Exchange Server 2007 : Configure the Client Access Server - Create and Apply ActiveSync Mailbox Policies

2/6/2011 9:50:36 AM
Problem : Your company has quite a number of different mobile devices being used. How do you control the different devices and to what degree can you control them? Also, what do you do if a device is lost or stolen?

Solution : As the mix of mobile devices grows, some will work more smoothly with ActiveSync than others, especially devices built by Microsoft that implement the Exchange ActiveSync (EAS) protocol natively. For example, devices running Windows Mobile 6 or later expose more policy settings to Exchange, and are therefore more manageable, than earlier Windows Mobile releases or devices from other vendors.

What about BlackBerry devices? Those require their own BlackBerry Enterprise Server, which connects to Exchange 2007, pulls mail from the mailboxes, and pushes it to the handsets; EAS policies do not apply to them. What about the iPhone? The first iPhone had no way of connecting to Exchange: you could use the web interface for an OWA session, but the screen was small and hard to work with. More recent iPhone releases support EAS.

Exchange ActiveSync allows for control over mobile devices using policies. You create the policies in the EMC and apply the policy to users.


If you have an Exchange 2007 RTM system and an Exchange 2007 SP1 system, you will be amazed at how different the ActiveSync policy settings are. This is one area that has been improved upon greatly in terms of more settings and more powerful control options.

To view the default ActiveSync policy (which is applied to all users with mobile connectivity by default) as well as create a new policy, perform the following:

Open the EMC.

From the Navigation Tree, expand the Organization Configuration work center and click Client Access.

Note that there is only one tab here, the Exchange ActiveSync Mailbox Policies tab. Within the tab is a Default policy. You can double-click the policy to open it.

If you want to create a new policy, you can choose New Exchange ActiveSync Mailbox Policy from the Actions pane to open the wizard.

From within the wizard, you can configure the following items, as shown in Figure 1.

Figure 1. Creating a new EAS policy.

  • Mailbox Policy Name— Provides a unique policy name.

  • Allow Non-provisionable Devices— Selecting this checkbox lets older devices that cannot accept EAS policies still connect to their mailboxes in Exchange 2007. Be aware that such devices connect without the policy's password, encryption, and other requirements being enforced, so leave it cleared if the policy is meant to be a real control rather than a recommendation.

  • Allow Attachments To Be Downloaded to Device— Selected by default, this allows the device to download attachments from emails.

  • Require Password— Deselected by default, but if checked, you are presented with a collection of options, including the following:

    • Require Alphanumeric Password

    • Enable Password Recovery

    • Require Encryption on the Device

    • Allow Simple Password

    • Minimum Password Length (default: 4)

    • Time Without User Input Before Password Must be Re-entered (In Minutes) (default: 15)

    • Password Expiration (Days)

    • Enforce Password History (default: 0)

When you finish making your selections, click New to create the policy.

When complete, click Finish.


If you want to take a policy you’ve created and set it as the default, you can right-click the policy and choose Set as Default or select the policy and choose Set as Default from the Actions pane.

Creating the policy is only part of the configuration process. To ensure the policy is designed the way you prefer, you have to select the policy and choose Properties from the Actions pane. Note that many options are available to configure, including the following five tabs: General, Password, Sync Settings, Device, and Advanced. Let’s consider these one step at a time.

The General Tab of the ActiveSync Policy

The General tab shows the name of the policy, whether it is the default policy, and when it was last modified. The Allow Non-provisionable Devices setting you chose when creating the policy can be changed here. Next is the Refresh Interval (Hours) checkbox, which sets how often (in hours) a device must re-download the policy from the server, so that later policy changes reach devices that have already provisioned. Two checkboxes control whether devices can open documents linked from a file server or SharePoint: Windows File Shares and Windows SharePoint Services.

The Password Tab of the ActiveSync Policy

When creating the policy, you saw the settings that make up the password side of the policy. The Password tab holds those plus a few additional settings that the wizard does not offer.

For example, under Require Alphanumeric Password is another setting: Minimum Number of Complex Characters (default is set to 3).

Another extra setting is Require Encryption on the Storage Card, which enforces encryption on the storage card. Note that because this is not a supported option on all mobile devices, make sure the device allows for this before enabling this as a requirement.

The Sync Settings Tab of the ActiveSync Policy

This tab has a group of synchronization settings we can configure, including the following:

  • Include Past Calendar Items— Here you can determine a date range of calendar items to sync with devices. The default is All, but you can select the drop-down and choose All, Two Weeks, One Month, Three Months, and Six Months.

  • Include Past Email Items— Similar to the calendar items, you can determine a date range of email to sync with devices. You can choose All (the default), One Day, Three Days, One Week, Two Weeks, and One Month.

  • Limit Message Size To (KB)— Establishes a maximum download size for messages to the mobile device. Select the checkbox and configure a maximum message size in KB.

  • Allow Synchronization When Roaming— Enabling this can be a bit expensive because when the device is roaming, charges tend to be higher. However, if you do enable it, the device will sync even when in roaming mode.

  • Allow HTML Formatted Email— If this checkbox is cleared, HTML-formatted messages are still delivered to the device, but they are converted to plain text first. Select it to let devices receive the HTML version.

  • Allow Attachments To Be Downloaded to This Device— A simple one-click checkbox to enable/disable if users with this policy can download attachments from within their email. Note that you were able to configure this setting when you first created the policy. However, you weren’t provided the next option.

  • Maximum Attachment Size (KB)— From within the policy, you can configure the maximum file size you want to allow to be downloaded to the device. If you leave this blank, users are allowed downloads of all sizes.

The Device Tab of the ActiveSync Policy

The options on the Device tab are SP1 additions (as are many of the settings discussed so far). With newer devices carrying cameras, Wi-Fi radios, and storage cards, administrators need a way to control those features. Note in Figure 2 that you can turn each of the following hardware features on or off with a checkbox:

Figure 2. The Device tab of the EAS policy.

  • Allow Removable Storage

  • Allow Camera

  • Allow Wi-Fi

  • Allow Infrared

  • Allow Internet Sharing From the Device

  • Allow Remote Desktop From the Device

  • Allow Synchronization From a Desktop

  • Allow Bluetooth: Select the down arrow and choose: Disable, Handsfree Only, or Allow


The settings on the Device tab and the Advanced tab we discuss in the next section are called premium features. There is an Exchange note directly on the tab at the bottom that says, "Properties on the Advanced tab are premium features of Exchange ActiveSync. Each mailbox that has these premium features enabled requires an Exchange Enterprise Client Access License (CAL)." Before purchasing Enterprise CALs, make sure your mobile devices can actually enforce these settings. If they cannot, there is no point in spending the extra money, because the devices will not be controlled by the policy.

The Advanced Tab of the ActiveSync Policy

The Advanced tab (shown in Figure 3) includes the remaining premium features that do not involve devices but applications. For example, you have the following settings:

Figure 3. The Advanced tab of the EAS policy.

  • Allow Browser

  • Allow Consumer Mail

  • Allow Unsigned Applications

  • Allow Unsigned Installation Packages

You can also configure allowed and blocked applications by clicking the Add button and selecting the applications that apply.
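The same policy, built from the Exchange Management Shell instead of the wizard and property tabs. This is an added example, not code from the original article; the policy name and values are constructed, and it assumes Exchange 2007 SP1, where the Device and Advanced tab settings are exposed as parameters on New-ActiveSyncMailboxPolicy and Set-ActiveSyncMailboxPolicy.

```powershell
# Added example (not from the original article). Policy name and values are
# constructed for illustration; run in the Exchange Management Shell on 2007 SP1.
$policyName = "Contoso Managed Devices"

# General, Password and Sync Settings tabs. AllowNonProvisionableDevices is left
# at $false on purpose: a device that cannot enforce the policy is refused rather
# than admitted with the password and encryption requirements silently skipped.
$policy = New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -DevicePolicyRefreshInterval "24:00:00" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordComplexCharacters 3 `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:10:00" `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -MaxCalendarAgeFilter ThreeMonths `
    -MaxEmailAgeFilter OneWeek `
    -MaxEmailBodyTruncationSize 32 `
    -RequireManualSyncWhenRoaming $true `
    -AllowHTMLEmail $true `
    -AttachmentsEnabled $true `
    -MaxAttachmentSize "2MB"

# Device and Advanced tabs. These are the premium features: every mailbox that
# gets this policy needs an Enterprise CAL, so only set them if you own the CALs
# and your devices honour them.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AllowStorageCard $true `
    -AllowCamera $false `
    -AllowWiFi $true `
    -AllowIrDA $false `
    -AllowInternetSharing $false `
    -AllowRemoteDesktop $false `
    -AllowDesktopSync $true `
    -AllowBluetooth HandsfreeOnly `
    -AllowBrowser $true `
    -AllowConsumerEmail $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false

# Optional: make it the policy every mailbox without an explicit assignment gets
# (the "Set as Default" action in the EMC).
# Set-ActiveSyncMailboxPolicy -Identity $policyName -IsDefaultPolicy $true

# Read it back and check the settings that matter for a lost device.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, IsDefaultPolicy, AllowNonProvisionableDevices, DevicePasswordEnabled,
                MinDevicePasswordLength, MaxInactivityTimeDeviceLock, RequireDeviceEncryption,
                RequireStorageCardEncryption, AllowStorageCard, AllowCamera, AllowBluetooth
```

The time-based settings take .NET TimeSpan strings (hh:mm:ss or d.hh:mm:ss), so a 90-day password expiry is "90.00:00:00" and a 10-minute lock is "00:10:00". Everything under the second cmdlet could also have been passed to New-ActiveSyncMailboxPolicy; it is split here only to keep the CAL-bearing settings visible.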

Assign an ActiveSync Policy to Users

After you have the policies you need for your ActiveSync mobile devices, you need to apply those policies to users. To accomplish this for an individual user, perform the following steps:

Open the EMC.

From the Navigation Tree, expand the Recipient Configuration work center.

From the Results pane, select the user you want to apply the policy toward. Then from the Actions pane, select Properties.

Select the Mailbox Features tab.

Select the Exchange ActiveSync feature and click the Properties button.

You are presented with the option to leave the default EAS policy or select Browse and choose a new policy. After you select the policy, click OK, and the new policy is applied to that user.

PS Note

The cmdlet in the EMS to assign the policy is Set-CASMailbox. You would type the following: Set-CASMailbox 'UserName' -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name"). If you want to apply the policy to multiple users, perhaps the members of a distribution group, you can pipe (|) those recipients into Set-CASMailbox instead of assigning them one at a time.
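The PS Note worked through, as an added example that is not part of the original article: one user, then every mailbox in a distribution group, then a check for mailboxes that slipped through. The policy name "Contoso Managed Devices", the alias jdoe, and the group "Sales Staff" are constructed.

```powershell
# Added example (not from the original article). Names are constructed.
$policy = Get-ActiveSyncMailboxPolicy -Identity "Contoso Managed Devices"

# One user. Passing $policy.Identity rather than a bare name avoids an ambiguous
# match if two policies share a prefix.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy $policy.Identity

# Every mailbox-enabled member of a group. Contacts and mail users are skipped,
# since Set-CASMailbox has nothing to set on them.
Get-DistributionGroupMember -Identity "Sales Staff" |
    Where-Object { $_.RecipientType -eq "UserMailbox" } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy $policy.Identity
    }

# Verify the group.
Get-DistributionGroupMember -Identity "Sales Staff" |
    Where-Object { $_.RecipientType -eq "UserMailbox" } |
    ForEach-Object { Get-CASMailbox -Identity $_.Identity } |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize

# Audit: mailboxes that can sync but have no explicit policy and therefore get
# whatever the current default policy says. Review this list whenever the
# default is changed, because those users move with it.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and ($_.ActiveSyncMailboxPolicy -eq $null) } |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize

# Accounts that should never sync a phone (service or shared mailboxes, for
# instance) are better switched off entirely than given a policy.
Set-CASMailbox -Identity "svc-backup" -ActiveSyncEnabled $false
```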

Manage a Mobile Device

You might think that you can give your users a mobile device, set up a policy, and you are done. Not quite. Passwords will be forgotten, devices will be lost or stolen, and so on. There are several ways to manage the mobile device after it has been released.

Users can manage their own devices through the OWA settings. (You can disable this, but you might want to leave it alone because you might want users to handle their own problems. This creates less stress for you as an administrator.)

You can manage the device by locating the recipient in the EMC, right-clicking the user, and choosing Manage Mobile Device, which opens the wizard. (This setting appears only if the user has a mobile device associated with that person. When users initially synchronize their mobile devices with their mailboxes using Exchange ActiveSync, Exchange 2007 creates a partnership with that device. After this partnership has been established, the option to manage mobile devices will appear.) As an administrator, this is the quickest way to wipe a device or recover a password.

You can also use the Exchange Management Shell to manage mobile devices.

For OWA Users: Wipe a Device or Recover a Password

The most important aspect of mobile management is the capability to clear a device of all data (wipe it) if it is lost or stolen. Who knows what data is on that device? With ActiveSync it does not have to matter: the wipe is queued on the server, and the next time the device is turned on and checks in, it is cleared. Note the dependency, though: the device must connect and authenticate once more for the wipe to run. A device kept offline, or a mailbox whose password is reset or whose ActiveSync access is disabled before the wipe is acknowledged, is never wiped.

For users, Outlook Web Access provides the capability to wipe all data from a device and display the recovery password. To accomplish this, they need to perform the following:

Log onto Outlook Web Access.

Select the Options link in the upper right-hand corner.

From the Navigation pane of options, scroll down until you find Mobile Devices and select that link.

Notice you can see your device, the last sync time, and the status. There are also links for Wipe All Data from Device and Display Recovery Password, as you can see in Figure 4.

Figure 4. Remote wipe and password recovery of your mobile device through OWA.

After you issue a wipe, SP1 adds a link to cancel the request. If you decide to cancel (say you find your phone), do it quickly: once the phone connects and starts wiping, there is no cancel process.

Another new SP1 feature is that after the remote process has completed, users receive an email to let them know it has completed.
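The same partnership listing, wipe, cancel, and recovery-password operations from the Exchange Management Shell, which the text mentions but does not show. This is an added example, not code from the original article; the alias jdoe, the device ID, and the notification address are constructed, and it assumes Exchange 2007 SP1 for the -Cancel and -NotificationEmailAddresses parameters.

```powershell
# Added example (not from the original article). jdoe, the device ID and the
# helpdesk address are constructed values.
$mailbox      = "jdoe"
$lostDeviceId = "A1B2C3D4E5F6"

# Every partnership the mailbox has. DeviceWipeRequestTime is stamped when the
# wipe is queued, DeviceWipeAckTime when the device reports it has run.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceID, LastSuccessSync, DeviceWipeRequestTime, DeviceWipeAckTime -AutoSize

# Select by DeviceID, not DeviceType: a user can have two phones of the same kind.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $lostDeviceId }
if ($lost -eq $null) { throw "No partnership with device $lostDeviceId for $mailbox" }

# Queue the wipe. The cmdlet returns at once; the device is only wiped when it
# next connects and authenticates, so do NOT reset the user's password or run
# Set-CASMailbox -ActiveSyncEnabled $false until DeviceWipeAckTime is populated,
# or the wipe is never delivered.
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "helpdesk@contoso.com" -Confirm:$false

# Changed your mind? Cancelling only works while the device has not checked in.
$status = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $lostDeviceId }
if ($status.DeviceWipeAckTime -eq $null) {
    Clear-ActiveSyncDevice -Identity $lost.Identity -Cancel -Confirm:$false
}

# Recovery password for a forgotten device PIN. Only populated when the policy
# has PasswordRecoveryEnabled and the device has uploaded one.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox -ShowRecoveryPassword |
    Format-List DeviceType, DeviceID, RecoveryPassword

# Once the wipe is acknowledged, remove the partnership so the stale device
# record does not linger; removing it earlier would discard the pending wipe.
$status = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $lostDeviceId }
if ($status.DeviceWipeAckTime -ne $null) {
    Remove-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
    Set-CASMailbox -Identity $mailbox -ActiveSyncEnabled $false
}
```

The ordering is the point: wipe first, wait for the acknowledgement, and only then revoke access. Revoking first feels safer but leaves the data on the device, because the wipe command rides on an authenticated sync.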
