Step 5: Configure and Manage Mobile Device Access on the Exchange Server

6/2/2010

With the Microsoft Exchange Server 2007 installation, Exchange ActiveSync features are enabled for all client mobile devices at the organizational level. If your security setup accepts the trusted certificates that are shipped on the mobile devices, all you need to do is instruct your users who have Windows Mobile devices that run Windows Mobile 6 to sign in using the ActiveSync application on the device.

Note

If you want to establish a central security policy, use the Exchange Management Console to configure it for all users; follow the instructions in Configuring Security Settings for Mobile Devices in this chapter.

You can perform the following management functions on your Exchange Server:

  • Create Exchange ActiveSync mailbox policies
  • Configure security settings for mobile devices with a mailbox policy
  • Apply a mailbox policy to a user
  • Initiate a remote device wipe
  • Disable Exchange ActiveSync

All Exchange ActiveSync features are enabled during a default installation of Exchange 2007. You can modify the feature settings at the Exchange server level with Exchange Management Console, and enable or disable Exchange ActiveSync features for individual users or groups of users with Active Directory.

Create Exchange ActiveSync Mailbox Policies

You can create Exchange ActiveSync mailbox policies to simplify management of your Exchange ActiveSync devices. These policies can be applied to each Exchange ActiveSync user and can help you apply specific settings to a user's device. A mailbox policy holds a group of settings for Microsoft Exchange ActiveSync. These settings include password, encryption, and attachment settings. When you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, no mailbox policies exist. You can create multiple mailbox policies and assign users to these policies.

To perform the following procedures on a computer that has the Client Access Server role installed, you must log on using a domain account that has the permissions assigned to the Exchange Recipient Administrators group. The account must also be a member of the local Administrators group on that computer.

Use the Exchange Management Console to create an Exchange ActiveSync mailbox policy

  1. In the console tree, expand the Organization Configuration node, and then click Client Access.

  2. In the action pane, click New ActiveSync mailbox policy.

  3. On the New ActiveSync Mailbox Policy wizard page, enter a name in the Mailbox policy name box.

  4. Select the Require password check box, and then select one or more of the optional check boxes.

  5. Click New.

  6. Click Finish to close the New ActiveSync Mailbox Policy Wizard.

Configure Security Settings for Mobile Devices with a Mailbox Policy

You can specify security options for mobile device users who connect to your Exchange server. With the Exchange Management Console, you can set the length and strength of the password, the amount of inactivity time, and the number of failed attempts that can occur before the mobile device is wiped.

For more information about understanding and setting mailbox policies, see "Managing Exchange ActiveSync with Policies" at https://go.microsoft.com/fwlink/?LinkID=87196.

Note

The term password in this chapter refers to the password that a user enters to unlock his or her mobile device. It is not the same as a network user password.

The following table presents the options you can use to set your security policies.

Exchange Security Policies or Mailbox Policies                                       Exchange Server 2003 SP2   Exchange Server 2007
-----------------------------------------------------------------------------------  ------------------------   --------------------
Require a password to access and configure the device                                X                          X
Set a minimum password length                                                        X                          X
Require an alphanumeric password                                                     X                          X
Specify how many minutes of inactivity before the device locks                       X                          X
Wipe the device remotely                                                             X                          X
Wipe the storage card remotely                                                                                  X
Allow access to non-provisionable (pre-Messaging and Security Feature Pack) devices  X                          X
Set the policy refresh interval                                                      X                          X
Allow or disallow attachments to be downloaded                                                                  X
Set maximum attachment size                                                                                     X
Enable encryption on the removable storage card                                                                 X
Set password expiration date                                                                                    X
Enable password recovery                                                                                        X
Prevent patterned PIN (1111 or 1234) on device                                                                  X
Specify how many failed password attempts before device wipe                         X                          X
Specify how many failed password attempts before storage card wipe                                              X
Allow or disallow access to files on Universal Naming Convention (UNC) shares                                   X
Allow or disallow access to files on SharePoint Services sites                                                  X
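The same policy can be created from the Exchange Management Shell instead of the console, which makes the settings reviewable and repeatable. The following script is an added example, not part of the original guide or of Microsoft's documentation; the policy name, the user-facing values chosen for each setting, and the use of the storage card encryption parameter (which assumes Exchange 2007 SP1 or later) are assumptions for illustration. Each entry of the hashtable corresponds to one row of the table above.

```powershell
# Added example: create an Exchange ActiveSync mailbox policy from the
# Exchange Management Shell, covering the options listed in the table above.
# Run it in the Exchange Management Shell, or load the Exchange 2007 snap-in
# into a regular PowerShell session first:
#   Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

$policyName = "Contoso Mobile Baseline"   # assumed policy name

# One hashtable entry per table row; the comment names the option it sets.
# The values are illustrative choices, not values prescribed by the guide.
$settings = @{
    Name                               = $policyName
    DevicePasswordEnabled              = $true         # Require a password to access the device
    MinDevicePasswordLength            = 6             # Set a minimum password length
    AlphanumericDevicePasswordRequired = $true         # Require an alphanumeric password
    AllowSimpleDevicePassword          = $false        # Prevent patterned PINs such as 1111 or 1234
    MaxInactivityTimeDeviceLock        = "00:15:00"    # Minutes of inactivity before the device locks
    MaxDevicePasswordFailedAttempts    = 8             # Failed attempts before the device wipes itself
    DevicePasswordExpiration           = "90.00:00:00" # Password expiration (days.hh:mm:ss)
    PasswordRecoveryEnabled            = $true         # Enable password recovery
    AllowNonProvisionableDevices       = $false        # Refuse devices that cannot enforce the policy
    DevicePolicyRefreshInterval        = "1.00:00:00"  # Policy refresh interval (once a day)
    AttachmentsEnabled                 = $true         # Allow attachments to be downloaded ...
    MaxAttachmentSize                  = 1MB           # ... up to this size
    RequireStorageCardEncryption       = $true         # Encrypt the removable storage card (SP1 or later)
    UNCAccessEnabled                   = $false        # No access to files on UNC shares
    WSSAccessEnabled                   = $false        # No access to files on SharePoint Services sites
}

New-ActiveSyncMailboxPolicy @settings

# Read the policy back so the effective settings can be checked line by line.
Get-ActiveSyncMailboxPolicy -Identity $policyName | Format-List
```

Splatting the settings from a hashtable keeps the whole policy in one reviewable block that can be kept under version control and compared against the output of Get-ActiveSyncMailboxPolicy after a change. Options that are procedures rather than policy settings (the remote wipe itself) have no parameter here.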

Apply a Mailbox Policy to a User

After you create an Exchange ActiveSync mailbox policy, you can add users to it. By default, users are not assigned to a mailbox policy. You can add a user to only one mailbox policy at a time. If you add a user to an Exchange ActiveSync mailbox policy and that user is already a member of another Exchange ActiveSync mailbox policy, that user is removed from the original Exchange ActiveSync mailbox policy and added to the new Exchange ActiveSync mailbox policy. You can add users individually or add a filtered group of users to an Exchange ActiveSync mailbox policy.

To apply a mailbox policy to a user

  1. In the console tree, expand the Recipient Configuration node, and then click Mailbox.

  2. In the work pane, right-click the user who you want to assign to a policy, and then click Properties.

  3. In the user's Properties dialog box, click Mailbox Features.

  4. Click Exchange ActiveSync, and then click Properties.

  5. Select the Apply an ActiveSync mailbox policy check box.

  6. Click Browse to view the Select Mobile Mailbox Policy dialog box.

  7. Select an available policy, and then click OK three times to apply the policy.
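Assigning the policy can also be scripted, which is the practical route for the "filtered group of users" case mentioned above. The following is an added example, not code from the original guide; the policy name, the user address, and the organizational unit path are assumed values.

```powershell
# Added example: apply an Exchange ActiveSync mailbox policy to a single user
# and to a filtered group of users from the Exchange Management Shell.

$policyName = "Contoso Mobile Baseline"   # assumed policy name

# Single user. The attribute holds one policy, so this replaces whatever
# policy the user was in before, which is the "removed from the original
# policy and added to the new policy" behaviour described above.
Set-CASMailbox -Identity "alice@contoso.com" -ActiveSyncMailboxPolicy $policyName

# Filtered group: every mailbox in one organizational unit (assumed path).
Get-Mailbox -OrganizationalUnit "contoso.com/Sales" -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policyName

# Check: list users who can sync but have no policy assigned. By default no
# user belongs to a policy, so no policy settings reach those users' devices.
Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true } |
    Where-Object { -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

Running the final check after each assignment round is the quickest way to find mailboxes that were created after the policy rollout and never picked up a policy.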

Initiate a Remote Device Wipe

Procedures for performing a device wipe are detailed in this section.

Remote Device Wipe vs. Local Device Wipe

Local device wipe is the mechanism by which a device wipes itself without the request coming from the server. If your organization has implemented Exchange ActiveSync policies that specify a maximum number of password attempts and that maximum is exceeded, the device will perform a local device wipe. The result of a local device wipe is the same as that of a remote device wipe. The device is returned to its factory default condition. No confirmation is sent to the Exchange Server when a device performs a local device wipe.

Note

In addition to resetting the device to factory default condition, a remote device wipe also deletes all data on any storage card in the device. If you are performing a remote device wipe on a device in your possession and want to retain the data on the storage card, remove the storage card before you initiate the remote device wipe.

To use the Exchange Management Console to perform a remote device wipe

  1. Open the Exchange Management Console.

  2. Under Recipient Configuration, select Mailbox.

  3. Select the user from the Mailbox window.

  4. In the action pane, click Manage mobile device, or right-click the user's mailbox, and then click Manage mobile device.

  5. Select the mobile device to be wiped.

  6. In the Action section, click the Clear option button.

  7. Click Clear at the bottom of the window to finish.

To use Outlook Web Access to perform a remote device wipe:

  1. Open Outlook Web Access.
  2. Log on to the device owner's mailbox.
  3. Click Options.
  4. In the Navigation pane, select Mobile Devices.
  5. Select the ID of the device that you want to wipe and remove from the list.
  6. Click Wipe all data from device.
  7. Click OK.
  8. Click Remove Device from List.
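The remote wipe can also be issued and tracked from the Exchange Management Shell, which records when the command was sent and when the device acknowledged it. The following is an added example, not code from the original guide; the mailbox, the device ID placeholder, and the notification address are assumed values, and the DeviceWipe* fields are those reported by Get-ActiveSyncDeviceStatistics.

```powershell
# Added example: perform a remote device wipe from the Exchange Management
# Shell and confirm that the device acknowledged it.

$mailbox  = "alice@contoso.com"         # assumed mailbox
$deviceId = "DEVICE-ID-PLACEHOLDER"     # take the real value from the listing in step 1

# 1. List every device partnered with the mailbox, with its wipe status.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceFriendlyName, DeviceType, DeviceID, LastSuccessSync,
                  DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 2. Select exactly one device by its DeviceID; never pick a device by position.
$target = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $deviceId }
if (-not $target) { throw "No device with ID $deviceId is partnered with $mailbox" }

# 3. Queue the wipe. The command is delivered the next time the device
#    connects; the device is then reset to factory defaults, storage card
#    included, as the note above describes. -Confirm:$false skips the prompt.
Clear-ActiveSyncDevice -Identity $target.Identity `
    -NotificationEmailAddresses "secops@contoso.com" -Confirm:$false

# 4. Later, check for the acknowledgement. DeviceWipeSentTime shows the server
#    delivered the command; DeviceWipeAckTime shows the device reported completion.
#    A local device wipe (too many failed passwords) never sets these fields,
#    because the device sends no confirmation to the server for it.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $deviceId } |
    Select-Object DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 5. Once acknowledged, drop the partnership so the device no longer appears
#    (the shell equivalent of "Remove Device from List"). Uncomment to run.
# Remove-ActiveSyncDevice -Identity $target.Identity
```

Keeping the partnership until DeviceWipeAckTime is populated matters: removing the device record first leaves nothing for the device to pick the pending wipe up from, and the incident record loses the acknowledgement timestamp.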

Disable Exchange ActiveSync

This section describes how to disable Microsoft Exchange ActiveSync. When you disable Exchange ActiveSync on a computer that is running Microsoft Exchange Server 2007 that has the Client Access Server role installed, you disable the application pool that Exchange ActiveSync uses. An application pool is a group of processes used by Internet Information Services (IIS) to perform a task.

Note

Although this guide focuses on the implementation of a mobile messaging system with Exchange ActiveSync enabled, it may be necessary at times to disable this functionality during maintenance of your network infrastructure or mobile messaging system, and for testing.

To perform the following procedures on a computer that has the Client Access Server role installed, you must log on by using a domain account that has the permissions assigned to the Exchange Organization Administrators group. The account must also be a member of the local Administrators group on that computer.

Also, before you perform these procedures, confirm the following:

  • You have installed the Microsoft Internet Information Services (IIS) component Microsoft ASP.NET.
  • The ASP.NET Web service extension status is set to Allowed. You can verify the status of the ASP.NET Web service extension in IIS Manager by expanding the server name, and then clicking Web Service Extensions. If the ASP.NET Web service extension is not set to Allowed, right-click the Web service extension to change the status.

To use IIS Manager to disable Exchange 2007 ActiveSync

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Double-click to expand the server name, and then double-click to expand the Application Pools folder.

  3. Right-click MSExchangeSyncAppPool, and then click Stop to disable Exchange ActiveSync.

Note

If the Stop command is unavailable, Exchange ActiveSync is already disabled on this server.
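Where a maintenance window affects only some users, disabling Exchange ActiveSync per mailbox is less disruptive than stopping the application pool for the whole server. The following is an added example, not code from the original guide; the user address and organizational unit are assumed values, and the server-wide part assumes the IIS 6 ADSI provider on Windows Server 2003 (the platform implied by the Web Service Extensions step above), run locally on the Client Access server by an administrator.

```powershell
# Added example: disable Exchange ActiveSync for one user, for a group, and
# for the whole Client Access server, then verify the result.

# Per-user: blocks sync for that mailbox only; reversible with $true.
Set-CASMailbox -Identity "alice@contoso.com" -ActiveSyncEnabled $false

# Per-group: every mailbox in one organizational unit (assumed path).
Get-Mailbox -OrganizationalUnit "contoso.com/Contractors" -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncEnabled $false

# Verify which mailboxes can still sync.
Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true } |
    Select-Object Name, ActiveSyncMailboxPolicy

# Server-wide: stop the MSExchangeSyncAppPool application pool, the same
# action as the IIS Manager procedure above. Assumed: IIS 6 ADSI provider,
# run on the Client Access server itself. The pool name is the one the
# guide gives.
$pool = [ADSI]"IIS://localhost/W3SVC/AppPools/MSExchangeSyncAppPool"
# AppPoolState values: 1 = starting, 2 = started, 3 = stopping, 4 = stopped
if ([int]$pool.AppPoolState -eq 2) {
    $pool.Stop()
    "Exchange ActiveSync application pool stopped."
} else {
    "Exchange ActiveSync is already disabled on this server (state $($pool.AppPoolState))."
}

# To re-enable after maintenance:
# $pool.Start()
```

Checking AppPoolState before calling Stop() mirrors the note above: a pool that is already stopped reports state 4, which is the shell-side equivalent of the Stop command being unavailable in IIS Manager.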

For more information about how to enable Exchange ActiveSync, see Managing Exchange ActiveSync.