[commits] [Wiki] changed: ActiveSync
Wiki Guest
wikiguest at horde.org
Mon Feb 25 21:30:05 UTC 2019
guest [31.223.0.156] Mon, 25 Feb 2019 21:30:05 +0000
Modified page: https://wiki.horde.org/ActiveSync
New Revision: 288
Change log: YouHaveBeedHacked
@@ -1,421 +1 @@
-[[toc]]
-+ !ActiveSync
-
-Exchange !ActiveSync (EAS) is a protocol designed for client
synchronization of Email, Contacts, Calendar, Tasks, and Memo data
with a groupware/messaging server. EAS is a
[http://en.wikipedia.org/wiki/WBXML WAP Binary XML (WBXML)] based
protocol and is communicated over HTTP/HTTPS. It was originally
developed by Microsoft for synchronizing !PocketPC devices with
Microsoft Exchange servers, but has since become widely adopted as the
preferred synchronization method. Just about every modern device
capable of synchronization includes out of the box support for EAS.
Android, iOS, Windows Phone, Blackberry, even current versions of
Microsoft Outlook and Windows Mail include support for EAS.
-
-In addition to synchronization, the protocol provides some device
management and security related features.
-
-++ People
-
-[MichaelRubinsky Michael Rubinsky]
-
-++ Bugs
-
-See the [http://bugs.horde.org/queue/sync bug tracker] and the list
of ((ActiveSync/KnownIssues|known issues)) and the list of
((ActiveSync/BrokenClientBehavior|broken client behavior)).
-
-++ Description
-
-The Horde_ActiveSync library provides the framework for synchronizing
a groupware server with an EAS client. This page describes the use of
this library for synchronizing a Horde Groupware stack. For the
specific versions and features supported in different Horde versions,
see the ((ActiveSync/FeatureGrid|ActiveSync Feature Grid)).
-
-As of Horde 5, !ActiveSync support passes
[https://www.testexchangeconnectivity.com Microsoft's Remote
Connectivity Analyzer] - though you must disable provisioning on the
account you use for testing since the analyzer doesn't respond to the
449 Header that is sent when Provisioning is required.
-
-For information on using this library in your own groupware stack,
see the [http://dev.horde.org/api/master/lib/ActiveSync developer
documentation].
-
-++ Server Setup
-
-To activate the server, it needs to be enabled in Horde's
configuration, on the !ActiveSync tab. The SQL tables that horde uses
are created as usual from the Horde configuration screen.
-
-+++ Webserver
-
-You will need to configure your webserver to redirect the URL
/Microsoft-Server-ActiveSync to your horde/rpc.php file. How you do
this depends on your webserver and it's configuration. For Apache,
something like:
-<code>
-Alias /Microsoft-Server-ActiveSync /var/www/horde/rpc.php
-</code>
-// Note: // It has been reported that when running PHP via mod_fcgid
on Apache that the Alias directive will not pass the correct URL to
the fcgid-script handler. This can be worked around by using a
!RewriteRule instead (adapted from
http://maurus.net/weblog/2010/10/26/running-z-push-1-4-2-with-apache-and-fastcgifcgid/):
-<code>
- RewriteEngine On
- RewriteRule ^/Microsoft-Server-ActiveSync /horde/rpc.php [PT,L,QSA]
-</code>
-
-There has also been a report from that the Authorization headers are
not correctly passed when using mod_php with Apache. These are known
issues and are should actually already be taken care of by the
Horde_Controller_Request object. However, if you are still having
issues with !ActiveSync complaining about no Authorization errors, you
can try the following configuration:
-<code>
-RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
-RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
-RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-</code>
-None of these issues have been reported using lighttpd/fastcgi or
Apache+mod_fastcgi+php-fpm.
-
-For Apache + PHP-FPM using mod_proxy_fcgi
-<code>
-ProxyPassMatch ^/Microsoft-Server-ActiveSync$
unix:/usr/local/php55/sockets/webapps.sock|fcgi://127.0.0.1:9000/var/www/html/horde/rpc.php$1
-</code>
-// Note: // Sockets are only available from Apache 2.4.8 or if the
appropriate patch has been applied. In all other case, use a tcp
connection.
-// Note: // If setting // !ProxyErrorOverride On // then when testing
the !ActiveSync endpoint via a browser you may not see the expected
activesync error message - as it would be replaced by the overridden
Apache error message.
-
-Since Horde !ActiveSync connections are held open for a period of
time up to 3540 seconds (depending on client and
$conf[activesync][ping][heartbeatmax] setting, if using a proxy server
you need to ensure it does not time out before the request is
complete. Add this to your virtualhost:
-<code>
-ProxyTimeout 5400
-</code>
-+++ Autodiscover
-
-In order for the Autodiscovery service to work, a request to
/autodiscover/autodiscover.xml needs to reach rpc.php. How it does
this depends on your specific server setup. Below are a few examples
to point you in the right direction. Note that for autodiscovery to
work, the final endpoint MUST be over SSL. Autodiscover requests will
NOT work without a valid SSL certificate.
-
-The easiest example is when Horde is running on the same domain, with
NO subdomain as the email address domain. Example, for
user at example.com and Horde is reachable at https://example.com/horde.
For this, you simply create an Alias pointing
/autodiscover/autodiscover.xml to /rpc.php. Note that the
documentation specifies different case for the URL in different parts.
