To support Lync for mobile devices, Microsoft first introduced Mobility Service and Autodiscover Service as add-on features for Lync Server 2010 in November 2011. The mobility service enabled Lync Server organizations to support iPhone, iPad, Android, Windows Phone and Nokia devices. The Autodiscover Service allowed mobile devices to locate Lync Server from internal or external networks.
Microsoft then built these features into Lync Server 2013 when it introduced its Unified Communications Web API (UCWA) to support the Lync 2013 mobile client’s enhanced features -- like VoIP and video for meetings.
In conjunction with the release of the mobility service, Microsoft launched Lync mobile client applications for the devices. The features and capabilities vary across different mobile client versions and devices. Mobile device capabilities are grouped together in the following areas: archiving/compliance, conferencing, contacts, enhanced presence, external users, instant messaging, Lync-to-Lync A/V, sign-in/out and push notifications, and telephony.
Microsoft offers a detailed comparison of its mobile clients and the Lync 2013 desktop client. Another key component in extending Lync to a mobile device is the Push Notification Service, which is hosted by Microsoft and is required by the Lync 2010 mobile client for iOS devices and the 2010 and 2013 Windows Phone mobile clients. Without the Microsoft Push Notification Service and Apple Push Notification Service, inactive devices would not be able to receive and respond to IM invitations and other events. The Apple Push Notification Service is no longer required for iOS devices running the Lync 2013 mobile client.
Ensuring Lync is secure on mobile
To make sure Lync is secure on mobile devices, administrators must properly configure their public and private domain name system (DNS) to support the Autodiscover Service. The Autodiscover Service is used not only by mobile clients but also by Lync 2013 desktop clients, which rely on it for the information they need to connect to the server. If a client is external, it will look for the lyncdiscover.sipdomain.tld record in the public DNS. If the client is internal, it will need to resolve the lyncdiscoverinternal.sipdomain.tld record in the private DNS. In both cases, Lync clients depend on a reverse proxy server to connect them to the mobility service, which is only enabled in the external Web services directories on the Lync servers.
One of the keys to securing mobile clients is the proper deployment of certificates on the Lync servers. Another aspect of mobile device security is determining which users will have access to the mobility features. Using Lync's mobility policy, an administrator can govern the use of features. These policies are managed in the Lync Server Management Shell. Policy options include: AllowExchangeConnectivity, AllowSaveCallLogs, AllowSaveCredentials, AllowSaveIMHistory, EnableMobility, EnableOutsideVoice, EnableIPAudioVideo, RequireWiFiForIPAudio, RequireWiFiForIPVideo, RequireWiFiForSharing.
Two policy options pertain directly to the security of the mobile clients. When a mobile client authenticates with Lync Server, it will potentially use NT LAN Manager (NTLM) credentials. To reduce the exposure of these credentials, it is possible to prevent a device from storing them by setting AllowSaveCredentials to $False. To prevent multiple authentication attempts from a mobile client to the Exchange server, it is possible to disable Exchange Web Services (EWS) access from the mobile client by setting AllowExchangeConnectivity to $False. Be aware that this will also disable voicemail in email and meeting links in the calendar, which may not be what you want. For more on this topic see Securing external and mobile access in Lync 2013.
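The two settings described above can be audited and applied from the Lync Server Management Shell. The following is an added example, not code from the original article; the policy name RestrictedMobile and the SIP address are constructed placeholders.

```powershell
# Added example: run in the Lync Server Management Shell.
# 'RestrictedMobile' and 'sip:user@example.com' are constructed placeholders.

# 1. Audit: report, for each mobility policy, the two security-relevant settings.
function Get-MobilityPolicyFinding {
    param([Parameter(Mandatory = $true)] [object[]] $Policy)
    foreach ($p in $Policy) {
        $issues = @()
        # The settings only matter where mobility is actually enabled.
        if ($p.EnableMobility -and $p.AllowSaveCredentials) {
            $issues += 'credentials may be stored on the device'
        }
        if ($p.EnableMobility -and $p.AllowExchangeConnectivity) {
            $issues += 'mobile client may authenticate to Exchange (EWS)'
        }
        [pscustomobject]@{
            Identity                  = $p.Identity
            EnableMobility            = $p.EnableMobility
            AllowSaveCredentials      = $p.AllowSaveCredentials
            AllowExchangeConnectivity = $p.AllowExchangeConnectivity
            Findings                  = $issues -join '; '
        }
    }
}

Get-MobilityPolicyFinding -Policy (Get-CsMobilityPolicy) |
    Format-Table -AutoSize -Wrap

# 2. Create a per-user policy that keeps mobility on but blocks stored
#    credentials and EWS access from the mobile client.
#    Trade-off noted in the article: AllowExchangeConnectivity = $false also
#    removes voicemail in email and meeting links in the calendar.
New-CsMobilityPolicy -Identity 'RestrictedMobile' `
    -EnableMobility $true `
    -AllowSaveCredentials $false `
    -AllowExchangeConnectivity $false

# 3. Assign the policy to a user, then confirm the assignment.
Grant-CsMobilityPolicy -Identity 'sip:user@example.com' -PolicyName 'RestrictedMobile'
Get-CsUser -Identity 'sip:user@example.com' |
    Select-Object SipAddress, MobilityPolicy
```

Running the audit step on its own changes nothing, so it can be used first to see which existing policies would be affected.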
Do you have a question for Richard Luckett or any of our other experts? Ask your enterprise-specific questions today. (All questions are treated anonymously.)