Exchange 2007 ActiveSync policies

A lot of Exchange Administrators would like to enforce certain settings on all or a few of their mobile users who make use of the Exchange 2007 ActiveSync feature to sync their e-mails, contacts and tasks to their PDA's or Windows Mobile phones. Well, the wait is now over! Exchange 2007 introduces ActiveSync Mailbox Policies, these can be used to enforce and configure various settings on Mobile devices. Settings like requiring a password, the password length, the password complexity, enabling the download of attachments, access to UNC and Windows SharePoint Server Shares can now all be configured using Mailbox Policies for ActiveSync.

Exchange ActiveSync policies can be created using the Exchange Management Shell or Exchange Management Console. While the management console gives you the ability to configure only a subset of the settings, the rest of the settings can be configured using the management shell.

The table below summarizes the available settings and their description:

You do not need to specify all the policy settings; any policy setting that is not explicitly set will retain its default value. Further, a user does not need to be added to a policy, with SP1 for Exchange 2007, all users who are not assigned a policy and use ActiveSync will be applied with the default policy and settings, the same are summarized below:

Policies can be applied to specific users or could be applied to a set of users, thus giving administrators the flexibility of having separate policies and settings for different users. A user can be assigned to only one ActiveSync Mailbox Policy. If you add a user to an Exchange ActiveSync mailbox policy and that user is a member of another Exchange ActiveSync mailbox policy, that user is removed from the original Exchange ActiveSync mailbox policy and added to the new Exchange ActiveSync mailbox policy

To be able to create a mailbox Policy for Exchange 2007 Active Sync, the user account would need to be delegated at least the Exchange Recipient Administrator Role. To create a policy using the management console:

1. In the console tree, expand the Organization Configuration node, and then click Client Access.

2. In the action pane, click New ActiveSync mailbox policy.

3. On the New ActiveSync Mailbox Policy wizard page, enter a name in the Mailbox policy name box.

4. Select one or more of the optional check boxes.

5. Click New to finish creating your mailbox policy.

6. Click Finish to close the New ActiveSync Mailbox Policy Wizard.

To do the same using the management shell, run the following command:

New-ActiveSyncMaiboxPolicy -Name PolicyName -DevicePasswordEnabled:$false -AlphanumericDevicePasswordRequired:$false -MaxInactivityTimeDeviceLock:'unlimited' -MinDevicePasswordLength:$null -PasswordReciveryEnabled:$false -DeviceEncryptionEnabled:$false -AttachmentsEnabled:$true

That will create a policy with the default settings discussed above.

To add a user to a policy using the management console, the following steps need to be completed:

1. In the console tree, expand the Recipient Configuration node, and then click Mailbox.

2. In the work pane, right-click the user who you want to assign to a policy, and then click Properties.

3. In the user's Properties dialog box, click Mailbox Features.

4. Click ActiveSync, and then click Properties.

5. Select the Apply an ActiveSync mailbox policy check box.

6. Click Browse to view the Select Exchange ActiveSync Mailbox Policy dialog box.

7. Select an available policy, and then click OK three times to apply your changes.

To add a user to a policy using the management shell, run the following command

Set-CASMailbox UserName -ActiveSyncMailboxPolicy(Get-ActiveSyncMailboxPolicy "Policy Name").Identity

To add all users to a policy using the management shell, run the following command

Get-Mailbox | Set-CASMailbox -ActiveSyncMailboxPolicy(Get-ActiveSyncMailboxPolicy "Policy Name").Identity

To add users with a specific custom attribute set to a policy, run the following command

Get-Mailbox | where { $_.CustomAttribute1 -match "Manager" } | Set-CASMailbox -activesyncmailboxpolicy(Get-ActiveSyncMailboxPolicy "Policy Name").Identity

To modify a policy using the management console, complete the following steps. You will need to ensure that the user account performing the actions below has been delegated the Exchange Organization Administrator Role. This is because Exchange ActiveSync policies are configured at the Exchange Organizational level.

1. In the console root of the Exchange Management Console, expand the Organization Configuration node.

2. In the result pane, click Client Access.

3. In the work pane, click the Exchange ActiveSync mailbox policy that you want to change.

4. In the action pane, click Properties.

5. In the Exchange ActiveSync mailbox policy properties window, configure the settings for the Exchange ActiveSync mailbox policy, and then click OK to accept your changes.

To use the management shell, run the following command:

Set-ActiveSyncMailboxPolicy -Identity MyPolicy -AllowNonProvisionableDevices $true -AllowSimpleDevicePassword $true -AlphanumericDevicePasswordRequired $true -AttachmentsEnabled $true -DeviceEncryptionEnabled $false -DevicePasswordEnabled $true -DevicePasswordExpiration 12 -DevicePasswordHistory 20 -DevicePolicyRefreshInterval 00:60:00 -MaxAttachmentSize 4 -MaxDevicePasswordFailedAttempts 5 -MaxInactivityTimeDeviceLock 00:15:00 -MinDevicePasswordLength 4 -PasswordRecoveryEnabled $true -UNCAccessEnabled $false -WSSAccessEnabled $false

I hope the above would be useful in getting a basic understanding of the use of policies, configuration and settings of the same. Exchange 2007 ActiveSync also includes the feature to remote wipe a device and Direct Push ROCKS! No more SMS based AUTD notifications and that $20 a month for unlimited text messages...

- Sachin Shah