Exchange 2007 ActiveSync policies
Published May 23 2007 09:32 AM

Many Exchange administrators want to enforce certain settings on all, or some, of the mobile users who use the Exchange 2007 ActiveSync feature to sync e-mail, contacts and tasks to their PDAs or Windows Mobile phones. Well, the wait is over! Exchange 2007 introduces ActiveSync mailbox policies, which enforce and configure a range of settings on mobile devices. Requiring a password, the password length and complexity, whether attachments may be downloaded, and access to UNC and Windows SharePoint Services shares can all now be controlled through ActiveSync mailbox policies.

Exchange ActiveSync policies can be created with either the Exchange Management Shell or the Exchange Management Console. The console exposes only a subset of the settings; the remainder can be configured only from the shell.

The table below summarizes the available settings and their descriptions (setting: description):

Allow non-provisionable devices: Allows older devices (those that do not support Exchange ActiveSync policies, for example Windows Mobile 5.0 without the Messaging and Security Feature Pack) to connect to Exchange 2007 by using Exchange ActiveSync. Such devices cannot enforce the policy, so they sync with none of the settings below applied.

Allow simple password: Enables or disables the use of a simple password such as 1234.

Alphanumeric password required: Requires that the password contain both numeric and non-numeric characters.

Attachments enabled: Enables attachments to be downloaded to the mobile device.

Device encryption enabled: On Windows Mobile 6.0 devices, controls encryption of the storage card.

Password enabled: Requires a password on the device.

Password expiration: Sets the length of time after which the device password must be changed.

Password history: The number of unique passwords a user must use before an old password can be reused.

Policy refresh interval: Defines how frequently the device checks the Exchange server for changes to the Exchange ActiveSync policy.

Maximum attachment size: Specifies the maximum size of attachments that are automatically downloaded to the device.

Maximum failed password attempts: Specifies how many times an incorrect password can be entered before the device wipes all of its data.

Maximum inactivity time lock: Specifies how long a device can go without user input before it locks.

Minimum password length: Specifies the minimum password length.

Password recovery: Enables the device password to be recovered from the server.

UNC file access: Enables access to files stored on Universal Naming Convention (UNC) paths, more commonly known as Windows file shares.

WSS file access: Enables access to files stored on Microsoft Windows SharePoint Services sites.

You do not need to specify all the policy settings; any setting that is not explicitly set keeps its default value. Nor does every user have to be added to a policy: with SP1 for Exchange 2007, users who use ActiveSync but have no policy assigned receive the default policy, whose settings are summarized below (setting: value):

Allow non-provisionable devices: True

Allow simple password: False

Alphanumeric password required: False

Attachments enabled: True

Device encryption enabled: False

Password enabled: False

Password expiration: Unlimited

Password history: 0

Policy refresh interval: Unlimited

Document browsing enabled: True

Maximum attachment size: Unlimited

Maximum failed password attempts: 4

Maximum inactivity time lock: 15 minutes

Minimum password length: 4

Password recovery: Disabled

UNC file access: Enabled

WSS file access: Enabled

Policies can be applied to specific users or to a set of users, which gives administrators the flexibility of having separate policies and settings for different users. A user can be assigned to only one ActiveSync mailbox policy: if you add a user to an Exchange ActiveSync mailbox policy and that user is already a member of another one, the user is removed from the original policy and added to the new one.

To create a mailbox policy for Exchange 2007 ActiveSync, the account you use must be delegated the Exchange Organization Administrator role, because ActiveSync mailbox policies are organization-level configuration (assigning a policy to a mailbox needs only the Exchange Recipient Administrator role). To create a policy using the management console:

1. In the console tree, expand the Organization Configuration node, and then click Client Access.

2. In the action pane, click New ActiveSync mailbox policy.

3. On the New ActiveSync Mailbox Policy wizard page, enter a name in the Mailbox policy name box.

4. Select one or more of the optional check boxes.

5. Click New to finish creating your mailbox policy.

6. Click Finish to close the New ActiveSync Mailbox Policy Wizard.

To do the same using the management shell, run the following command:

New-ActiveSyncMailboxPolicy -Name PolicyName -DevicePasswordEnabled:$false -AlphanumericDevicePasswordRequired:$false -MaxInactivityTimeDeviceLock:'unlimited' -MinDevicePasswordLength:$null -PasswordRecoveryEnabled:$false -DeviceEncryptionEnabled:$false -AttachmentsEnabled:$true

That creates a policy named PolicyName that does not require a device password; any setting not given on the command line keeps the default value listed above.
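The command above creates a policy that leaves the device essentially unprotected. As an added example (not code from the original post), the following Exchange Management Shell script creates a hardened policy instead and reads it back to confirm what was stored. The policy name and the chosen thresholds are this example's assumptions, not the post's recommendations; the parameter names are the ones the post itself uses.

```powershell
# Added example, not code from the original post: create a hardened ActiveSync
# mailbox policy for managed handhelds and read it back to confirm the values.
# Assumes an Exchange 2007 Management Shell session; the policy name and the
# chosen values are this example's assumptions.
$name = 'Corp-Managed-Handhelds'

# Refuse devices that cannot enforce policy, require a real password, wipe
# after repeated failures, lock quickly, encrypt the storage card, and keep
# the device off internal file shares and SharePoint sites. TimeSpan values
# are written as d.hh:mm:ss; 00:60:00 would not parse, 01:00:00 would.
New-ActiveSyncMailboxPolicy -Name $name `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -DevicePasswordHistory 5 `
    -DevicePasswordExpiration '90.00:00:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock '00:10:00' `
    -DeviceEncryptionEnabled $true `
    -PasswordRecoveryEnabled $true `
    -AttachmentsEnabled $true `
    -MaxAttachmentSize 2MB `
    -UNCAccessEnabled $false `
    -WSSAccessEnabled $false `
    -DevicePolicyRefreshInterval '1.00:00:00'

# Read the policy back rather than trusting the command line: a mistyped
# value is easier to spot here than on a user's phone.
Get-ActiveSyncMailboxPolicy -Identity $name | Format-List Name, AllowNonProvisionableDevices, `
    DevicePasswordEnabled, AlphanumericDevicePasswordRequired, AllowSimpleDevicePassword, `
    MinDevicePasswordLength, MaxDevicePasswordFailedAttempts, MaxInactivityTimeDeviceLock, `
    DeviceEncryptionEnabled, UNCAccessEnabled, WSSAccessEnabled
```

The single most important line is AllowNonProvisionableDevices $false: with it left at the default of True, a device that does not understand policies connects anyway and nothing else in the policy is enforced on it.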

To add a user to a policy using the management console, the following steps need to be completed:

1. In the console tree, expand the Recipient Configuration node, and then click Mailbox.

2. In the work pane, right-click the user who you want to assign to a policy, and then click Properties.

3. In the user's Properties dialog box, click Mailbox Features.

4. Click ActiveSync, and then click Properties.

5. Select the Apply an ActiveSync mailbox policy check box.

6. Click Browse to view the Select Exchange ActiveSync Mailbox Policy dialog box.

7. Select an available policy, and then click OK three times to apply your changes.

To add a user to a policy using the management shell, run the following command:

Set-CASMailbox UserName -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").Identity

To add all users to a policy using the management shell, run the following command (Get-Mailbox returns at most 1000 mailboxes unless -ResultSize is raised):

Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").Identity

To add users with a specific custom attribute set to a policy, run the following command:

Get-Mailbox -ResultSize Unlimited | where { $_.CustomAttribute1 -match "Manager" } | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").Identity
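The one-liners above apply a policy, but they do not tell you who was missed. As an added example (not code from the original post), the script below scopes the assignment the same way the post does, dry-runs it with -WhatIf first, and then lists every ActiveSync-enabled mailbox that still has no policy at all. The policy name is an assumption; CustomAttribute1 = "Manager" follows the post's own convention.

```powershell
# Added example, not code from the original post. Assumes an Exchange 2007
# Management Shell session and a policy named "Corp-Managed-Handhelds"
# (assumption); CustomAttribute1 = "Manager" follows the post's convention.
$policy = Get-ActiveSyncMailboxPolicy 'Corp-Managed-Handhelds'

# Get-Mailbox returns only 1000 objects unless -ResultSize is raised, so a
# large organization would silently miss mailboxes without it.
$targets = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.CustomAttribute1 -eq 'Manager' }

# Dry run first: -WhatIf prints what would change without touching anything.
$targets | Set-CASMailbox -ActiveSyncMailboxPolicy $policy.Identity -WhatIf

# Apply for real.
$targets | Set-CASMailbox -ActiveSyncMailboxPolicy $policy.Identity

# Gap check: ActiveSync-enabled mailboxes that still have no policy. Before
# SP1 these users sync with nothing enforced; with SP1 they get the default
# policy, which (see the default table above) does not require a password.
$unmanaged = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and ($_.ActiveSyncMailboxPolicy -eq $null) }

"{0} mailbox(es) targeted; {1} ActiveSync-enabled mailbox(es) still have no policy" -f `
    @($targets).Count, @($unmanaged).Count
$unmanaged | Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize
```

Run the gap check again after new mailboxes are created: as the comments below point out, a policy is not applied automatically to a new mailbox, so the unmanaged list grows over time unless assignment is part of the provisioning process.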

To modify a policy using the management console, complete the following steps. You will need to ensure that the user account performing the actions below has been delegated the Exchange Organization Administrator Role. This is because Exchange ActiveSync policies are configured at the Exchange Organizational level.

1. In the console root of the Exchange Management Console, expand the Organization Configuration node.

2. In the result pane, click Client Access.

3. In the work pane, click the Exchange ActiveSync mailbox policy that you want to change.

4. In the action pane, click Properties.

5. In the Exchange ActiveSync mailbox policy properties window, configure the settings for the Exchange ActiveSync mailbox policy, and then click OK to accept your changes.

To use the management shell, run the following command:

Set-ActiveSyncMailboxPolicy -Identity MyPolicy -AllowNonProvisionableDevices $true -AllowSimpleDevicePassword $true -AlphanumericDevicePasswordRequired $true -AttachmentsEnabled $true -DeviceEncryptionEnabled $false -DevicePasswordEnabled $true -DevicePasswordExpiration 12.00:00:00 -DevicePasswordHistory 20 -DevicePolicyRefreshInterval 01:00:00 -MaxAttachmentSize 4MB -MaxDevicePasswordFailedAttempts 5 -MaxInactivityTimeDeviceLock 00:15:00 -MinDevicePasswordLength 4 -PasswordRecoveryEnabled $true -UNCAccessEnabled $false -WSSAccessEnabled $false

Note the value formats: the expiration and refresh interval are time spans written as d.hh:mm:ss (a bare 12 is read as 12 days, and 00:60:00 does not parse because the minutes field must be 0 to 59), and the attachment size is a byte quantity, so a bare 4 means 4 bytes rather than 4 MB.
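Once several policies exist, the question becomes whether any of them has drifted below what you intended. As an added example (not code from the original post), the script below walks every ActiveSync mailbox policy in the organization and reports settings that fall short of a minimum baseline. The baseline thresholds are this example's assumptions. Settings such as MaxDevicePasswordFailedAttempts come back as Exchange Unlimited<T> objects, so the code checks their IsUnlimited property before comparing Value.

```powershell
# Added example, not code from the original post: audit every ActiveSync
# mailbox policy against a minimum baseline and list what falls short.
# Assumes an Exchange 2007 Management Shell session; the thresholds are this
# example's assumptions. "Unlimited" settings are Exchange Unlimited<T>
# objects exposing IsUnlimited and Value.
function Test-EasPolicyBaseline {
    param($Policy)
    $findings = @()

    if ($Policy.AllowNonProvisionableDevices) {
        $findings += 'non-provisionable devices allowed; they sync with nothing enforced'
    }
    if (-not $Policy.DevicePasswordEnabled) {
        $findings += 'device password not required'
    } else {
        if ($Policy.AllowSimpleDevicePassword) {
            $findings += 'simple passwords such as 1234 allowed'
        }
        # $null -lt 6 is true in PowerShell, so an unset length is caught too.
        if ($Policy.MinDevicePasswordLength -lt 6) {
            $findings += 'minimum password length below 6 (or not set)'
        }
        if ($Policy.MaxDevicePasswordFailedAttempts.IsUnlimited) {
            $findings += 'no wipe after repeated failed password attempts'
        }
        $lock = $Policy.MaxInactivityTimeDeviceLock
        if ($lock.IsUnlimited -or ($lock.Value -gt [TimeSpan]'00:15:00')) {
            $findings += 'inactivity lock disabled or longer than 15 minutes'
        }
    }
    if (-not $Policy.DeviceEncryptionEnabled) { $findings += 'storage card encryption off' }
    if ($Policy.UNCAccessEnabled) { $findings += 'UNC file share access enabled' }
    if ($Policy.WSSAccessEnabled) { $findings += 'SharePoint file access enabled' }

    if ($findings.Count -eq 0) {
        "{0}: meets baseline" -f $Policy.Name
    } else {
        foreach ($f in $findings) { "{0}: {1}" -f $Policy.Name, $f }
    }
}

# Run across all policies, including the SP1 default policy, which with the
# defaults listed in the post will fail several of these checks.
Get-ActiveSyncMailboxPolicy | ForEach-Object { Test-EasPolicyBaseline $_ }
```

Because the device only re-reads its policy at the refresh interval, a finding fixed here takes effect on handsets only after they next check in; a policy with an unlimited refresh interval is re-read only when the device re-syncs after a policy change is pushed.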

I hope the above is useful in getting a basic understanding of ActiveSync policies, their configuration and their settings. Exchange 2007 ActiveSync also includes the ability to remote wipe a device, and Direct Push ROCKS! No more SMS-based AUTD notifications and that $20 a month for unlimited text messages...

- Sachin Shah

17 Comments
Not applicable
exchange2007 and DNS external!
Not applicable
How would one change the default policy, such that newly created users would be given a site-wide settings without further action?
Not applicable
Hi Lee,

Can you clarify what you mean by "site-wide settings"

Not applicable
During the BETA there were rumours that WM 6 will also support Autodiscover for device provisioning... What's the "truth"? Thx, Christian
Not applicable
Christian: Windows Mobile 6.0 does NOT support Autodiscover for provisioning.
Not applicable
Thanks Patricia! Pity, that's a missing piece in the puzzle to compete with BlackBerry... Christian
Not applicable
I really wish these were not called "Policies", because they aren't. They're a group of common settings that must be manually re-applied to every mailbox you create. In Active Directory, "group policy" is automatically applied to the users it is scoped to. Why wasn't a similar approach used in Exchange?

For example, one of my pet peeves is that ActiveSync is automatically enabled for every new mailbox that gets created, and (as far as I can tell) this behavior cannot be changed. Don't get me wrong, I love ActiveSync, too, but in my organization not everyone should be permitted to use it. If I only have a small handful of users that use ActiveSync, I have to remember, each and every time I create a new user, to go back into the mailbox and disable ActiveSync. This is the kind of thing that a real "Policy" should address.

Moreover, these "policies" themselves need to be MANUALLY re-applied to every new mailbox. So even if it is appropriate for all new mailboxes to have ActiveSync enabled (my "pet peeve" from the paragraph above), I still have to remember to go back to each new mailbox and manually apply the appropriate policy. Wouldn't it make sense to be able to set an appropriate ActiveSync "policy" to apply, by default and automatically, to all new mailboxes? Why can't this be done?

This whole "policy" mess extends beyond ActiveSync -- Managed Folder "policies" suffer from the same problem. And it is really very counter-intuitive to what Microsoft administrators have come to enjoy about true policy-based administration available in other Microsoft products (like Group Policies in Active Directory).

Is there a plan to address these shortcomings? Please don't say PowerShell. PowerShell is great for what it is, but a script is not a substitute for a well-conceived policy application framework.
Not applicable
@Mike
By site-wide i mean applies to all users who do not have a specific policy applied.
Not applicable
Lee:
In Exchange 2007 SP1, the Exchange ActiveSync default policy will do just that.  If a user does not have an EAS policy explicitly assigned to their mailbox, then they will inherit the default policy.  

Let me know if you have any further questions.
Not applicable
What about allowing outbound phone calls when the device is password locked?  This is a frequent request to which we currently have to reply "Buy a BlackBerry". :(
Not applicable
One other setting I'd like to see - Automatic Updates on/off remotely.
Not applicable
Can you please confirm what policies will be available for users that have their mailboxes hosted on Exchange 2003 with an Exchange 2007 CAS server as the front end. Also, what policies require you to have Windows Mobile 6?
Not applicable
Mario:
For mailboxes that are still on Exchange 2003 SP2, the SP2 policies will apply even though Exchange ActiveSync requests may be first hitting an Exchange 2007 CAS box.

In this type of topology, the EAS request is being "proxied" to the Exchange 2003 SP2 server (and that server is running IIS 6 w/ the Microsoft-Server-ActiveSync virtual directory).
Not applicable
This list of policies is missing a description of "Document browsing enabled".  It's in the table of default values, but not in the general list.  What does it do?
Not applicable

I noticed with WM5 and Exchange 2007, Junk E-mail folder is not available to sync, this was an option with WM5 and Exchange 2003 sp2. Is this an inbuilt policy in Ex 2007?
Not applicable
J:
WM5 with MSFP does allow you to sync the Junk E-mail folder
Not applicable
I noticed that Exchange 2007 SP1 has two encryption policies:

1. Require encryption on the device
2. Require encryption on the storage card

What does the first policy do?  What does it encrypt on the device?
Version history: last update Jul 01 2019 03:28 PM