Exchange Team Blog

What's New for Exchange ActiveSync Mailbox Policies in Exchange Server 2007 SP1?

The_Exchange_Team
Nov 20, 2007

Exchange 2007 Service Pack 1 is coming soon to a server near you. As you've read here before, there are a lot of new mobility features coming in Service Pack 1 and I hope I can provide you with some of the juicy details you've been waiting for.

Note: As wonderful as these new features are, we do not currently know of any mobile phones that support them. We're pretty sure that eventually you'll be able to get a device that supports them, but for now, just keep watching this blog for updates.

Here's some of what you can look forward to.

Default Exchange ActiveSync Mailbox Policies

Exchange 2007 shipped with a wide variety of Exchange ActiveSync mailbox policy settings. You could enforce a password, require that password be a certain length, prohibit the downloading of attachments, prevent users from reusing past passwords, and specify whether users could access information stored in Windows SharePoint Services document libraries. However, none of these policy settings do much good unless you assign your users to a policy. In Exchange 2007 RTM, all users had to be explicitly assigned to a policy. You could do this one at a time, or use an Exchange PowerShell one-liner to do it for you. In case you were wondering, here's the PowerShell command to assign all existing users to a policy.

Get-Mailbox | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Sales Policy").Identity
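
One way to see which existing mailboxes still have no policy before or after running that command, as an added example that is not part of the original post: the function filters objects shaped like Get-CASMailbox output and ranks mailboxes that already have a device partnership first. The property names are assumed to match Get-CASMailbox output, and the sample mailboxes are constructed so the block runs without an Exchange server.

```powershell
# Added example, not from the original post. Property names are assumed to
# match Get-CASMailbox output; the sample mailboxes below are constructed.
function Get-UnassignedActiveSyncMailbox {
    process {
        $mbx = $_
        if (-not $mbx.ActiveSyncEnabled) { return }                  # cannot sync
        if ("$($mbx.ActiveSyncMailboxPolicy)" -ne '') { return }     # has a policy
        $hasDevice = [bool]$mbx.HasActiveSyncDevicePartnership
        # A partnered mailbox is already syncing to a phone with no password,
        # timeout or attachment rules applied, so it is ranked first.
        if ($hasDevice) { $priority = 1 } else { $priority = 2 }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Mailbox $mbx.Name
        $row | Add-Member NoteProperty HasDevice $hasDevice
        $row | Add-Member NoteProperty Priority $priority
        $row
    }
}

function New-SampleMailbox($name, $enabled, $policy, $hasDevice) {
    # Constructed stand-in for one Get-CASMailbox result.
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Name $name
    $o | Add-Member NoteProperty ActiveSyncEnabled $enabled
    $o | Add-Member NoteProperty ActiveSyncMailboxPolicy $policy
    $o | Add-Member NoteProperty HasActiveSyncDevicePartnership $hasDevice
    $o
}

$sample = @(
    (New-SampleMailbox 'alice' $true  'Sales Policy' $true),
    (New-SampleMailbox 'bob'   $true  $null          $true),
    (New-SampleMailbox 'carol' $true  $null          $false),
    (New-SampleMailbox 'dave'  $false $null          $false)
)

# Offline run over the constructed sample.
$sample | Get-UnassignedActiveSyncMailbox | Sort-Object Priority, Mailbox |
    Format-Table -AutoSize

# Against a live organization, feed the same function from the shell:
#   Get-CASMailbox -ResultSize Unlimited | Get-UnassignedActiveSyncMailbox
```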

That one-liner is pretty simple, but wouldn't you like it to be even easier? Well, now it is. Exchange 2007 Service Pack 1 allows administrators to designate an existing policy as the default policy. When a policy is marked as default, all new users will automatically be assigned the policy. You can switch the default policy at any time through the Exchange Management Console or the Exchange Management Shell.

New and Enhanced Policy Settings

In addition to the default policy, there are a significant number of new policy settings available in Exchange 2007 Service Pack 1. Now for a little bit of legal text: the ability to use many of the new policy settings is a premium feature of Exchange ActiveSync and requires an Exchange Enterprise Client Access License for each mailbox on which the policies are implemented.

As I mentioned previously, the new policy features are available in Exchange ActiveSync Protocol version 12.1 (Exchange 2007 RTM ships with Exchange ActiveSync protocol version 12.0). Windows Mobile 6.0 is compatible with Exchange ActiveSync Protocol version 12.0. It's a reasonably safe bet that a future device operating system will support Exchange ActiveSync version 12.1, but I can't make any guarantees.

Policy Settings for Exchange ActiveSync:

| Settings | Ex2007 RTM | Ex2007 SP1 STANDARD CAL | Ex2007 SP1 ENTERPRISE CAL |
|---|---|---|---|
| Password Required | X | X | X |
| Min Password Length | X | X | X |
| Alphanumeric Password | X | X | X |
| Inactivity Timeout | X | X | X |
| Max Failed Password Attempts | X | X | X |
| Policy Refresh Interval | X | X | X |
| Allow non-provisionable devices | X | X | X |
| Attachments Enabled | X | X | X |
| Storage Card Encryption | X | X | X |
| Password Recovery Enabled | X | X | X |
| Allow Simple Device Password | X | X | X |
| Max Attachment Size | X | X | X |
| WSS Access Enabled | X | X | X |
| UNC Access Enabled | X | X | X |
| Password Expiration | X | X | X |
| Password History | X | X | X |
| Require Manual Sync When Roaming | | X | X |
| Min Device Pwd Complex Characters | | X | X |
| Max Calendar Age Filter | | X | X |
| Allow HTML Email | | X | X |
| Max Email Age Filter | | X | X |
| Max Email Body Truncation Size | | X | X |
| Max Email HTML Body Truncation Size | | X | X |
| Require Signed SMIME Messages | | X | X |
| Require Encrypted SMIME Messages | | X | X |
| Require Signed SMIME Algorithm | | X | X |
| Require Encryption SMIME Algorithm | | X | X |
| Allow SMIME Encryption Algorithm Negotiation | | X | X |
| Allow SMIME Soft Certs | | X | X |
| Require Device Encryption | | X | X |
| Allow Storage Card | | | X |
| Allow Camera | | | X |
| Allow Unsigned Applications | | | X |
| Allow Unsigned Installation Packages | | | X |
| Allow Wi-Fi | | | X |
| Allow Text Messaging | | | X |
| Allow POP/IMAP Email | | | X |
| Allow Bluetooth | | | X |
| Allow IrDA | | | X |
| Allow Desktop Sync | | | X |
| Allow Browser | | | X |
| Allow Consumer Email | | | X |
| Allow Remote Desktop | | | X |
| Allow Internet Sharing | | | X |
| Unapproved InROM Application List | | | X |
| Approved Application List | | | X |

Many of the new policy settings are intended to help administrators control the features their users can access on their mobile devices. Settings such as Allow Camera, Allow Text Messaging, Allow POP/IMAP Email and Allow Wi-Fi are intended to address some common device management problems. For example, many corporations do not allow the use of camera phones for confidentiality reasons. An administrator in this type of organization could deploy mobile devices designed to fully implement Exchange ActiveSync version 12.1 and feel confident that once the device accepted the Exchange ActiveSync mailbox policy, the device camera would be disabled.

Remote Wipe Confirmation

One last new feature that I want to mention is the addition of a remote wipe confirmation message. Remote wipe allows a user or an administrator to clear the device data in case that device is lost or stolen. The user can initiate the remote wipe process from Outlook Web Access and the administrator can initiate a remote wipe from the Exchange Management Console or the Exchange Management Shell. In Exchange 2007 RTM, however, once the user or administrator initiated the remote wipe, they were often left wondering whether it completed.

The remote wipe process is very reliable. If the device is still connected to the Internet, and the Microsoft Exchange Server computer is reachable, the next time a device initiates a connection to the Exchange Server, the remote wipe will be initiated. However, a little confirmation and reassurance is rarely a bad thing. So now, once a remote wipe has been initiated and received by the device, a confirmation email is received by the Administrator and the user.

Bring on the Service Pack 1

I hope this post has answered some of your Exchange 2007 Service Pack 1 questions. You can be sure that we'll have a lot more information on Exchange Server Service Pack 1 in the future.

- Patricia DiGiacomo
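
The remote wipe states described under Remote Wipe Confirmation, as an added example that is not part of the original post: the function classifies each device as acknowledged, sent without confirmation, or still waiting for the device to connect, and flags unconfirmed wipes that have aged. The property names are assumed to match Get-ActiveSyncDeviceStatistics output, `-StaleDays` is a hypothetical threshold, and the sample devices are constructed.

```powershell
# Added example, not from the original post. Property names are assumed to
# match Get-ActiveSyncDeviceStatistics output; -StaleDays is a hypothetical
# threshold and the sample devices below are constructed.
function Get-RemoteWipeState {
    param([datetime]$Now = (Get-Date), [int]$StaleDays = 3)
    process {
        $dev = $_
        if (-not $dev.DeviceWipeRequestTime) { return }   # no wipe requested
        if ($dev.DeviceWipeAckTime) {
            $state = 'Acknowledged'          # device confirmed the wipe
        } elseif ($dev.DeviceWipeSentTime) {
            $state = 'SentNoAck'             # command delivered, no confirmation
        } else {
            $state = 'WaitingForDevice'      # device has not connected since
        }
        $age = [int][math]::Floor(($Now - $dev.DeviceWipeRequestTime).TotalDays)
        $row = New-Object PSObject
        $row | Add-Member NoteProperty DeviceID $dev.DeviceID
        $row | Add-Member NoteProperty State $state
        $row | Add-Member NoteProperty DaysSinceRequest $age
        # An unconfirmed wipe that has aged past the threshold means the data
        # may still be on the device, so the case stays open.
        $row | Add-Member NoteProperty FollowUp (($state -ne 'Acknowledged') -and ($age -ge $StaleDays))
        $row
    }
}

function New-SampleDevice($id, $requested, $sent, $acked) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty DeviceID $id
    $o | Add-Member NoteProperty DeviceWipeRequestTime $requested
    $o | Add-Member NoteProperty DeviceWipeSentTime $sent
    $o | Add-Member NoteProperty DeviceWipeAckTime $acked
    $o
}

$now = Get-Date '2007-11-20 12:00'
$sample = @(
    (New-SampleDevice 'SAMPLE-01' $null $null $null),
    (New-SampleDevice 'SAMPLE-02' ($now.AddDays(-1)) ($now.AddDays(-1)) ($now.AddDays(-1))),
    (New-SampleDevice 'SAMPLE-03' ($now.AddDays(-5)) ($now.AddDays(-4)) $null),
    (New-SampleDevice 'SAMPLE-04' ($now.AddDays(-7)) $null $null)
)
$sample | Get-RemoteWipeState -Now $now | Format-Table -AutoSize
# Live: Get-ActiveSyncDeviceStatistics -Mailbox <user> | Get-RemoteWipeState
```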
Updated Jul 01, 2019
Version 2.0