You should allow the following URLs to be redirected:
-<code>
-Alias /autodiscover/autodiscover.xml /var/www/horde/rpc.php
-Alias /Autodiscover/Autodiscover.xml /var/www/horde/rpc.php
-Alias /AutoDiscover/AutoDiscover.xml /var/www/horde/rpc.php
-</code>
-
-For Apache + PHP-FPM using mod_proxy_fcgi
-<code>
-ProxyPassMatch ^/autodiscover/autodiscover.xml$
unix:/usr/local/php55/sockets/webapps.sock|fcgi://127.0.0.1:9000/var/www/html/horde/rpc.php$1
-ProxyPassMatch ^/Autodiscover/Autodiscover.xml$
unix:/usr/local/php55/sockets/webapps.sock|fcgi://127.0.0.1:9000/var/www/html/horde/rpc.php$1
-ProxyPassMatch ^/AutoDiscover/AutoDiscover.xml$
unix:/usr/local/php55/sockets/webapps.sock|fcgi://127.0.0.1:9000/var/www/html/horde/rpc.php$1
-</code>
-
-A more common example is when Horde is running on something like
mail.example.com while the email addresses are simply @example.com.
For this, there are two options. First, if example.com is an existing
site, already runs over HTTPS and is on the same physical server as
mail.example.com, you could simply use the Alias example above in the
configuration for the example.com site. Note again, this MUST ALL BE
OVER SSL.
-
-If the ActiveSync client fails to find an acceptable autodiscover
response at https://example.com, it will then send a request to
http://autodiscover.example.com. Note that this is NOT over SSL. This
request MUST respond with a 302 redirect to a SSL endpoint that will
answer the autodiscover request:
-
-<code>
-<VirtualHost *:80>
- ServerName autodiscover.example.com
- DocumentRoot /var/www/html
- RedirectMatch 302 (?i)/autodiscover/autodiscover.xml
https://mail.example.com/autodiscover/autodiscover.xml
-</VirtualHost>
-
-# Obviously, you can't use a wildcard 443 here, but you get the
idea...basically you
-# need to set these Alias entries for
https://mail.example.com/autodiscover/autodiscover.xml
-<VirtualHost *:443>
- ServerName mail.example.com
- Alias /autodiscover/autodiscover.xml /var/www/html/groupware/rpc.php
- Alias /Autodiscover/Autodiscover.xml /var/www/html/groupware/rpc.php
- Alias /AutoDiscover/AutoDiscover.xml /var/www/html/groupware/rpc.php
-
- ## Rest of config....
-</VirtualHost>
-</code>
-
-+++ Basic example for lighttpd:
-
-<code>
-$HTTP["host"] =~ "(^|www\.)example\.com$" {
- url.redirect = ("^/(?i)autodiscover/autodiscover.xml$" =>
"https://horde.example.com/autodiscover/autodiscover.xml")
-}
-
-alias.url = ("/Microsoft-Server-ActiveSync" => "/var/www/horde/rpc.php",
- "/autodiscover/autodiscover.xml" => "/var/www/horde/rpc.php");
-</code>
-
-It should also be noted that the protocol documentation explicitly
lists the autodiscover url as all lowercase, some clients actually
request it as //!AutoDiscover/!AutoDiscover.xml// so if you are having
problems, you should adjust your alias/rewrite rules accordingly.
-
-+++ Setting up Horde !ActiveSync behind a Reverse Proxy Server
-
-Since Horde !ActiveSync connections are held open for a period of
time up to 3540 seconds (depending on client and
$conf[activesync][ping][heartbeatmax] setting, if using a proxy server
you need to ensure it does not time out before the request is
complete. Failure to do this will result in errors like this in your
proxy server's web server log:
-
-<code>
-[Mon Jun 10 22:24:56 2013] [error] [client 101.169.127.248]
(70007)The timeout specified has expired: proxy: error reading status
line from remote server 192.168.1.230
-[Mon Jun 10 22:24:56 2013] [error] [client 101.169.127.248] proxy:
Error reading from remote server returned by
/Microsoft-Server-ActiveSync
-</code>
-
-For an Apache proxy:
-
-<code>
- ProxyPass / https://192.168.1.230/ connectiontimeout=600
timeout=4000
- ProxyPassReverse / https://192.168.1.230/
-</code>
-
-That allows for up to 600 seconds for a connection to be established
(should cover ALL possibilities) and then holds that connection open
for up to 4000 seconds. This should be adjusted for you specific
needs/environment.
-
-+++ Horde
-
-You should make sure that the max_execution time is either set to 0
or at least twice the maximum heartbeat interval. This can be set in
Horde's general configuration tab.
-
-
-++ Application Configuration
-No additional steps are normally necessary for synchronization of the
supported applications. However, each application that supports
synchronization also has user preferences to determine which shares
will be synchronized. For example, in Kronolith the user's default
calendar is **always** synchronized, but the user can choose to add
any additional calendars he/she owns.
-
-+++ Multiple sources in the same collection
-
-Prior to Horde 5.2, all non-email sources would be "multiplexed"
together so they appear as a single source on the client. For example,
all user calendars would appear as a single, combined calendar on the
client and any new events would always be added to the user's default
calendar. Starting with Horde 5.2, applications can be configured to
provide all user sources as discrete sources on the client. Since not
all EAS clients support this, there are a number of ways to control
this.
-* By enabling/disabling the discrete sources preference per
application. This, of course, affects all of a user's devices, so must
be set to the lowest common denominator. If it is desired to always
force the multiplexed collections, you can lock the preference. When
this pref is activated, the ActiveSync library a tries to sniff out
the client's capability and disables this if the client is unable to
honor it.
-* By implementing the activesync_device_modify hook (see
//horde/config/hooks.php.dist//). There is a sample hook already
defined that performs some basic device sniffing to determine which
collections do not support discrete sources.
-
-Note: that all sync-able sources **MUST** be writable by the user.
-
-The following chart is meant to provide a general idea of what device
class supports this, not a listing of all devices and capabilities:
-||~ Device ||~ Calendars ||~ Contacts ||~ Tasks ||~ Memos ||~
Creating new sources ||~ Notes ||
-|| Android || || || || || || ||
-|| Blackberry || Yes || Yes || Yes || Yes || Yes, for Tasks and Notes
|| Creating a new Notes source from 10.3.x only||
-|| iOS || Yes || Yes || Yes || || Yes, for Calendars and Tasks || ||
-|| Outlook || Yes || No || Yes || n/a || || ||
-|| Windows Phone || || || Yes || || || ||
-
-Users can also view all their paired !ActiveSync devices by visiting
their //!ActiveSync Devices// preferences. This is located within
Horde's //Global Preferences//. From here, it is possible to force a
complete re-sync, or to request a remote wipe of a provisioned device
(see below).
-
-++ Email Support
-
-Email synchronization has been added in Horde 5. Since in some
installs this may be undesirable, it is possible to deactivate email
support via Horde's configuration, on the !ActiveSync tab.
-
-!ActiveSync email support requires an IMAP server. POP3 is not
supported. When used in the Horde groupware stack, it will use the
same server that IMP is configured to connect to. It is recommended
that this server support the QRESYNC server extension for performance
reasons, though it will work without this. It can also help
performance if an IMAP proxy is used. Some IMAP servers like older
Cyrus versions (< 2.4) might support QRESYNC but do not enable per
mailbox MODSEQ by default. Enabling this on these servers will greatly
improve performance.
-
-The only flags supported by !ActiveSync are the //seen// and
//flagged for follow up// flags. Flag changes will be synchronized,
but flag changes alone will only trigger a SYNC if per mailbox MODSEQ
is supported on the server. Otherwise, the only thing that will
trigger a SYNC is the arrival of a new message (technically, an
increase in the NEXTUID value). Once this SYNC is triggered though,
all message changes are taken into account - including any flag changes.
-
-Since !ActiveSync does not support the //deleted// flag, messages in
a mailbox with this flag are ignored when syncing. Deleting a message
will produce the following actions:
-
-* Deleting on the //device// will do one of two things; If the user
has enabled a Trash mailbox then the message will be moved to that
mailbox. Otherwise, the message is immediately expunged.
-* Deleting from a MUA: If the MUA is not configured to move messages
to the trash, and instead just flags them as deleted, these message
deletions will NOT be synched to the !ActiveSync client, as there is
no equivalent command in the protocol. These messages will only be
removed from the !ActiveSync client once expunged from the mailbox.
This is in accordance with the !ActiveSync protocol specs. If you wish
to ensure all message deletions are synched quickly to the device, you
should configure the use of a Trash folder.
-
-Forwarding a message will always attempt to put the main message text
body in-line and keep any original attachments. It seems that a number
of devices cannot view message/rfc822 attachments, so any messages
that have been forwarded as an attachment may not be viewable in the
!ActiveSync mail client.
-
-++ S/MIME Support
-
-||~ Client ||~ S/MIME support ||
-|| iOS || Can sign and encrypt outgoing email and successfully
validate/decrypt received email. Some issues with validating
certificates on emails sent from iOS > 6.1. ||
-|| Android || Most clients do not support this AT ALL. Some, such as
Samsung's proprietary client, can send encrypted/signed email but
cannot decrypt or validate received email. The third party client
Touchdown supports this well. ||
-|| BlackBerry 10 || Can sign and encrypt outgoing email, but has
trouble validating/decrypting received and sent emails. Some issues
with validating chained certificates ||
-
-++ Autodiscover
-
-Some devices attempt to use Exchange's Autodiscover service to make
it easier for both the user to setup the account and for the
administrator to make drastic changes like moving the server to a new
URL. Horde attempts to support this as best it can. For this to work,
you must create the URL alias as described above, and Horde must be
able to figure out the Horde username based on the email address the
user provided to the device. The configuration screen provides
multiple options for this. In the worst case, if Horde cannot
authenticate based on the provided information from the Autodiscover
request, the device will fall back to requiring manual configuration.
See the notes in the compatibility grid for any known information
regarding device support for this feature.
-
-++ !ActiveSync Versions
-
-See also: ((ActiveSync/FeatureGrid|Supported ActiveSync Features)).
-Horde 5 adds support for !ActiveSync versions 12.0 and 12.1 - the
version shipped with Exchange Server 2007 and 2007sp1. This adds among
other things: HTML email support, flagged for followup, more atomic
policy settings, additional search sources, local wipe rules, and
WBXML based provisioning (instead of the XML used in 2.5).
-
-Horde 5.1 adds support for !ActiveSync versions 14.0 and 14.1. These
versions are shipped with Exchange Server 2010sp1 and 2010sp2. This
allows MS Outlook synchronization (with Outlook 2013 or newer), since
Outlook requires at least !ActiveSync protocol version 14.0. See the
((ActiveSync/FeatureGrid|Supported ActiveSync Features)) for the full
list of features.
-
-++ Administration
-Administrators can view all of the !ActiveSync devices paired with
the server. This is the //!ActiveSync Devices// link located under the
Administration menu. From here an administrator can request a remote
wipe, or force a re-provisioning of any device.
-
- at TODO: Explain various setup configuration options and security
policies (heartbeat etc...)
-
-[http://technet.microsoft.com/en-us/library/bb123484%28v=exchg.141%29.aspx An
explanation of the EAS security policies.]
-
-++ Provisioning/!RemoteWipe
-Provisioning allows devices to be more tightly registered with a
particular server. It enables the server to be able to send policy
settings to the device. These policy settings include things like
requiring a PIN to unlock the device, the complexity of the PIN
required, the number of failed login attempts allowed etc...
