Configuring Exchange ActiveSync Policies, Part 1
If you have been using Exchange Server for a while, then you probably remember when Microsoft introduced ActiveSync policies in Exchange Server 2003 SP2. The policies that were available in that version of Exchange Server were a good start, but there were a bit lacking. For starters, you only have the option of creating a single ActiveSync policy, and that policy would apply globally to all mobile users. Furthermore, there were only a few security settings available. You could enforce password usage, set a device timeout period, or perform a remote wipe, but there wasn’t a whole lot else.
Creating a New ActiveSync Policy
For the sake of demonstration, I want to start out by showing you how to create a basic ActiveSync policy in Exchange Server 2007. After I do, I will go back and show you how to incorporate some of the new security settings into the policy, and how to assign the policy to a specific mailbox.
Begin the configuration process by opening the Exchange Management Console, and navigating through the console tree to Organization Configuration | Client Access. Next, click the New Exchange ActiveSync Mailbox Policy link, found in the Actions pane. When you do, Exchange will launch the New Exchange ActiveSync Mailbox Policy wizard.
The first thing that you have to do is to enter a name for the policy that you are creating. You can call the policy anything that you want, but I recommend using a name that is at least somewhat descriptive.
After you enter a policy name, you can begin filling in some of the initial security settings for the new policy. As you can see in Figure A, the first decision that you will have to make is whether or not you want to allow non provisionable devices. This setting allows you to decide whether or not you want to allow devices that do not fully support the security policy that you’re creating. Just beneath this check box is another check box that you can use to control whether or not you want to allow attachments to be downloaded to the mobile device to which the policy applies.
Figure A The New Exchange ActiveSync Mailbox Policy screen gives you the opportunity to provide some initial security settings.
The third check box from the top is that Require Password check box. By default, mobile devices do not require users to use passwords. If you select this check box, then there are a number of additional check boxes beneath it that you can use to specify the type of password that must be used on the mobile device. For example, you can allow a simple password, or you can require an alphanumeric password. You can also specify the amount of time without user input after which the user must reenter their password. Another handy option is the option to set a password expiration period. You can also retain a password history to prevent users from reusing previously used passwords.
As you can see in the figure, the wizard also contains some options to enable password recovery, and to require encryption on the device. I will be talking more about these options later on in the series.
When you finish entering the various security settings, click the New button to create the policy. When you do, the new policy should be displayed on the Exchange ActiveSync Mailbox Policies tab, as shown in Figure B.
Figure B The new ActiveSync policy should be displayed on the Exchange ActiveSync Mailbox Policies tab.
In this article, I have shown you how to create a basic ActiveSync policy. In Part 2, I will continue the discussion by showing you how to add some of the new security settings to the policy, and how to assign the policy to a mailbox.
Got a question? Post it on our Exchange Server Forums!