- More than 5 Exchange Databases – requires the Enterprise License for Exchange Server
- Personal Archives – requires an enterprise CAL for the end user
- Unified Messaging – requires an enterprise CAL for the end user
- Data Loss Protection (DLP) – requires an enterprise CAL for the end user
- In-Place Holds – requires an enterprise CAL for the end user
A Quick Summary from Microsoft on Enterprise vs Standard CAL features:
Examining the list, note that certain features do not have Yes or No, but have conditions for the license type. For example, ‘Exchange ActiveSync mobile management policies’ has ‘Standard’ and ‘Advanced’, ‘Retention Policies’ has ‘Default’ and ‘Custom’, and Journaling has ‘Per database’ and ‘Per user/Distribution List’. Let’s examine these three in more detail below:
Active Sync
For ActiveSync there is a list of possible features that can be enabled or configured for SmartPhones. The first list is what is allowed with a Standard CAL:
Feature | Enterprise | Standard |
AllowApplePushNotifications | X | |
AllowBluetooth | X | |
AllowBrowser | X | |
AllowCamera | X | |
AllowConsumerEmail | X | |
AllowDesktopSync | X | |
AllowExternalDeviceManagement | X | |
AllowHTMLEmail | X | |
AllowInternetSharing | X | |
AllowIrDA | X | |
AllowMobileOTAUpdate | X | |
AllowNonProvisionableDevices | X | |
AllowPOPIMAPEmail | X | |
AllowRemoteDesktop | X | |
AllowSimpleDevicePassword | X | |
AllowSMIMEEncryptionAlgorithmNegotiation | X | |
AllowSMIMESoftCerts | X | |
AllowStorageCard | X | |
AllowTextMessaging | X | |
AllowUnsignedApplications | X | |
AllowUnsignedInstallationPackages | X | |
AllowWiFi | X | |
AlphanumericDevicePasswordRequired | X | |
ApprovedApplicationList | X | |
AttachmentsEnabled | X | |
DeviceEncryptionEnabled | X | |
DevicePasswordEnabled | X | |
DevicePasswordExpiration | X | |
DevicePasswordHistory | X | |
DevicePolicyRefreshInterval | X | |
IrmEnabled | X | |
MaxAttachmentSize | X | |
MaxCalendarAgeFilter | X | |
MaxDevicePasswordFailedAttempts | X | |
MaxEmailAgeFilter | X | |
MaxEmailBodyTruncationSize | X | |
MaxEmailHTMLBodyTruncationSize | X | |
MaxInactivityTimeDeviceLock | X | |
MinDevicePasswordComplexCharacters | X | |
MinDevicePasswordLength | X | |
MobileOTAUpdateMode | X | |
PasswordRecoveryEnabled | X | |
RequireDeviceEncryption | X | |
RequireEncryptedSMIMEMessages | X | |
RequireEncryptionSMIMEAlgorithm | X | |
RequireManualSyncWhenRoaming | X | |
RequireSignedSMIMEAlgorithm | X | |
RequireSignedSMIMEMessages | X | |
RequireStorageCardEncryption | X | |
UnapprovedInROMApplicationList | X | |
UNCAccessEnabled | X | |
WSSAccessEnabled | X |
There are a few options that cannot be changed without an Enterprise CAL. One of the most interesting licensing conflicts applies to POP3 email. Why is the AllowPOPIMAPEmail feature a Standard CAL feature while AllowConsumerEmail (which is POP3 or IMAP) is an Enterprise CAL feature? If an organization would like to block consumer email (Hotmail, Gmail, an end user's ISP) and POP3 to the Exchange server, the settings would need to be set as follows (requires Enterprise CAL):
If the desired result is to allow only POP3 connections to the Exchange Server, set the following settings (requires Enterprise CAL):
If the desired result is to allow only POP3 connections to the consumer email providers, set the following settings (requires Standard CAL):
In practical terms, if an organization wants to control what goes on a mobile device, an Enterprise CAL would be needed to restrict consumer POP3 email from going on the device. Of note, if a connection is restricted and a user tries to sync it to their phone, they will receive an error like this:
Information Rights Management is a feature that enterprises, rather than typical consumers, generally turn on to control the flow of information in their environment. Why does this option not require an Enterprise CAL to use? Other features like Approved Applications, Text Messaging, Storage Cards, Camera, etc. all make sense. These are settings an enterprise might like to lock down for all users. However, in doing so, a premium must be paid for this control. If you are looking to modify your Mobile Device Policy for Exchange 2013, be wary of what requires an Enterprise license, as you may not realize what requires a premium CAL vs the Standard CAL.
Retention Policies
Retention policies in Exchange Server 2013 are a replacement for Managed Folders from 2003, 2007 and 2010. While Retention Policies were introduced in Exchange 2010, Managed Folders were still available under the hood (read: PowerShell only) if needed. However, Exchange Server 2013 removes many of the features provided in Managed Folders when it transitioned to pure Retention Policies.
Default Policy
Default Tags
Simply put, for Retention Policies in Exchange 2013, if the default Tags/Policies are left as is, then a Standard CAL applies. If any modification is applied (read: Custom), then an Enterprise CAL is needed. For 90+% of the Managed Folder to Retention Policy conversions I have done, this means an Enterprise CAL is needed. The rare case is the one that just uses the default settings provided in Exchange 2013. Custom changes range from creating new Tags that apply different retention levels to default folders, to creating different levels for emails that need to be archived (90 days or 180 days, for example).
Journaling
Microsoft’s take on licensing levels:
“Standard journaling – Standard journaling is configured on a mailbox database. It enables the Journaling agent to journal all messages sent to and from mailboxes located on a specific mailbox database. To journal all messages to and from all recipients and senders, you must configure journaling on all mailbox databases on all Mailbox servers in the organization.
Premium journaling – Premium journaling enables the Journaling agent to perform more granular journaling by using journal rules. Instead of journaling all mailboxes residing on a mailbox database, you can configure journal rules to match your organization’s needs by journaling individual recipients or members of distribution groups. You must have an Exchange Enterprise client access license (CAL) to use premium journaling.”
Pretty self-explanatory and it follows the pattern of ActiveSync and Retention Policies. Customization requires an Enterprise CAL.
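To see which side of that line an existing organization falls on, the read-only inventory below is an added example, not part of the original post and not a Microsoft tool. It assumes it is run in the Exchange Management Shell; the function name `Get-JournalingFootprint` and the output column names are made up for illustration, and the Standard/Premium labels simply follow the quoted definitions.

```powershell
# Added example: inventory journaling configuration (uses Get-* cmdlets only).
function Get-JournalingFootprint {
    $findings = @()

    # Standard journaling: a journal recipient configured on the mailbox database.
    foreach ($db in Get-MailboxDatabase) {
        if ($db.JournalRecipient) {
            $findings += [pscustomobject]@{
                Type    = 'Standard (per database)'
                Name    = $db.Name
                Applies = 'All mailboxes on this database'
                SentTo  = $db.JournalRecipient
                Enabled = $true
            }
        }
    }

    # Premium journaling: journal rules, which can target a single recipient
    # or the members of a distribution group.
    foreach ($rule in Get-JournalRule) {
        # A rule with no Recipient value applies to all recipients.
        $applies = 'All recipients'
        if ($rule.Recipient) { $applies = $rule.Recipient }

        $findings += [pscustomobject]@{
            Type    = 'Premium (journal rule)'
            Name    = $rule.Name
            Applies = $applies
            SentTo  = $rule.JournalEmailAddress
            Enabled = $rule.Enabled
        }
    }

    $findings
}

# Premium rows are the ones to reconcile against purchased Enterprise CALs.
Get-JournalingFootprint | Sort-Object Type, Name | Format-Table -AutoSize
```

Disabled rules are listed as well, so a rule that was switched off rather than removed still shows up for review.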
Brief Summary
The takeaway from this blog post should be that during an Exchange 2013 design, careful consideration must be given to what could potentially require an Enterprise CAL. For some customers an Enterprise CAL requirement could be a deal breaker. Thus any feature that requires an Enterprise CAL will be ignored and not used. Review the links included in the article so that an informed decision can be made in the design process; this will prevent any surprises down the road.
Further Reading
ActiveSync CAL Requirements
General Licensing Options
Great post on when you need Enterprise over Standard when configuring ActiveSync.
This is one of the main areas I see Microsoft auditors catching out companies when it comes to Exchange licensing.
Answered my question re DLP. I just now need to figure out how to apply an Enterprise CAL.
Thanks
With Exchange there is no CAL to apply. Simply purchase one to keep your usage of extra features like this legal. If you get audited by Microsoft or go through a true up process with them, then you can account for the usage of these features with the CAL you purchased. The only key that gets applied is the main one for Exchange. Hope that helps.