Additionally, it enables devices to be remotely wiped so that if a
device is lost or stolen, the user or administrator can request the
device to be wiped.
-
-As of Horde 5, provisioning is enabled via the permissions interface.
You must first add the //!ActiveSync// permission as a child of the
//Horde// permission. The //Provisioning// permission is a child of
//!ActiveSync// and all policies are children of //Provisioning//.
-
-In order to enforce any security policies on a device, it must be
provisioned. However, not all devices support this and some will
downright refuse to work if it's enabled. There are three choices for
provisioning support. //None//, //Force//, and //Allow//. Choosing
//None// will disable provisioning and any enforcement of security
polices or remote wipe. //Force// will only allow devices that are
successfully provisioned to connect to the server. This means devices
that don't properly support provisioning, such as some older Android
versions, will simply not work. The third choice, //Allow// will
enforce provisioning on the devices that support it, but will also
allow devices that don't support it to connect to the server. Once
provisioning support is added, security policies can also be added via
the permissions interface.
-
-Users can initiate a remote wipe, as well as view/manage their
partnered devices in the !ActiveSync user preference.
-
-Clicking //Wipe// in the Horde interfaces for device management flags
the server to send the wipe command to the device the next time it
synchronizes. The next time the device attempts to request a command
other then PING or OPTIONS, it will be wiped. The !ActiveSync
preference page shows the status of all the user's devices. If the
status is listed as //Pending//, and you wish to cancel the wipe
request, you may do this by clicking the //Cancel Wipe// button. You
should see the status be reset to //Provisioned//. After it is wiped,
the status will be shown as //Wiped//, if you wish to allow the device
to connect to your server again, you need to explicitly remove the
device as a sync partner by clicking the //Remove// button. If you do
not remove this entry, the device will continue to be wiped each time
it reconnects to the server.
-
-++ What works
-
-Contacts, Calendar, Task, Notes and Email syncing are all working.
Note that not all devices support Tasks or Notes. Of the tested
devices, iOS (versions < 5.0) and Android are lacking native Task
applications. The !TouchDown client, Moxier Mail, and Windows Mobile
both support Tasks. Windows Mobile, and iOS 7+ are the only clients
I've found so far that support Notes.
-
-For the complete feature set, sorted by ActiveSync version, see
((ActiveSync/FeatureGrid|Supported ActiveSync Features)).
-
-This following devices have been tested:
-||~ Device ||~ Version(s) ||~ Provisioning ||~ GAL Searching ||~
Notes ||~ Verified EAS Versions ||~ Autodiscover ||
-|| Android Emulator || 6.0.0 || Yes, **required** || ? || Android 6.0
seems to **require** provisioning to be enforced on the server.
Otherwise, it enters into a FOLDERSYNC loop, where it keeps resetting
the sync state. There also appears to be **major** issues with the
native ActiveSync implementation which leads to the client constantly
resetting the state making it pretty much unusable. || 14.1 || ? ||
-|| !BlackBerry !PlayBook || 2.1.0.1088 || ? || ? || Emails, contacts
and calendars are synced, but the !PlayBook often resets the sync when
connecting to 2 accounts || 12.1 || ||
-|| !BlackBerry 10 (Simulator) || 10.1 || Yes || Yes || Email,
Contacts, Calendars, Tasks, Notes || 14.1 || ? ||
-|| !BlackBerry Z10, Q5, Q10, Z30 || 10.0, 10.1, 10.2, 10.2.1 || Yes
|| Yes || Email, Contacts, Calendars, Tasks, Notes || 14.1 || Yes ||
-|| Google Nexus 4 || 4.2, 4.3 || ? || ? || Emails, contacts and
calendars. Android 4.4.2 has broken EAS support. || 14.1 || ||
-|| Google Nexus 7 || 4.2, 4.3 || ? || ? || Emails, contacts and
calendars. Android 4.4.2 has broken EAS support.|| 14.1 || ||
-|| HP !WebOS || 2.1.0 || Yes || ? || Contacts, Calendar, Tasks are
working, for SSL with a private certificate you have to trust the
certificate in the browser || 2.5 || ||
-|| HTC Desire Z / HTC Desire HD || 2.2 || Yes || Yes || Contacts and
Calendar via native !ActiveSync, SSL ok || 2.5 || ||
-|| HTC Desire S || 2.3.3 || ? || ? || Contacts and Calendar via
native !ActiveSync, SSL ok || 2.5 || ||
-|| HTC Magic || Android 2.2.1 unbranded || ? || ? || Contacts,
Calendars || 2.5 || ||
-|| iOS Devices (iPhone, iPad, iPod) || 3.1.3 -> 4.3.5 || Yes, with
Bugs. Certain versions of iOS - 4.3(8F190) for one, go into a
provisioning loop due to a bug in iOS (it continues to send the OLD
X-Ms-Policykey value after it receives a new one). || Yes || Contacts,
Calendar and Email || 2.5, 12.1 || ||
-|| iOS Devices (iPhone, iPad, iPod) || 5.x || Yes || Yes || Contacts,
Calendar, Email, and basic support for Tasks via the Reminders App. ||
2.5, 12.1 || Yes. ||
-|| iOS Devices (iPhone, iPad, iPod) || 6.0 || Yes || Yes || Broken
email push, issues with meeting invitations and responses. These have
been reported fixed in 6.0.1. Major issues with recurring events and
exceptions. See ((ActiveSync/KnownIssues|known issues)) for more info.
|| 2.5, 12.1 || Yes. ||
-|| iOS Devices || 7.0.x || Yes || Yes || Contacts, Calendar, Email,
Tasks, and Notes. Major issues with recurring events and exceptions.
