Applies to: Exchange Server 2007
Topic Last Modified: 2007-06-11

Use the Password page in the Exchange ActiveSync mailbox policy properties to set password requirements for Microsoft Exchange ActiveSync clients.

To use Exchange ActiveSync to synchronize mailbox data requires that the user authenticate to the server that is running the Client Access server role over HTTPS. After the connection is established, all information passes between the mobile device and a user's mailbox through the Client Access server.

You can create an Exchange ActiveSync mailbox policy to configure a variety of security options for users. In addition to password requirements and settings, you can specify the types of devices that can connect to the server that is running Microsoft Exchange Server, whether attachments can be synchronized, and whether users can access information that is on Windows SharePoint Services sites from their mobile devices.

Require password

Select this option to require a password for the device. If passwords are required, select from the following options:

  • Require alphanumeric password   Select this option to specify that the device password must include non-numeric characters. Requiring non-numeric characters in passwords increases the strength of password security.

  • Enable password recovery   Select this option to enable password recovery for the mobile device. Users can use Outlook Web Access to look up their recovery password and unlock their device. Administrators can use the Exchange Management Console to look up a user's recovery password.

  • Require encryption on device   Select this option to require device encryption. This increases security by encrypting all information on the storage cards for the device.

  • Number of failed attempts allowed   Select this option to limit the number of failed password attempts a device accepts before all information on the device is deleted and the device is automatically returned to the original factory settings. This reduces the chance of an unauthorized user accessing information on a lost or stolen device that has a device password.

  • Minimum password length   Select this option to specify a minimum password length for the device password. Long passwords can provide increased security. However long passwords can decrease device usability. A moderate password length of four to six characters is recommended.

  • Time without user input before password must be entered   When a device password is required, you can select this option to prompt the user for the password after the device has been inactive for a specified period of time. For example, if this setting is set to 15 minutes, the user must enter the device password every time that the device is idle for 15 minutes. If the device is idle for 10 minutes, the user would not have to re-enter the password.

For More Information

For more information about Exchange ActiveSync, see the following topics: