Use Gmail to support Exchange ActiveSync

Organizations using Exchange ActiveSync (EAS) can set up email accounts and enforce basic password policies on Android devices through Gmail.

Set up Exchange accounts with managed configurations

Managed configurations are available in Gmail version 6.4 and later.

Gmail's managed configurations provide a way to set up Exchange accounts on Android devices. As an IT admin, use your enterprise mobility management (EMM) console to configure the following Gmail settings for each user.

exchange_device_id

Enter a string that the EMM proxy or gateway can use to identify the device. It should contain the device identifier that's part of the Microsoft® Exchange ActiveSync® (EAS) protocol that some EMM gateways use for device correlation.

email_address

Enter a specific email address or a string that contains wildcards that the EMM provider uses to pull the user's email address from Microsoft® Active Directory®.

Examples:

  • %emailaddress%
  • janedoe@altostrat.com

default_signature

Enter the default email signature that you want to be automatically added at the bottom of all sent emails.

Example:

Jane Doe, President
Altostrat, Inc.

exchange_host

Enter the URL of the Exchange ActiveSync (EAS) email server. This might be an EMM on-site proxy server, a load-balanced virtual IP address in front of several EAS email servers, or a public client access server (CAS). You don't need to use HTTP:// or HTTPS:// in front of the URL.

The port number is optional. If not specified, the default port number is 443.

Examples:

  • corp.exchange.com
  • corp.exchange.com:443

exchange_login_certificate_alias

Enter the string alias that represents a certificate with a private key stored in the work profile keystore. The certificate is often a user certificate for authenticating to the Exchange ActiveSync (EAS) servers.

If you enabled and defined a Certificate Authority (CA) in the EMM console, you'll be able to choose an alias from a drop-down list that the EMM provider populates when the device is enrolled.

exchange_ssl_required

Specifies whether Secure Sockets Layer (SSL) communication is used on the server port that you specified in exchange_host. This setting is ignored if port 443 is specified there.

Set to true to use SSL, or set to false to connect without it.

If not specified, the default setting is true.

default_exchange_sync_window

Enter an integer, from 1 to 5, for the default time window when the Exchange ActiveSync (EAS) servers synchronize mail items to Gmail.

The start of the time window is determined by subtracting the period of time represented by the filter type from the current time.

Value   Default time window
1       1 day
2       3 days
3       1 week
4       2 weeks
5       1 month

If not specified, the default setting is 3.

exchange_trust_all_certificates

Specifies whether validation checks are performed on the Secure Sockets Layer (SSL) certificates used by Exchange ActiveSync (EAS) servers, proxies, or gateways in front of email servers.

Set to false to perform the checks, or set to true to skip them and trust all certificates.

Tip: Performing a check is useful if certificates are self-signed.

If not specified, the default setting is false.

exchange_username

Enter a specific username or a string that contains wildcards that the EMM provider uses to pull the username from Active Directory. The username might differ from the user's email address.

Examples:

  • %username%
  • janedoe
  • altostrat\janedoe

exchange_authentication_type

Available in Gmail versions released after November 15, 2019.

Sets the type of authentication used to verify a user's email credentials with Microsoft® Active Directory®. Set to allow_modern_authentication (recommended) or allow_basic_authentication.

  • allow_modern_authentication: Uses modern authentication, a token-based method of identity management that offers more secure user authentication and authorization. If modern authentication isn't possible, basic authentication is used.
  • allow_basic_authentication: Uses basic authentication, an older method of authentication that prompts users for their password and stores this password for future use.

If not specified, the default setting is allow_modern_authentication.
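As an added example (not Google's or Gmail's code), the following Python helper applies the defaults listed above to one user's managed configuration, validates the documented ranges, and flags the settings a reviewer would want justified: SSL switched off, trust-all certificates, and basic authentication. The helper names, the warning texts and the string-to-boolean handling are assumptions of this example.

```python
# Added example (not Google's code): normalize a Gmail EAS managed configuration
# with the page's defaults and flag the settings a reviewer should question.
# Helper names and warning texts are this example's assumptions.
from typing import Any

SYNC_WINDOWS = {1: "1 day", 2: "3 days", 3: "1 week", 4: "2 weeks", 5: "1 month"}
AUTH_TYPES = {"allow_modern_authentication", "allow_basic_authentication"}

def as_bool(value: Any) -> bool:
    """Accept native booleans or the strings 'true'/'false' an EMM may send."""
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)

def parse_exchange_host(value: str) -> tuple[str, int]:
    """Split 'host[:port]' into (host, port); the page says the scheme is
    not used and the port defaults to 443."""
    if "://" in value:
        raise ValueError("exchange_host must not include http:// or https://")
    host, sep, port = value.strip().rpartition(":")
    if not sep:
        return value.strip(), 443
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in exchange_host: {value!r}")
    return host, int(port)

def normalize_config(cfg: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (normalized settings, warnings) for one user's configuration."""
    out: dict[str, Any] = {}
    warnings: list[str] = []
    out["exchange_host"], out["port"] = parse_exchange_host(cfg["exchange_host"])
    ssl_required = as_bool(cfg.get("exchange_ssl_required", True))
    # The page: the SSL flag is ignored when port 443 is used.
    out["exchange_ssl_required"] = True if out["port"] == 443 else ssl_required
    if not out["exchange_ssl_required"]:
        warnings.append("exchange_ssl_required=false: EAS traffic is not protected by SSL")
    window = int(cfg.get("default_exchange_sync_window", 3))
    if window not in SYNC_WINDOWS:
        raise ValueError("default_exchange_sync_window must be an integer from 1 to 5")
    out["default_exchange_sync_window"] = window
    out["sync_window_text"] = SYNC_WINDOWS[window]
    trust_all = as_bool(cfg.get("exchange_trust_all_certificates", False))
    out["exchange_trust_all_certificates"] = trust_all
    if trust_all:
        warnings.append("exchange_trust_all_certificates=true: server certificates are not validated")
    auth = cfg.get("exchange_authentication_type", "allow_modern_authentication")
    if auth not in AUTH_TYPES:
        raise ValueError(f"unknown exchange_authentication_type: {auth!r}")
    out["exchange_authentication_type"] = auth
    if auth == "allow_basic_authentication":
        warnings.append("allow_basic_authentication: the user's password is stored on the device")
    return out, warnings
```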

Configure mobile device mailbox policies

In 2019, Android 10 introduced changes to the way some Exchange ActiveSync (EAS) password policies are handled. These changes apply to all Android devices. The table below details how Exchange mobile device mailbox policy password settings are interpreted and applied by Android devices.

Android password complexity level: None
Exchange mobile device mailbox policy setting:
  • Password enabled = false
Password requirements: No password requirements are configured.

Android password complexity level: Low
Exchange mobile device mailbox policy settings:
  • Allow simple password = true, and Min password length < 4
Password requirements: Password can be a pattern or a PIN with either repeating (4444) or ordered (1234, 4321, 2468) sequences.

Android password complexity level: Medium
Exchange mobile device mailbox policy settings (either combination):
  • Allow simple password = true, and Min password length = 4
  • Allow simple password = false, Alphanumeric password required = true, and Min password length <= 4
Password requirements: Passwords that meet one of the following criteria:
  • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences with a minimum length of 4 characters
  • Alphabetic passwords with a minimum length of 4 characters
  • Alphanumeric passwords with a minimum length of 4 characters

Android password complexity level: High
Exchange mobile device mailbox policy settings (either combination):
  • Allow simple password = true, and Min password length > 4
  • Allow simple password = false, Alphanumeric password required = true, and Min password length > 4
Password requirements: Passwords that meet one of the following criteria:
  • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences with a minimum length of 8 characters
  • Alphabetic passwords with a minimum length of 6 characters
  • Alphanumeric passwords with a minimum length of 6 characters
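The mapping above, as an added example that is not part of the original page: a Python function that returns the Android complexity level for an Exchange policy combination, plus a check of a candidate PIN or password against that level's listed requirements. The dataclass and function names, and the rule that a PIN counts as repeating or ordered when more than three consecutive digits share a constant difference, are this example's assumptions derived from the page's examples (4444, 1234, 4321, 2468).

```python
# Added example (not Google's code): map Exchange mailbox policy settings to the
# Android password complexity level per the page's table, then check a candidate
# credential against that level. Names and the sequence threshold are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class MailboxPolicy:
    password_enabled: bool = True
    allow_simple_password: bool = True
    alphanumeric_password_required: bool = False
    min_password_length: int = 4

def android_complexity(p: MailboxPolicy) -> str:
    """Return NONE, LOW, MEDIUM or HIGH for the policy combination."""
    if not p.password_enabled:
        return "NONE"
    if p.allow_simple_password:
        if p.min_password_length < 4:
            return "LOW"
        return "MEDIUM" if p.min_password_length == 4 else "HIGH"
    if p.alphanumeric_password_required:
        return "MEDIUM" if p.min_password_length <= 4 else "HIGH"
    raise ValueError("setting combination not covered by the page's table")

def has_sequence(pin: str, max_run: int = 3) -> bool:
    """True if the PIN has a repeating (4444) or ordered (1234, 4321, 2468)
    run longer than max_run digits, i.e. a stretch with constant difference."""
    digits = [int(c) for c in pin]
    run = longest = 1
    for i in range(1, len(digits)):
        if i >= 2 and digits[i] - digits[i-1] == digits[i-1] - digits[i-2]:
            run += 1
        else:
            run = 2  # any two digits start a candidate run
        longest = max(longest, run)
    return longest > max_run

def meets_requirements(level: str, secret: str) -> bool:
    """Check a candidate PIN/password against the level's listed requirements."""
    if level == "NONE":
        return True
    if level == "LOW":
        return len(secret) >= 1  # pattern or any PIN; sequences are allowed
    pin_min, text_min = (4, 4) if level == "MEDIUM" else (8, 6)
    if secret.isdigit():
        return len(secret) >= pin_min and not has_sequence(secret)
    if secret.isalnum():  # alphabetic or alphanumeric
        return len(secret) >= text_min
    return False  # symbols are not in the page's list
```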

Policies supported by default

Android supports some EAS policies by default. As a result, the following EAS policies aren't directly configurable:

  • Password expiration
  • Password history
  • Max password failed attempts
  • Max inactivity time lock
  • Require device encryption

Wipe a device remotely

If a wipe command is sent from Exchange Server, Gmail will remove the EAS account from the device (or work profile) rather than wiping the entire device (or work profile). If you have an EMM provider, you can wipe a device or a work profile in your EMM console.

What should my organization do to handle these changes?

You don't need to take any action. The changes to the way Gmail handles wipe commands and certain EAS password policies will not disrupt device functionality, though you may want to review your current device password policies to ensure they're suitable for your organization.