See ((ActiveSync/KnownIssues|known issues)) for more info.|| 2.5,
12.0, 12.1, 14.0, 14.1 || Yes ||
-|| iOS Devices || 8.1.x || ? || ? || Contacts, Calendar, Email (?),
Tasks, and Notes. Major issues with recurring events and exceptions.
See ((ActiveSync/KnownIssues|known issues)) for more info.|| ?,?,?,?,
14.1 || Yes ||
-|| Motorola Moto G || Android 4.4.4 || Yes || Yes || Mail, contacts,
calendar and remote wipe work. SSL works as well. || ? || ||
-|| Motorola Razr i XT890 || Android 4.1.2 || Yes || Yes || Mail,
contacts, calendar and remote wipe work. SSL works as well. || ? || ||
-|| Motorola Razr XT910 || Android 2.3.6, 4.1.2 || Yes || Yes || Mail,
contacts, calendar data tasks and remote wipe work. SSL works as well.
|| ? || ||
-|| Motorola Droid || 2.0.1, 2.1, 2.2, 2.3 || Broken support before
2.2, works with 2.2 and above. || Native support in 2.2 and later,
earlier versions can use the //Corporate Directory// app in the
Marketplace. || Contacts, Calendar and Email. On Froyo/2.2 SSL
connections will NOT work with a self signed certificate even if the
"Accept All Certificates" checkbox is selected. See
http://www.google.com/support/forum/p/android/thread?tid=45e6836618212fdf&hl=en (A (Free) Level One certificate from http://www.startssl.com/ seems to work well here).|| 2.5, 12.0 ||
||
-|| Motorola Milestone || 2.1, 2.2 || See Motorola Droid above. || See
Motorola Droid above. || Contacts, Calendar, and Email || 2.5, 12.0 ||
||
-|| Moxier Mail || 2.15.1 (Android) || Yes || Yes || Contacts,
Calendar with minimal recurrence support and Email. DOES NOT RESPECT
SERVER SIDE STATE RESETS - so changing sync prefs, clearing state on
server will require a manual resync on the device! || 2.5, 12.0 || ||
-|| Nine || 1.5.0 || Yes || Yes || Mail, Contacts, Calendar, Tasks and
Notes. || 2.5 - 14.1 || Yes - As of 2019, Nine strictly needs
autodiscover and will not work without it. ||
-|| Nokia E5-00 || ? || ? || ? || Contacts & calendar via !RoadSync.
Calendar works native client but contacts do not seem to work. || 2.5
|| ||
-|| Nokia E90 || !MfE 3.0 || ? || ? || Contacts verified to work. || 2.5 || ||
-|| Nokia N900 || Maemo 1.3 || No || Yes, in the "contacts" app ||
Emails, events, contacts and tasks work. Earlier versions of firmware
are either broken, or only support !ActiveSync version 12.1. Sent
messages are only stored locally. The device always "pings" all
folders by default on the server, it might cause higher server load
with a lot of folders. You can adjust which folders to sync with the
mfefolders (http://mfefolders.garage.maemo.org/) app. || 2.5, 12.1 || ||
-|| Samsung Galaxy Gio || 2.3.6 || Yes || Yes || Contacts and calendar
data works. SSL works as well. || 2.5 || ||
-|| Samsung Galaxy Nexus || 4.0.2 (ICS), 4.1.2, 4.2.x, 4.3.x (Jelly
Bean) || Yes, full support. || Yes, native support via the search
functionality. || Calendar, Contacts, and Email works. Be sure to
ENABLE email syncing. Disabling email syncing - even if enabling
calendar and contacts - seems to prevent the initial folder sync
required for the account to be initially set up on the phone. || 2.5,
12.0, 12.1 || Yes, though the device defaults to using the email
address as the horde login and must be changed by the user if this is
not the case. ||
-|| Samsung Galaxy S2 || 2.3.4 || ? || ? || GT-I9100 - Contacts and
calendar data works. SSL works as well (self-signed certificates
also). || 2.5 || ||
-|| Samsung Galaxy S2 || 4.0.3 (ICS) || Yes, full support. || Yes,
native support via the search functionality. || GT-I9100 - Calendar,
Contacts and Email works. Be sure to ENABLE email syncing. Disabling
email syncing - even if enabling calendar and contacts - seems to
prevent the initial folder sync required for the account to be
initially set up on the phone. SSL works as well (self-signed
certificates also). || 2.5, 12.0 || ||
-|| Samsung Galaxy S2 || 4.1.2 (JB) || Yes, full support. || Yes,
native support via the search functionality. || GT-I9100 - Calendar,
Tasks, Contacts and Email works. Be sure to ENABLE email syncing.
Disabling email syncing - even if enabling calendar, tasks and
contacts - seems to prevent the initial folder sync required for the
account to be initially set up on the phone. SSL works as well
(self-signed certificates also). || 2.5, 12.1 || ||
-|| Samsung Galaxy S3 LTE || 4.3 || Yes || ? || GT-I9305 - Calendar
and Email works. || 14.1 || ||
-|| Samsung Galaxy Note 3 || 4.3 || Yes || Yes || Calendar, Contacts,
Email, Notes. || 14.1 || ||
-|| Samsung Galaxy S4 || 4.3 || Yes || Yes || GT-I9505 - Calendar,
Contacts, Email, Notes. || 14.1 || ||
-|| "Tasks and Notes" for Android || ? || ? || N/A || Requires Horde
>= 5.1.0. Available via the Android App store:
https://play.google.com/store/apps/details?id=org.myklos.inote ||
12.0, 12.1, 14.1 || No ||
-|| !TouchDown for Android || Version 6.5.0002 || Yes || Yes ||
Contacts, Calendar (recurrence/exceptions mostly work - minor bugs
still being worked out), Tasks, and Email. || 2.5, 12.1 || ||
-|| Windows 8 Mail || 8.1 || **required** (see notes) || Yes ||
Contacts, Calendar, Email. Will not work if provisioning is completely
disabled. || 14.1 || Yes ||
-|| Windows Mobile || 6.1 || ? || ? || Contacts, Email || 2.5 || ||
-|| Windows Mobile || 6.5 || Yes, full support. || Yes || Contacts,
Calendar, Tasks, Email. || 2.5, 12.0, 12.1 || ||
-|| Windows Phone || 7.0 || Yes, with limited security policy support.
