Exchange Mobility Provider::SetUserPolicy

The SetUserPolicy method sets a mobile policy on a user's Active Directory object. The existing policy is stored for rollback. If the user does not have the salt attribute, one is generated; if one already exists, it is not modified. Because of the sensitivity of the salt attribute, it is not rolled back. The policy is stored in the msExchOmaExtendedProperties attribute collection and starts with "PolicyData:".

The policy refresh interval value is stored in the msExchOmaExtendedProperties attribute collection and starts with "PolicyDataRefreshInterval:".

The policy salt value is stored in the msExchOmaExtendedProperties attribute collection and starts with "PolicyDataSalt:". Once the salt value is created, it is never deleted or changed. The salt value is created using a random number that is base64 encoded.

The policy key value is stored in the msExchOmaExtendedProperties attribute collection and starts with "PolicyKey:". Every time the policy is changed, this key is changed with a new string of random numbers.

Arguments

All of the following input arguments are required.

preferredDomainController
    The name of the preferred domain controller in the Service Provider domain. Type=string.

path
    The Lightweight Directory Access Protocol (LDAP) path of the user. Type=string.

aeFrequencyType
    Values for this string typed parameter are:
      • 0 = The device will not lock itself after inactivity.
      • 1 = The device will lock itself after X minutes of inactivity (X determined by AEFrequencyValue).

aeFrequencyValue
    The number of minutes of inactivity before the device locks itself (meaningless if AEFrequencyType=0). Type=string.

deviceWipeThreshold
    The number of failed personal identification number (PIN) entry attempts before the device wipes itself. If set to "-1", this feature is disabled. Type=string.

codewordFrequency
    To prevent accidental button presses from triggering the local wipe feature enabled by "DeviceWipeThreshold", the device prompts for a specific codeword after every "X" failed attempts. This parameter sets the number of failed attempts before the codeword prompt. Exchange System Manager (ESM) has no UI for this setting; it sets the value to half of "DeviceWipeThreshold". Type=string.

minimumPasswordLength
    Sets the minimum PIN length the user can enter. Type=string.

passwordComplexity
    Sets the complexity of the PIN for this string typed parameter as follows:
      • 0 = Requires alpha-numeric.
      • 1 = Requires numeric.
      • 2 = Anything goes.
    Note: ESM only sets "0" or "2".

Remarks

Rollback

For the SetUserPolicy method, the previously applied policy and policy key are restored upon rollback.
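The storage rules described at the top of this page (the four prefixed entries in msExchOmaExtendedProperties, the write-once salt, the key replaced on every change) and the rollback rule above, as an added Python model written for this page; it is not the provider's own implementation. A list of strings stands in for the directory attribute, and the salt and key generators are assumptions (the page only says both are random and that the salt is base64 encoded).

```python
import base64
import os
import secrets

# Entry prefixes the page documents for msExchOmaExtendedProperties.
POLICY = "PolicyData:"
REFRESH = "PolicyDataRefreshInterval:"
SALT = "PolicyDataSalt:"
KEY = "PolicyKey:"


def _find(values, prefix):
    """Return the first entry starting with prefix, or None."""
    return next((v for v in values if v.startswith(prefix)), None)


def set_user_policy(values, policy_xml, refresh_interval):
    """Model one SetUserPolicy call; return (new_values, rollback_state).

    values is the user's current attribute collection (constructed stand-in).
    The previous policy and key are captured for rollback. The salt is
    created only when absent and is never captured: it is never rolled back.
    """
    rollback_state = {"policy": _find(values, POLICY), "key": _find(values, KEY)}
    salt = _find(values, SALT)
    if salt is None:
        # Assumed generator: 16 random bytes, base64 encoded, written once.
        salt = SALT + base64.b64encode(os.urandom(16)).decode("ascii")
    # Keep every entry that is not one of the four policy-related entries.
    others = [v for v in values if not v.startswith((POLICY, REFRESH, SALT, KEY))]
    new_values = others + [
        POLICY + policy_xml,
        REFRESH + str(refresh_interval),
        salt,
        # Assumed generator: a fresh random key on every policy change.
        KEY + secrets.token_hex(16),
    ]
    return new_values, rollback_state


def rollback_user_policy(values, rollback_state):
    """Restore the previous policy and key; the salt is left untouched.

    The page does not describe what happens to the refresh interval on
    rollback, so this model leaves that entry as written.
    """
    others = [v for v in values if not v.startswith((POLICY, KEY))]
    restored = [rollback_state["policy"], rollback_state["key"]]
    return others + [v for v in restored if v is not None]
```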

Example Policy

The following is an example of a mobile security policy defined in XML:

<wap-provisioningdoc> 
    <characteristic type="SecurityPolicy"> 
        <parm name="4131" value="0"/> 
    </characteristic> 
    <characteristic type="Registry"> 
        <characteristic type="HKLM\Comm\Security\Policy\LASSD\AE\{50C13377-C66D-400C-889E-C316FC4AB374}"> 
            <parm name="AEFrequencyType" value="1"/> 
            <parm name="AEFrequencyValue" value="5"/> 
        </characteristic> 
        <characteristic type="HKLM\Comm\Security\Policy\LASSD"> 
            <parm name="DeviceWipeThreshold" value="20"/> 
        </characteristic> 
        <characteristic type="HKLM\Comm\Security\Policy\LASSD"> 
            <parm name="CodewordFrequency" value="5"/> 
        </characteristic> 
        <characteristic type="HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw"> 
            <parm name="MinimumPasswordLength" value="8"/> 
        </characteristic> 
        <characteristic type="HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw"> 
            <parm name="PasswordComplexity" value="0"/> 
        </characteristic> 
    </characteristic> 
</wap-provisioningdoc> 

Sample Code

Example XML Request

The following is an example of an XML request for the SetUserPolicy method of the Exchange Mobility Provider:

<request>
    <procedure>
        <execute namespace="Exchange Mobility Provider" procedure="SetUserPolicy" impersonate="1">
            <executeData>
                <preferredDomainController>ad01.fabrikam.com</preferredDomainController>
                <path>LDAP://CN=user@alpineskihouse.com,OU=AlpineSkiHouse,OU=ConsolidatedMessenger,OU=Hosting,DC=Fabrikam,DC=Com</path>
                <properties>
                    <property name="AEFrequencyValue">2</property>
                    <property name="DeviceWipeThreshold">4</property>
                    <property name="CodeWordFrequency">2</property>
                    <property name="MinimumPasswordLength">6</property>
                    <property name="PasswordComplexity">0</property>
                    <property name="AEFrequencyType">1</property>
                    <property name="RefreshInterval">100</property>
                </properties>
            </executeData>
            <after source="executeData" destination="data" mode="merge"/>
        </execute>
    </procedure>
</request>

Applies To

Exchange Mobility Provider API for:

  • Hosted Messaging and Collaboration version 3.5

See also

Tasks

Exchange Mobility Provider::ClearUsersPolicy