New-DeviceConditionalAccessRule
This cmdlet is available only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.
Use the New-DeviceConditionalAccessRule cmdlet to create mobile device conditional access rules in Basic Mobility and Security in Microsoft 365.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
New-DeviceConditionalAccessRule
-Policy <PolicyIdParameter>
-TargetGroups <MultiValuedProperty>
[-AccountName <String>]
[-AccountUserName <String>]
[-AllowAppStore <Boolean>]
[-AllowAssistantWhileLocked <Boolean>]
[-AllowConvenienceLogon <Boolean>]
[-AllowDiagnosticSubmission <Boolean>]
[-AllowiCloudBackup <Boolean>]
[-AllowiCloudDocSync <Boolean>]
[-AllowiCloudPhotoSync <Boolean>]
[-AllowJailbroken <Boolean>]
[-AllowPassbookWhileLocked <Boolean>]
[-AllowScreenshot <Boolean>]
[-AllowSimplePassword <Boolean>]
[-AllowVideoConferencing <Boolean>]
[-AllowVoiceAssistant <Boolean>]
[-AllowVoiceDialing <Boolean>]
[-AntiVirusSignatureStatus <Int64>]
[-AntiVirusStatus <Int64>]
[-AppsRating <CARatingAppsEntry>]
[-AutoUpdateStatus <CAAutoUpdateStatusEntry>]
[-BluetoothEnabled <Boolean>]
[-CameraEnabled <Boolean>]
[-Confirm]
[-DomainController <Fqdn>]
[-EmailAddress <String>]
[-EnableRemovableStorage <Boolean>]
[-ExchangeActiveSyncHost <String>]
[-FirewallStatus <Required>]
[-ForceAppStorePassword <Boolean>]
[-ForceEncryptedBackup <Boolean>]
[-MaxPasswordAttemptsBeforeWipe <Int32>]
[-MaxPasswordGracePeriod <TimeSpan>]
[-MoviesRating <CARatingMovieEntry>]
[-PasswordComplexity <Int64>]
[-PasswordExpirationDays <Int32>]
[-PasswordHistoryCount <Int32>]
[-PasswordMinComplexChars <Int32>]
[-PasswordMinimumLength <Int32>]
[-PasswordQuality <Int32>]
[-PasswordRequired <Boolean>]
[-PasswordTimeout <TimeSpan>]
[-PhoneMemoryEncrypted <Boolean>]
[-RegionRatings <CARatingRegionEntry>]
[-RequireEmailProfile <Boolean>]
[-SmartScreenEnabled <Boolean>]
[-SystemSecurityTLS <Boolean>]
[-TVShowsRating <CARatingTvShowEntry>]
[-UserAccountControlStatus <CAUserAccountControlStatusEntry>]
[-WhatIf]
[-WLANEnabled <Boolean>]
[-WorkFoldersSyncUrl <String>]
[<CommonParameters>] Description
The cmdlets in Basic Mobility and Security are described in the following list:
- DeviceTenantPolicy and DeviceTenantRule cmdlets: A policy that defines whether to block or allow mobile device access to Exchange Online email by unsupported devices that use Exchange ActiveSync only. This setting applies to all users in your organization. Both allow and block scenarios allow reporting for unsupported devices, and you can specify exceptions to the policy based on security groups.
- DeviceConditionalAccessPolicy and DeviceConditionalAccessRule cmdlets: Policies that control mobile device access to Microsoft 365 for supported devices. These policies are applied to security groups. Unsupported devices are not allowed to enroll in Basic Mobility and Security.
- DeviceConfigurationPolicy and DeviceConfigurationRule cmdlets: Policies that control mobile device settings for supported devices. These policies are applied to security groups.
- Get-DevicePolicy: Returns all Basic Mobility and Security policies regardless of type (DeviceTenantPolicy, DeviceConditionalAccessPolicy or DeviceConfigurationPolicy).
For more information about Basic Mobility and Security, see Overview of Basic Mobility and Security for Microsoft 365.
To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Defender portal or Permissions in the Microsoft Purview compliance portal.