|| Yes || Contacts, Calendar, Tasks, Email || 2.5, 12.0, 12.1 || ||
-|| Windows Phone || 7.5 || Yes, with limited security policy support.
|| Yes || Contacts, Calendar, Tasks, Email. Some devices may require a
Deleted items folder to be enabled. If error 8004010F is displayed on
the device, this is the likely culprit. See
http://social.msdn.microsoft.com/Forums/en/os_exchangeprotocols/thread/86e10e2d-bc4d-43dc-b6b7-f02630ff052b for more info. || 2.5, 12.0, 12.1 ||
||
-|| Windows Phone || 8 || Yes || Yes || Contacts, Calendar, Tasks,
Email || 12.1, 14.0, 14.1 || Yes ||
-
-++ Setting up the device
-
-It's beyond the scope of this page to go into detail for each
individual device. In general, you will need to create a new account
on the device. The account type should be something like //Microsoft
Exchange// or //!ActiveSync//. Some devices use //Corporate//. You
will need to enter your normal Horde username and password in the
appropriate fields. In the field for the server address, you should
enter the **root** of the webserver or virtual host that hosts Horde.
For example, if you host horde at http://host.example.com/horde then
you should enter //host.example.com//. You can ignore any reference to
a //domain// entry. If the device **requires** the domain entry (some
Windows Mobile devices do this) you may safely enter any value.
-
-A special note for the iPhone/iPod (and possibly others) - if you do
not use a SSL enabled site you may receive errors about not being able
to find the !ActiveSync server. If this happens, just continue, or
save, or whatever your option is to continue. On the iPhone, after
everything is completely set up, you must go back into the account
settings and disable SSL.
-
-After the connection particulars are entered, you should choose to
enable the folders that you want synchronized.
-
-++ Outlook Connectivity
-
-Starting with Outlook 2013, Outlook has the ability to synchronize
via Exchange !ActiveSync. This requires at least version 14.0 of the
EAS protocol, which Horde supports starting with Horde 5.1 (the
ActiveSync library supports this starting with 2.4.0 if you are not
using it with Horde). It's important to remember that connecting via
ActiveSync does not provide all the same functionality of Outlook as
you would get when connecting directly to an Exchange server.
-
-If you have correctly setup your server to handle Autodiscover
requests, you should be able to create the Outlook account using the
basic "Email Account" screen. If you have trouble, or you don't have
Autodiscover setup, you should select manual setup and then
"Outlook.com or Exchange !ActiveSync compatible service". Do **NOT**
select "Microsoft Exchange Server or compatible service".
-
-+++ Issues/Workarounds
-
-For some reason, Outlook 2013 doesn't use EAS to provide Free/Busy
lookup, even though the version of the EAS protocol it uses supports
it. If you want Outlook to be able to lookup Free/Busy information
using Horde/Kronolith you need to provide it with the Free/Busy URL.
Under //File -> Options -> Calendar Options// select the "Free/Busy
Options" button. Enter Kronolith's Free/Busy URL:
http://example.com/horde/kronolith/fb.php?u=%NAME%. The %NAME% string
will be replaced by the user portion of the SMTP mailing address used
in the meeting request.
-
-++ What to do if you have problems (or How to help us help you)
-
-**First off, you should check the list of
((ActiveSync/KnownIssues|known issues)) to see if your problem is
expected or not**. You can also check the Horde bug tracker to see if
your issue has been reported already.
-
-**If you are not even able to get past the initial setup page on your
phone**: you should first check to be sure you do not have SSL enabled
on the phone when you're server is not serving SSL. The iPhone/iPod
will not let you turn this off until after you save the configuration,
so you must continue through all the errors and go back into the
settings to disable SSL. You should also make sure that you have not
enabled Provisioning support if your phone does not support it.
-
-**If the configuration went well, but you are not seeing any
contacts/calendar items appear on the device:** Some clients require a
manual refresh or folder selection after setup when not using the
"Automatic Discovery" facility of Exchange. With !TouchDown, for
example, after setup you must select the folders you want sync'd under
the Advanced settings tab.
-
-If all else fails and you can't figure out the issue, we will be
happy to try to help you work it out, but you should be able to
check/provide us with the following:
-
-* Be sure to check the notes in the chart above for your specific
device. This might be a known issue, or a workaround may be known.
-* Check the web server error logs and see if there are any PHP errors
being logged.
-* **Configure Horde to send !ActiveSync log messages to a separate
logfile. This is configured on the !ActiveSync tab of Horde's
configuration screen.**
-* If you are able to, it would also be useful to run a wireshark
session to capture the network communication.
-* In some cases, it might be useful for us to see the affected
device's state records in the database.
-
-++++ Using tshark (command line wireshark) to obtain a network capture
-
-If you want to sniff the traffic on your server, and wireshark is not
available becuase there is no windowing system, you can use the tshark
application instead. The following command will capture http traffic
on port 80, and will ignore most requests we are not interested in.
