Step 5: Configure and Manage Windows Phone Access on the Exchange Server

7/2/2010

With the Microsoft Exchange Server 2010 installation, Exchange ActiveSync features are enabled for all client phones at the organizational level. If your security setup accepts the trusted certificates that are shipped on the phones, all you need to do is instruct your users who have phones that run the Windows Mobile 6.5 operating system to sign in using the Exchange ActiveSync application on the device.

Note:
If you want to establish a central security policy, use the Exchange Management Console to configure it for all users; follow the instructions in Configuring Security Settings for Phones later in this topic.

You can perform the following management functions on your Exchange Server:

  • Create Exchange ActiveSync mailbox policies
  • Configure security settings for phones with mailbox policy
  • Apply a mailbox policy to a user
  • Initiate a remote device wipe
  • Disable Exchange ActiveSync

All Exchange ActiveSync features are enabled during a default installation of Microsoft Exchange Server 2010. You can modify the feature settings at the Exchange server level with Exchange Management Console, and enable or disable Exchange ActiveSync features for individual users or groups of users with Active Directory.

You can create Exchange ActiveSync mailbox policies to simplify management of your Exchange ActiveSync devices. These policies can be applied to each Exchange ActiveSync user and can help you apply specific settings to a user's phone. A mailbox policy holds a group of settings for Microsoft Exchange ActiveSync. These settings include password, encryption, and attachment settings. You can use default mailbox policies when you install the Client Access server role on a computer running Microsoft Exchange Server 2010. You can create multiple mailbox policies and assign users to these policies.

To perform the following procedures on a computer that has the Client Access Server role installed, you must log on using a domain account that has the permissions assigned to the Exchange Recipient Administrators group. The account must also be a member of the local Administrators group on that computer.

To use the Exchange Management Console to create an Exchange ActiveSync mailbox policy

  1. In the console tree, expand the Organization Configuration node, click Client Access, and then click the Exchange ActiveSync Mailbox Policies tab.
  2. In the Actions pane, click New Exchange ActiveSync mailbox policy.
  3. On the New Exchange ActiveSync Mailbox Policy wizard page, enter a name in the Mailbox policy name box.
  4. Click the Require password check box and select one or more of the optional check boxes.
  5. Click New.
  6. Click Finish to close the New Exchange ActiveSync Mailbox Policy wizard.

You can specify security options for Windows® phone users who connect to your Exchange server. With the Exchange Management Console, you can set the length and strength of the password, the amount of inactivity time, and the number of failed attempts that can occur before the mobile device is wiped.

For more information about understanding and setting mailbox policies, see Managing Exchange ActiveSync with Policies on the Microsoft TechNet Web site.

Note:
The term password in this topic refers to the password that a user enters to unlock his or her phone. It is not the same as a network user password.

The following table presents the options you can use to set your security policies.

| Exchange Security Policies or Mailbox Policies | Exchange Server 2007 | Exchange Server 2010 |
|---|---|---|
| Require a password to access and configure the device | X | X |
| Set a minimum password length | X | X |
| Require an alphanumeric password | X | X |
| Specify how many minutes of inactivity before the device locks | X | X |
| Wipe the device remotely | X | X |
| Wipe the storage card remotely | X | X |
| Allow access to non-provisional (pre-Messaging and Security Feature Pack) phones | X | X |
| Set the policy refresh interval | X | X |
| Allow or disallow attachments to be downloaded | X | X |
| Set maximum attachment size | X | X |
| Enable encryption on the removable storage card | X | X |
| Set password expiration date | X | X |
| Enable password recovery | X | X |
| Prevent patterned PIN (1111 or 1234) on device | X | X |
| Specify how many failed password attempts before device wipe | X | X |
| Specify how many failed password attempts before storage card wipe | X | X |
| Allow or disallow access to files on Universal Naming Convention (UNC) shares | X | X |
| Allow or disallow access to files on SharePoint Services sites | X | X |

After you create an Exchange ActiveSync mailbox policy, you can add users to it. By default, users are assigned to a mailbox policy. You can add a user to only one mailbox policy at a time. If you add a user to an Exchange ActiveSync mailbox policy and that user is already a member of another Exchange ActiveSync mailbox policy, that user is removed from the original Exchange ActiveSync mailbox policy and added to the new Exchange ActiveSync mailbox policy. You can add users individually or add a filtered group of users to an Exchange ActiveSync mailbox policy.

To apply a mailbox policy to a user

  1. In the console tree, expand the Recipient Configuration node, and then click Mailbox.
  2. In the work pane, right-click the user who you want to assign to a policy, and then click Properties.
  3. In the user's Properties dialog box, click Mailbox Features.
  4. Click Exchange ActiveSync, and then click Properties.
  5. Select the Apply an Exchange ActiveSync mailbox policy check box.
  6. Click Browse to view the Select Exchange ActiveSync Mailbox Policy dialog box.
  7. Select an available policy, and then click OK to apply the policy.
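
The policy settings in the table above and the assignment procedure can also be scripted and audited from the Exchange Management Shell. The following is an added example, not part of the original topic; the policy name, mailbox address and every threshold value are assumptions chosen for illustration.

```powershell
# Run in the Exchange Management Shell on Exchange Server 2010.
# Policy name, mailbox and all numeric values below are assumed examples.
$policyName = 'Windows Phone Baseline'
$mailbox    = 'user@example.com'

# Create a policy with the phone-unlock password controls from the table:
# password required, minimum length, alphanumeric, no patterned PIN,
# inactivity lock, wipe after failed attempts, storage card encryption,
# and no access for non-provisionable phones.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to one mailbox. A user holds only one policy at a
# time, so this replaces whatever policy the mailbox had before.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Audit 1: policies that leave a baseline control switched off.
# The failed-attempts value is compared as text so the check also works
# on objects returned through a remote session.
Get-ActiveSyncMailboxPolicy | Where-Object {
    -not $_.DevicePasswordEnabled -or
    $_.AllowSimpleDevicePassword -or
    $_.AllowNonProvisionableDevices -or
    "$($_.MaxDevicePasswordFailedAttempts)" -eq 'Unlimited'
} | Select-Object Name, DevicePasswordEnabled, AllowSimpleDevicePassword,
    AllowNonProvisionableDevices, MaxDevicePasswordFailedAttempts

# Audit 2: every ActiveSync-enabled mailbox and the policy it receives.
# A blank ActiveSyncMailboxPolicy column means no explicit assignment.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncMailboxPolicy
```

The first audit query returns nothing when every policy meets the baseline, which makes it suitable for a scheduled check after policy changes.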

Procedures for performing a device wipe are detailed in this section.

Remote Device Wipe vs. Local Device Wipe

Local device wipe is the mechanism by which a device wipes itself without the request coming from the server. If your organization has implemented Exchange ActiveSync policies that specify a maximum number of password attempts and that maximum is exceeded, the device will perform a local device wipe. The result of a local device wipe is the same as that of a remote device wipe. The device is returned to its factory default condition. No confirmation is sent to the Exchange Server when a device performs a local device wipe.

Note:
In addition to resetting the phone to factory default condition, a remote device wipe also deletes all data on any storage card in the phone. If you are performing a remote device wipe on a phone in your possession and want to retain the data on the storage card, remove the storage card before you initiate the remote device wipe.

To use the Exchange Management Console to perform a remote device wipe

  1. Open the Exchange Management Console.
  2. Under Recipient Configuration, select Mailbox.
  3. Select the user from the Mailbox window.
  4. In the Actions pane, click Manage mobile device, or right-click the user's mailbox, and then click Manage mobile device.
  5. Select the Windows® phone to be wiped.
  6. In the Action section, select Perform a remote wipe to clear mobile phone data.
  7. Click Clear at the bottom of the window to finish.

To use Outlook Web Access to perform a remote device wipe

  1. Open Outlook Web Access.
  2. Log on to the phone owner's mailbox.
  3. Click Options.
  4. In the Navigation pane, select Mobile Phones.
  5. Select the ID of the phone that you want to wipe and remove from the list.
  6. Click Wipe all data from device.
  7. Click OK.
  8. Click Remove device from list.
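
A remote wipe takes effect only when the phone next contacts the server, so the request should be followed by a check that the device acknowledged it. The following Exchange Management Shell sketch is an added example, not part of the original topic; the mailbox, device ID and notification address are placeholders, and `Get-WipeState` is a hypothetical helper defined in the block.

```powershell
# Run in the Exchange Management Shell on Exchange Server 2010.
# Mailbox, device ID and notification address are placeholders.
$mailbox  = 'user@example.com'
$deviceId = '<DEVICE-ID>'          # copy from the listing in step 1
$notify   = 'admin@example.com'

# Hypothetical helper: classify a partnership from its wipe timestamps.
function Get-WipeState($stats) {
    if ($stats.DeviceWipeAckTime)     { return 'Acknowledged by device' }
    if ($stats.DeviceWipeSentTime)    { return 'Sent, awaiting acknowledgement' }
    if ($stats.DeviceWipeRequestTime) { return 'Requested, device has not synced yet' }
    return 'No wipe requested'
}

# 1. List every phone partnered with the mailbox.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mailbox)
$devices | Select-Object DeviceType, DeviceID, LastSuccessSync,
    @{ Name = 'WipeState'; Expression = { Get-WipeState $_ } }

# 2. Resolve exactly one target so the wrong phone is never wiped.
$target = @($devices | Where-Object { $_.DeviceID -eq $deviceId })
if ($target.Count -ne 1) {
    throw "Expected one device with ID $deviceId, found $($target.Count)."
}

# 3. Request the wipe. -Confirm keeps an interactive prompt in front of
#    the destructive action; the notification address receives the
#    confirmation message when the wipe completes.
Clear-ActiveSyncDevice -Identity $target[0].Identity `
    -NotificationEmailAddresses $notify -Confirm

# 4. Re-run this query later. The wipe is confirmed only once
#    DeviceWipeAckTime is populated.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $deviceId } |
    Select-Object DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime,
        DeviceWipeAckTime, @{ Name = 'WipeState'; Expression = { Get-WipeState $_ } }
```

A partnership that stays in the requested state means the phone has not synchronized since the request. A local device wipe never appears in these fields, because the phone sends no confirmation to the server in that case.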

This section describes how to disable Microsoft Exchange ActiveSync. When you disable Exchange ActiveSync on a computer that is running Microsoft Exchange Server 2010 that has the Client Access Server role installed, you disable the application pool that Exchange ActiveSync uses. An application pool is a group of processes used by Internet Information Services (IIS) to perform a task.

Note:
Although this guide focuses on the implementation of a mobile messaging system with Exchange ActiveSync enabled, it may be necessary at times to disable this functionality during maintenance of your network infrastructure or mobile messaging system, and for testing.

To perform the following procedures on a computer that has the Client Access Server role installed, you must log on by using a domain account that has the permissions assigned to the Exchange Organization Administrators group. The account must also be a member of the local Administrators group on that computer.

Also, before you perform these procedures, confirm the following:

  • You have installed the Microsoft Internet Information Services (IIS) component Microsoft ASP.NET.
  • The ASP.NET Web service extension status is set to Allowed. You can verify the status of the ASP.NET Web service extension in IIS Manager by expanding the server name, and then clicking Web Service Extensions. If the ASP.NET Web service extension is not set to Allowed, right-click the Web service extension to change the status.

To use IIS Manager to disable Microsoft Exchange Server 2010 Exchange ActiveSync

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Double-click to expand the server name, and then double-click to expand the Application Pools folder.
  3. Right-click MSExchangeSyncAppPool, and then click Stop to disable Exchange ActiveSync.
    Note:
    If the Stop command is unavailable, Exchange ActiveSync is already disabled on this server.

For more information about how to enable Exchange ActiveSync, see Managing Exchange ActiveSync on the Microsoft TechNet Web site.

© 2014 Microsoft