Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-11-16

Use the Set-ActiveSyncMailboxPolicy cmdlet to apply a variety of mailbox policy settings to a server. You can set any of the parameters by using one command.

Syntax

Set-ActiveSyncMailboxPolicy -Identity <MailboxPolicyIdParameter> [-AllowBluetooth <Disable | HandsfreeOnly | Allow>] [-AllowBrowser <$true | $false>] [-AllowCamera <$true | $false>] [-AllowConsumerEmail <$true | $false>] [-AllowDesktopSync <$true | $false>] [-AllowExternalDeviceManagement <$true | $false>] [-AllowHTMLEmail <$true | $false>] [-AllowInternetSharing <$true | $false>] [-AllowIrDA <$true | $false>] [-AllowMobileOTAUpdate <$true | $false>] [-AllowNonProvisionableDevices <$true | $false>] [-AllowPOPIMAPEmail <$true | $false>] [-AllowRemoteDesktop <$true | $false>] [-AllowSimpleDevicePassword <$true | $false>] [-AllowSMIMEEncryptionAlgorithmNegotiation <BlockNegotiation | OnlyStrongAlgorithmNegotiation | AllowAnyAlgorithmNegotiation>] [-AllowSMIMESoftCerts <$true | $false>] [-AllowStorageCard <$true | $false>] [-AllowTextMessaging <$true | $false>] [-AllowUnsignedApplications <$true | $false>] [-AllowUnsignedInstallationPackages <$true | $false>] [-AllowWiFi <$true | $false>] [-AlphanumericDevicePasswordRequired <$true | $false>] [-ApprovedApplicationList <ApprovedApplicationCollection>] [-AttachmentsEnabled <$true | $false>] [-Confirm [<SwitchParameter>]] [-DeviceEncryptionEnabled <$true | $false>] [-DevicePasswordEnabled <$true | $false>] [-DevicePasswordExpiration <Unlimited>] [-DevicePasswordHistory <Int32>] [-DevicePolicyRefreshInterval <Unlimited>] [-DomainController <Fqdn>] [-IrmEnabled <$true | $false>] [-IsDefaultPolicy <$true | $false>] [-MaxAttachmentSize <Unlimited>] [-MaxCalendarAgeFilter <All | TwoWeeks | OneMonth | ThreeMonths | SixMonths>] [-MaxDevicePasswordFailedAttempts <Unlimited>] [-MaxEmailAgeFilter <All | OneDay | ThreeDays | OneWeek | TwoWeeks | OneMonth>] [-MaxEmailBodyTruncationSize <Unlimited>] [-MaxEmailHTMLBodyTruncationSize <Unlimited>] [-MaxInactivityTimeDeviceLock <Unlimited>] [-MinDevicePasswordComplexCharacters <Int32>] [-MinDevicePasswordLength <Int32>] [-MobileOTAUpdateMode <MajorVersionUpdates | MinorVersionUpdates | BetaVersionUpdates>] [-Name <String>] [-PasswordRecoveryEnabled <$true | $false>] [-RequireDeviceEncryption <$true | $false>] [-RequireEncryptedSMIMEMessages <$true | $false>] [-RequireEncryptionSMIMEAlgorithm <TripleDES | DES | RC2128bit | RC264bit | RC240bit>] [-RequireManualSyncWhenRoaming <$true | $false>] [-RequireSignedSMIMEAlgorithm <SHA1 | MD5>] [-RequireSignedSMIMEMessages <$true | $false>] [-RequireStorageCardEncryption <$true | $false>] [-UnapprovedInROMApplicationList <MultiValuedProperty>] [-UNCAccessEnabled <$true | $false>] [-WhatIf [<SwitchParameter>]] [-WSSAccessEnabled <$true | $false>]

Detailed Description

With the Set-ActiveSyncMailboxPolicy cmdlet, you can set each parameter in a mailbox policy.

Note:
Some Microsoft Exchange ActiveSync policy settings require the mobile phone to have certain built-in features that enforce these security and device management settings. If your organization allows all devices, you must set the AllowNonProvisionableDevices parameter to $true. This applies to devices that can't enforce all policy settings.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Exchange ActiveSync mailbox policy settings" entry in the Client Access Permissions topic.

Parameters

Parameter Required Type Description

Identity

Required

Microsoft.Exchange.Configuration.Tasks.MailboxPolicyIdParameter

The Identity parameter specifies the Exchange ActiveSync mailbox policy.

AllowBluetooth

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.BluetoothType

The AllowBluetooth parameter specifies whether the Bluetooth capabilities are allowed on the mobile phone. The available options are Disable, HandsfreeOnly, and Allow. The default value is Allow.

AllowBrowser

Optional

System.Boolean

The AllowBrowser parameter indicates whether Microsoft Pocket Internet Explorer is allowed on the mobile phone. The default value is $true. This parameter doesn't affect third-party browsers.

AllowCamera

Optional

System.Boolean

The AllowCamera parameter specifies whether the mobile phone's camera is allowed. The default value is $true.

AllowConsumerEmail

Optional

System.Boolean

The AllowConsumerEmail parameter specifies whether the mobile phone user can configure a personal e-mail account on the mobile phone. The default value is $true. This parameter doesn't control access to e-mails using third-party mobile phone e-mail programs.

AllowDesktopSync

Optional

System.Boolean

The AllowDesktopSync parameter specifies whether the mobile phone can synchronize with a desktop computer through a cable. The default value is $true.

AllowExternalDeviceManagement

Optional

System.Boolean

The AllowExternalDeviceManagement parameter specifies whether an external device management program is allowed to manage the mobile phone.

AllowHTMLEmail

Optional

System.Boolean

The AllowHTMLEmail parameter specifies whether HTML e-mail is enabled on the mobile phone. The default value is $true. If set to $false, all e-mail will be converted to plain text before synchronization occurs.

AllowInternetSharing

Optional

System.Boolean

The AllowInternetSharing parameter specifies whether the mobile phone can be used as a modem to connect a computer to the Internet. The default value is $true.

AllowIrDA

Optional

System.Boolean

The AllowIrDA parameter specifies whether infrared connections are allowed to the mobile phone. The default value is $true.

AllowMobileOTAUpdate

Optional

System.Boolean

The AllowMobileOTAUpdate parameter specifies whether the Exchange ActiveSync mailbox policy can be sent to the mobile phone over a cellular data connection.

AllowNonProvisionableDevices

Optional

System.Boolean

The AllowNonProvisionableDevices parameter specifies whether all mobile phones can synchronize with the server running Exchange. When set to $true, the AllowNonProvisionableDevices parameter enables all mobile phones to synchronize with the Exchange server, regardless of whether the phone can enforce all the specific settings established in the Exchange ActiveSync policy. This also includes mobile phones managed by a separate device management system. When set to $false, this parameter blocks mobile phones that aren't provisioned from synchronizing with the Exchange server. The default value is $false.

AllowPOPIMAPEmail

Optional

System.Boolean

The AllowPOPIMAPEmail parameter specifies whether the user can configure a POP3 or IMAP4 e-mail account on the mobile phone. The default value is $true. This parameter doesn't control access by third-party e-mail programs.

AllowRemoteDesktop

Optional

System.Boolean

The AllowRemoteDesktop parameter specifies whether the mobile phone can initiate a remote desktop connection. The default value is $true.

AllowSimpleDevicePassword

Optional

System.Boolean

The AllowSimpleDevicePassword parameter specifies whether a simple device password is allowed. A simple device password is a password that has a specific pattern, such as 1111 or 1234. The default value is $true.

AllowSMIMEEncryptionAlgorithmNegotiation

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.SMIMEEncryptionAlgorithmNegotiationType

The AllowSMIMEEncryptionAlgorithmNegotiation parameter specifies whether the messaging application on the mobile phone can negotiate the encryption algorithm if a recipient's certificate doesn't support the specified encryption algorithm.

AllowSMIMESoftCerts

Optional

System.Boolean

The AllowSMIMESoftCerts parameter specifies whether S/MIME software certificates are allowed. The default value is $true.

AllowStorageCard

Optional

System.Boolean

The AllowStorageCard parameter specifies whether the mobile phone can access information stored on a storage card. The default value is $true.

AllowTextMessaging

Optional

System.Boolean

The AllowTextMessaging parameter specifies whether text messaging is allowed from the mobile phone. The default value is $true.

AllowUnsignedApplications

Optional

System.Boolean

The AllowUnsignedApplications parameter specifies whether unsigned applications can be installed on the mobile phone. The default value is $true.

AllowUnsignedInstallationPackages

Optional

System.Boolean

The AllowUnsignedInstallationPackages parameter specifies whether unsigned installation packages can be executed on the mobile phone. The default value is $true.

AllowWiFi

Optional

System.Boolean

The AllowWiFi parameter specifies whether wireless Internet access is allowed on the mobile phone. The default value is $true.

AlphanumericDevicePasswordRequired

Optional

System.Boolean

The AlphanumericDevicePasswordRequired parameter specifies whether the password for the mobile phone must be alphanumeric. The default value is $false.

ApprovedApplicationList

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.ApprovedApplicationCollection

The ApprovedApplicationList parameter specifies a list of approved applications for the mobile phone.

AttachmentsEnabled

Optional

System.Boolean

The AttachmentsEnabled parameter specifies whether attachments can be downloaded. When set to $false, the AttachmentsEnabled parameter blocks the user from downloading attachments. The default value is $true.

Confirm

Optional

System.Management.Automation.SwitchParameter

The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.

DeviceEncryptionEnabled

Optional

System.Boolean

The DeviceEncryptionEnabled parameter specifies whether encryption is enabled. The DeviceEncryptionEnabled parameter, when set to $true, enables device encryption on the mobile phone. The default value is $false.

DevicePasswordEnabled

Optional

System.Boolean

The DevicePasswordEnabled parameter specifies whether a password is required. When set to $true, the DevicePasswordEnabled parameter requires that the user set a password for the mobile phone. The default value is $false.

DevicePasswordExpiration

Optional

Microsoft.Exchange.Data.Unlimited

The DevicePasswordExpiration parameter specifies the length of time, in days, that a password can be used. After this length of time, a new password must be created. The format of the parameter is dd.hh:mm:ss, for example, 24.00:00 = 24 hours.

DevicePasswordHistory

Optional

System.Int32

The DevicePasswordHistory parameter specifies the number of previously used passwords to store. When a user creates a new password, the user can't reuse a stored password that was previously used.

DevicePolicyRefreshInterval

Optional

Microsoft.Exchange.Data.Unlimited

The DevicePolicyRefreshInterval parameter specifies how often the policy is sent from the server to the mobile phone.

The value for this parameter is in the format of dd.hh:mm:ss. For example, 24 hours is formatted as 24:00:00. By default, the value is set to Unlimited.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory.

IrmEnabled

Optional

System.Boolean

The IrmEnabled parameter specifies whether IRM is enabled for the mailbox policy.

IsDefaultPolicy

Optional

System.Boolean

The IsDefaultPolicy parameter specifies whether this policy is the default Exchange ActiveSync mailbox policy. The default value is $false. If another policy is currently set as the default, setting this parameter replaces the old default policy with this policy.

MaxAttachmentSize

Optional

Microsoft.Exchange.Data.Unlimited

The MaxAttachmentSize parameter specifies the maximum size of attachments that can be downloaded to the mobile phone. The default value is Unlimited.

MaxCalendarAgeFilter

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.CalendarAgeFilterType

The MaxCalendarAgeFilter parameter specifies the maximum range of calendar days that can be synchronized to the device. The value is specified in days.

MaxDevicePasswordFailedAttempts

Optional

Microsoft.Exchange.Data.Unlimited

The MaxDevicePasswordFailedAttempts parameter specifies the number of attempts a user can make to enter the correct password for the mobile phone. You can enter any number from 4 through 16. The default value is 8.

MaxEmailAgeFilter

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.EmailAgeFilterType

The MaxEmailAgeFilter parameter specifies the maximum number of days of e-mail items to synchronize to the mobile phone. The value is specified in days or by entering one of the following values.

  • All

  • OneDay

  • ThreeDays

  • OneWeek

  • TwoWeeks

  • OneMonth

MaxEmailBodyTruncationSize

Optional

Microsoft.Exchange.Data.Unlimited

The MaxEmailBodyTruncationSize parameter specifies the maximum size at which e-mail messages are truncated when synchronized to the mobile phone. The value is specified in kilobytes (KB).

MaxEmailHTMLBodyTruncationSize

Optional

Microsoft.Exchange.Data.Unlimited

The MaxEmailHTMLBodyTruncationSize parameter specifies the maximum size at which HTML-formatted e-mail messages are synchronized to the mobile phone. The value is specified in KB.

MaxInactivityTimeDeviceLock

Optional

Microsoft.Exchange.Data.Unlimited

The MaxInactivityTimeDeviceLock parameter specifies the length of time that the mobile phone can be inactive before the password is required to reactivate it. You can enter any interval between 30 seconds and 1 hour. The default value is 15 minutes. The format of the parameter is hh:mm:ss, for example, 15:00 = 15 minutes.

MinDevicePasswordComplexCharacters

Optional

System.Int32

The MinDevicePasswordComplexCharacters parameter specifies the minimum number of complex characters required in a mobile phone password. A complex character isn't a letter.

MinDevicePasswordLength

Optional

System.Int32

The MinDevicePasswordLength parameter specifies the minimum number of characters in the device password. You can enter any number from 1 through 16. The maximum length a password can be is 16 characters. The default value is 4.

MobileOTAUpdateMode

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.MobileOTAUpdateModeType

This parameter is available for multi-tenant deployments. It isn't available for on-premises deployments. For more information about multi-tenant deployments, see Multi-Tenant Support.

The MobileOTAUpdateMode parameter specifies the Mobile OTA Update mode.

Name

Optional

System.String

The Name parameter specifies the friendly name of the Exchange ActiveSync mailbox policy.

PasswordRecoveryEnabled

Optional

System.Boolean

The PasswordRecoveryEnabled parameter specifies whether the recovery password for the mobile phone is stored on an Exchange server. When set to $true, the PasswordRecoveryEnabled parameter enables you to store the recovery password for the mobile phone on an Exchange server. The default value is $false. The recovery password can be viewed from either Microsoft Office Outlook Web App or the Exchange Management Console.

RequireDeviceEncryption

Optional

System.Boolean

The RequireDeviceEncryption parameter specifies whether encryption is required on the device. The default value is $false.

RequireEncryptedSMIMEMessages

Optional

System.Boolean

The RequireEncryptedSMIMEMessages parameter specifies whether you must encrypt S/MIME messages. The default value is $false.

RequireEncryptionSMIMEAlgorithm

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.EncryptionSMIMEAlgorithmType

The RequireEncryptionSMIMEAlgorithm parameter specifies what required algorithm must be used when encrypting a message.

RequireManualSyncWhenRoaming

Optional

System.Boolean

The RequireManualSyncWhenRoaming parameter specifies whether the mobile phone must synchronize manually while roaming. The default value is $false.

RequireSignedSMIMEAlgorithm

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.SignedSMIMEAlgorithmType

The RequireSignedSMIMEAlgorithm parameter specifies what required algorithm must be used when signing a message.

RequireSignedSMIMEMessages

Optional

System.Boolean

The RequireSignedSMIMEMessages parameter specifies whether the mobile phone must send signed S/MIME messages.

RequireStorageCardEncryption

Optional

System.Boolean

The RequireStorageCardEncryption parameter specifies whether storage card encryption is enabled for the mailbox policy.

UnapprovedInROMApplicationList

Optional

Microsoft.Exchange.Data.MultiValuedProperty

The UnapprovedInROMApplicationList parameter contains a list of applications that can't be run in ROM.

UNCAccessEnabled

Optional

System.Boolean

The UNCAccessEnabled parameter specifies whether access to Microsoft Windows file shares is enabled. Access to specific shares is configured on the Exchange ActiveSync virtual directory.

WhatIf

Optional

System.Management.Automation.SwitchParameter

The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

WSSAccessEnabled

Optional

System.Boolean

The WSSAccessEnabled parameter specifies whether access to Microsoft Windows SharePoint Services is enabled. Access to specific shares is configured on the Exchange ActiveSync virtual directory.

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

Examples

EXAMPLE 1

This example sets several policy settings for the Exchange ActiveSync policy SalesPolicy.

Set-ActiveSyncMailboxPolicy -Identity:SalesPolicy -DevicePasswordEnabled:$true -AlphanumericDevicePasswordRequired:$true -PasswordRecoveryEnabled:$true -AttachmentsEnabled:$true -MaxInactivityTimeDeviceLock:15:00 -IsDefaultPolicy:$false

EXAMPLE 2

This example sets several policy settings for the Exchange ActiveSync policy Management. The Management policy requires mailboxes have an Exchange Server Enterprise client access license (CAL).

Set-ActiveSyncMailboxPolicy -Identity:Management -DevicePasswordEnabled:$true -AlphanumericDevicePasswordRequired:$true -PasswordRecoveryEnabled:$true -AllowCamera:$true -MaxEmailAgeFilter:5 -AllowWiFi:$false -AllowStorageCard:$true -AllowPOPIMAPEmail:$false

EXAMPLE 3

This example sets several policy settings for the Exchange ActiveSync policy Default and requires confirmation before applying the settings.

Set-ActiveSyncMailboxPolicy -Identity:Default -DevicePasswordEnabled:$true -AlphanumericDevicePasswordRequired:$true -PasswordRecoveryEnabled:$true -MaxEmailAgeFilter:5 -AllowWiFi:$false -AllowStorageCard:$true -AllowPOPIMAPEmail:$false -IsDefaultPolicy:$true -AllowTextMessaging:$true -Confirm:$true
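
ADDED EXAMPLE (not part of the original topic)

This added example is a read-only audit that compares policy objects against a security baseline built from the parameters described above, so that weak settings are found before Set-ActiveSyncMailboxPolicy is used to correct them. The baseline values, the function name Test-ActiveSyncPolicyBaseline and the sample policy object are assumptions made here; the sample carries the default values listed in the Parameters section.

```powershell
# Added example, not from the original topic. Baseline values are assumptions
# chosen for illustration; adjust them to your organization's standard.
$Baseline = @{
    DevicePasswordEnabled              = $true    # page default: $false
    AlphanumericDevicePasswordRequired = $true    # page default: $false
    AllowSimpleDevicePassword          = $false   # page default: $true (1111, 1234 accepted)
    RequireDeviceEncryption            = $true    # page default: $false
    AllowNonProvisionableDevices       = $false   # $true admits devices that can't enforce policy
}
$MinPasswordLength = 6                            # assumed floor; page default is 4

function Test-ActiveSyncPolicyBaseline {
    # Emits one finding per setting that deviates from the baseline.
    # Uses New-Object PSObject so it also runs on PowerShell 2.0.
    param([Parameter(ValueFromPipeline = $true)] $Policy)
    process {
        foreach ($entry in ($Baseline.GetEnumerator() | Sort-Object Name)) {
            $actual = $Policy.($entry.Name)
            if ($actual -ne $entry.Value) {
                New-Object PSObject -Property @{
                    Policy = $Policy.Name; Setting  = $entry.Name
                    Actual = $actual;      Expected = $entry.Value
                }
            }
        }
        if ($Policy.MinDevicePasswordLength -lt $MinPasswordLength) {
            New-Object PSObject -Property @{
                Policy   = $Policy.Name
                Setting  = 'MinDevicePasswordLength'
                Actual   = $Policy.MinDevicePasswordLength
                Expected = ">= $MinPasswordLength"
            }
        }
    }
}

# Constructed sample object carrying the default values listed in the
# Parameters section (stands in for Get-ActiveSyncMailboxPolicy output).
$sample = New-Object PSObject -Property @{
    Name                               = 'ConstructedDefaults'
    DevicePasswordEnabled              = $false
    AlphanumericDevicePasswordRequired = $false
    AllowSimpleDevicePassword          = $true
    RequireDeviceEncryption            = $false
    AllowNonProvisionableDevices       = $false
    MinDevicePasswordLength            = 4
}
$sample | Test-ActiveSyncPolicyBaseline |
    Format-Table Policy, Setting, Actual, Expected -AutoSize

# In the Exchange Management Shell, audit the real policies, then preview a fix:
# Get-ActiveSyncMailboxPolicy | Test-ActiveSyncPolicyBaseline
# Set-ActiveSyncMailboxPolicy -Identity SalesPolicy -AllowSimpleDevicePassword $false -MinDevicePasswordLength 6 -WhatIf
```

The password-related settings only take effect when DevicePasswordEnabled is $true, so remediate that finding first and use the WhatIf switch to review the change before applying it.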