It's worth mentioning that for the capture to be useful, you MUST not
setup SSL on the device. Depending on your user's rights, you may need
to run this as sudo:
-
-<code>
-tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) -
((tcp[12]&0xf0)>>2)) != 0)' -w /path/to/capture/file
-</code>
-
-**A note to developers attempting to use wireshark/tshark over ssl
connections**: Some clients (like Outlook) REQUIRE a SSL connection
and as such, make it more difficult to trace. Wireshark is able to
dissect SSL communication if it is given the server's private RSA key.
The only caveat here is that it will NOT work with so called
forward-secure ciphers like Diffie-Hellman since the server's key is
not enough to decode the data. If you find yourself needing to trace
ActiveSync traffic over SSL connections you must make sure you
configure the webserver to use a less secure cipher. Obviously you
only want to do this on test systems with non-production private keys.
For lighttpd, this can be done using something like:
-
-<code>
-ssl.cipher-list = "AES256-SHA AES128-SHA RC4-SHA RC4-MD5"
-</code>
-
-++++ Debug logging on device.
-
-On Android devices, it is possible to enable debug level logging of
the !ActiveSync conversation as well:
-
-To reach the Debug logging screen:
-pre-Honeycomb: Go to the Account screen in the Email application and
type //debug//.
-Honeycomb (tablet): Go to the //Account Settings// screen using the
action bar, then tap //Email Preferences// repeatedly until //Debug//
appears in the account list. Tap //Debug//.
-All phones: From the dialer, dial *#*#36245#*#* (the numbers
correspond to //EMAIL//)
-All devices: Go to the account creation screen (method differs
depending on OS version) and enter //d at d.d// for email address and
//debug// for password.
-All devices (adb): $ adb shell am broadcast -a
android.provider.Telephony.SECRET_CODE android_secret_code://36245
-
-Here's what the checkboxes mean:
-* "Enable extra debug logging" - If checked, this turns on basic
logging (no passwords or other content is logged); most useful for
debugging crashes.
-* "Enable sensitive information debugging" - If checked, this causes
POP/IMAP passwords to be logged. Exchange passwords are NEVER logged.
-* "Enable Exchange parser logging" - If checked, logs a great deal of
the CONTENT of mail, contacts, and calendar entries (excluding the
text of emails other than perhaps the first line). This information
helpful for debugging things like missing folders, missing calendar
entries, etc.
-* "Enable Exchange SD card logging" - If checked, puts all of the
Exchange related logging onto SD card in a file named emaillog.txt.
This file grows continuously until deleted (or the checkbox is
unchecked). This can be helpful in finding issues that are sporadic,
as the log is essentially unlimited in size.
-
-++ Roadmap
-+++ Horde 5.1
-||~ Feature ||~ Status ||
-|| EAS 14(.1) support.|| Complete. ||
-|| Improved device management via hooks. || Complete. ||
-|| Support for SOFTDELETE || Complete. ||
-
-+++ Horde 5.2
-||~ Feature ||~ Status ||
-|| Improved email identity support.|| Complete. ||
-|| Support for multiple sources per collection. E.g., Multiple
calendars, addressbooks etc... || Complete. ||
-|| Improved device management GUI. || Complete. ||
-
-+++ Horde 6.0
-||~ Feature ||~ Status ||
-|| Ability for admin to toggle sync log on/off per device from GUI
and view via GUI. || Planned ||
-|| CLI admin tool. || If sponsored. ||
-|| SMS Synchronization - probably via a small separate app. ||
Planned, but sponsoring would hasten. ||
-|| EAS 16.0 support in applications. || In progress. ||
-
-//EAS 16.0 support is being added to the ActiveSync library prior to
Horde 6, but in order to make full use of any new features in the
Horde Groupware stack, Horde 6 will be required. See the
((ActiveSync/EAS16|EAS 16.0)) page for progress and further
information.//
-
-++ Horde_ActiveSync vs. Z-Push
-
-The protocol handling in Horde_ActiveSync was based on Z-Push. The
code that handles the protocol level is essentially the same, though
it has been heavily refactored and cleaned.
-
-Z-Push comes out of the box with a number of backends. The only one
that is really //fully// functional is the "ICS" backend which
connects to a Zarafa server. In addition to the ICS backend, Z-Push
also provides a number of other backends - all of which extend what
they call the "Diff" backend.
-
-The diff backend is a very inefficient way of determining what needs
to be synched. It uses file based storage - depending on the Z-Push
version it uses either a single file or a directory of files for each
device. These files contain, along with some basic device state
information, a list of every UID that is on the device.
-
-To determine what has changed, Z-Push essentially polls whatever
storage backend e.g., the IMAP server, every $timeout seconds to get
the **full** list of message IDs on the server. It then iterates over
all the UIDs that are known to be on the device and stats every single
one of these UIDs against the server to get the modification time,
flags etc.
-
-Like mentioned above, a number of backends are based on this Diff
backend. Out of the box, if you are not using a Zarafa server you have
the following options:
-
-* An IMAP backend - obviously only for syncing emails. This uses the
PHP IMAP functions for fetching the complete list of message IDs and
stating each and every UID - on each and every PING loop - by default
something like every 10 seconds or so.
-* A vCard backend that syncs contacts against a directory of vCards
on the server.
-* A Kolab backend - I'm not sure how complete this is, but this may
be the backend that's used by Kolab's !ActiveSync support.
-* A Maildir backend that - from what I can tell - syncs email by
using filesystem based commands instead of going through an IMAP server.
-* A !SearchLdap backend that - from what I can tell - is used as a
Global Address Book source for searching for individual contacts (not
for syncing the entire address book).