Examples
Example 1
New-DeviceConditionalAccessRule -Policy "Secure Email" -TargetGroups 5bff73eb-0ba7-461b-b7c9-9b4c173cc266This example creates a new mobile device conditional access rule with the following settings:
- Policy: Secure Email
- TargetGroups:5bff73eb-0ba7-461b-b7c9-9b4c173cc266
Parameters
-AccountName
The AccountName parameter specifies the account name. Valid values for this parameter are:
- A text value.
- $null (blank): The setting isn't configured. This is the default value.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AccountUserName
The AccountUserName parameter specifies the account user name. Valid values for this parameter are:
- A text value.
- $null (blank): The setting isn't configured. This is the default value.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowAppStore
The AllowAppStore parameter specifies whether to allow access to the app store on devices. Valid values for this parameter are:
- $true: Access to the app store is allowed.
- $false: Access to the app store isn't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Apple iOS 6+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowAssistantWhileLocked
The AllowAssistantWhileLocked parameter specifies whether to allow the use of the voice assistant while devices are locked. Valid values for this parameter are:
- $true: The voice assistant can be used while devices are locked.
- $false: The voice assistant can't be used while devices are locked.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Apple iOS 6+ devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowConvenienceLogon
The AllowConvenienceLogon parameter specifies whether to allow convenience logons on devices. Valid values for this parameter are:
- $true: Convenience logons are allowed.
- $false: Convenience logons aren't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Windows 8.1 RT devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowDiagnosticSubmission
The AllowDiagnosticSubmission parameter specifies whether to allow diagnostic submissions from devices. Valid values for this parameter are:
- $true: Diagnostic submissions are allowed.
- $false: Diagnostic submissions aren't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Windows 8.1 RT
- Apple iOS 6+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowiCloudBackup
The AllowiCloudBackup parameter specifies whether to allow Apple iCloud Backup from devices. Valid values for this parameter are:
- $true: iCloud Backup is allowed.
- $false: iCloud Backup isn't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Apple iOS 6+
- Android 4+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowiCloudDocSync
The AllowiCloudDocSync parameter specifies whether to allow Apple iCloud Documents & Data sync on devices. Valid values for this parameter are:
- $true: iCloud Documents & Data sync is allowed.
- $false: iCloud Documents & Data sync isn't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Apple iOS 6+
- Android 4+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowiCloudPhotoSync
The AllowiCloudPhotoSync parameter specifies whether to allow Apple iCloud Photos sync on devices. Valid values for this parameter are:
- $true: iCloud Photos sync is allowed.
- $false: iCloud Photo sync isn't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Apple iOS 6+
- Android 4+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowJailbroken
The AllowJailbroken parameter specifies whether to allow access to your organization by jailbroken or rooted devices.
- $true: Jailbroken devices are allowed.
- $false: Jailbroken devices aren't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Apple iOS 6+
- Android 4+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowPassbookWhileLocked
The AllowPassbookWhileLocked parameter specifies whether to allow the use of Apple Passbook while devices are locked. Valid values for this parameter are:
- $true: Passbook is available while devices are locked.
- $false: Passbook isn't available while devices are locked.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Apple iOS 6+ devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowScreenshot
The AllowScreenshot parameter specifies whether to allow screenshots on devices. Valid values for this parameter are:
- $true: Screenshots are allowed.
- $false: Screenshots aren't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Apple iOS 6+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowSimplePassword
The AllowSimplePassword parameter specifies whether to allow simple or non-complex passwords on devices. Valid values for this parameter are:
- $true: Simple passwords are allowed.
- $false: Simple passwords aren't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Windows 8.1 RT
- Apple iOS 6+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowVideoConferencing
The AllowVideoConferencing parameter specifies whether to allow video conferencing on devices. Valid values for this parameter are:
- $true: Video conferencing is allowed.
- $false: Video conferencing isn't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Apple iOS 6+ devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowVoiceAssistant
The AllowVoiceAssistant parameter specifies whether to allow using the voice assistant on devices. Valid values for this parameter are:
- $true: The voice assistant is allowed.
- $false: The voice assistant isn't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Apple iOS 6+ devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AllowVoiceDialing
The AllowVoiceDialing parameter specifies whether to allow voice-activated telephone dialing. Valid values for this parameter are:
- $true: Voice dialing is allowed.
