What’s New for Exchange ActiveSync Mailbox Policies in Exchange Server 2007 SP1?


Exchange 2007 Service Pack 1 is coming soon to a server near you. As you’ve read here before, there are a lot of new mobility features coming in Service Pack 1 and I hope I can provide you with some of the juicy details you’ve been waiting for.


Note: As wonderful as these new features are, we do not currently know of any mobile phones that support them. We’re pretty sure that eventually you’ll be able to get a device that supports them, but for now, just keep watching this blog for updates.


Here’s some of what you can look forward to.


Default Exchange ActiveSync Mailbox Policies


Exchange 2007 shipped with a wide variety of Exchange ActiveSync mailbox policy settings. You could enforce a password, require that the password be a certain length, prohibit the downloading of attachments, prevent users from reusing past passwords, and specify whether users could access information stored in Windows SharePoint Services document libraries. However, none of these policy settings does much good unless you assign your users to a policy. In Exchange 2007 RTM, all users had to be explicitly assigned to a policy. You could do this one at a time, or use an Exchange PowerShell one-liner to do it for you. In case you were wondering, here’s the PowerShell one-liner to assign all existing users to a policy.



Get-Mailbox | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Sales Policy").Identity


That’s really pretty simple, but wouldn’t you like it to be even easier? Well, now it is. Exchange 2007 Service Pack 1 allows Administrators to designate an existing policy as the default policy. When a policy is marked as default, all new users will automatically be assigned the policy. You can switch the default policy at any time through the Exchange Management Console or the Exchange Management Shell.
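An audit to go with the default-policy feature described above, as an added example that is not part of the original post: it reports how many mailboxes sit under each policy, lists ActiveSync-enabled mailboxes with no explicit assignment, and previews assigning them the policy marked as default. It assumes the Exchange Management Shell on Exchange 2007 SP1; the report layout and variable names are this example's own.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.

# Find the policy currently marked as default (an SP1 feature).
$default = Get-ActiveSyncMailboxPolicy | Where-Object { $_.IsDefaultPolicy }
if (-not $default) {
    Write-Warning "No Exchange ActiveSync mailbox policy is marked as default."
}

# Read the Client Access settings of every mailbox. The default result
# size is capped, so lift it to cover the whole organization.
$cas = Get-CASMailbox -ResultSize Unlimited

# Report 1: mailbox count per assigned policy. An empty value means the
# mailbox has no explicit policy assignment.
$cas |
    Group-Object { if ($_.ActiveSyncMailboxPolicy) { $_.ActiveSyncMailboxPolicy.Name } else { '(none)' } } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Report 2: mailboxes that can sync but have no explicit policy.
$unassigned = $cas | Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy }
$unassigned | Format-Table Name, ActiveSyncEnabled -AutoSize

# Preview assigning the default policy to those mailboxes.
# -WhatIf only prints what would change; remove it to apply.
if ($default) {
    $unassigned | ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy $default.Identity -WhatIf
    }
}
```

Re-running the first report after the change gives a quick check that no ActiveSync-enabled mailbox is left in the `(none)` group.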


New and Enhanced Policy Settings


In addition to the default policy, there are a significant number of new policy settings available in Exchange 2007 Service Pack 1. Now for a little bit of legal text: the ability to use many of the new policy settings is a premium feature of Exchange ActiveSync and requires an Exchange Enterprise Client Access License for each mailbox on which the policies are implemented. As I mentioned previously, the new policy features are available in Exchange ActiveSync Protocol version 12.1 (Exchange 2007 RTM ships with Exchange ActiveSync protocol version 12.0). Windows Mobile 6.0 is compatible with Exchange ActiveSync Protocol version 12.0. It’s a reasonably safe bet that a future device operating system will support Exchange ActiveSync version 12.1, but I can’t make any guarantees.


Policy Settings for Exchange ActiveSync:

| Settings | Ex2007 RTM | Ex2007 SP1 STANDARD CAL | Ex2007 SP1 ENTERPRISE CAL |
|---|---|---|---|
| Password Required | X | X | X |
| Min Password Length | X | X | X |
| Alphanumeric Password | X | X | X |
| Inactivity Timeout | X | X | X |
| Max Failed Password Attempts | X | X | X |
| Policy Refresh Interval | X | X | X |
| Allow non-provisionable devices | X | X | X |
| Attachments Enabled | X | X | X |
| Storage Card Encryption | X | X | X |
| Password Recovery Enabled | X | X | X |
| Allow Simple Device Password | X | X | X |
| Max Attachment Size | X | X | X |
| WSS Access Enabled | X | X | X |
| UNC Access Enabled | X | X | X |
| Password Expiration | X | X | X |
| Password History | X | X | X |
| Require Manual Sync When Roaming | | X | X |
| Min Device Pwd Complex Characters | | X | X |
| Max Calendar Age Filter | | X | X |
| Allow HTML Email | | X | X |
| Max Email Age Filter | | X | X |
| Max Email Body Truncation Size | | X | X |
| Max Email HTML Body Truncation Size | | X | X |
| Require Signed SMIME Messages | | X | X |
| Require Encrypted SMIME Messages | | X | X |
| Require Signed SMIME Algorithm | | X | X |
| Require Encryption SMIME Algorithm | | X | X |
| Allow SMIME Encryption Algorithm Negotiation | | X | X |
| Allow SMIME Soft Certs | | X | X |
| Require Device Encryption | | X | X |
| Allow Storage Card | | | X |
| Allow Camera | | | X |
| Allow Unsigned Applications | | | X |
| Allow Unsigned Installation Packages | | | X |
| Allow Wi-Fi | | | X |
| Allow Text Messaging | | | X |
| Allow POP/IMAP Email | | | X |
| Allow Bluetooth | | | X |
| Allow IrDA | | | X |
| Allow Desktop Sync | | | X |
| Allow Browser | | | X |
| Allow Consumer Email | | | X |
| Allow Remote Desktop | | | X |
| Allow Internet Sharing | | | X |
| Unapproved InROM Application List | | | X |
| Approved Application List | | | X |



Many of the new policy settings are intended to help administrators control the features their users can access on their mobile devices. Settings such as Allow Camera, Allow Text Messaging, Allow POP/IMAP Email and Allow Wi-Fi are intended to address some common device management problems. For example, many corporations do not allow the use of camera phones for confidentiality reasons. An administrator in this type of organization could deploy mobile devices designed to fully implement Exchange ActiveSync version 12.1 and feel confident that once the device accepted the Exchange ActiveSync mailbox policy, the device camera would be disabled.


Remote Wipe Confirmation


One last new feature that I want to mention is the addition of a remote wipe confirmation message. Remote wipe allows a user or an administrator to clear the device data in case that device is lost or stolen. The user can initiate the remote wipe process from Outlook Web Access and the administrator can initiate a remote wipe from the Exchange Management Console or the Exchange Management Shell.


In Exchange 2007 RTM, however, once the user or administrator initiated the remote wipe, they were often left wondering whether it completed. The remote wipe process is very reliable. If the device is still connected to the Internet, and the Microsoft Exchange Server computer is reachable, the next time a device initiates a connection to the Exchange Server, the remote wipe will be initiated. However, a little confirmation and reassurance is rarely a bad thing. So now, once a remote wipe has been initiated and received by the device, a confirmation email is received by the Administrator and the user.


Bring on the Service Pack 1


I hope this post has answered some of your Exchange 2007 Service Pack 1 questions. You can be sure that we’ll have a lot more information on Exchange Server Service Pack 1 in the future.


Patricia DiGiacomo

























Comments (17)
  1. Magnus Göransson says:

    Great article!

    However… one question still remains. When should I expect SP1 to arrive?

    /Magnus

  2. Fredrik Thorsen says:

    At IT Forum last week the Exchange team was still working with RTM dates from mid to late November for SP1

  3. Mark King says:

    Help docs were posted to download center last week, rumors were that MS would release it during IT Forum, looks like they backed off a bit.  Still crossing my fingers for this week!

  4. Kevin S. says:

    Currently, we are running Blackberrys within our Exchange ’07 rollout, and they work fine. Two admins (myself and another chap) are concurrently running BB and SmartPhone – he an i730 and me the i760. Since the i760 is brand spanking new (released November 1) what patch(es) do we need to install on it to make it do the new voodoo that we would want it to do? What is so different about SP1 that we have to change / upgrade the phones?

    The SmartPhones work just as fast as the Blackberrys without the risk of having RIM go down. Cost for the phones is comparable at the enterprise level, and you don’t need a BES running. At this point, it is a no-brainer, both from a business standpoint as well as a technical support / maintenance view.

  5. manitou says:

    last inside rumor I heard was it was delayed from the 15th to the 28th.  Could next wednesday be the day?  let’s hope.

  6. Frank says:

    So does SP1 ship with ActiveSync Protocol version 12.1 or is it another install that we have to perform?

  7. bday says:

    Is there a quick and easy way on (most) WM5.0 and WM6.0 devices to find what version of EAS protocol is being run? What version of WAS protocol does WM5.0 (w/Messaging & Security Feature Pack installed) support?

    I would love to see a comparison chart of what features are supported with Exchange 2007 + WM5.0. For the time being WM6.0 devices seem to be few and far between at this time with the cell companies we deal with (Verizon/Sprint/AT&T).

    Thank you very much!

  8. Andrew says:

    Come on SP1!!  Give a gentle clue, so we can get our test labs booked and ready to deploy!  Does ‘soon’ mean this week, this month, this year, something else?  It’ll be our little secret.  :)

  9. Exchange says:

    Andrew:

    "Does ‘soon’ mean this week, this month, this year, something else?"

    Yes, this year. As we have mentioned before, the "Q4 calendar year 2007" is it.

  10. easy1ndian says:

    so it could also be December 31 2007 considering your "Q4 calendar year 2007" slogan. TEASERSSSSSSSSSSSSSSSSS!!!

  11. waltz says:

    I think it’s ready and they’re just delaying it to generate hype in the industry.

    I imagine for every person who actually posts something here there are 000s who actually wana know. Great marketing tactic and clearly working.

    personally though – tired of waiting so sp1 or no service pack our shiny new ex2007 box is going in this weekend!

  12. Petri says:

    About the remote wipe, somehow I liked the web based wipe on E2003, because that is much easier to teach to Helpdesk than EMC or from shell.

    OWA does not help, because there are so many possibilities for mistakes and mobile device users are using less and less laptops.

  13. ehatem says:

    Please some assistance : ) I just prepared AD for e2k7. I am now planning to install E2K7 in the next month but, I will wait if I know the E2K7 SP1 is coming. Does this not make sense? and if so will I have to do more AD and schema preparation for E2K7 SP1?

  14. Exchange says:

    ehatem,

    Yes – it is coming within a month and yes it will require a small schema update (if you already extended the schema for E2007 RTM).

  15. bday says:

    My Technet Flash Newsletter was delivered via email a couple minutes ago and the first paragraph is:

    Volume 9, Issue 24: November 28, 2007

    Note from the Editor

    Greetings <my name>,

    On November 30, you will be able to download Exchange Server 2007 with Service Pack 1. The list of new features in SP1 is long, including new deployment options, new features and improvements for each server role, improved integration with other applications, and even a new, third type of continuous replication. There are also general updates to almost all of the high availability topics for SP1, as well as significant updates in other content areas, such as those related to the Mailbox, Client Access, Hub Transport and Edge Transport, and the Unified Messaging server roles. You can find documentation on the new features by browsing or searching the Exchange Server TechCenter Library. If you’re in evaluation mode, you can now download the Exchange Server 2007 with Service Pack 1 trial software and see how secure, anywhere access can enhance operational efficiency.

  16. Mark King says:

    FYI, your email was a day off…  SP1 now available for download in 64-bit and 32-bit flavors.

    http://www.microsoft.com/downloads/details.aspx?FamilyId=44C66AD6-F185-4A1D-A9AB-473C1188954C&displaylang=en

  17. Frank says:

    I got the same Technet, and it’s already available for download. It says it was posted today. The link for the download is here:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=44C66AD6-F185-4A1D-A9AB-473C1188954C&displaylang=en
