Share via


Understanding Exchange ActiveSync Mailbox Policies

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic discusses Microsoft Exchange ActiveSync mailbox policies and how they can be used in your Microsoft Exchange Server 2007 environment.

Overview

Exchange ActiveSync mailbox policies let you apply a common set of policy or security settings to a user or group of users. The following tables summarize the settings that you can specify by using Exchange ActiveSync mailbox policies. The first table summarizes the settings that are available with an Exchange 2007 Standard client access license (CAL). The second table summarizes the settings that are available with an Exchange 2007 Enterprise CAL.

Exchange ActiveSync mailbox policy settings with a standard CAL

Setting Description

Allow HTML E-mail

This setting specifies whether e-mail synchronized to the device can be in HTML format. If this setting is set to $false, all e-mail is converted to plain text.

Allow non-provisionable devices

This setting specifies whether older devices that may not support application of all policy settings are allowed to connect to Exchange 2007 by using Exchange ActiveSync.

Allow simple password

This setting enables or disables the ability to use a simple password such as 1234. The default value is $true.

Allow S/MIME software certificates

This setting specifies whether S/MIME software certificates are allowed on the mobile device.

Alphanumeric password required

This setting requires that a password contains numeric and non-numeric characters.

Attachments enabled

This setting enables attachments to be downloaded to the mobile device.

Device encryption enabled

This setting enables encryption on the device. Not all devices can enforce encryption. For more information, see the device and mobile operating system documentation.

Password enabled

This setting enables the device password.

Password expiration

This setting enables the administrator to configure a length of time after which a device password must be changed.

Password history

This setting specifies the number of past passwords that can be stored in a user's mailbox. A user cannot reuse a stored password.

Policy refresh interval

This setting defines how frequently the device updates the Exchange ActiveSync policy from the server.

Maximum attachment size

This setting specifies the maximum size of attachments that are automatically downloaded to the device.

Maximum calendar age filter

This setting specifies the maximum range of calendar days that can be synchronized to the device. The value is specified in days.

Maximum failed password attempts

This setting specifies how many times an incorrect password can be entered before the device performs a wipe of all data.

Maximum inactivity time lock

This setting specifies the length of time that a device can go without user input before it locks.

Minimum password length

This setting specifies the minimum password length.

Maximum e-mail age filter

This setting specifies the maximum number of days' worth of e-mail items to synchronize to the device. The value is specified in days.

Maximum HTML e-mail body truncation size

This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the device. The value is specified in kilobytes (KB).

Minimum device password complex characters

This setting specifies the minimum number of complex characters required in a device password. A complex character is any character that is not a letter.

Maximum e-mail body truncation size

This setting specifies the size beyond which e-mail messages are truncated when they are synchronized to the device. The value is specified in kilobytes (KB).

Password recovery

When this setting is enabled, the device generates a recovery password that is sent to the server. If the user forgets their device password, the recovery password can be used to unlock the device and enable the user to create a new device password.

Require Device Encryption

This setting specifies whether device encryption is required. If set to $true, the device must be able to support and implement encryption to synchronize with the server.

Require encrypted S/MIME messages

This setting specifies whether S/MIME messages must be encrypted.

Require manual synchronization while roaming

This setting specifies whether the device must synchronize manually while roaming. Allowing automatic synchronization while roaming will frequently lead to larger-than-expected data costs for the mobile device plan.

Require storage card encryption

This setting specifies whether the storage card must be encrypted. Not all mobile device operating systems support storage card encryption. For more information, see your device and mobile operating system for more information.

UNC file access

This setting enables access to files that are stored on Windows file share (UNC) shares.

WSS file access

This setting enables access to files that are stored in Microsoft Windows SharePoint Services document libraries.

Exchange ActiveSync mailbox policy settings with an enterprise CAL

Setting Description

Allow Bluetooth

This setting specifies whether a mobile device allows Bluetooth connections. The available options are Disable, HandsFree Only, and Allow.

Allow Browser

This setting specifies whether Pocket Internet Explorer is allowed on the mobile device. This setting does not affect third-party browsers installed on the device.

Allow Camera

This setting specifies whether the mobile device camera can be used.

Allow Consumer Email

This setting specifies whether the mobile device user can configure a personal e-mail account (either POP3 or IMAP4) on the device.

Allow Desktop Sync

This setting specifies whether the mobile device can synchronize with a computer through a cable, Bluetooth, or IrDA connection.

Allow Internet Sharing

This setting specifies whether the mobile device can be used as a modem for a desktop or portable computer.

AllowIrDA

This setting specifies whether infrared connections are allowed to and from the mobile device.

Allow POPIMAPEmail

This setting specifies whether the user can configure a POP3 or an IMAP4 e-mail account on the device.

Allow Remote Desktop

This setting specifies whether the mobile device can initiate a remote desktop connection.

Allow storage card

This setting specifies whether the mobile device can access information that is stored on a storage card.

Allow text messaging

This setting specifies whether text messaging is allowed from the device.

Allow unsigned applications

This setting specifies whether unsigned applications can be installed on the device.

Allow unsigned installation packages

This setting specifies whether an unsigned installation package can be run on the device.

Allow Wi-Fi

This setting specifies whether wireless Internet access is allowed on the device.

Approved Application List

This setting stores a list of approved applications that can be run on the device.

Unapproved InROM application list

This setting specifies a list of applications that cannot be run in ROM.

For example, you can create a policy that you apply to all users in your Exchange organization. The following table lists possible settings for this policy.

Sample Exchange ActiveSync mailbox policy settings for all users

Setting Value

Allow non-provisionable devices

False

Allow POPIMAPEmail

True

Allow Remote Desktop

True

Allow simple password

True

Allow S/MIME software certificates

True

Allow storage card

False

Allow text messaging

True

Allow unsigned applications

False

Allow unsigned installation packages

True

Allow Wi-Fi

False

Alphanumeric password required

True

Approved Application List

Null

Attachments enabled

True

Device encryption enabled

True

Maximum calendar age filter

15

Maximum attachment size

500 kilobytes (KB)

Maximum failed password attempts

4

Minimum password length

4

Maximum e-mail age filter

10

Maximum e-mail body truncation size

3 KB

Minimum device password complex characters

2

Maximum HTML e-mail body truncation size

7 KB

Password enabled

True

Password expiration

10 days

Password history

8 passwords stored

Require manual synchronization while roaming

True

UNC file access

Disabled

WSS file access

Disabled

Note

You do not have to specify all policy settings when you create a new Exchange ActiveSync mailbox policy. Any policy setting that you do not explicitly set will keep its default value.

Exchange ActiveSync mailbox policies can be created in the Exchange Management Console or the Exchange Management Shell. If you create a policy in the Exchange Management Console, you can configure only a subset of the available settings. You can configure the rest of the settings by using the Exchange Management Shell.

When you install Exchange 2007 Service Pack 1 (SP1), a default Exchange ActiveSync mailbox policy is created. If you have installed the original release (RTM) version of Exchange 2007, you must specify a policy as the default policy after you install Exchange 2007 SP1. The default policy is automatically applied when a new user is created through the Exchange Management Console or the Exchange Management Shell.

You do not have to assign a user to an Exchange ActiveSync mailbox policy. The following table summarizes the policy settings that are used if you do not assign a user to a policy.

Default Exchange ActiveSync settings

Setting Value

Allow Bluetooth

Allow

Allow Browser

True

Allow Camera

True

Allow Consumer Email

True

Allow Desktop Sync

True

Allow HTML E-mail

True

Allow Internet Sharing

True

AllowIrDA

True

Allow non-provisionable devices

True

Allow simple password

False

Allow POPIMAPEmail

True

Allow Remote Desktop

True

Alphanumeric password required

False

Allow S/MIME software certificates

True

Allow storage card

True

Allow text messaging

True

Allow unsigned applications

True

Allow unsigned installation packages

True

Allow Wi-Fi

True

Attachments enabled

True

Device encryption enabled

False

Maximum calendar age filter

7

Password enabled

False

Password expiration

Unlimited

Password history

0

Policy refresh interval

Unlimited

Document browsing enabled

True

Maximum attachment size

Unlimited

Maximum failed password attempts

4

Maximum inactivity time lock

15 minutes

Minimum password length

4

Maximum e-mail age filter

3

Maximum e-mail body truncation size

3 KB

Minimum device password complex characters

0

Maximum HTML e-mail body truncation size

3 KB

Require Device Encryption

False

Require encrypted S/MIME messages

False

Require manual synchronization while roaming

False

Require storage card encryption

False

Unapproved InROM application list

Null

Password recovery

Disabled

UNC file access

Enabled

WSS file access

Enabled

Exchange ActiveSync Mailbox Policy Examples

The following figure shows how Exchange ActiveSync mailbox policies can be created to control various settings for three groups of users.

Example of Exchange ActiveSync mailbox policies

Exchange ActiveSync Mailbox Policies

For More Information

For more information about how to manage Exchange ActiveSync by using policies, see Managing Exchange ActiveSync with Policies.