3. Understanding and Using Exchange ActiveSync Mailbox Policy
Exchange ActiveSync Mailbox Policy makes it possible to enhance the
security of mobile devices used to access your Exchange servers. For
example, you can use policy to require a password of a specific length
and to configure devices to automatically prompt for a password after a
period of inactivity.
Each mailbox policy you create has a name and a specific set of rules
with which it is associated. Because you can apply policies separately
to mailboxes when you create or modify them, you can create different
policies for different groups of users. For example, you can have one
policy for users and another policy for managers. You can also create
separate policies for departments within the organization. For example,
you can have separate policies for Marketing, Customer Support, and
Technology.
3.1 Viewing Existing Exchange ActiveSync Mailbox Policies
When the Client Access server role is installed on an Exchange
server, the setup process creates a default Exchange ActiveSync policy.
This default policy allows ActiveSync to be used without restrictions or
password requirements. All users with mailboxes have this policy
applied by default. You can modify the settings of this policy to change
the settings for all users or create new policies for specific groups
of users.
In the Exchange Management Console, you can view the currently
configured Exchange ActiveSync Mailbox policies by expanding the
Organization Configuration node, selecting the Client Access node, and
then selecting the Exchange ActiveSync Mailbox Policies node. In the
details pane, you'll see a list of current policies.
In the Exchange Management Shell, you can list policies using the Get-ActiveSyncMailboxPolicy cmdlet. Example 5
provides the syntax, usage, and sample output. If you do not provide an
identity with this cmdlet, all available Exchange ActiveSync Mailbox
policies are listed.
Example 5. Get-ActiveSyncMailboxPolicy cmdlet syntax and usage
Syntax
Get-ActiveSyncMailboxPolicy [-Identity PolicyIdentity]
[-DomainController DCName] [-Organization OrgId]
Usage
Get-ActiveSyncMailboxPolicy
Get-ActiveSyncMailboxPolicy
-Identity "Primary ActiveSync Mailbox Policy"
Output
RunspaceId :
AllowNonProvisionableDevices : True
AlphanumericDevicePasswordRequired : False
AttachmentsEnabled : True
DeviceEncryptionEnabled : False
RequireStorageCardEncryption : False
DevicePasswordEnabled : False
PasswordRecoveryEnabled : False
DevicePolicyRefreshInterval : unlimited
AllowSimpleDevicePassword : True
MaxAttachmentSize : unlimited
WSSAccessEnabled : True
UNCAccessEnabled : True
MinDevicePasswordLength : 4
MaxInactivityTimeDeviceLock : 00:15:00
MaxDevicePasswordFailedAttempts : 8
DevicePasswordExpiration : unlimited
DevicePasswordHistory : 0
IsDefaultPolicy : True
AllowStorageCard : True
AllowCamera : True
RequireDeviceEncryption : False
AllowUnsignedApplications : True
AllowUnsignedInstallationPackages : True
AllowWiFi : True
AllowTextMessaging : True
AllowPOPIMAPEmail : True
AllowIrDA : True
RequireManualSyncWhenRoaming : False
AllowDesktopSync : True
AllowHTMLEmail : True
RequireSignedSMIMEMessages : False
RequireEncryptedSMIMEMessages : False
AllowSMIMESoftCerts : True
AllowBrowser : True
AllowConsumerEmail : True
AllowRemoteDesktop : True
AllowInternetSharing : True
AllowBluetooth : Allow
MaxCalendarAgeFilter : All
MaxEmailAgeFilter : All
RequireSignedSMIMEAlgorithm : SHA1
RequireEncryptionSMIMEAlgorithm : TripleDES
AllowSMIMEEncryptionAlgorithmNegotiati : AllowAnyAlgorithmNegotiation
MinDevicePasswordComplexCharacters : 3
MaxEmailBodyTruncationSize : unlimited
MaxEmailHTMLBodyTruncationSize : unlimited
UnapprovedInROMApplicationList : {}
ApprovedApplicationList : {}
AllowExternalDeviceManagement : False
MobileOTAUpdateMode : MinorVersionUpdates
AllowMobileOTAUpdate : False
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default
DistinguishedName : CN=Default,CN=Mobile Mailbox
Policies,CN=First Organization,CN=Microsoft Exchange,CN=Services,
CN=Configuration,DC=cpandl,DC=com
Identity : Default
Guid :
ObjectCategory : cpandl.com/Configuration/
Schema/ms-Exch-Mobile-Mailbox-Policy
ObjectClass : {top, msExchRecipientTemplate,
msExchMobileMailboxPolicy}
WhenChanged : 12/17/2009 10:21:15 PM
WhenCreated : 12/17/2009 10:21:15 PM
WhenChangedUTC : 12/18/2009 5:21:15 AM
WhenCreatedUTC : 12/18/2009 5:21:15 AM
OrganizationId :
OriginatingServer : CORPSERVER45.cpandl.com
IsValid : True
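The output above shows how a permissive default policy looks: no device password, no encryption, unlimited failed attempts. The following script is an added example, not part of the book, that runs Get-ActiveSyncMailboxPolicy over every policy in the organization, compares each one against a hardening baseline, and reports how many ActiveSync-enabled mailboxes each failing policy covers. The threshold values in the baseline are assumptions chosen for illustration; the Get-CASMailbox properties it reads (ActiveSyncEnabled, ActiveSyncMailboxPolicy) are the ones exposed by Exchange 2010.

```powershell
# Added example, not from the book: audit Exchange ActiveSync mailbox policies
# against a hardening baseline. Run in the Exchange Management Shell on Exchange 2010.
# Every baseline value below is an assumption for illustration; adjust to your standard.

$baseline = @{
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false
    RequireDeviceEncryption            = $true
    AllowNonProvisionableDevices       = $false
}
$minPasswordLength = 8                        # assumed baseline
$maxInactivityLock = New-TimeSpan -Minutes 15 # assumed baseline
$maxFailedAttempts = 10                       # assumed baseline

function Test-ActiveSyncPolicy {
    # Returns one string per baseline violation; an empty result means the policy passes.
    param([Parameter(Mandatory = $true)] $Policy)
    $findings = @()

    foreach ($setting in $baseline.Keys) {
        if ($Policy.$setting -ne $baseline[$setting]) {
            $findings += "$setting is $($Policy.$setting); expected $($baseline[$setting])"
        }
    }

    # MinDevicePasswordLength is unset (null) when no length is enforced; treat that as 0.
    if ([int]$Policy.MinDevicePasswordLength -lt $minPasswordLength) {
        $findings += "MinDevicePasswordLength is $($Policy.MinDevicePasswordLength); expected at least $minPasswordLength"
    }

    # Unlimited<T> properties render as the string 'unlimited' when no limit is set,
    # so compare on the string form rather than on the wrapped value.
    $lock = [string]$Policy.MaxInactivityTimeDeviceLock
    if ($lock -eq 'unlimited' -or [TimeSpan]::Parse($lock) -gt $maxInactivityLock) {
        $findings += "MaxInactivityTimeDeviceLock is $lock; expected $maxInactivityLock or less"
    }

    $attempts = [string]$Policy.MaxDevicePasswordFailedAttempts
    if ($attempts -eq 'unlimited' -or [int]$attempts -gt $maxFailedAttempts) {
        $findings += "MaxDevicePasswordFailedAttempts is $attempts; expected $maxFailedAttempts or fewer"
    }

    return ,$findings
}

# Count the ActiveSync-enabled mailboxes each policy protects, so a weak policy can be
# weighed by exposure. Mailboxes with no explicit assignment fall under the default policy.
$defaultName = (Get-ActiveSyncMailboxPolicy | Where-Object { $_.IsDefaultPolicy }).Name
$mailboxesPerPolicy = @{}
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ActiveSyncEnabled } | ForEach-Object {
    $assigned = if ($_.ActiveSyncMailboxPolicy) { $_.ActiveSyncMailboxPolicy.Name } else { $defaultName }
    $mailboxesPerPolicy[$assigned] = 1 + [int]$mailboxesPerPolicy[$assigned]
}

foreach ($policy in Get-ActiveSyncMailboxPolicy) {
    $count  = [int]$mailboxesPerPolicy[$policy.Name]
    $result = @(Test-ActiveSyncPolicy -Policy $policy)
    if ($result.Count -eq 0) {
        Write-Host "[PASS] $($policy.Name) ($count mailboxes)"
    } else {
        Write-Host "[FAIL] $($policy.Name) ($count mailboxes)"
        $result | ForEach-Object { Write-Host "       $_" }
    }
}
```

Run against the default policy shown in Example 5, the audit reports DevicePasswordEnabled, AlphanumericDevicePasswordRequired, AllowSimpleDevicePassword, RequireDeviceEncryption, AllowNonProvisionableDevices, and MinDevicePasswordLength as findings, while MaxInactivityTimeDeviceLock (00:15:00) and MaxDevicePasswordFailedAttempts (8) pass. Because the default policy applies to every mailbox that has no explicit assignment, the mailbox count beside it is the number of users actually exposed by those findings.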
3.2 Creating Exchange ActiveSync Mailbox Policies
The Exchange ActiveSync Mailbox policies you create apply to your
entire organization.
You can create a new policy by completing the following steps:
- Start the Exchange Management Console. Expand the Organization Configuration node, and then select Client Access.
- In the details pane, select the Exchange ActiveSync Mailbox Policies tab. Right-click an open area of the details pane, and select New Exchange ActiveSync Mailbox Policy.
- As shown in Figure 1, type a descriptive name for the policy, and then use the following options to configure the policy:
  - Allow Non-Provisionable Devices
    Nonprovisionable devices are older devices that do not support all policy settings. If you select this option, these older devices can connect to Exchange 2010 by using Exchange ActiveSync.
  - Allow Attachments To Be Downloaded To Device
    Enables attachments to be downloaded to mobile devices. If you do not select this option, message attachments are not downloaded with user messages.
  - Require Alphanumeric Passwords
    Requires that a password contain both numeric and alphabetic characters. If you do not select this option, users can use simple passwords, which might not be as secure.
  - Enable Password Recovery
    Enables the device password to be recovered from the server. If you do not select this option and the user forgets his or her password, you will not be able to reset the device password and the user will be unable to access his or her mailbox using the device.
  - Require Encryption On Device
    Requires mobile devices to use encryption. Because encrypted data cannot be accessed without the appropriate password, this helps to protect the data on the device. If you select this option, Exchange allows devices to download data only if they use encryption.
  - Allow Simple Password
    Allows the user to use a noncomplex password instead of a password that meets the minimum complexity requirements.
  - Minimum Password Length
    Allows you to set a minimum password length. You must select the related check box to set the minimum password length, such as eight characters. The longer the password, the more secure it is. A good minimum password length is between 8 and 12 characters. This length is sufficient in most cases.
  - Time Without User Input Before Password Must Be Re-Entered (in minutes)
    Allows you to specify the length of time that a device can go without user input before it locks. You must select the related check box to set the time interval, such as 15.
  - Password Expiration (days)
    Allows you to specify the maximum length of time users can keep a password before they have to change it. You can use this option to require users to change their passwords periodically. A good password expiration value is between 30 and 90 days. This period is sufficient to allow use of the password without requiring overly frequent changes.
  - Enforce Password History
    Allows you to specify how frequently old passwords can be reused. You can use this option to discourage users from changing back and forth between a common set of passwords. To disable this option, set the size of the password history to zero. To enable this option, set the desired size of the password history. A good value is between 3 and
    This helps to deter users from switching between a small list of common passwords.
- Click New to create the policy, and then click Finish. Optimize the configuration.
In the Exchange Management Shell, you can create new Exchange ActiveSync Mailbox policies using the New-ActiveSyncMailboxPolicy cmdlet. Example 6
provides the syntax and usage. There are additional policy settings you
can access in the shell that you cannot access in the Exchange
Management Console. Some of the policy settings are available only with
an enterprise client access license.
Example 6. New-ActiveSyncMailboxPolicy cmdlet syntax and usage
Syntax
New-ActiveSyncMailboxPolicy -Name Name
[-AllowBluetooth <Disable | HandsfreeOnly | Allow>]
[-AllowBrowser <$true | $false>]
[-AllowCamera <$true | $false>]
[-AllowConsumerEmail <$true | $false>]
[-AllowDesktopSync <$true | $false>]
[-AllowExternalDeviceManagement <$true | $false>]
[-AllowHTMLEmail <$true | $false>]
[-AllowInternetSharing <$true | $false>]
[-AllowIrDA <$true | $false>]
[-AllowMobileOTAUpdate <$true | $false>]
[-AllowNonProvisionableDevices <$true | $false>]
[-AllowPOPIMAPEmail <$true | $false>]
[-AllowRemoteDesktop <$true | $false>]
[-AllowSimpleDevicePassword <$true | $false>]
[-AllowSMIMEEncryptionAlgorithmNegotiation <BlockNegotiation |
OnlyStrongAlgorithmNegotiation | AllowAnyAlgorithmNegotiation>]
[-AllowSMIMESoftCerts <$true | $false>]
[-AllowStorageCard <$true | $false>]
[-AllowTextMessaging <$true | $false>]
[-AllowUnsignedApplications <$true | $false>]
[-AllowUnsignedInstallationPackages <$true | $false>]
[-AllowWiFi <$true | $false>]
[-AlphanumericDevicePasswordRequired < $true | $false>]
[-ApprovedApplicationList AppList]
[-AttachmentsEnabled <$true | $false>]
[-DeviceEncryptionEnabled <$true | $false>]
[-DevicePasswordEnabled <$true | $false>]
[-DevicePasswordExpiration <dd.hh:mm:ss | Unlimited>]
[-DevicePasswordHistory NumPasswords]
[-DomainController <Fqdn>]
[-IsDefaultPolicy <$true | $false>]
[-MaxAttachmentSize <SizeKB | Unlimited>]
[-MaxCalendarAgeFilter <All | TwoWeeks | OneMonth | ThreeMonths
| SixMonths>]
[-MaxDevicePasswordFailedAttempts <Unlimited>]
[-MaxEmailAgeFilter <All | OneDay | ThreeDays | OneWeek | TwoWeeks
| OneMonth>]
[-MaxEmailBodyTruncationSize <Unlimited>]
[-MaxEmailHTMLBodyTruncationSize <MaxSizeKB | Unlimited>]
[-MaxInactivityTimeDeviceLock <hh:mm:ss | Unlimited>]
[-MinDevicePasswordComplexCharacters MinNumberOfComplexCharacters]
[-MinDevicePasswordLength MinPasswordLength]
[-MobileOTAUpdateMode <MajorVersionUpdates | MinorVersionUpdates |
BetaVersionUpdates>] [-Organization OrganizationId]
[-PasswordRecoveryEnabled <$true | $false>]
[-RequireDeviceEncryption <$true | $false>]
[-RequireEncryptedSMIMEMessages <$true | $false>]
[-RequireEncryptionSMIMEAlgorithm <TripleDES | DES | RC2128bit
| RC264bit | RC240bit>]
[-RequireManualSyncWhenRoaming <$true | $false>]
[-RequireSignedSMIMEAlgorithm <SHA1 | MD5>]
[-RequireSignedSMIMEMessages <$true | $false>]
[-RequireStorageCardEncryption <$true | $false>]
[-TemplateInstance Instance]
[-UnapprovedInROMApplicationList AppList]
[-UNCAccessEnabled <$true | $false>]
[-WSSAccessEnabled <$true | $false>]
Usage
New-ActiveSyncMailboxPolicy -Name "Primary ActiveSync Mailbox Policy"
-AllowNonProvisionableDevices $true
-DevicePasswordEnabled $true
-AlphanumericDevicePasswordRequired $true
-MaxInactivityTimeDeviceLock "00:15:00"
-MinDevicePasswordLength "8"
-PasswordRecoveryEnabled $true
-DeviceEncryptionEnabled $true
-AttachmentsEnabled $true
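The console procedure in Section 3.2 and the New-ActiveSyncMailboxPolicy usage above create a policy but leave it unassigned; a policy only protects the mailboxes that point at it. The following script is an added example, not part of the book, that builds a hardened policy covering the same options the console exposes (password, lock timeout, expiration, history, encryption, non-provisionable devices, attachments), assigns it to the mailboxes in one distribution group with Set-CASMailbox, and reads the result back. The policy name, the group name "Finance Mobile Users", and all threshold values are assumptions chosen for illustration.

```powershell
# Added example, not from the book: create a hardened Exchange ActiveSync mailbox
# policy and assign it to the members of one distribution group. Run in the
# Exchange Management Shell on Exchange 2010. The names and thresholds below are
# assumptions for illustration.

$policyName = "Hardened ActiveSync Mailbox Policy"   # assumed name
$groupName  = "Finance Mobile Users"                 # assumed distribution group

# TimeSpan parameters take the .NET [d.]hh:mm:ss form: "00:15:00" is 15 minutes,
# whereas "00.15:00" would be read as 0 days and 15 hours. Expiration is 90 days.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 3 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AttachmentsEnabled $true `
    -MaxAttachmentSize "2MB" | Out-Null

# Assign the policy to every user mailbox in the group. Mailboxes not touched here
# stay on whatever policy they had before (the default policy if none was set).
Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq "UserMailbox" } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy $policyName
    }

# Read the policy back and stop if a setting that matters most did not take effect.
$check = Get-ActiveSyncMailboxPolicy -Identity $policyName
if (-not $check.DevicePasswordEnabled -or -not $check.RequireDeviceEncryption -or
    $check.AllowNonProvisionableDevices -or $check.AllowSimpleDevicePassword) {
    throw "Policy '$policyName' was not created with the expected hardening settings."
}
$check | Format-List Name, DevicePasswordEnabled, MinDevicePasswordLength,
    MaxInactivityTimeDeviceLock, DevicePasswordExpiration, DevicePasswordHistory,
    RequireDeviceEncryption, AllowNonProvisionableDevices
```

Two points worth noting when adapting this. Setting AllowNonProvisionableDevices to $false means devices that cannot enforce the policy are refused rather than admitted with weaker protection, so expect support calls from users of older devices. And since the cmdlet does not reject a mis-typed TimeSpan such as "00.15:00", the read-back at the end is what catches a lock timeout that silently became 15 hours.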