The Exchange 2007 Wiki

Securing Your Mobile Deployment with Exchange ActiveSync Policies

  Exchange Server 2007



With Exchange Server 2007 you can create multiple Exchange ActiveSync (EAS) policies, which gives you much finer control over your mobile deployment. Exchange ActiveSync policies were first introduced in Exchange Server 2003 SP2; however, you were limited to a single global policy that was applied to all users unless you specifically added them to an exception list.

This article walks you through creating and configuring an Exchange ActiveSync policy and assigning users to it, using the Exchange Management Shell in Exchange Server 2007.

1.    Create an EAS Policy

For this step, you will use the New-ActiveSyncMailboxPolicy command (formerly known as New-MobileMailboxPolicy in Exchange Server 2007 Beta 2). In this example we will create a policy called "Corporate Mobile Policy" by running the following command from the Exchange Management Shell:

New-ActiveSyncMailboxPolicy -Name "Corporate Mobile Policy"

After successfully creating "Corporate Mobile Policy", the command returns the complete policy object, showing the settings of the newly created policy (all at their defaults until you change them in step 2).

[Screenshot: output of New-ActiveSyncMailboxPolicy for the new policy]

The most salient settings to be aware of are:

AllowNonProvisionableDevices
True = Legacy devices that do not understand the EAS Provision command (pre-Windows Mobile 5.0 MSFP, such as Windows Mobile 2003 or Windows Mobile 5.0 without the MSFP) are allowed to sync with your Exchange server. NOTE: these older devices are a greater risk because none of the settings below can be enforced on them; you cannot require a PIN, a lock timeout or a wipe threshold.
False = Pre-Windows Mobile 5.0 MSFP devices (and any other device that does not implement Provision) are refused.

AlphanumericDevicePasswordRequired
True = Windows Mobile 5.0 MSFP and above require the device PIN to contain both letters and numbers.
False = Letters and numbers are not required (a purely numeric PIN is accepted).

AttachmentsEnabled
Whether attachments may be downloaded to the mobile device.

DeviceEncryptionEnabled*
True = Crossbow (Windows Mobile 6) devices encrypt the data on the storage card.
False = No encryption.

DevicePasswordEnabled*
True = Windows Mobile 5.0 MSFP devices and above require the user to set a device PIN.
False = A device PIN is not required.

PasswordRecoveryEnabled*
Whether your Exchange server stores the device's "recovery password". The user can retrieve it from Outlook Web Access, and your IT staff can retrieve it from the Exchange Management Console or the Exchange Management Shell.

DevicePolicyRefreshInterval
How often the device checks with the Exchange server for changes to the mobile policy. This is a TimeSpan property, so the format is DD.HH:MM:SS (days, then hours:minutes:seconds).
Example: for a policy refresh interval of 24 hours, specify 1.00:00:00 (note that 24.00:00:00 would mean 24 days).

AllowSimpleDevicePassword*
False = Users are blocked from choosing a device password with a simple pattern, such as 1111 or 1234.
True = Simple patterns are accepted.

MaxAttachmentSize*
The maximum size of an attachment that may be downloaded to the mobile device.

WSSAccessEnabled*
Allows you to block access to Windows SharePoint Services sites from the device.

UNCAccessEnabled*
Allows you to block access to documents stored on UNC file shares.

MinDevicePasswordLength
Minimum allowable device PIN length.

MaxInactivityTimeDeviceLock
How long the device may remain inactive before it locks and requires the PIN to unlock. This is also a TimeSpan (DD.HH:MM:SS).
Example: for an inactivity timeout of 15 minutes, specify 00:15:00.

MaxDevicePasswordFailedAttempts
The number of failed PIN attempts allowed before the device performs a local wipe (the device erases itself without contacting the server).

DevicePasswordExpiration*
The number of days a device password remains valid before the user is forced to change it.

DevicePasswordHistory*
The number of previously used passwords that are remembered so that they cannot be reused.

* These settings are enforced only by the next version of Windows Mobile (Windows Mobile 6, codenamed "Crossbow").

NOTE: All of these settings can be enforced only by devices that understand the Exchange ActiveSync PROVISION command, such as Windows Mobile 5.0 MSFP devices and above. A device that does not implement PROVISION either syncs with no policy at all (AllowNonProvisionableDevices = True) or is refused (AllowNonProvisionableDevices = False).
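Because the defaults of a freshly created policy are permissive, it is worth auditing every policy on the server against a baseline rather than reading each one by hand. The script below is an added example, not part of the original article; it uses only the cmdlet and property names listed above, but the baseline values (6-character PIN, 15-minute lock, 10 failed attempts) and the handling of "unlimited" values are this example's own assumptions and should be adjusted to your own standard.

```powershell
# Added example (not from the original article): audit every Exchange
# ActiveSync policy against a hardened baseline and report weaker settings.
# Written for the Exchange 2007 Management Shell (PowerShell 1.0 syntax).

# Baseline: booleans must match exactly; MinDevicePasswordLength is a floor;
# MaxDevicePasswordFailedAttempts is a ceiling; the TimeSpan is a ceiling.
# These thresholds are assumptions for the example, not product defaults.
$baseline = @{
    AllowNonProvisionableDevices       = $false  # legacy devices can't enforce anything
    DevicePasswordEnabled              = $true
    AllowSimpleDevicePassword          = $false  # reject 1111, 1234, ...
    AlphanumericDevicePasswordRequired = $true
    DeviceEncryptionEnabled            = $true   # only honoured by WM6 ("Crossbow")
    MinDevicePasswordLength            = 6
    MaxDevicePasswordFailedAttempts    = 10
    MaxInactivityTimeDeviceLock        = [TimeSpan]"00:15:00"
}

function ConvertTo-TimeSpanOrNull($value) {
    # Assumption: Exchange renders an unset/unlimited TimeSpan setting as the
    # text "unlimited" (or empty); treat either as "no limit configured".
    $text = [string]$value
    if ($text -eq "" -or $text -eq "unlimited") { return $null }
    return [TimeSpan]::Parse($text)
}

function Test-EasPolicy($policy) {
    # Returns one finding string per setting that is weaker than the baseline.
    $findings = @()
    foreach ($name in $baseline.Keys) {
        $want = $baseline[$name]
        $have = $policy.$name
        $weak = $false
        if ($want -is [bool]) {
            $weak = ([bool]$have -ne $want)
        } elseif ($want -is [TimeSpan]) {
            $ts = ConvertTo-TimeSpanOrNull $have
            $weak = ($ts -eq $null) -or ($ts -gt $want)
        } elseif ($name -eq "MinDevicePasswordLength") {
            # blank means no minimum length is enforced at all
            $weak = ([string]$have -eq "") -or ([int]$have -lt $want)
        } else {
            # remaining integer settings are "at most" limits; blank means unlimited
            $weak = ([string]$have -eq "") -or ([int]$have -gt $want)
        }
        if ($weak) {
            $findings += ("{0}: {1} is '{2}', baseline requires {3}" -f $policy.Name, $name, $have, $want)
        }
    }
    return $findings
}

# Run the check over every policy on the server and print the findings.
Get-ActiveSyncMailboxPolicy | ForEach-Object { Test-EasPolicy $_ }
```

A policy that produces no findings meets the baseline; a policy that was just created with New-ActiveSyncMailboxPolicy and never configured will typically be flagged on every line, which is the point of running the audit before assigning anyone to it.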

2.    Configure your EAS Policy

For this step, you will use the Set-ActiveSyncMailboxPolicy command to configure the "Corporate Mobile Policy" that you created above:

Set-ActiveSyncMailboxPolicy -Identity "Corporate Mobile Policy" -AllowNonProvisionableDevices:$true -DevicePasswordEnabled:$true -MinDevicePasswordLength 4 -MaxInactivityTimeDeviceLock "00:20:00"

This example sets the "Corporate Mobile Policy" to:

  - AllowNonProvisionableDevices = True (legacy devices are allowed to sync, with no policy enforced on them)
  - DevicePasswordEnabled = True (a device PIN is required)
  - MinDevicePasswordLength = 4
  - MaxInactivityTimeDeviceLock = 20 minutes

Note that this is a deliberately lenient example: a 4-digit PIN, a 20-minute lock timeout and legacy devices allowed. For a production policy you would normally set AllowNonProvisionableDevices to $false and tighten the PIN length and timeout.

3.    Assign users to that EAS Policy

Your last step is to assign users to this corporate policy by using the Set-CASMailbox command. We will assign the user "Mark" to the "Corporate Mobile Policy" by running this command:

Set-CASMailbox -Identity Mark -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Corporate Mobile Policy").Identity

One step further (w/ Monad)…

Since this is a corporate-wide policy, we want to apply it to all users in a single command. You can do this by running:

Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Corporate Mobile Policy").Identity

This command gets all mailboxes and pipes (feeds) the results into Set-CASMailbox, which sets the ActiveSyncMailboxPolicy on each one. The -ResultSize Unlimited switch matters: without it, Get-Mailbox returns only the first 1000 mailboxes, so in a larger organisation the remaining users would silently keep their old (or no) policy.
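The three steps above, carried out end to end with a hardened configuration and a verification pass at the end. This is an added example, not the article's own commands: the policy name is the article's, but the chosen values, the "create only if missing" check and the verification queries are this example's assumptions. The Get-ActiveSyncDeviceStatistics properties used in the last step (DevicePolicyApplied, DevicePolicyApplicationStatus, LastSyncAttemptTime) are assumed to be present in your build.

```powershell
# Added example (not from the original article): create, harden, assign and
# verify an EAS policy in one pass, Exchange 2007 Management Shell syntax.

$policyName = "Corporate Mobile Policy"

# 1. Create the policy only if it does not already exist (re-running the
#    script must not fail on a duplicate name).
$policy = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName }
if ($policy -eq $null) {
    $policy = New-ActiveSyncMailboxPolicy -Name $policyName
}

# 2. Configure it. Unlike the article's lenient example, legacy
#    (non-provisionable) devices are refused, because none of the settings
#    below can be enforced on them. Values are this example's assumptions.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AllowNonProvisionableDevices:$false `
    -DevicePasswordEnabled:$true `
    -AllowSimpleDevicePassword:$false `
    -AlphanumericDevicePasswordRequired:$true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -DevicePolicyRefreshInterval "1.00:00:00"   # one day is 1.00:00:00, not 24.00:00:00

# 3. Assign the policy to every mailbox. -ResultSize Unlimited is required;
#    the default result size stops after 1000 mailboxes.
Get-Mailbox -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policy.Identity

# 4a. Verify: list ActiveSync-enabled mailboxes that still have no policy
#     (should be empty after step 3).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and ($_.ActiveSyncMailboxPolicy -eq $null) } |
    Select-Object Name

# 4b. Verify on the device side: which partnered devices have actually
#     applied the policy. Mailboxes without a device partnership produce an
#     error, which is suppressed. Devices that never sync again after the
#     change are the ones that matter here.
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity -ErrorAction SilentlyContinue
} | Select-Object Identity, DeviceType, DevicePolicyApplied, DevicePolicyApplicationStatus, LastSyncAttemptTime
```

Step 4b is the check worth keeping as a scheduled report: a device whose DevicePolicyApplied is not the expected policy, or whose last sync predates the policy change, has not picked up the new settings yet and is still running under whatever PIN and lock configuration it had before.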

Comments

From StephenSpence - 1/26/07 2:32 AM

Was MobileMailboxPolicy available in a previous rev? At least in the RTM code we're using it's ActiveSyncMailboxPolicy


Last Modified 5/1/08 10:26 AM