KU's email service is Microsoft Outlook, which uses ActiveSync to configure email and calendars on mobile devices. ActiveSync was designed for a corporate environment where organizations provide phones and other mobile devices to employees, and gives organizations the option of controlling certain mobile device features. Because KU is providing email and calendar access on personal devices owned by KU students, faculty and staff, we have not activated any controls over mobile devices.
When configuring your mobile device to connect to your KU email and calendar, you may receive a pop-up alert message* with the terms of service and features that could be managed remotely, if authorized. The alert message varies on different mobile devices and operating systems, and may include:
*Some mobile devices, notably Apple (iPhone, iPad), do not show a pop-up message.
To connect your KU email and calendar on your mobile device, you will need to accept the terms of service. The remote access controls mentioned are typically used where organizations provide mobile devices to their employees. KU has not activated these settings for faculty, staff and student personal devices.
What is ActiveSync and why are we using it at KU?
KU provides email and calendar services through Microsoft Exchange. In Exchange, ActiveSync is the protocol by which some applications connect to Exchange. It consists of software on the Exchange servers and client software on the user’s device. Most mobile devices use this protocol to connect to Exchange to get email, calendars, contacts, etc. ActiveSync allows KU faculty, staff and students to connect with KU email and calendars on their mobile devices.
Why did KU IT choose ActiveSync?
ActiveSync is native to Microsoft Exchange and is not a technology that KU has chosen.
Did KU IT consider other options?
ActiveSync really has only one other mobile competitor, BlackBerry, which, by default, provides far more potential for violating users' privacy. (See “What controls does ActiveSync not provide on customer devices?” below.)
What about other email providers, such as Google?
Except in rare cases, users have already ceded full control of their devices to other entities. Google device manager comes preinstalled on many Android devices and provides the same controls as ActiveSync. Apple maintains the ability to completely control every Apple device. Verizon tools are installed with these rights unless the user makes a series of careful choices during activation. The Lookout Mobile security suite that many users install requires full rights as well.
Will everyone get the alert message on their mobile device?
The alert message is dependent on the brand and model of mobile device, operating system and version. The alert message varies on different devices, and some people will not receive the alert message on their mobile device.
What controls does ActiveSync provide KU IT on customer devices?
ActiveSync has a very long list of mobile device management capabilities. These were developed for corporations managing company-owned devices and cannot be separated for the education environment.
Some of the controls are: Erase all data; Set password rules; Monitor screen-unlock attempts; Lock the screen; Set lock-screen password expiration; Set storage encryption; Disable cameras; Disable functions on lock screen; Set SD card encryption; Password recovery; Turn off POP and IMAP emails; Turn off SD card; Turn off Wi-Fi; Turn off text/multimedia messaging; Turn off Internet; Turn off Internet sharing; Turn off Bluetooth; Turn off desktop sync; Turn off IrDA; Turn off 3rd party applications; Turn off native applications; Turn off unknown applications; Prevent the installation of unknown applications.
What controls does ActiveSync not provide on customer devices?
While the list of possible controls is somewhat ominous, from a privacy standpoint, it’s important to look at what is not possible:
- KU cannot see what applications are installed on the device, how/when they are used, etc.
- KU cannot see text messages unless the user syncs them to the server (this is not common or the default).
- KU cannot see call data, web traffic, app traffic or any other device use statistics.
- KU cannot see location even if location services are enabled.
- KU can see the IP address assigned to the device by the phone carrier. This is needed in order to deliver traffic to the device.
- Other than email messages, contacts and calendar entries created by the user, no data from the device is uploaded to the servers.
Why does ActiveSync provide any control over mobile devices?
When Microsoft first rolled out Exchange it was developed as a business tool, but has emerged as the premier productivity suite in use for many different entities. The remote access controls are used in organizations that have both the right and the responsibility to manage data security on company-owned mobile devices provided to their employees for work purposes. The reality is that mobile devices get lost and stolen at a far higher rate than personal computers. All mobile devices and management platforms/protocols are being designed to mitigate the additional risks associated with carrying around a small, portable, expensive, resalable, untraceable device that is laden with potentially sensitive data.
What is KU policy regarding these controls?
KU doesn’t currently have a policy that governs these controls. The Acceptable Use of Electronic Resources policy does give KU IT the responsibility in specific circumstances to “monitor the activities and inspect and record the files of such users(s) on their computers and networks…” There is not a policy, however, that addresses controls on personally-owned mobile devices. KU IT supports the adoption of a policy and would actively participate in writing a policy at the direction of the Provost. It should be made clear that this is a change in the technical architecture of Exchange and not a policy decision by the University of Kansas. Even though there is not an established KU policy addressing control of personally-owned mobile devices, there are clearly significant legal and personnel issues that protect our faculty, staff and students.
What if I don’t accept the terms of service?
If you choose not to accept the terms of service, please go to technology.ku.edu/email for other options to access your KU email/calendar on mobile devices.
Why does the service allow control over all these phone features?
The remote access controls mentioned are typically used in organizations that need to manage company-owned mobile devices provided to their employees. KU has not activated these settings for faculty, staff and student personal devices.
How often will I get this activation alert?
You should only get the message the first time you configure a mobile device to connect to KU email and calendar. If you add a new Exchange email account, you will receive the activation alert again during the setup process.
I accidentally agreed to the terms of service during setup. How do I remove the service from my device?
To remove the service from your device, just delete the email account from your mobile device. Keep in mind that this will stop syncing your KU email and calendar on your mobile device.
I initially declined the terms of service, but now I want it back. How do I re-install the service on my device?
Please visit technology.ku.edu/mobile-email for easy step-by-step instructions to reconnect your email and calendar to your mobile device. Please note that when you install the service as a new user, you will again receive the terms of service activation alert message.