At my company, we are a large Exchange shop and have a lot of WM devices.  We have an internal support team of Exchange admins, but the Exchange Activesync (EAS) and Windows Mobile support work is enough that we'd like to carve out the duties to a separate team. From an internal point of view, this means a separate department doing only "EAS" work.  We are at Exch 2003 today and moving to Exch 2007 later this year.

I realize Exchange Activesync is tightly integrated into the whole of Exchange, but is there a way to separate out these support roles?  My goal would be to have an "EAS Team" that has all the necessary permissions to administer EAS, and maintain our existing regular "Exchange Team" as a separate team.  Can I perhaps use server roles or some other mechanism to let the "EAS Team" only have access to EAS-related tasks?

Some scenarios:

- Security policies for the WM devices.  Can I set up Exchange in such a way that my Exchange Team has view-only to handheld security policies, but "EAS Team" has full permissions?

- System Center Mobile Device Manager. I'm also looking at deploying SCMDM -- can my EAS Team have full permissions to administer SCMDM, but Exchange Team cannot (or maybe just has view-only)?

- Onboarding a new "EAS Team admin" -- what permissions within Exchange does a new admin need?  Does he need full Exchange permissions, or is there a subset I can grant?

I realize the easy answer here is give all the admins on both teams the same set of permissions, and just have one team agree not to touch the other team's turf, but I'm not sure where to draw that line.

Welcome to the Connection, applejack99 - and thanks for the really interesting question! I don't personally have a lot of Exchange experience, but there are others here who do. Also, I don't know if you've come across Jason Langridge's WebLog yet, but he's the guy for all things mobile in the enterprise. He's got a contact form, and I'm sure he'd have at least an opinion for you...

 Thank you Bill.  I'm a fan of Jason's blog, but I've never tried contacting him before.  I'll use the contact form.

And here's another resource you may or may not know of: the SCMDM Forum on MS TechNet. It's SCMDM-centric, obviously, but there are sure to be some experts there who can chime in. There's also a post there that lists several other SCMDM blogs.

applejack99:

At my company, we are a large Exchange shop and have a lot of WM devices.  We have an internal support team of Exchange admins, but the Exchange Activesync (EAS) and Windows Mobile support work is enough that we'd like to carve out the duties to a separate team. From an internal point of view, this means a separate department doing only "EAS" work.  We are at Exch 2003 today and moving to Exch 2007 later this year.

I realize Exchange Activesync is tightly integrated into the whole of Exchange, but is there a way to separate out these support roles?  My goal would be to have an "EAS Team" that has all the necessary permissions to administer EAS, and maintain our existing regular "Exchange Team" as a separate team.  Can I perhaps use server roles or some other mechanism to let the "EAS Team" only have access to EAS-related tasks?

Some scenarios:

- Security policies for the WM devices.  Can I set up Exchange in such a way that my Exchange Team has view-only to handheld security policies, but "EAS Team" has full permissions?

- System Center Mobile Device Manager. I'm also looking at deploying SCMDM -- can my EAS Team have full permissions to administer SCMDM, but Exchange Team cannot (or maybe just has view-only)?

- Onboarding a new "EAS Team admin" -- what permissions within Exchange does a new admin need?  Does he need full Exchange permissions, or is there a subset I can grant?

I realize the easy answer here is give all the admins on both teams the same set of permissions, and just have one team agree not to touch the other team's turf, but I'm not sure where to draw that line.

I think the setting up the EAS team to only have access to the mobile side of things would be easy enough by only allowing rights to alter and apply pre-setup group policy objects that apply. You'll also need to assign users to specific AD groups to grant different levels of access. By the same process you should be able to lock out the Exchange admins to a certain extent but you might need to look at locking down the Enterprise admin group etc and using permission delegation for your Exchange team rather than using the default admin groups.

It all boils down to drawing the line you are talking about and then making your AD and group policy enforce it for you.  I'm pretty sure it's possible but it'll take some strong AD and GPO skills.

Scott,

Both EAS and SCMDM provide role based administration so using AD you can get as granular as you want in terms of what functionality each person/role can perform.

It's really your decision as to how complex/granular you wish to make that.

Jason 

Welcome, Jason! And thanks to both you and Dave for your expert advice. applejack99 - please let us know what route you decide to go. I'm sure we'd all benefit from hearing about your solution...