Designing and Implementing Mobility in Exchange Server 2010 : Working with ActiveSync Policies

ActiveSync in Exchange Server 2010 allows for an unprecedented level of control over the security and management of devices. It allows an administrator to create ActiveSync mailbox policies that force devices to comply with specific restrictions, such as requiring a complex password, or requiring file encryption.

In addition, Exchange Server 2010 ActiveSync now allows an administrator to create multiple policies in an organization. This enables specific types of users to have more restrictive policies placed on their handheld devices, whereas other users are not as restricted. For example, a hospital could stipulate that all the devices that have confidential patient data on them be forced to be encrypted and password protected, while other users are not forced to the same standards.

Creating ActiveSync Mailbox Policies

Creating a new ActiveSync mailbox policy in Exchange Server 2010 is not a complex task. To do so, follow this procedure:

1.	From Exchange Management Console, expand Organization Configuration in the console pane, and click Client Access.
2.	In the tasks pane, click the New Exchange ActiveSync Mailbox Policy link.
3.	Enter a descriptive name for the policy, such as Manager’s ActiveSync Mailbox Policy. Set password settings, such as that shown in Figure 1, and click New. Figure 1. Creating an ActiveSync mailbox policy.
4.	Click Finish.

Applying Mailbox Policies to Users

After a specific policy has been created, it can be added to mailboxes, either during the provisioning process or after the mailbox has already been created. For existing mailboxes, perform the following steps:

1.	From the Exchange Management Console, expand Recipient Configuration, and then click Mailbox.
2.	Right-click on the mailbox to be added, and click Properties.
3.	Select the Mailbox Features tab, click Exchange ActiveSync, and then click the Properties button.
4.	Check the Apply an Exchange ActiveSync Mailbox Policy check box, and then click the Browse button.
5.	Select the policy from the list, such as that shown in Figure 2, and then click OK. Figure 2. Applying an ActiveSync mailbox policy to a mailbox.
6.	Click OK two more times to save the changes.

Adding multiple mailboxes to a specific mailbox policy is best done from the PowerShell console.

Wiping and Resetting ActiveSync Devices

One of the advantages to Exchange Server 2010’s ActiveSync is the optimized management capabilities available. With ActiveSync and the proper Windows Mobile devices, passwords can be reset remotely, and devices can be wiped clean of data in the event that they are lost or stolen. This concept—combined with the encryption capabilities of the Messaging Security Feature Pack—allows an organization to deploy ActiveSync without fear of data compromise.

Invoking this function is as simple as right-clicking on a mailbox user under the Mailbox area of the Recipient Configuration node and choosing Manage Mobile Device. In addition, users can remotely wipe their own devices via Outlook Web App.