-
-As of the time Horde_ActiveSync was written, you could only use
//one// backend at a time - so, unless you were using Zarafa (or maybe
Kolab) you could sync email //or// contacts. Since then they have
started a "combined" backend that is supposed to wrap any number of
backends. Last I checked it wasn't complete yet.
-
-The main differences between 1.5.x and 2 are the versions of EAS that
are supported. 1.5.x supports only up to Exchange 2003sp1 (same as
Horde 4). Version 2 is supposedly going to support up to EAS 14
(Exchange 2010) - though I believe only up to 12.1 (Exchange 2007) is
working...and I don't believe that is even fully functional.
-
-+++The main differences
-
-Some of these are specific to using Horde data as a backend to
Horde_ActiveSync:
-
-# Modularity. Separate classes for maintaining device state and for
obtaining message diffs. If not using Horde as a backend, all that is
needed is to write a new class that extends
Horde_ActiveSync_Driver_Base. This allows the backend, itself, to
determine the best way to calculate diffs...like using Horde's History
system. In Z-Push, diff generation and state management are tightly
coupled.
-# Efficiency. The history based diff engine is orders of magnitude
more efficient than Z-Push's file based diff backend.
-# Unless using Zarafa, Z-Push contained no message-specific logic.
For example, no code for dealing with appointment related issues such
as timezones, recurrence series etc. Horde_ActiveSync contains support
for these things out of the box.
-# Horde's ActiveSync library supports a larger set of available EAS
security policies.
-# At least at the time of writing, Horde allowed better configuration
of things such as heartbeat/timeout intervals. We also actually allow
configuring available security policies. Z-Push had basic support for
provisioning and for turning on or off the requirement for a device
PIN - but contained no facility for configuring any of the other
options without editing code. Also, if using Horde_ActiveSync as part
of a typical Horde install you get all the ease of configuration that
our administration interface provides.
-# I don't have hard data on device compatibility as it compares to
Z-Push, but I do know that we have fixed some device specific issues
in the past that - at least at the time of this writing - were not
working with Z-Push. Certain Nokia devices come to mind that use !MfE.
Z-Push lists these as "unknown" compatibility but they work, at least
for contacts/calendar with Horde. Remote wiping iOS devices is also
problematic in Z-Push.
-# Email sync with Horde_ActiveSync uses the vastly more efficient
Horde_Imap_Client library and takes full advantage of IMAP servers
with QRESYNC capabilities. Z-Push uses the very poor performing
c-client PHP extension.
-# Horde's email support is more complete than Z-Push's IMAP based
implementation - with support for version 12.0 style email store
searching, follow-up flag synchronization, reply,forward history
synchronization, S/Mime signatures and encryption, and more.
-# Horde_ActiveSync currently supports almost the full feature set up
to Exchange 2010sp2 - Z-Push 2 works with Exchange 2007 has code in
development that works to some extent with 2010.
-# Horde_ActiveSync supports multiple users per device - when the
device supports it. AFAIK, Z-Push only supports a single user account
per device.
-
-++ Resources
-
-+++ Other implementations
-http://z-push.sourceforge.net
-https://developer.berlios.de/project/showfiles.php?group_id=8963
-http://www.tine20.org/wiki/index.php/Developers/Getting_Started/Working_with_GIT
-http://code.google.com/p/libeas/
-
-+++ Documentation
-http://www.scribd.com/doc/6601589/W11-Server-Active-Sync
-http://en.wikipedia.org/wiki/Exchange_ActiveSync - Good description
of differences between AS versions.
-http://paulrobichaux.wordpress.com/2011/08/09/advice-to-exchange-activesync-developers/
-http://blogs.msdn.com/b/exchangedev/
-http://msdn.microsoft.com/en-us/library/dn144954%28v=exchg.140%29.aspx
-
-+++ Clients
-[http://www.nitrodesk.com/dk_touchdownFeatures.aspx TouchDown]
-[https://play.google.com/store/apps/details?id=com.ninefolders.hd3
Nine] - currently the best third party client available for Android,
in my opinion.
-++++ Outlook 2013
-
-[http://forums.smartertools.com/threads/eas-and-outlook-2013-issues.37079/
Some links to articles describing issues with OL2013]
-[http://social.msdn.microsoft.com/Forums/en-US/75562e26-158c-45d3-b114-b2b82928c3a7/undocumented-activesync-codepage?forum=os_exchangeprotocols Undocumented
Codepage]
-++++ Android:
-http://developer.android.com/sdk/index.html
-https://android.googlesource.com/platform/packages/apps/Email/
-https://android.googlesource.com/platform/packages/apps/Exchange/
-https://android.googlesource.com/platform/packages/apps/Calendar/
-
-++++ iOS
-[http://images.apple.com/ie/iphone/business/docs/Enterprise_Deployment_Guide.pdf Enterprise Deployment
Guide].
-[http://support.apple.com/kb/DL1465 iPhone configuration utility].
-
-++++ Windows Mobile (very old, probably of little value):
-[http://www.microsoft.com/downloads/info.aspx?na=47&p=2&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=38c46aa8-1dd7-426f-a913-4f370a65a582&u=details.aspx%3ffamilyid%3dA6F6ADAF-12E3-4B2F-A394-356E2C2FB114%26displaylang%3den Cellular Network
Emulator]
-[http://www.microsoft.com/downloads/details.aspx?familyid=38C46AA8-1DD7-426F-A913-4F370A65A582&displaylang=en Device
Images]
-[http://www.devx.com/wireless/Article/40981/1954 Setup]
-
-++++ !BlackBerry simulators:
-[http://us.blackberry.com/sites/developers/resources/simulators.html
Blackberry simulators]
More information about the commits
mailing list