Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

You can create an Exchange ActiveSync mailbox policy to configure a variety of security options for users. In addition to password requirements and settings, you can use the General tab to specify the types of mobile phones that can connect to the Exchange server and whether attachments can be synchronized.

Looking for other management tasks related to Exchange ActiveSync mailbox policies? Check out Managing Exchange ActiveSync with Policies.

Important:
Windows Phone 7 mobile phones only support a subset of all Exchange ActiveSync mailbox policy settings. For more information, see Understanding Exchange ActiveSync Mailbox Policies.

What Do You Want To Do?

Use the EMC to view or configure mailbox user properties

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Exchange ActiveSync mailbox policy settings" entry in the Client Access Permissions topic.

  1. In the console tree, navigate to Organization Configuration > Client Access.

  2. In the result pane, click the Exchange ActiveSync Mailbox Policies tab, and then select the policy you want to view or configure.

  3. In the action pane, click Properties.

  4. Use the General tab to specify the types of mobile phones that can connect to the Exchange server and whether attachments can be synchronized.

    • Allow non-provisionable devices   Select this check box to allow mobile phones that can't be provisioned automatically. These mobile phones may be unable to enforce all the Exchange ActiveSync policy settings. By selecting this box, you're allowing these mobile phones to synchronize even though some policy settings may not be applied.

    • Refresh interval   Select this check box to force the server to resend the policy to clients at a fixed interval defined in the number of hours between policy refresh events.

  5. Use the Password tab to set password requirements for Exchange ActiveSync clients.

    • Require password   Select this check box to require a password for the mobile phone. If passwords are required, the following options become available.

    • Require alphanumeric password   Select this check box to specify that the mobile phone password must include non-numeric characters. Requiring non-numeric characters in passwords increases the strength of password security.

    • Minimum number of character sets   Use this text box to specify the complexity of the alphanumeric password and force users to use a number of different sets of characters from among the following: lower case letters, upper case letters, symbols and numbers.

    • Enable password recovery   Select this check box to enable password recovery for the mobile phone. Users can use Outlook Web App to look up their recovery password and unlock their mobile phone. Administrators can use the EMC to look up a user's recovery password.

    • Require encryption on device   Select this check box to require encryption on the mobile phone. This increases security by encrypting all information on the mobile phone.

    • Require encryption on storage cards   Select this check box to require encryption on the mobile phone’s removable storage card. This increases security by encrypting all information on the storage cards for the mobile phone.

    • Allow simple password   Select this check box to allow users to lock their mobile phones with simple passwords such as 1111 or 1234. If you clear this check box, users will be required to use more secure password sequences.

    • Number of failed attempts allowed   Use this text box to limit the number of failed password attempts a mobile phone accepts before all information on the mobile phone is deleted and the mobile phone is automatically returned to the original factory settings. This reduces the chance of an unauthorized user accessing information on a lost or stolen mobile phone that has a password.

    • Minimum password length   Use this text box to specify a minimum password length for the mobile phone password. Long passwords can provide increased security. However, long passwords can decrease mobile phone usability. A moderate password length of four to six characters is recommended.

    • Time without user input before password must be re-entered (in minutes)   When a mobile phone password is required, you can use this text box to prompt the user for the password after the mobile phone has been inactive for a specified period of time. For example, if this setting is set to 15 minutes, the user must enter the mobile phone password every time that the mobile phone is idle for 15 minutes. If the mobile phone is idle for 10 minutes, the user won't have to re-enter the password.

    • Password expiration (days)   Use this text box to force users to reset their mobile phone’s password at a given interval. The interval is set in a number of days.

    • Enforce password history   Select this check box to force the mobile phone to prevent the user from re-using their previous passwords. The number you set determines how many past passwords the user won't be allowed to reuse.

  6. Use the Sync Settings tab to specify a variety of synchronization-specific settings.

    • Include past calendar items   Use this drop-down list to select the date range of calendar items to synchronize to the mobile phone. The available options include the following: All, Two Weeks, One Month, Three Months, and Six Months. If you have to specify other options, use the Shell to configure this setting.

    • Include past e-mail items   Use this drop-down list to select the date range of e-mail items to synchronize to the mobile phone. The available options include the following: All, One Day, Three Days, One Week, Two Weeks, and One Month. If you have to specify other options, use the Shell to configure this setting.

    • Limit e-mail size to (KB)   Select this check box to limit the message size that can be downloaded to the mobile phone. After you've selected the check box, use the text box to specify a maximum message size, in kilobytes (KB).

    • Allow Direct Push when roaming   Select this check box to enable the mobile phone to synchronize as new items arrive when you're roaming with your phone. You're roaming when you're outside your normal service area. Check with your mobile service provider to determine your normal service area. Clearing this check box forces you to manually launch synchronization when you're roaming with the phone and data rates are traditionally higher.

    • Allow HTML-formatted e-mail   Select this check box to enable e-mail messages that are formatted in HTML to be synchronized to the mobile phone. If this check box isn't selected, all e-mail messages will be converted to plain text before synchronization. Use of this check box doesn't affect whether or not messages are received on the mobile phone.

    • Allow attachments to be downloaded to device   Select this check box to enable attachments to be downloaded to the mobile phone. If this check box is cleared, the name of the attachment is visible within the e-mail message but can't be downloaded to the mobile phone.

    • Maximum attachment size (KB)   Select this check box to specify a maximum size for attachments that are downloaded to the mobile phone. After you select the check box, use the text box to enter a maximum attachment size, in KB. If this check box is selected, attachments that are larger than the specified size can't be downloaded to the device.

  7. Use the Device tab to specify a variety of device-specific settings. All settings that you access on the Device tab of the Exchange ActiveSync policy Properties page are premium features of Exchange ActiveSync. For these features to be implemented on a mobile phone, the mailbox requires an Exchange Enterprise client access license (CAL).

    • Allow removable storage   Select this check box to allow storage cards to be accessed from a mobile phone. If this check box isn't selected, storage cards can't be accessed from a mobile phone.

    • Allow camera   Select this check box to allow the mobile phone camera to be used.

    • Allow Wi-Fi   Select this check box to allow the mobile phone to use a Wi-Fi connection for Internet access. Direct Push isn't supported over Wi-Fi.

    • Allow infrared   Select this check box to allow the mobile phone to establish an infrared connection with other devices or computers.

    • Allow Internet sharing from device   Select this check box to allow another device to share the Internet connection of the mobile phone. Internet sharing is frequently used when the device functions as a modem for a laptop or desktop computer.

    • Allow remote desktop from device   Select this check box to allow the mobile phone to establish a remote desktop connection to another computer.

    • Allow desktop synchronization   Select this check box to allow the mobile phone to synchronize with a desktop computer through desktop ActiveSync or the Windows Mobile Device Center.

    • Allow Bluetooth   Use this drop-down list to control the Bluetooth functionality of the mobile phone. You can choose to Allow, Disable, or enable Bluetooth for Handsfree only.

  8. Use the Device Applications tab to enable or disable specific features on a mobile phone. All settings that you access on the Device Applications tab of the Exchange ActiveSync policy Properties pages are premium features of Exchange ActiveSync. For these features to be implemented on a mobile phone, the mailbox requires an Exchange Enterprise client access license (CAL).

    • Allow browser   Select this check box to allow mobile phones to use Pocket Internet Explorer.

      Note:
      This check box doesn't control access to third-party mobile phone browsers.

    • Allow consumer mail   Select this check box to allow the mobile phone to access e-mail accounts other than Microsoft Exchange accounts. Consumer e-mail accounts include accounts that are accessed through POP3 and IMAP4.

      Note:
      This check box doesn't control access to third-party mobile phone e-mail applications.

    • Allow unsigned applications   Select this check box to allow unsigned applications to be installed on the mobile phone.

    • Allow unsigned installation packages   Select this check box to allow unsigned installation packages to be run on the mobile phone.

  9. Use the Other tab to specify allowed and blocked applications. All settings that you access on the Other tab of the Exchange ActiveSync policy Properties pages are premium features of Exchange ActiveSync. For these features to be implemented on a mobile phone, the mailbox requires an Exchange Enterprise client access license (CAL).

    • Allowed Applications   You can add applications to or remove them from the Allowed Applications list. Allowed applications can be installed and run on the mobile phone. Click Add to add an application, and click Delete to remove an application.

    • Blocked Applications   You can add applications to or remove them from the Blocked Applications list. Blocked applications are prohibited from running on the mobile phone. Click Add to add an application, and click Delete to remove an application.

Use the Shell to view Exchange ActiveSync mailbox policy settings

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Exchange ActiveSync mailbox policy settings" entry in the Client Access Permissions topic.

This example returns all the settings for the Exchange ActiveSync mailbox policy named Sales Policy.

Get-ActiveSyncMailboxPolicy -Identity "SalesPolicy"

For more information about syntax and parameters, see Get-ActiveSyncMailboxPolicy.
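
To review every policy at once rather than one by name, the following added example (not part of the original topic) reports policies that use the weaker options described in the EMC procedure above. The function name Test-ActiveSyncPolicy and the three thresholds are assumptions for illustration; the property names match the Set-ActiveSyncMailboxPolicy parameters used in this topic.

```powershell
# Added example: audit all Exchange ActiveSync mailbox policies.
# Run in the Exchange Management Shell. Thresholds below are assumptions.
$MaxFailedAttempts = 10   # assumed upper bound for failed attempts before wipe
$MaxIdleMinutes    = 15   # assumed upper bound for the inactivity lock
$MinLength         = 4    # low end of the four-to-six range recommended above

function Test-ActiveSyncPolicy {   # hypothetical helper, not an Exchange cmdlet
    param($Policy)
    $findings = @()
    if ($Policy.AllowNonProvisionableDevices) {
        $findings += 'Non-provisionable devices allowed (some settings may not be applied)'
    }
    if (-not $Policy.DevicePasswordEnabled) {
        $findings += 'Device password not required'
    } else {
        if ($Policy.AllowSimpleDevicePassword) {
            $findings += 'Simple passwords such as 1111 or 1234 allowed'
        }
        if (-not $Policy.AlphanumericDevicePasswordRequired) {
            $findings += 'Alphanumeric password not required'
        }
        # Values that can be "Unlimited" are compared as strings so the check
        # also works on deserialized objects returned by remote PowerShell.
        $attempts = "$($Policy.MaxDevicePasswordFailedAttempts)"
        if ($attempts -eq 'Unlimited' -or [int]$attempts -gt $MaxFailedAttempts) {
            $findings += "MaxDevicePasswordFailedAttempts is $attempts"
        }
        $idle = "$($Policy.MaxInactivityTimeDeviceLock)"
        if ($idle -eq 'Unlimited' -or ([TimeSpan]$idle).TotalMinutes -gt $MaxIdleMinutes) {
            $findings += "MaxInactivityTimeDeviceLock is $idle"
        }
        $len = $Policy.MinDevicePasswordLength
        if (-not $len -or [int]"$len" -lt $MinLength) {
            $findings += "MinDevicePasswordLength is '$len'"
        }
    }
    if (-not $Policy.DeviceEncryptionEnabled) {
        $findings += 'DeviceEncryptionEnabled is false'
    }
    $findings
}

# One output row per finding, grouped by policy name.
Get-ActiveSyncMailboxPolicy | ForEach-Object {
    $policy = $_
    Test-ActiveSyncPolicy -Policy $policy | ForEach-Object {
        New-Object PSObject -Property @{ Policy = $policy.Name; Finding = $_ }
    }
} | Sort-Object Policy | Format-Table Policy, Finding -AutoSize -Wrap
```

A policy that produces no rows meets the assumed baseline; adjust the thresholds to your organization's requirements.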

Use the Shell to configure Exchange ActiveSync mailbox policy settings

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Exchange ActiveSync mailbox policy settings" entry in the Client Access Permissions topic.

This example sets a variety of settings for the Exchange ActiveSync mailbox policy named MyPolicy. The settings that are configured include the following:

  • Allowing non-provisionable devices

  • Requiring an alphanumeric password

  • Setting the device password to expire every 12 days

  • Allowing password recovery

  • Locking the device after 15 minutes of inactivity

Set-ActiveSyncMailboxPolicy -Identity MyPolicy -AllowNonProvisionableDevices $true -AllowSimpleDevicePassword $true -AlphanumericDevicePasswordRequired $true -AttachmentsEnabled $true -DeviceEncryptionEnabled $false -DevicePasswordEnabled $true -DevicePasswordExpiration 12 -DevicePasswordHistory 20 -DevicePolicyRefreshInterval 01:00:00 -MaxAttachmentSize 4 -MaxDevicePasswordFailedAttempts 5 -MaxInactivityTimeDeviceLock 00:15:00 -MinDevicePasswordLength 4 -PasswordRecoveryEnabled $true -UNCAccessEnabled $false -WSSAccessEnabled $false

For more information about syntax and parameters, see Set-ActiveSyncMailboxPolicy.

Other Tasks

After you configure Exchange ActiveSync mailbox policies, you may also want to Perform a Remote Wipe on a Mobile Phone.