Exchange Mobility Provider::SetUserPolicy
The SetUserPolicy method sets a mobile policy on a user's Active Directory object. The existing policy is stored so that it can be rolled back. If the user does not yet have a salt attribute, one is generated; if one already exists, it is not modified. Because of the sensitivity of the salt attribute, it is never rolled back. The policy is stored in the msExchOmaExtendedProperties attribute collection in an entry that starts with "PolicyData:".
The policy refresh interval value is stored in the msExchOmaExtendedProperties attribute collection and starts with "PolicyDataRefreshInterval:".
The policy salt value is stored in the msExchOmaExtendedProperties attribute collection and starts with "PolicyDataSalt:". Once the salt value is created, it is never deleted or changed. The salt value is created using a random number that is base64 encoded.
The policy key value is stored in the msExchOmaExtendedProperties attribute collection and starts with "PolicyKey:". Every time the policy is changed, this key is replaced with a new string of random numbers.
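The storage and rollback rules above, simulated on a list of strings that stands in for the multi-valued msExchOmaExtendedProperties attribute. This is an added example, not Hosted Messaging and Collaboration code: it does not touch Active Directory, the base64 encoding of the policy XML inside the "PolicyData:" entry and the 32-digit key length are assumptions, and only the behaviours the page states (salt created once and never modified, key regenerated on every change, policy and key restored on rollback, salt never rolled back) are modelled.

```python
"""Simulation of SetUserPolicy's bookkeeping on msExchOmaExtendedProperties.
Added example: the real provider writes to Active Directory; this operates on
a plain list of strings that stands in for the multi-valued attribute."""
import base64
import os
import secrets

POLICY = "PolicyData:"
REFRESH = "PolicyDataRefreshInterval:"
SALT = "PolicyDataSalt:"
KEY = "PolicyKey:"


def get_entry(values, prefix):
    """Return the text after `prefix` in the first matching entry, or None."""
    for v in values:
        if v.startswith(prefix):
            return v[len(prefix):]
    return None


def get_policy_xml(values):
    """Decode the stored policy (base64 storage is this example's assumption)."""
    stored = get_entry(values, POLICY)
    return None if stored is None else base64.b64decode(stored).decode()


def _replace(values, prefix, new_value):
    """Drop every entry with `prefix`; append `prefix + new_value` unless it is None."""
    kept = [v for v in values if not v.startswith(prefix)]
    if new_value is not None:
        kept.append(prefix + new_value)
    return kept


def set_user_policy(values, policy_xml, refresh_interval):
    """Apply a policy and return (new attribute values, rollback record).

    Only the previous policy and key are recorded, because the page states
    that those two are what rollback restores.
    """
    record = {"policy": get_entry(values, POLICY), "key": get_entry(values, KEY)}
    new = _replace(values, POLICY, base64.b64encode(policy_xml.encode()).decode())
    new = _replace(new, REFRESH, str(int(refresh_interval)))
    # The key changes on every policy change: a fresh string of random digits
    # (32 digits is an assumed length; the page gives none).
    new = _replace(new, KEY, "".join(str(secrets.randbelow(10)) for _ in range(32)))
    # The salt is generated only when absent and afterwards never modified.
    if get_entry(new, SALT) is None:
        new = _replace(new, SALT, base64.b64encode(os.urandom(16)).decode())
    return new, record


def rollback(values, record):
    """Restore the previous policy and key; the salt is deliberately untouched."""
    values = _replace(values, POLICY, record["policy"])
    return _replace(values, KEY, record["key"])
```

Calling set_user_policy twice and then rollback shows the asymmetry the page describes: the second call keeps the first salt but mints a new key, and rollback brings back the first policy and key while the salt survives even a rollback of the very first call.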
Arguments
Input argument | Required | Description |
---|---|---|
preferredDomainController | Yes | The name of the preferred domain controller in the Service Provider domain. Type=string. |
path | Yes | The Lightweight Directory Access Protocol (LDAP) path of the user. Type=string. |
aeFrequencyType | Yes | Selects the inactivity time-out behaviour of the device. Type=string. The list of values for this parameter is not reproduced on this page; with a value of "0", aeFrequencyValue has no effect (see below). |
aeFrequencyValue | Yes | The number of minutes of inactivity before the device locks itself (ignored if AEFrequencyType is "0"). Type=string. |
deviceWipeThreshold | Yes | The number of failed personal identification number (PIN) entry attempts before the device wipes itself. If set to "-1", this feature is disabled. Type=string. |
codewordFrequency | Yes | To prevent accidental button presses from triggering the local wipe enabled by "DeviceWipeThreshold", the device prompts for a specific codeword every "X" failed attempts. This parameter sets the number of failed attempts before the codeword prompt. ESM (Exchange System Manager) has no UI for this setting and sets it to half of the "DeviceWipeThreshold" value. Type=string. |
minimumPasswordLength | Yes | Sets the minimum PIN length the user can enter. Type=string. |
passwordComplexity | Yes | Sets the complexity of the PIN. Type=string. The list of values for this parameter is not reproduced on this page. Note: ESM only sets "0" or "2". |
Remarks
Rollback
For the SetUserPolicy method, the previously applied policy and policy key are restored upon rollback. The salt attribute is not restored (see the description above).
Example Policy
The following is an example of a mobile security policy defined in XML:
<wap-provisioningdoc>
<characteristic type="SecurityPolicy">
<parm name="4131" value="0"/>
</characteristic>
<characteristic type="Registry">
<characteristic type="HKLM\Comm\Security\Policy\LASSD\AE\{50C13377-C66D-400C-889E-C316FC4AB374}">
<parm name="AEFrequencyType" value="1"/>
<parm name="AEFrequencyValue" value="5"/>
</characteristic>
<characteristic type="HKLM\Comm\Security\Policy\LASSD">
<parm name="DeviceWipeThreshold" value="20"/>
</characteristic>
<characteristic type="HKLM\Comm\Security\Policy\LASSD">
<parm name="CodewordFrequency" value="5"/>
</characteristic>
<characteristic type="HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw">
<parm name="MinimumPasswordLength" value="8"/>
</characteristic>
<characteristic type="HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw">
<parm name="PasswordComplexity" value="0"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
Sample Code
Example XML Request
The following is an example of an XML request for the SetUserPolicy method of the Exchange Mobility Provider:
<request>
<procedure>
<execute namespace="Exchange Mobility Provider" procedure="SetUserPolicy" impersonate="1">
<executeData>
<preferredDomainController>ad01.fabrikam.com</preferredDomainController>
<path>LDAP://CN=user@alpineskihouse.com,OU=AlpineSkiHouse,OU=ConsolidatedMessenger,OU=Hosting,DC=Fabrikam,DC=Com</path>
<properties>
<property name="AEFrequencyValue">2</property>
<property name="DeviceWipeThreshold">4</property>
<property name="CodeWordFrequency">2</property>
<property name="MinimumPasswordLength">6</property>
<property name="PasswordComplexity">0</property>
<property name="AEFrequencyType">1</property>
<property name="RefreshInterval">100</property>
</properties>
</executeData>
<after source="executeData" destination="data" mode="merge"/>
</execute>
</procedure>
</request>
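The two documents shown on this page, the wap-provisioningdoc under Example Policy and the SetUserPolicy request under Example XML Request, generated from one set of policy parameters and checked for the constraints the Arguments table implies. This is an added example and not provider code: the registry paths, the SecurityPolicy parm "4131", the element and attribute names are copied from the page's own examples, the sample parameter values are constructed to match the request above, and the validation rules (codeword prompt must come before the wipe threshold, time-out must be at least one minute when enabled) are this example's, not something the provider enforces.

```python
"""Build the mobile policy document and the SetUserPolicy request.
Added example; not Hosted Messaging and Collaboration code."""
import xml.etree.ElementTree as ET

LASSD = r"HKLM\Comm\Security\Policy\LASSD"
AE_KEY = LASSD + "\\AE\\{50C13377-C66D-400C-889E-C316FC4AB374}"
LAP_KEY = LASSD + r"\LAP\lap_pw"

POLICY_PARAMS = ("AEFrequencyType", "AEFrequencyValue", "DeviceWipeThreshold",
                 "CodewordFrequency", "MinimumPasswordLength", "PasswordComplexity")
# The sample request on the page spells one property differently from the policy document.
REQUEST_NAMES = {"CodewordFrequency": "CodeWordFrequency"}


def validate_policy(params):
    """Return the six policy parameters as strings after this example's sanity checks.
    The provider types every argument as string; integers are accepted here for convenience.
    A missing parameter raises KeyError."""
    p = {name: str(params[name]) for name in POLICY_PARAMS}
    wipe = int(p["DeviceWipeThreshold"])
    if wipe != -1 and wipe < 1:
        raise ValueError("DeviceWipeThreshold must be -1 (disabled) or a positive attempt count")
    if wipe != -1 and not 0 < int(p["CodewordFrequency"]) < wipe:
        # The codeword prompt is only useful if it happens before the wipe
        # (ESM uses half of DeviceWipeThreshold).
        raise ValueError("CodewordFrequency must lie between 1 and DeviceWipeThreshold-1")
    if int(p["AEFrequencyType"]) != 0 and int(p["AEFrequencyValue"]) < 1:
        raise ValueError("AEFrequencyValue must be at least 1 minute when a time-out is enabled")
    if int(p["MinimumPasswordLength"]) < 1:
        raise ValueError("MinimumPasswordLength must be positive")
    return p


def wap_provisioning_doc(params):
    """Render the policy in the wap-provisioningdoc form shown under Example Policy."""
    p = validate_policy(params)
    root = ET.Element("wap-provisioningdoc")
    sec = ET.SubElement(root, "characteristic", type="SecurityPolicy")
    ET.SubElement(sec, "parm", name="4131", value="0")  # as in the page's example
    reg = ET.SubElement(root, "characteristic", type="Registry")

    def reg_key(path, *names):
        node = ET.SubElement(reg, "characteristic", type=path)
        for n in names:
            ET.SubElement(node, "parm", name=n, value=p[n])

    reg_key(AE_KEY, "AEFrequencyType", "AEFrequencyValue")
    reg_key(LASSD, "DeviceWipeThreshold")
    reg_key(LASSD, "CodewordFrequency")
    reg_key(LAP_KEY, "MinimumPasswordLength")
    reg_key(LAP_KEY, "PasswordComplexity")
    return ET.tostring(root, encoding="unicode")


def set_user_policy_request(preferred_dc, ldap_path, params, refresh_interval):
    """Build the provisioning request that calls SetUserPolicy, as in the Example XML Request."""
    p = validate_policy(params)
    req = ET.Element("request")
    proc = ET.SubElement(req, "procedure")
    ex = ET.SubElement(proc, "execute", namespace="Exchange Mobility Provider",
                       procedure="SetUserPolicy", impersonate="1")
    data = ET.SubElement(ex, "executeData")
    ET.SubElement(data, "preferredDomainController").text = preferred_dc
    ET.SubElement(data, "path").text = ldap_path
    props = ET.SubElement(data, "properties")
    for name, value in p.items():
        ET.SubElement(props, "property", name=REQUEST_NAMES.get(name, name)).text = value
    ET.SubElement(props, "property", name="RefreshInterval").text = str(int(refresh_interval))
    ET.SubElement(ex, "after", source="executeData", destination="data", mode="merge")
    return ET.tostring(req, encoding="unicode")


def parm_value(policy_xml, name):
    """Read a parm value back out of a generated policy document."""
    node = ET.fromstring(policy_xml).find(".//parm[@name='%s']" % name)
    return None if node is None else node.get("value")


def property_value(request_xml, name):
    """Read a property value back out of a generated request."""
    node = ET.fromstring(request_xml).find(".//property[@name='%s']" % name)
    return None if node is None else node.text


# Constructed sample input matching the request shown on the page.
SAMPLE_POLICY = {"AEFrequencyType": 1, "AEFrequencyValue": 2, "DeviceWipeThreshold": 4,
                 "CodewordFrequency": 2, "MinimumPasswordLength": 6, "PasswordComplexity": 0}
```

Because both generators run the same validate_policy, a parameter set that would produce a policy document with a codeword frequency at or above the wipe threshold is rejected before it is turned into a request, which is the check ESM's "half of DeviceWipeThreshold" default implicitly provides and a direct caller of the API would otherwise have to remember.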
Applies To
Exchange Mobility Provider API for:
- Hosted Messaging and Collaboration version 3.5