- $false: Voice dialing isn't allowed.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Apple iOS 6+ devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AntiVirusSignatureStatus
The AntiVirusSignatureStatus parameter specifies the antivirus signature status. Valid values for this parameter are:
- An integer.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Windows 8.1 RT devices.
| Type: | Int64 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AntiVirusStatus
The AntiVirusStatus parameter specifies the antivirus status. Valid values for this parameter are:
- An integer.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Windows 8.1 RT devices.
| Type: | Int64 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AppsRating
The AppsRating parameter species the maximum or most restrictive rating of apps that are allowed on devices. Valid values for this parameter are:
- AllowAll
- DontAllow
- Rating9plus
- Rating12plus
- Rating17plus
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Apple iOS 6+ devices.
| Type: | CARatingAppsEntry |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-AutoUpdateStatus
The AutoUpdateStatus parameter specifies the update settings for devices. Valid values for this parameter are:
- AutomaticCheckForUpdates
- AutomaticDownloadUpdates
- AutomaticUpdatesRequired
- DeviceDefault
- NeverCheckUpdates
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Windows 8.1 RT devices.
| Type: | CAAutoUpdateStatusEntry |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-BluetoothEnabled
The BluetoothEnabled parameter specifies whether to enable or disable Bluetooth on devices. Valid values for this parameter are:
- $true: Bluetooth is enabled.
- $false: Bluetooth is disabled.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Windows Phone 8.1 devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-CameraEnabled
The CameraEnabled parameter specifies whether to enable or disable cameras on devices. Valid values for this parameter are:
- $true: Cameras are enabled.
- $false: Cameras are disabled.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Apple iOS 6+
- Android 4+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Confirm
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
- Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax:
-Confirm:$false. - Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-DomainController
This parameter is reserved for internal Microsoft use.
| Type: | Fqdn |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-EmailAddress
The EmailAddress parameter specifies the email address. Valid values are:
- An email address: For example, julia@contoso.com.
- $null (blank): The setting isn't configured. This is the default value.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-EnableRemovableStorage
The EnableRemovableStorage parameter specifies whether removable storage can be used by devices. Valid values for this parameter are:
- $true: Removable storage can be used.
- $false: Removable storage can't be used.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Windows Phone 8.1 devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-ExchangeActiveSyncHost
The ExchangeActiveSyncHost parameter specifies the Exchange ActiveSync host. Valid values for this parameter are:
- A text value.
- $null (blank): The setting isn't configured. This is the default value.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-FirewallStatus
The FirewallStatus parameter specifies the acceptable firewall status values on devices. Valid values for this parameter are:
- Required
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Windows 8.1 RT devices.
| Type: | Required |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-ForceAppStorePassword
The ForceAppStorePassword parameter specifies whether to require a password to use the app store on devices. Valid values for this parameter are:
- $true: App store passwords are required.
- $false: App store passwords aren't required.
- $null (blank): The feature isn't allowed or blocked by the rule. This is the default value.
This setting is available only on Apple iOS 6+ devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-ForceEncryptedBackup
The ForceEncryptedBackup parameter specifies whether to force encrypted backups for devices. Valid values for this parameter are:
- $true: Encrypted backups are required.
- $false: Encrypted backups aren't required.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Apple iOS 6+
- Android 4+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-MaxPasswordAttemptsBeforeWipe
The MaxPasswordAttemptsBeforeWipe parameter specifies the number of incorrect password attempts that cause devices to be automatically wiped. Valid values for this parameter are:
- An integer.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Windows 8.1 RT
- Apple iOS 6+
- Android 4+
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-MaxPasswordGracePeriod
The MaxPasswordGracePeriod parameter specifies the length of time users are allowed to reset expired passwords on devices.
This setting is available only on Apple iOS 6+ devices.
To specify a value, enter it as a time span: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds.
| Type: | TimeSpan |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-MoviesRating
The MoviesRating parameter species the maximum or most restrictive rating of movies that are allowed on devices. You specify the country/region rating system to use with the RegionRatings parameter.
Valid values for the MoviesRating parameter are:
- AllowAll: All movies are allowed, regardless of their rating.
- DontAllow: No movies are allowed, regardless of their rating.
- $null (blank): The setting isn't configured. This is the default value.
Australia
- AURatingG
- AURatingPG
- AURatingM
- AURatingMA15plus
- AURatingR18plus
Canada
- CARatingG
- CARatingPG
- CARating14A
- CARating18A
- CARatingR
Germany
- DERatingab0Jahren
- DERatingab6Jahren
- DERatingab12Jahren
- DERatingab16Jahren
- DERatingab18Jahren
France
- FRRating10minus
- FRRating12minus
- FRRating16minus
- FRRating18minus
United Kingdom
- GBRatingU
- GBRatingUc
- GBRatingPG
- GBRating12
- GBRating12A
- GBRating15
- GBRating18
Ireland
- IERatingG
- IERatingPG
- IERating12
- IERating15
- IERating16
- IERating18
Japan
- JPRatingG
- JPRatingPG12
- JPRatingRdash15
- JPRatingRdash18
New Zealand
- NZRatingG
- NZRatingPG
- NZRatingM
- NZRatingR13
- NZRatingR15
- NZRatingR16
- NZRatingR18
- NZRatingR
United States
- USRatingG
- USRatingPG
- USRatingPG13
- USRatingR
- USRatingNC17
This setting is available only on Apple iOS 6+ devices.
| Type: | CARatingMovieEntry |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PasswordComplexity
The PasswordComplexity parameter specifies the password complexity. Valid values for this parameter are:
- An integer.
- $null (blank): The setting isn't configured. This is the default value.
| Type: | Int64 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PasswordExpirationDays
The PasswordExpirationDays parameter specifies the number of days that the same password can be used on devices before users are required to change their passwords . Valid values for this parameter are:
- An integer.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Windows 8.1 RT
- Apple iOS 6+
- Android 4+
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PasswordHistoryCount
The PasswordHistoryCount parameter specifies the minimum number of unique new passwords that are required on devices before an old password can be reused. Valid values for this parameter are:
- An integer.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Windows 8.1 RT
- Apple iOS 6+
- Android 4+
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PasswordMinComplexChars
The PasswordMinComplexChars parameter specifies the minimum number of complex characters that are required for device passwords. A complex character isn't a letter. Valid values for this parameter are:
- An integer.
- $null (blank): The setting isn't configured. This is the default value.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PasswordMinimumLength
The PasswordMinimumLength parameter specifies the minimum number of characters that are required for device passwords. Valid values for this parameter are:
- An integer.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Windows 8.1 RT
- Apple iOS 6+
- Android 4+
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PasswordQuality
The PasswordQuality parameter specifies the minimum password quality rating that's required for device passwords. Password quality is a numeric scale that indicates the security and complexity of the password. A higher quality value indicates a more secure password.
Valid values for this parameter are:
- An integer.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Android 4+ devices.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PasswordRequired
The PasswordRequired parameter specifies whether a password is required to access devices. Valid values for this parameter are:
- $true: Device passwords are required.
- $false: Device passwords aren't required.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Apple iOS 6+
- Android 4+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PasswordTimeout
The PasswordTimeout parameter specifies the length of time that devices can be inactive before a password is required to reactivate them.
This setting is available on the following types of devices:
- Windows Phone 8.1
- Windows 8.1 RT
- Apple iOS 6+
- Android 4+
To specify a value, enter it as a time span: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds.
| Type: | TimeSpan |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-PhoneMemoryEncrypted
The PhoneMemoryEncrypted parameter specifies whether to encrypt the memory on devices. Valid values for this parameter are:
- $true: Memory is encrypted.
- $false: Memory isn't encrypted.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available on the following types of devices:
- Windows Phone 8.1 (already encrypted and can't be unencrypted)
- Android 4+
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Policy
The Policy parameter specifies the mobile device conditional access policy that this rule is associated with. You can use any value that uniquely identifies the policy. For example:
- Name
- Distinguished name (DN)
- GUID
| Type: | PolicyIdParameter |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-RegionRatings
The RegionRatings parameter specifies the rating system (country/region) to use for movie and television ratings with the MoviesRating and TVShowsRating parameters.
Valid values for the RegionRating parameter are:
- $null (blank): The setting isn't configured. This is the default value.
- au: Australia
- ca: Canada
- de: Germany
- fr: France
- gb: United Kingdom
- ie: Ireland
- jp: Japan
- nz: New Zealand
- us: United States
This setting is available only on Apple iOS 6+ devices.
| Type: | CARatingRegionEntry |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-RequireEmailProfile
The RequireEmailProfile parameter specifies whether an email profile is required on devices. Valid values for this parameter are:
- $true: An email profile is required. This value is required for selective wipe on iOS devices.
- $false: An email profile isn't required.
- $null (blank): The setting isn't configured. This is the default value.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-SmartScreenEnabled
The SmartScreenEnabled parameter specifies whether to requireWindows SmartScreen on devices. Valid values for this parameter are:
- $true: SmartScreen is enabled.
- $false: SmartScreen is disabled.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Windows 8.1 RT devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-SystemSecurityTLS
The SystemSecurityTLS parameter specifies whether TLS encryption is used on devices. Valid values for this parameter are:
- $true: TLS encryption is used.
- $false: TLS encryption isn't used.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Apple iOS 6+ devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-TargetGroups
The TargetGroups parameter specifies the security groups that this rule applies to. This parameter uses the GUID value of the group. To find this GUID value, run the command Get-Group | Format-Table Name,GUID.
You can specify multiple groups separated by commas.
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-TVShowsRating
The TVShowsRating parameter species the maximum or most restrictive rating of television shows that are allowed on devices. You specify the country/region rating system to use with the RegionRatings parameter.
Valid values for the TVShowsRating parameter are:
- AllowAll: All television shows are allowed, regardless of their rating.
- DontAllow: No televisions shows are allowed, regardless of their rating.
- $null (blank): The setting isn't configured. This is the default value.
Australia
- AURatingP
- AURatingC
- AURatingG
- AURatingPG
- AURatingM
- AURatingMA15plus
- AURatingAv15plus
Canada
- CARatingC
- CARatingC8
- CARatingG
- CARatingPG
- CARating14plus
- CARating18plus
Germany
- DERatingab0Jahren
- DERatingab6Jahren
- DERatingab12Jahren
- DERatingab16Jahren
- DERatingab18Jahren
France
- FRRating10minus
- FRRating12minus
- FRRating16minus
- FRRating18minus
United Kingdom
- GBRatingCaution
Ireland
- IERatingGA
- IERatingCh
- IERatingYA
- IERatingPS
- IERatingMA
Japan
- JPRatingExplicitAllowed
New Zealand
- NZRatingG
- NZRatingPGR
- NZRatingAO
United States
- USRatingTVY
- USRatingTVY7
- USRatingTVG
- USRatingTVPG
- USRatingTV14
- USRatingTVMA
This setting is available only on Apple iOS 6+ devices.
| Type: | CARatingTvShowEntry |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-UserAccountControlStatus
The UserAccountControlStatus parameter specifies how User Account Control messages are presented on devices. Valid values for this parameter are:
- $null (blank): The setting isn't configured. This is the default value.
- AlwaysNotify
- NeverNotify
- NotifyAppChanges
- NotifyAppChangesDoNotDimdesktop
This setting is available only on Windows 8.1 RT devices.
| Type: | CAUserAccountControlStatusEntry |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-WhatIf
The WhatIf switch doesn't work in Security & Compliance PowerShell.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-WLANEnabled
The WLANEnabled parameter specifies whether Wi-Fi is enabled devices. Valid values for this parameter are:
- $true: Wi-Fi is enabled.
- $false: Wi-Fi is disabled.
- $null (blank): The setting isn't configured. This is the default value.
This setting is available only on Microsoft Windows Phone 8.1 devices.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-WorkFoldersSyncUrl
The WorkFoldersSyncUrl parameter specifies the URL that's used to synchronize company data on devices.
Valid input for this parameter a URL. For example, https://workfolders.contoso.com.
This setting is available only on Windows 8.1 RT devices.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |