-up flags
• Reply state

Enhanced Features
Inbox
• Server search
• SMS Sync
Email body
• Conversation view
• Information Rights Management (IRM) Support
• Link Access
• Set Out of Facility/Office (OOF)
• UM card
Transmission
• S/MIME
• Bandwidth reduction

Samsung-enhanced Features
Configuration
• Peak/Off-peak sync schedule
• Draft folder sync
• Sync options for each folder
Inbox
• Spam filter
Transmission
• Nested S/MIME
User settings
• Certificate-based authentication
• Empty server trash
• User configurable resolution

Enhanced Policies
Attachment file management:
• Allow attachment download
• Maximum attachment size
Personal email account management:
• Disable POP3/IMAP4 email
• Allow consumer email
Email encryption and signing management:
• S/MIME messages, SoftCerts, and algorithm
Email content management:
• Configure message format
• Email and HTML email body truncation size
• Include past email items (days)
• Require manual sync while roaming
• Allow IRM over EAS

Calendar and Tasks

Basic Features
Configuration
• Calendar sync
Meeting Schedule
• Meeting attendee information

Enhanced Features
Configuration
• Task sync
Meeting Schedule
• Free/busy lookup

Samsung-enhanced Features
Meeting Schedule
• Edit response
• Propose new time

Enhanced Policy
Content management
• Include past calendar items (days)

Contacts

Basic Features
Configuration
• Contacts sync
Contact list
• GAL lookup

Enhanced Features
Contact list
• Nickname cache
• GAL photo

Samsung-enhanced Features
Configuration
• Contact sub-folder sync


Provide device management and provisioning with Exchange Server and Office 365 features and policies

Samsung fully supports Exchange ActiveSync features and policies to increase employees’ work efficiency with email and PIMS applications and give corporate IT basic device management and provisioning capabilities. Using Exchange ActiveSync may be a good option for managing your Samsung mobile devices if you already own Exchange Server or Office 365 Exchange licenses and need only basic Mobile Device Management (MDM) and security. Exchange ActiveSync can be easily configured to perform basic MDM. This gives you the capability, for example, to wipe devices remotely, manage the lock-screen password requirements, disable and enable functions such as Wi-Fi and camera, and allow or disallow applications.

Samsung smartphones and tablets that run on Android 4.1 and higher support Exchange ActiveSync features and policies. These can be configured for each model and Android OS version. Table 3 shows the basic and enhanced functionality provided.

Table 3: Exchange Active Server functionality that can be configured for basic MDM

Columns: Basic Functionality; Enhanced Functionality

Basic Features
• Remote wipe

Enhanced Features
• Block/Allow/Quarantine list

Basic Policies
Lock screen password management
• Require password
• Require alphanumeric password
• Maximum failed password attempts
• Minimum password length
• Maximum inactivity time lock
Device management
• Allow non-provisionable devices
• Policy refresh interval

Enhanced Policies
Device function management
• Camera
• SMS text
• Wi-Fi
• Bluetooth
• Browser
• Desktop ActiveSync
• Internet sharing
• Removable storage
Applications management
• Allow unsigned applications
• Approved application List
• Allow unsigned CABs
• Unapproved InROM application list
Lock screen password management
• Allow simple password
• Enable password recovery
• Password expiration (days)
• Enforce password history
• Minimum number of complex characters
Device management
• Require device encryption

Use case: Using basic device management

Samsung has partnered with industry-leading MDM and Virtual Private Network (VPN) vendors to support enterprise-grade security capabilities that reinforce the Samsung Android platform and address the regulatory concerns of governments, large enterprises and SMBs. The Samsung KNOX Workspace protects corporate data with a secure solution that includes hardware security and multiple levels of protection for the operating system and applications.

With Samsung’s support for Exchange ActiveSync features, users have a mobile business environment that matches or exceeds industry-standard email functionality. In addition, IT can deploy Exchange ActiveSync policies to manage employees’ mobile devices with light MDM capabilities.

Companies that want to enable email on their employees’ devices, but don’t use an MDM, can simply use the basic management controls available through Exchange ActiveSync. While these do not offer the granularity of control of an MDM solution, Exchange ActiveSync integrates with Microsoft Active Directory to provide functionality such as setting and enforcing password policies, remotely wiping a device, and determining whether a device can connect to a network.


Increase users’ productivity by improving the user experience with new features

Samsung has enhanced the user experience of its email and PIMS applications to improve usability. By simplifying the interface, Samsung has reduced complexity and thus decreased workflow steps. Samsung’s intuitive and easy-to-use interface and user experience help make enterprise communication more efficient. Redesigned email and PIMS applications for Android 5.0 devices now appear clearer and better organized. The new design has reduced the number of menu items and replaced the texting icon. The ability to assign specific colors to different email and PIMS applications adds to the clarity and simplicity of the interface. Table 4 shows the supported features.

Table 4: Improved user experience features with email, calendar, and contacts

Columns: Basic Features; Differentiated Features and Policies

Email

Samsung basic native app
Receive email simultaneously on device and computer by email sync and direct push.
Configure spam filtering.
Supports multiple attachment types:
• Camera
• Gallery
• Audio
• Files
• Integration with third-party cloud storage applications (Box, Dropbox, OneDrive) for image and video attachments.
Snap View function: Preview an email without opening it and reply, remind, mark as read or unread, and delete email directly from the preview pane.
Identify most recent messages and related responses by selecting the conversation view.

Enabled with Exchange ActiveSync
Set up accounts with certificate authentication instead of basic authentication.
Reply status: View icon in email inbox to see if an email has been replied to or forwarded.
Apply persistent protection to messaging content, including using Information Rights Management to prohibit:
• printing
• forwarding
• extracting
• replying
Include past email items (days).

Calendar

Samsung basic native app
Calendar and Task Sync
Respond to invitations to events or accept tasks by simply entering the title of the desired event and task.

Enabled with Exchange ActiveSync
Meeting attendee information. Free/busy lookup.
Edit response.
Include past calendar items (days).
Propose new meeting times in a response to an invitation.

Contacts

Samsung basic native app
Contacts Sync.
Access accounts for third-party applications and call logs to use contact applications more efficiently.

Enabled with Exchange ActiveSync
Global Address List (GAL) lookup and photo.
Nickname cache.


Email

Samsung’s email application is optimized to make it easy for users to check email in the inbox. Users can filter emails by status (read, unread, starred and flagged, high priority) and by whether or not there’s an attachment. In addition, users can change view modes—to switch to conversation view mode, for example. Users can preview emails and set reminder notifications without opening the email body. Users can manage emails in separate account inboxes or merge accounts to show all emails in one inbox. These options provide users with control and a clear overview of all emails.

As shown in Figure 3, users can preview the first five lines of email content by using a two-finger flick down gesture, which makes it easy to reply, remind, mark as unread, and delete email from the inbox. In addition, users can set when they want to receive a reminder notice on a received email.

Figure 3: Snap view and reminder functions on email client.

Using the continue composing feature shown in Figure 4, users can temporarily save and minimize email drafts. The user can continue composing by simply touching the button and multitask between composer and inbox viewer.

Figure 4: Continue composing function on email client.


Calendar and tasks

Samsung provides a well-organized calendar application that is completely tailored for business. The calendar application is designed to enable users to create, edit, and view information about invitations and schedules. Users can combine several calendars and schedules and synchronize status. Events and tasks can be registered and modified by taking advantage of the simplified process steps and menus.

Samsung email includes a well-organized calendar view and smart composer app. Users can simply enter an event’s title to register for that event, as shown in Figure 5. They can add information by tapping the repeat, invitees, notes, and time zone icons.

Figure 5: Register an event and task.

Figure 6 shows how users can select their preferred view mode for seamless interaction. The calendar application provides a simplified view mode and an intuitive user interface.

Figure 6: View mode in the calendar.

[Figure 6 panels: Month, Week, Day, Tasks]


Contacts

Samsung’s contacts application is designed to present an intuitive and easy-to-use interface and user experience. Users can view contacts from multiple user accounts in one contact list, or users can apply filtering to separate contact lists. Users can make a call or send an SMS text message from their favorites menu and check call and SMS logs in their contact application. In addition, users can see account information for third-party applications such as LinkedIn and Skype.

Figure 7 shows the easy-to-use contacts application.

Figure 7: Basic user interface and menu in contacts.

The contacts application supports consolidated sync, import, and export functions for the contact list, as shown in Figure 8. A vCard format file (*.vcf) can be imported from device storage, for example. Duplicates display automatically.

Figure 8: Sync, import, and export contact list and duplicated contact view in contacts.

[Figure panels: Galaxy smartphone, Galaxy tablet]

† Screen images are provided by Android 5, Lollipop TouchWiz on Samsung Galaxy mobile smartphones and tablets.


Appendix 1: Comparing Exchange ActiveSync implementations

[Table 1] Email: Samsung mobile devices provide 16 policies and 25 features

Columns: Policy; Samsung Android 5; Apple iOS 8.4; Google Android 5.1; Microsoft Windows 7

Allow attachment download • • •
Maximum attachment size •
Disable POP3/IMAP4 email •
Allow consumer email • •
Require signed S/MIME messages •
Require encrypted S/MIME messages •
Require signed S/MIME algorithm •
Require encrypted S/MIME algorithm •
Allow S/MIME algorithm negotiation •
Allow S/MIME SoftCerts • •
Configure message formats (HTML or plain text) • •
Include past email items (days) • • •
Email body truncation size (bytes) •
HTML email body truncation size (bytes) •
Require manual sync while roaming • •
Allow IRM over EAS •

† Reference: Exchange ActiveSync Client Comparison Table at Microsoft TechNet, Comparison of Exchange ActiveSync clients at Wikipedia, and Samsung research. Results are based on information available at time of publication, and are subject to change.


˚ Samsung developed these features by using Exchange Server protocols and applying a control on the Samsung mobile device.

[1] Samsung supports this capability at the device level only. Samsung email provides a conversation view when the IT admin sets a rule to always move messages in a conversation, using the local conversation ID from the device side instead of the conversation ID from the server.

Columns: Feature; Samsung Android 5; Apple iOS 8.4; Google Android 5.1; Microsoft Windows 7

Direct Push • • • •
Email sync • • • •
Sync multiple folders • • • •
SSL encrypted transmission • • • •
HTML email • • • •
AutoDiscover • • • •
Server Search • • •
Follow-up flags • • • •
Bandwidth reduction • • •
Link Access • • •
Set Out of Facility/Office (OOF) • • •
S/MIME • •
Conversation View • • •
Reply status • • • •
UM card • •
SMS sync • • •
IRM support •
Peak/off-peak sync schedule˚ • •
Empty server trash˚ • •
Certificate based authentication˚ • • •
Draft folder sync˚ • • •
Sync options for each folder˚ • • •
Spam Filter˚ • • •
Move always [1] •

The Samsung EAS implementation includes two additional features for email: User configurable resolution and Nested S/MIME.


[Table 2] Calendar: Samsung mobile devices provide 6 features and 1 policy

Columns: Feature and policy; Samsung Android 5; Apple iOS 8.4; Google Android 5.1; Microsoft Windows 7

Feature
Calendar sync • • • •
Tasks sync •
Meeting attendee information • • • •
Free/Busy lookup • •
Edit response˚ • • •
Propose new time˚ • •

Policy
Include past calendar items (days) • •

[Table 3] Contacts and tasks: Samsung mobile devices provide 5 features

Columns: Feature; Samsung Android 5; Apple iOS 8.4; Google Android 5.1; Microsoft Windows 7

Feature
Contact sync • • • •
GAL lookup • • • •
GAL photo • •
Nickname cache • •

The Samsung EAS implementation also includes this additional contacts feature: Contact sub-folder sync.

1

† Reference: Exchange ActiveSync Client Comparison Table at Microsoft TechNet, Comparison of Exchange ActiveSync clients at Wikipedia, and Samsung research. Results are based on information available at time of publication, and are subject to change.

˚ These features are developed by Samsung in ways of utilizing Exchange server protocols and applying a control in Samsung mobile device.


[Table 4] Device: Samsung mobile devices provide 25 policies and 3 features

Feature and policy | Samsung Android 5 | Apple iOS 8.4 | Google Android 5.1 | Microsoft Windows 7

Policy

Allow non-provisionable devices • • • •
Policy refresh interval • • • •
Require password • • • •
Require alphanumeric password • • • •
Maximum failed password attempts • • • •
Minimum password length • • • •
Maximum inactivity time lock • • • •
Allow simple password • • •
Enable password recovery • •
Password expiration (days) • • •
Enforce password history • • •
Disable desktop ActiveSync • •
Disable removable storage • •
Disable camera • • •
Disable SMS text messaging •
Disable Wi-Fi •
Disable Bluetooth •
Allow internet sharing from device • •
Allow browser • •
Allow unsigned applications •
Allow unsigned CABs •
Approved application list •
Unapproved InROM application list •
Minimum number of complex characters • • •
Require device encryption • • •
Disable IrDA² •
Allow mobile OTA update³ •
Mobile OTA update mode⁴ •

Feature

Remote wipe • • • •
User started remote wipe • • • •
Block/Allow/Quarantine List (device info) • •


2 Samsung devices provide an IrLED hardware chipset, not an IrDA hardware chipset.

3 Samsung will provide this policy in the next firmware update.

4 Samsung will provide this policy in the next firmware update.


Appendix 2: Samsung security features for email

The SmartCard Framework on the KNOX platform gives applications access to the hardware certificates on the Common Access Card (CAC) via standards-based Public Key Cryptography Standards (PKCS) APIs. This access enables the use of the CAC by the browser, email application, and VPN client, as well as custom government applications. Third-party smart card and reader providers can install their solutions into the framework, as shown in Figure 1.

Figure 1: SmartCard Framework on Samsung KNOX platform.

IT can further strengthen security by enabling email encryption and digital signing between users’ devices using the widely accepted S/MIME protocols. Figure 2 shows how to set the screen lock and install certificates to enable email encryption.

[Figure 1 labels: Email, Browser, VPN Client, 3rd Party Apps; JCA/JCE/OpenSSL (PKCS #11) APIs; KNOX Smartcard Framework; LockScreen; Vendor 1 Plugin (Bluetooth or USB); Vendor 2 Plugin (Bluetooth or USB); Bluetooth or USB Reader]

Figure 2: Enabling S/MIME certification.


Appendix 3: Supported feature and policy lists by Exchange Server version

To enable connection to a Microsoft Exchange server, Samsung mobile devices support:

• EAS 14.2 with Exchange Server 2010 SP2
• EAS 14.1 with Exchange Server 2010 SP1
• EAS 14.0 with Exchange Server 2010
• EAS 12.1 with Exchange Server 2007 SP1
• EAS 12.0 with Exchange Server 2007
• EAS 2.5 with Exchange Server 2003 SP2

[Table 5] Features classified by Exchange Server version on Samsung mobile devices

Feature | Exchange Server 2003 SP2 | Exchange Server 2007 SP1 | Exchange Server 2010 SP2 | Exchange Server 2013

Direct Push • • • •
Email sync • • • •
Calendar sync • • • •
Contacts sync • • • •
Tasks Sync • • • •
Remote wipe • • • •
Sync multiple folders • • • •
GAL lookup • • • •
SSL encrypted transmission • • • •
Peak/off-peak sync schedule • • • •
User Configurable Resolution • • • •
Certificate Based Authentication • • • •
Draft Folder Sync • • • •
Sync options for each folder • • • •
Nested S/MIME • • • •
Edit Response • • • •
Propose New Time • • • •
Spam Filter • • • •
Contact sub-folder sync • • • •
User started remote wipe • • •
Link Access • • •
HTML email • • •
Server Search • • •
Set Out of Facility/Office (OOF) • • •
Follow-up flags • • •
Meeting attendee information • • •
AutoDiscover • • •
Bandwidth reduction • • •
S/MIME • • •
Empty server trash • • •
Conversation View • •
Reply status • •
UM card (client side only) • •
Free/Busy lookup • •
Nickname cache • •
SMS sync • •
GAL photo • •
IRM support • •
Block/Allow/Quarantine List • •
Move always⁵


5 Samsung supports this capability at the device level only. Samsung email provides a conversation view when the IT admin sets a rule to always move messages in a conversation using the local conversation ID from the device side instead of the conversation ID from the server.


[Table 6] Policies classified by Exchange Server version on Samsung mobile devices

Policy | Exchange Server 2003 SP2 | Exchange Server 2007 SP1 | Exchange Server 2010 SP2 | Exchange Server 2013

Allow non-provisionable devices • • • •
Policy refresh interval • • • •
Require password • • • •
Require alphanumeric password • • • •
Maximum failed password attempts • • • •
Minimum password length • • • •
Maximum inactivity time lock • • • •
Allow attachment download • • •
Maximum attachment size • • •
Enable password recovery • • •
Allow simple password • • •
Password expiration (days) • • •
Enforce password history • • •
Disable desktop ActiveSync • • •
Disable removable storage • • •
Disable camera • • •
Disable SMS text messaging • • •
Disable Wi-Fi • • •
Disable Bluetooth • • •
Allow internet sharing from device • • •
Disable POP3/IMAP4 email • • •
Allow consumer email • • •
Allow browser • • •
Allow unsigned applications • • •
Allow unsigned CABs • • •
Approved application list • • •
Unapproved InROM application list • • •
Require signed S/MIME messages • • •
Require encrypted S/MIME messages • • •
Require signed S/MIME algorithm • • •
Require encrypted S/MIME algorithm • • •
Allow S/MIME encrypted • • •
algorithm negotiation • • •
Allow S/MIME SoftCerts • • •
Require device encryption • • •
Minimum number of complex characters • • •
Configure message formats (HTML or plain text) • • •
Include past email items (days) • • •
Email body truncation size (bytes) • • •
HTML email body truncation size (bytes) • • •
Include past calendar items (days) • • •
Require manual sync while roaming • • •
Disable IrDA
Allow mobile OTA update
Mobile OTA update mode
Allow IRM over EAS • •


Appendix 4: Supported Exchange ActiveSync Feature and Policy Descriptions

[Table 7] Feature and policy descriptions

Feature Description

Sync multiple folders

Synchronizes multiple folders across devices.

Global Address List (GAL) lookup

Enables users to look up a coworker in their company directory to find an email address.

SSL encrypted transmission

Enables mobile devices to send and receive encrypted email over an Exchange ActiveSync connection by using Secure Sockets Layer (SSL).

Feature Description

Direct Push

Keeps a mobile device up to date over a cellular network connection.

Email sync

Synchronizes email across devices.

Calendar sync

Synchronizes calendars across devices.

Contacts sync

Synchronizes contacts across devices.

Tasks Sync

Synchronizes tasks across devices.

Remote wipe

Enables administrators to remotely wipe a device to remove company data from a device that is lost or stolen, or after an employee has left the company.

Exchange ActiveSync 2.5 - Exchange Server 2003 SP2


Policy Description

Allow non-provisionable devices

Enables IT to specify whether older phones that may not support application of all policy settings are allowed to connect to Exchange 2010 by using Exchange ActiveSync.

Policy refresh interval

Defines how frequently the mobile device updates the Exchange ActiveSync policy from the server.

Require password

Requires users to enable the mobile device password feature.

Require alphanumeric password

Determines password strength by enforcing usage of numeric and non-numeric characters.

Policy Description

Maximum failed password attempts

Specifies how many times the device user can enter an incorrect password before the device performs a wipe of all data.

Minimum password length

Specifies the length of the password for the device. The default is four (which is also the minimum length). IT can specify up to 18 characters.

Maximum inactivity time lock

Determines how long the device can be inactive before the user is prompted for the password.

Exchange ActiveSync 2.5 - Exchange Server 2003 SP2


Feature Description

User-started remote wipe

Sends a command to a mobile device that will perform a wipe of that device.

Link Access

Enables users to access documents remotely from a mobile device through email by using Exchange Server. If a user receives an email message that contains a link to a supported document type (e.g., Microsoft Word or Microsoft Excel on a Windows SharePoint Services or Windows file share path), the user can follow the link and access the document.

HTML email

Enables HTML display via Exchange ActiveSync so users can view email with tables, graphics, fonts, and colors displayed similar to a PC-based Outlook client.

Server Search

Enables users to store as much of their mailbox as they like, and enables easy access to every message in the mailbox. If the information they want is not synced with the mobile device, users can easily search the server to find the message anywhere in the mailbox, including subfolders, and return that message to the device.

Set Out of Facility/Office (OOF)

Enables users to set or edit out-of-office status.

Exchange ActiveSync 12.0 - Exchange Server 2007

Feature Description

Follow-up flags

Enables users to mark messages with follow-up flags, as on the PC with Outlook.

Meeting attendee information

Enables users to see who was invited to a meeting.

AutoDiscover

Allows devices to automatically configure the EAS connection with just a user login and password.

Bandwidth reduction

Reduces number of round trips and amount of data transferred, while maintaining functionality. Reduction is the same as the compression rate of Gzip.


Policy Description

Allow attachment download

Enables or disables the ability to download attachments.

Maximum attachment size

Specifies the maximum file size that can be attached.

Enable password recovery

Enables the mobile device to generate a recovery password that’s sent to the server. If users forget their mobile device password, the recovery password can be used to unlock the mobile device and enable the user to create a new mobile device password.

Allow simple password

Enables or disables the ability to use a simple password such as 1234.

Policy Description

Password expiration (days)

Enables the administrator to configure a length of time after which a mobile device password must be changed.

Enforce password history

Specifies the number of past passwords that can be stored in a user’s mailbox. A user can’t reuse a stored password.

Exchange ActiveSync 12.0 - Exchange Server 2007


Feature Description

S/MIME

Enables email encryption and digital signing using the widely accepted S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol.

Policy Description Image

Disable desktop ActiveSync

Specifies whether the mobile device can synchronize with a computer through a cable, Bluetooth, or IrDA connection; requires an Exchange Enterprise Client Access License. On Android devices, it disables the MTP function of KIES⁶.

Disable removable storage

Specifies whether the mobile device can access information that’s stored on a storage card.

Disable camera

Determines whether the mobile device’s camera is allowed; the default value is $true.

Disable SMS text messaging

Specifies whether text messaging is allowed from the mobile device; requires an Exchange Enterprise Client Access License.

Disable Wi-Fi

Specifies whether wireless Internet access is allowed on the mobile device; requires an Exchange Enterprise Client Access License.

Exchange ActiveSync 12.1 - Exchange Server 2007 SP1

Policy Description

Disable Bluetooth

Specifies whether the Bluetooth capabilities of the mobile device are allowed. The available options are Disable, Handsfree Only, and Allow; the default value is Allow.

Disable IrDA

Determines whether the mobile device’s IrDA is allowed.

Allow internet sharing from device

Specifies whether the mobile device can be used as a modem for a desktop or a portable computer; requires an Exchange Enterprise Client Access License.

Disable POP3/IMAP4 email

Specifies whether the user can configure a POP3 or an IMAP4 e-mail account on the mobile device.

Allow consumer email

Determines whether the mobile device user can configure a personal email account on the device; the default value is $true.


6 KIES is a freeware software application used to communicate between Windows or Macintosh operating systems and recently manufactured Samsung mobile devices, usually over a USB connection (wireless LAN KIES connectivity is now possible for some devices). See http://www.samsung.com/us/kies


Policy Description

Allow browser

Determines whether Pocket Internet Explorer is allowed on the mobile device; the default value is $true. This parameter does not affect third-party browsers.

Allow unsigned applications

Specifies whether unsigned applications can be installed on the mobile device; requires an Exchange Enterprise Client Access License.

Allow unsigned CABs

Specifies whether unsigned packages can be installed on the mobile device; requires an Exchange Enterprise Client Access License.

Approved application list

Stores a list of approved applications that can be run on the mobile device; Exchange Enterprise Client Access License is required to change the values of this setting.

Unapproved InROM application list

Specifies a list of applications that cannot be run InROM; Exchange Enterprise Client Access License is required to change the values of this setting.

Require signed S/MIME messages

Specifies whether the mobile device must send signed S/MIME messages.

Policy Description

Require encrypted S/MIME messages

Specifies whether S/MIME messages must be encrypted.

Require signed S/MIME algorithm

Specifies what required algorithm must be used when signing a message.

Require encrypted S/MIME algorithm

Specifies what required algorithm must be used when encrypting a message.

Allow encrypted S/MIME algorithm negotiation

Specifies whether the messaging application on the mobile device can negotiate the encryption algorithm if a recipient’s certificate doesn’t support the specified encryption algorithm.

Allow S/MIME SoftCerts

Specifies whether S/MIME software certificates are allowed on the mobile device.

Exchange ActiveSync 12.1 - Exchange Server 2007 SP1


Policy Description

Require device encryption

Enables encryption on the mobile device. Not all mobile devices can enforce encryption.

Minimum number of complex characters

Specifies the minimum number of complex characters required in a mobile device password: A complex character is any character that is not a letter.

Configure message formats (HTML or plain text)

Specifies whether email synchronized to the mobile device can be in HTML format. If this setting is set to false, all email is converted to plain text.

Policy Description

Include past email items (days)

Specifies the maximum number of days’ worth of email items to synchronize to the mobile device; the value is specified in days.

Email body truncation size (bytes)

Specifies the size beyond which email messages are truncated when they are synchronized to the mobile device; the value is specified in bytes.

HTML email body truncation size (bytes)

Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device; the value is specified in kilobytes (KB).

Include past calendar items (days)

Specifies the maximum range of calendar days that can be synchronized to the mobile device; the value is specified in days.

Require manual sync while roaming

Specifies whether the mobile device must synchronize manually while roaming. Allowing automatic synchronization while roaming will frequently lead to larger-than-expected data costs for the mobile device plan.

Exchange ActiveSync 12.1 - Exchange Server 2007 SP1


Feature Description

Conversation View

Enables users to quickly and easily identify the most recent messages and related responses. By treating multiple messages as a single conversation, the conversation can be managed, ignored, moved, and deleted as a whole, so users don’t have to deal with each email individually. New replies to old conversations are automatically placed in the same folder as previous messages, even if a user has ignored or deleted a conversation.

Move always

Enables setting a server-side rule to always move messages in a conversation.

Reply status

Displays an icon to remind users whether they replied to or forwarded an email.

UM card (client side only)

Enables users to read an automatically generated speech-to-text preview of voicemail that has been stored in Exchange 2010. One click enables users to hear the voicemail audio or call the person who left the message.

Exchange ActiveSync 14.0 - Exchange Server 2010

Feature Description

Free/Busy lookup

Enables users to view a contact’s calendar availability from within the contact information; a free/busy timeline shows when contacts are available for a call or meeting.

Nickname cache

Shares the names of commonly used contacts between Outlook Web App (OWA) and Exchange ActiveSync.

