Supported Exchange ActiveSync policy settings

June 25, 2014

Similar to Group Policy settings for PC operating systems, Exchange ActiveSync (EAS) mailbox policies allow an administrator to apply a common set of policy and security settings to a group of users. Windows Phone 8.1 supports the use of the Exchange ActiveSync protocol for synchronizing email, calendar, task, and contact information with Exchange Server or Microsoft Office 365.

Exchange Server versions supported

The following table lists the service pack versions that are supported for each version of Exchange Server.

Server Version

Service pack

Exchange Server 2003

  • Service Pack 2

Exchange Server 2007

  • All service packs

Exchange Server 2010

  • All service packs

Small Business Server 2008

  • All service packs

Exchange Server 2013

  • All service packs

Microsoft Office 365

  • Current Exchange Online version

Supported Exchange ActiveSync policy settings

EAS security-related configuration policy settings that can be managed by using the Exchange Management Console include those shown in the following table.

Policy

Description

AllowSimpleDevicePassword

  • Specifies whether a simple device password is allowed. A simple password is a password that has only repeated ("2222") or sequential ("abcd") characters. The default is $true.

AlphanumericDevicePasswordRequired

  • Specifies whether the password for the phone must be alphanumeric. The default is $false.

DevicePasswordEnabled

  • Specifies whether a password is required. When set to $true, DevicePasswordEnabled requires that the user set a password for the phone. The default is $false.

DevicePasswordExpiration

  • Specifies the length of time, in days, that a password can be used. After this length of time, a new password must be created. The format of the setting is dd.hh.mm:ss; for example, 24.00:00 = 24 hours.

DevicePasswordHistory

  • Specifies the number of previously used passwords to store. When a user creates a new password, the user can't reuse a stored password that was previously used.

IrmEnabled

  • Specifies whether Information Rights Management (IRM) is enabled for the mailbox policy.

MaxDevicePasswordFailedAttempts

  • Specifies the number of attempts a user can make to enter the correct password for the phone before a device reset to factory settings is initiated. You can specify any number from 4 through 16. The default is 8.

MaxInactivityTimeDeviceLock

  • Specifies the length of time that the phone can be inactive before the password is required to reactivate it. You can specify any interval between 30 seconds and 1 hour. The default is 15 minutes. The format of the setting is hh.mm:ss; for example, 15:00 = 15 minutes.

MinDevicePasswordComplexCharacters

  • Specifies the number of character groups that are required to be present in the password. The character groups are defined as:

    • Lowercase alphabetical characters

    • Uppercase alphabetical characters

    • Numbers

    • Non-alphanumeric characters

For example, if the value of MinDevicePasswordComplexCharacters is 2, a password with both uppercase and lowercase alphabetical characters would be sufficient, as would a password with lowercase alphabetical characters and numbers.

MinDevicePasswordLength

  • Specifies the minimum number of characters in the device password. You can specify any number from 1 through 16. The maximum length a password can be is 16 characters. The default is 4.

RequireDeviceEncryption

  • Specifies whether encryption is required on the device. Once set, device encryption automatically begins on the internal storage of the phone. The default is $false.

RemoteWipe

  • Deletes data on the user data partition and resets the phone to default settings.

AllowNonProvisionableDevices

  • Specifies whether phones that cannot enforce all policy settings are allowed to synchronize with the server running Exchange. When set to $true, it enables all phones to synchronize with the Exchange server, regardless of whether the phone can enforce all the specific settings established in the Exchange ActiveSync policy. This policy also includes phones that are managed by a separate device management system. When set to $false, this setting blocks phones that aren't provisioned from synchronizing with the Exchange server. The default is $false.

AllowStorageCard

  • Specifies whether the phone can access information stored on a storage card. The default is $true.

AllowBluetooth

  • Specifies whether a device allows Bluetooth connections. The default is $true.

AllowInternetSharing

  • This setting specifies whether the device can be used as a portable hotspot for providing internet to other devices. The default is $true.

AllowCamera

  • Specifies whether a device’s camera can be used. The default is $true.

AllowSMIMEEncryptionAlgorithmNegotiation

  • Specifies whether negotiation of the encryption algorithm is permitted.

AllowSMIMESoftCerts

  • Specifies whether the client can use soft certificates to sign outgoing messages.

RequireEncryptedSMIMEMessages

  • If this policy is set, then the email application will encrypt all outgoing messages.

RequireEncryptedSMIMEAlgorithm

  • If this policy is set and a message is encrypted, then the email application will require the specified algorithm for encryption for all outgoing messages.

RequireSignedSMIMEAlgorithm

  • If this policy is set and a message is encrypted, then the email application will require the specified algorithm for encryption for all outgoing messages.

RequireSignedSMIMEMessages

  • If this policy is set, then all outgoing messages are signed.
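
Several of the defaults listed above leave a phone without a required password or encryption. The following is an added example, not part of the original page or Microsoft's own code: a PowerShell function that checks policy objects against a baseline and reports which settings fall short. The function name Test-EasPolicyBaseline, the baseline thresholds and the sample policies are assumptions constructed for illustration; the property names follow the table above.

```powershell
# Added example: audit EAS mailbox policy objects against a security baseline.
function Test-EasPolicyBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    begin {
        # Settings that must equal a fixed value (baseline is an assumption).
        # The documented defaults of the first three all fail these checks.
        $required = [ordered]@{
            DevicePasswordEnabled        = $true
            AllowSimpleDevicePassword    = $false
            RequireDeviceEncryption      = $true
            AllowNonProvisionableDevices = $false
        }
        $minLength   = 6   # assumption; the documented default is 4
        $maxAttempts = 8   # assumption; the documented range is 4 through 16
    }
    process {
        $issues = @()
        foreach ($name in $required.Keys) {
            # A missing (null) property also counts as non-compliant.
            if ($Policy.$name -ne $required[$name]) {
                $issues += "$name is '$($Policy.$name)', expected '$($required[$name])'"
            }
        }
        if ($Policy.MinDevicePasswordLength -lt $minLength) {
            $issues += "MinDevicePasswordLength is below $minLength"
        }
        if ($Policy.MaxDevicePasswordFailedAttempts -gt $maxAttempts) {
            $issues += "MaxDevicePasswordFailedAttempts is above $maxAttempts"
        }
        [pscustomobject]@{
            Policy    = $Policy.Name
            Compliant = ($issues.Count -eq 0)
            Issues    = $issues
        }
    }
}

# Constructed sample input: one policy at the documented defaults, one hardened.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Default'; DevicePasswordEnabled = $false; AllowSimpleDevicePassword = $true; RequireDeviceEncryption = $false; AllowNonProvisionableDevices = $false; MinDevicePasswordLength = 4; MaxDevicePasswordFailedAttempts = 8 }
    [pscustomobject]@{ Name = 'Hardened'; DevicePasswordEnabled = $true; AllowSimpleDevicePassword = $false; RequireDeviceEncryption = $true; AllowNonProvisionableDevices = $false; MinDevicePasswordLength = 8; MaxDevicePasswordFailedAttempts = 6 }
)
$samplePolicies | Test-EasPolicyBaseline | Format-List
```

The 'Default' sample is reported as non-compliant with four issues (password not required, simple passwords allowed, encryption not required, minimum length below the baseline), and 'Hardened' passes.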