Exploring Windows Mobile 6.1 and Exchange ActiveSync Mailbox Policies

 

By Patricia DiGiacomo Eddy

Microsoft Exchange Server 2007 Service Pack 1 (SP1) introduced many new mailbox policy settings for Exchange ActiveSync devices. These policy settings control the behavior and features of the mobile devices in your organization. Unfortunately, until recently, no mobile device operating system supported these new policy settings.

On April 1, 2008, Microsoft announced the release of Windows Mobile 6.1. All the new policy settings in Exchange 2007 SP1 are fully supported by Windows Mobile 6.1. Although there were no Windows Mobile 6.1 devices available at the time this article was written, they should be hitting the marketplace soon.

This article summarizes the various enhancements to Exchange ActiveSync in Exchange 2007 SP1, and also gives you information about the supported policy settings for the different versions of the Windows Mobile operating system.

Default Exchange ActiveSync Mailbox Policies

The original release (RTM) version of Exchange 2007 included various Exchange ActiveSync mailbox policy settings. You could enforce a password, require that passwords be a certain length, prohibit downloading of attachments, prevent users from reusing past passwords, and specify whether users could access information that is stored in Microsoft Windows SharePoint Services document libraries. However, all users had to be explicitly assigned to a policy. You could do this one at a time, or use an Exchange cmdlet to do it for you. The following cmdlet will assign all users to a policy named Sales Policy.

Get-Mailbox | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Sales Policy").Identity

Although the cmdlet is straightforward, Exchange 2007 SP1 makes this process even easier. Administrators can designate an existing policy as the default policy. When a policy is marked as default, all new users will automatically be assigned to this policy. You can switch the default policy at any time by using the Exchange Management Console or the Exchange Management Shell.

New and Enhanced Policy Settings

There are a significant number of new policy settings available in Exchange 2007 SP1.

Note

The ability to use many of the new policy settings is a premium feature of Exchange ActiveSync. An Exchange Enterprise client access license (CAL) is required for each mailbox that the policies are implemented on.

The following table lists all the Exchange ActiveSync mailbox policy settings that are available in Exchange 2007 RTM and Exchange 2007 SP1.

Policy Settings for Exchange ActiveSync

Columns:
(1) Exchange 2007 RTM and Windows Mobile 6.0
(2) Exchange 2007 SP1 Standard or Enterprise CAL and Windows Mobile 6.0
(3) Exchange 2007 SP1 Standard CAL and Windows Mobile 6.1
(4) Exchange 2007 SP1 Enterprise CAL and Windows Mobile 6.1

Setting                                       (1)  (2)  (3)  (4)
Password Required                              X    X    X    X
Minimum Password Length                        X    X    X    X
Alphanumeric Password Required                 X    X    X    X
Inactivity Timeout                             X    X    X    X
Maximum Failed Password Attempts               X    X    X    X
Policy Refresh Interval                        X    X    X    X
Allow Non-Provisionable Devices                X    X    X    X
Attachments Enabled                            X    X    X    X
Storage Card Encryption                        X    X    X    X
Password Recovery Enabled                      X    X    X    X
Allow Simple Device Password                   X    X    X    X
Maximum Attachment Size                        X    X    X    X
Windows SharePoint Services Access Enabled     X    X    X    X
Windows File Share Access Enabled              X    X    X    X
Password Expiration                            X    X    X    X
Password History                               X    X    X    X
Require Manual Synchronization When Roaming    -    -    X    X
Minimum Device Password Complex Characters     -    -    X    X
Maximum Calendar Age Filter                    -    -    X    X
Allow HTML E-mail                              -    -    X    X
Maximum E-mail Age Filter                      -    -    X    X
Maximum E-mail Body Truncation Size            -    -    X    X
Maximum HTML Body Truncation Size              -    -    X    X
Require Signed S/MIME Messages                 -    -    X    X
Require Signed S/MIME Algorithm                -    -    X    X
Allow S/MIME Soft Certs                        -    -    X    X
Require Device Encryption                      -    -    X    X
Allow Storage Card                             -    -    -    X
Allow Camera                                   -    -    -    X
Allow Unsigned Applications                    -    -    -    X
Allow Unsigned Installation Packages           -    -    -    X
Allow Wi-Fi                                    -    -    -    X
Allow Text Messaging                           -    -    -    X
Allow POP/IMAP E-mail                          -    -    -    X
Allow Bluetooth                                -    -    -    X
Allow IrDA                                     -    -    -    X
Allow Desktop Sync                             -    -    -    X
Allow Browser                                  -    -    -    X
Allow Consumer E-mail                          -    -    -    X
Allow Remote Desktop                           -    -    -    X
Allow Internet Sharing                         -    -    -    X
Unapproved InROM Application List              -    -    -    X
Approved Application List                      -    -    -    X

Many of these new policy settings are intended to help administrators control the features their users can access on their mobile devices.

Settings such as allow camera, allow text messaging, and allow POP/IMAP e-mail are intended to address some common device management problems. For example, many corporations do not allow using camera phones for confidentiality reasons. An administrator in this kind of organization could deploy mobile devices with Windows Mobile 6.1 and disable the camera functionality.
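
The following read-only Exchange Management Shell audit is an added example, not part of the original article. It lists every Exchange ActiveSync mailbox policy with the security settings that are left in a weak state; the choice of settings to flag and the helper name Get-WeakPolicySetting are assumptions of the example.

```powershell
# Added example (not from the original article). Read-only: changes nothing.
# Property names are those returned by Get-ActiveSyncMailboxPolicy in SP1.
# Which values count as "weak" is an assumption of this example.
$weakWhenFalse = 'DevicePasswordEnabled', 'AlphanumericDevicePasswordRequired',
                 'RequireDeviceEncryption', 'RequireStorageCardEncryption'
$weakWhenTrue  = 'AllowNonProvisionableDevices', 'AllowSimpleDevicePassword'

# Hypothetical helper: returns the weak settings found on one policy object.
function Get-WeakPolicySetting($policy) {
    $findings = @()
    foreach ($name in $weakWhenFalse) {
        if (-not $policy.$name) { $findings += "$name=False" }
    }
    foreach ($name in $weakWhenTrue) {
        if ($policy.$name) { $findings += "$name=True" }
    }
    return $findings
}

# One row per policy; the default policy (applied to new users) is listed first.
Get-ActiveSyncMailboxPolicy | ForEach-Object {
    $findings = @(Get-WeakPolicySetting $_)
    $_ | Select-Object Name, IsDefaultPolicy,
        @{Name='WeakSettings'; Expression={ [string]::Join(', ', $findings) }}
} | Sort-Object IsDefaultPolicy -Descending | Format-Table -AutoSize -Wrap
```

A policy that shows AllowNonProvisionableDevices=True lets devices that cannot enforce the policy synchronize anyway, so the other settings in that policy are not guaranteed to be in effect on every device.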

Remote Device Wipe Confirmation

One additional new feature is a remote device wipe confirmation message. Remote device wipe enables a user or an administrator to clear the data on a mobile device when that device is lost or stolen. The user can start the remote device wipe process from Microsoft Office Outlook Web Access. The administrator can start a remote device wipe from the Exchange Management Console or the Exchange Management Shell.

However, in Exchange 2007 RTM, when the user or administrator initiated a remote device wipe, they were frequently left wondering whether it completed. The remote device wipe process is very reliable: if the device is still connected to the Internet, and the server that is running Microsoft Exchange is reachable, the remote device wipe is initiated the next time that the device tries to connect to the Exchange server. Even so, the confirmation message that is displayed after the remote device wipe occurs provides reassurance that the process did complete correctly.
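
The wipe state can also be checked from the Exchange Management Shell. The following read-only report is an added example, not part of the original article; it lists every device that has a remote wipe on record and how far the wipe has progressed. The helper name Get-WipeState and the wording of the states are assumptions of the example.

```powershell
# Added example (not from the original article). Read-only: starts no wipe.
# Hypothetical helper: maps the three wipe timestamps to a progress state.
function Get-WipeState($device) {
    if ($device.DeviceWipeAckTime)     { return 'Completed: device acknowledged the wipe' }
    if ($device.DeviceWipeSentTime)    { return 'Sent: waiting for device acknowledgement' }
    if ($device.DeviceWipeRequestTime) { return 'Pending: wipe command not yet sent to device' }
    return 'None'
}

# Walk every mailbox that has a device partnership and keep only devices
# for which a wipe has been requested.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.HasActiveSyncDevicePartnership } |
    ForEach-Object {
        $mailbox = $_.Name
        Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity |
            Where-Object { $_.DeviceWipeRequestTime } |
            ForEach-Object {
                $state = Get-WipeState $_
                $_ | Select-Object @{Name='Mailbox'; Expression={ $mailbox }},
                    DeviceType, DeviceID, LastSuccessSync,
                    DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime,
                    @{Name='WipeState'; Expression={ $state }}
            }
    } | Sort-Object DeviceWipeRequestTime | Format-Table -AutoSize -Wrap
```

A device that stays in the pending state has not connected to the Exchange server since the wipe was requested, so its data should be treated as still present on the device.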

For More Information

For more information about Exchange 2007 SP1, see What's New in Exchange Server 2007 Service Pack 1.

For more information about Windows Mobile 6.1, see the Windows Mobile Home page.

Patricia DiGiacomo Eddy - Senior Technical Writer, Microsoft Exchange Server