SMS sync

Enables users to see their SMS messages in their email inbox and reply to them from their inbox instead of on their device.

Policy Description Image

Allow mobile OTA update

Specifies whether over-the-air Exchange ActiveSync software updates are allowed.

Mobile OTA update mode

Available for multi-tenant deployments; not available for on-premises deployments.


Feature Description

GAL photo

Provides images, which are stored in an Active Directory server, of the user who sent an email.

IRM support

Applies Information Rights Management (IRM) to email messages that are sent and received, for digital rights management control and encryption.

Exchange ActiveSync 14.1 - Exchange Server 2010 SP1

Feature Description

Block/Allow/Quarantine List (device info)

Enables administrators to create allow and block lists for devices that connect using Exchange ActiveSync; provides control over which devices can connect to an Exchange Server. Administrators can create approved device lists and block specific devices; set exceptions at the individual level; and quarantine any device not on the block or allow lists for additional evaluation.

Policy Description

Allow IRM over EAS

Applies Information Rights Management (IRM) to EAS email messages that are sent and received, for digital rights management control and encryption.


Feature Description

Peak/off-peak sync schedule

Enables the user to configure the sync schedule by day and time.

Empty server trash

Enables users to empty the account’s trash.

User Configuration Resolution

Enables the user to configure a preference for when a conflict occurs during sync.

Certificate Based Authentication

Enables the user to set up an account with a certificate instead of basic authentication.

New features added from Samsung

Feature Description

Draft Folder Sync

Enables the user to sync the draft folder (down sync only).

Sync options for each folder

Enables the user to configure a sync option for each folder, including user-created folders.

Nested S/MIME

Enables the user to forward S/MIME messages with the original certificate.

Edit Response

Enables the user to edit a response to a meeting invitation.

Propose New Time

Enables a user to propose a new time when responding to a meeting invitation.


Feature Description

Spam Filter

Enables a user to configure filtering of spam messages.

Contact sub-folder sync

Enables a user to sync contact subfolders.

New features added from Samsung


Acronyms

PIMS Personal Information Management Services

ERP Enterprise resource planning

BI Business Intelligence

BYOD Bring-Your-Own-Device

COPE Corporate-Owned-Personally-Enabled

SDP Sensitive Data Protection

CAC Common Access Card

PKCS Public Key Cryptography Standards

GAL Global Address List

S/MIME Secure/Multipurpose Internet Mail Extensions

MDM Mobile Device Management

VPN Virtual Private Network

API Application Programming Interface

PGP Pretty Good Privacy

IRM Information Rights Management

SSL Secure Sockets Layer

POP3 Post Office Protocol version 3

IMAP4 Internet Message Access Protocol version 4

OWA Outlook Web App

References and links

Exchange ActiveSync Client Comparison Table at Microsoft TechNet

Exchange Mailbox Policy Support (Windows Embedded Compact 7) at Microsoft TechNet

Comparison of Exchange ActiveSync clients at Wikipedia


About Samsung Electronics Co., Ltd.

Samsung Electronics Co., Ltd. is a global leader in technology, opening new possibilities for people everywhere. Through relentless innovation and discovery, we are transforming the worlds of TVs, smartphones, tablets, PCs, cameras, home appliances, printers, LTE systems, medical devices, semiconductors, and LED solutions. We employ 286,000 people across 80 countries with annual sales of US $216.7 billion. To discover more, please visit www.samsung.com.

For more information

For more information about Samsung Enterprise Mobility and Samsung KNOX, visit: www.samsung.com/business

Copyright © 2015 Samsung Electronics Co. Ltd. All rights reserved. Samsung and Samsung KNOX are either trademarks or registered trademarks of Samsung Electronics Co. Ltd. Specifications and designs are subject to change without notice. Non-metric weights and measurements are approximate. All data were deemed correct at time of creation. Samsung is not liable for errors or omissions. All brand, product, service names and logos are trademarks and/or registered trademarks of their respective owners and are hereby recognized and acknowledged.