Exchange Server 2007: ActiveSync Policies

Many Exchange administrators would like to enforce certain settings on all or some of their mobile users who use the Exchange 2007 ActiveSync feature to sync their e-mail, contacts and tasks to their PDAs or Windows Mobile phones. Well, the wait is now over! Exchange 2007 introduces ActiveSync Mailbox Policies, which can be used to enforce and configure various settings on mobile devices. Settings such as requiring a password, the password length, the password complexity, enabling the download of attachments, and access to UNC and Windows SharePoint Server shares can now all be configured using Mailbox Policies for ActiveSync.

Exchange ActiveSync policies can be created using the Exchange Management Shell or Exchange Management Console. While the management console gives you the ability to configure only a subset of the settings, the rest of the settings can be configured using the management shell.

The table below summarizes the available settings and their description:

| Setting | Description |
| --- | --- |
| Allow non-provisionable devices | Allows older devices (those that do not support EAS policies, for example, Windows Mobile 5.0 without the Messaging and Security Feature Pack applied) to connect to Exchange 2007 by using Exchange ActiveSync. |
| Allow simple password | Enables or disables the ability to use a simple password such as 1234. |
| Alphanumeric password required | Requires that a password contains numeric and non-numeric characters. |
| Attachments enabled | Enables attachments to be downloaded to the mobile device. |
| Device encryption enabled | For Windows Mobile 6.0 devices, this controls the storage card encryption on the device. |
| Password enabled | Enables the device password. |
| Password expiration | Enables the administrator to configure a length of time after which a device password must be changed. |
| Password history | The number of unique passwords a user must use before an old password can be reused. |
| Policy refresh interval | Defines how frequently the device checks the Exchange Server for changes to the Exchange ActiveSync policy. |
| Maximum attachment size | Specifies the maximum size of attachments that are automatically downloaded to the device. |
| Maximum failed password attempts | Specifies how many times an incorrect password can be entered before the device performs a wipe of all data. |
| Maximum inactivity time lock | Specifies the length of time a device can go without user input before it locks. |
| Minimum password length | Specifies the minimum password length. |
| Password recovery | Enables the device password to be recovered from the server. |
| UNC file access | Enables access to files stored on Universal Naming Convention (UNC) shares, commonly known as Windows file shares. |
| WSS file access | Enables access to files stored on Microsoft Windows SharePoint Services sites. |

You do not need to specify all the policy settings; any policy setting that is not explicitly set retains its default value. Further, a user does not need to be added to a policy: with SP1 for Exchange 2007, all users who use ActiveSync and are not assigned a policy receive the default policy and its settings, which are summarized below:

| Setting | Value |
| --- | --- |
| Allow non-provisionable devices | True |
| Allow simple password | False |
| Alphanumeric password required | False |
| Attachments enabled | True |
| Device encryption enabled | False |
| Password enabled | False |
| Password expiration | Unlimited |
| Password history | 0 |
| Policy refresh interval | Unlimited |
| Document browsing enabled | True |
| Maximum attachment size | Unlimited |
| Maximum failed password attempts | 4 |
| Maximum inactivity time lock | 15 minutes |
| Minimum password length | 4 |
| Password recovery | Disabled |
| UNC file access | Enabled |
| WSS file access | Enabled |

Policies can be applied to specific users or to a set of users, giving administrators the flexibility of having separate policies and settings for different users. A user can be assigned to only one ActiveSync Mailbox Policy. If you add a user to an Exchange ActiveSync mailbox policy and that user is already a member of another Exchange ActiveSync mailbox policy, the user is removed from the original policy and added to the new one.

To create a mailbox policy for Exchange 2007 ActiveSync, the user account must be delegated at least the Exchange Recipient Administrator role. To create a policy using the management console:

1. In the console tree, expand the Organization Configuration node, and then click Client Access.
2. In the action pane, click New ActiveSync mailbox policy.
3. On the New ActiveSync Mailbox Policy wizard page, enter a name in the Mailbox policy name box.
4. Select one or more of the optional check boxes.
5. Click New to finish creating your mailbox policy.
6. Click Finish to close the New ActiveSync Mailbox Policy Wizard.
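
The Exchange Management Shell route mentioned earlier, as an added example that is not part of the original article: it creates a policy that tightens the permissive defaults in the table above, assigns it to a mailbox, and then lists policies and mailboxes that still rely on weak or default settings. The policy name, the mailbox alias `jsmith` and the numeric values are illustrative assumptions.

```powershell
# Run in the Exchange Management Shell (Exchange 2007 SP1).
# 'Hardened Mobile Policy' and 'jsmith' are hypothetical names; the
# numeric thresholds are illustrative, not recommendations from the article.
$policyName = 'Hardened Mobile Policy'

# Create a policy that overrides the defaults that leave devices unprotected
# (no password, non-provisionable devices allowed, file share access enabled).
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5 `
    -DeviceEncryptionEnabled $true `
    -UNCAccessEnabled $false `
    -WSSAccessEnabled $false

# Assign the policy. A mailbox holds exactly one policy, so this
# replaces whatever policy the user had before.
Set-CASMailbox -Identity 'jsmith' -ActiveSyncMailboxPolicy $policyName

# Audit 1: policies that still permit the weakest configurations.
Get-ActiveSyncMailboxPolicy |
    Where-Object {
        (-not $_.DevicePasswordEnabled) -or
        $_.AllowNonProvisionableDevices -or
        $_.AllowSimpleDevicePassword
    } |
    Format-Table Name, DevicePasswordEnabled, AllowNonProvisionableDevices,
        AllowSimpleDevicePassword -AutoSize

# Audit 2: ActiveSync-enabled mailboxes with no explicit policy. Under SP1
# these fall back to the default policy and its settings.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and (-not $_.ActiveSyncMailboxPolicy) } |
    Select-Object Name, ActiveSyncMailboxPolicy
```

Setting `AllowNonProvisionableDevices` to `$false` blocks devices that cannot enforce the policy, so check which older handsets are still in use before rolling it out broadly.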
