Understanding Exchange ActiveSync Mailbox Policies
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
This topic discusses Microsoft Exchange ActiveSync mailbox policies and how they can be used in your Microsoft Exchange Server 2010 environment.
Overview
Exchange ActiveSync mailbox policies let you apply a common set of policy or security settings to a user or group of users. The following table summarizes the settings you can specify by using Exchange ActiveSync mailbox policies.
Important: Windows Phone 7 mobile phones only support a subset of all Exchange ActiveSync mailbox policy settings. For a complete list, see Windows Phone 7 Synchronization later in this topic.
Exchange ActiveSync mailbox policy settings
Setting | Description
---|---
Allow Bluetooth | This setting specifies whether a mobile phone allows Bluetooth connections. The available options are Disable, HandsFree Only, and Allow. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow Browser | This setting specifies whether Pocket Internet Explorer is allowed on the mobile phone. This setting doesn't affect third-party browsers installed on the phone. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow Camera | This setting specifies whether the mobile phone camera can be used. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow Consumer Mail | This setting specifies whether the mobile phone user can configure a personal e-mail account (either POP3 or IMAP4) on the mobile phone. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow Desktop Sync | This setting specifies whether the mobile phone can synchronize with a computer through a cable, Bluetooth, or IrDA connection. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow HTML E-mail | This setting specifies whether e-mail synchronized to the mobile phone can be in HTML format. If this setting is set to
Allow Internet Sharing | This setting specifies whether the mobile phone can be used as a modem for a desktop or a portable computer. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow IrDA | This setting specifies whether infrared connections are allowed to and from the mobile phone. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow non-provisionable devices | This setting specifies whether older phones that may not support application of all policy settings are allowed to connect to Exchange 2010 by using Exchange ActiveSync.
Allow POPIMAPEmail | This setting specifies whether the user can configure a POP3 or an IMAP4 e-mail account on the mobile phone.
Allow Remote Desktop | This setting specifies whether the mobile phone can initiate a remote desktop connection. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow simple password | This setting enables or disables the ability to use a simple password such as 1234. The default value is
Allow S/MIME software certificates | This setting specifies whether S/MIME software certificates are allowed on the mobile phone.
Allow storage card | This setting specifies whether the mobile phone can access information that's stored on a storage card. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow text messaging | This setting specifies whether text messaging is allowed from the mobile phone. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow unsigned applications | This setting specifies whether unsigned applications can be installed on the mobile phone. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow unsigned installation packages | This setting specifies whether an unsigned installation package can be run on the mobile phone. The Exchange Enterprise Client Access License is required to change the values of this setting.
Allow Wi-Fi | This setting specifies whether wireless Internet access is allowed on the mobile phone. The Exchange Enterprise Client Access License is required to change the values of this setting.
Alphanumeric password required | This setting requires that a password contains numeric and non-numeric characters.
Approved Application List | This setting stores a list of approved applications that can be run on the mobile phone. The Exchange Enterprise Client Access License is required to change the values of this setting.
Attachments enabled | This setting enables attachments to be downloaded to the mobile phone.
Device encryption enabled | This setting enables encryption on the mobile phone. Not all mobile phones can enforce encryption. For more information, see the phone and mobile operating system documentation.
Password enabled | This setting enables the mobile phone password.
Password expiration | This setting enables the administrator to configure a length of time after which a mobile phone password must be changed.
Password history | This setting specifies the number of past passwords that can be stored in a user's mailbox. A user can't reuse a stored password.
Policy refresh interval | This setting defines how frequently the mobile phone updates the Exchange ActiveSync policy from the server.
Maximum attachment size | This setting specifies the maximum size of attachments that are automatically downloaded to the mobile phone.
Maximum calendar age filter | This setting specifies the maximum range of calendar days that can be synchronized to the mobile phone. The value is specified in days.
Maximum failed password attempts | This setting specifies how many times an incorrect password can be entered before the mobile phone performs a wipe of all data.
Maximum inactivity time lock | This setting specifies the length of time that a mobile phone can go without user input before it locks.
Minimum password length | This setting specifies the minimum password length.
Maximum e-mail age filter | This setting specifies the maximum number of days' worth of e-mail items to synchronize to the mobile phone. The value is specified in days.
Maximum HTML e-mail body truncation size | This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in kilobytes (KB).
Minimum device password complex characters | This setting specifies the minimum number of complex characters required in a mobile phone password. A complex character is any character that is not a letter.
Maximum e-mail body truncation size | This setting specifies the size beyond which e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in kilobytes (KB).
Password recovery | When this setting is enabled, the mobile phone generates a recovery password that's sent to the server. If the user forgets their mobile phone password, the recovery password can be used to unlock the mobile phone and enable the user to create a new mobile phone password.
Require Device Encryption | This setting specifies whether device encryption is required. If set to
Require encrypted S/MIME messages | This setting specifies whether S/MIME messages must be encrypted.
Require manual synchronization while roaming | This setting specifies whether the mobile phone must synchronize manually while roaming. Allowing automatic synchronization while roaming will frequently lead to larger-than-expected data costs for the mobile phone plan.
Require storage card encryption | This setting specifies whether the storage card must be encrypted. Not all mobile phone operating systems support storage card encryption. For more information, see your mobile phone and mobile operating system documentation.
Unapproved InROM application list | This setting specifies a list of applications that cannot be run in ROM. The Exchange Enterprise Client Access License is required to change the values of this setting.
Modifying the following mailbox policies from their default settings requires an Exchange Enterprise Client Access License for each affected mailbox:
- Allow Bluetooth
- Allow Browser
- Allow Camera
- Allow Consumer Mail
- Allow Desktop Sync
- Allow Internet Sharing
- Allow IrDA
- Allow Remote Desktop
- Allow storage card
- Allow text messaging
- Allow unsigned applications
- Allow unsigned installation packages
- Allow Wi-Fi
- Approved Application List
- Unapproved InROM application list
For example, you can create a policy that you apply to all users in your Exchange organization. The following table lists possible settings for this policy.
Sample Exchange ActiveSync mailbox policy settings for all users
Setting | Value
---|---
Allow non-provisionable devices | False
Allow POPIMAPEmail | True
Allow Remote Desktop | True
Allow simple password | True
Allow S/MIME software certificates | True
Allow storage card | False
Allow text messaging | True
Allow unsigned applications | False
Allow unsigned installation packages | True
Allow Wi-Fi | False
Alphanumeric password required | True
Approved Application List | Null
Attachments enabled | True
Device encryption enabled | True
Maximum calendar age filter | 15
Maximum attachment size | 500 kilobytes (KB)
Maximum failed password attempts | 4
Minimum password length | 4
Maximum e-mail age filter | 10
Maximum e-mail body truncation size | 3 KB
Minimum device password complex characters | 2
Maximum HTML e-mail body truncation size | 7 KB
Password enabled | True
Password expiration | 10 days
Password history | 8 passwords stored
Require manual synchronization while roaming | True
UNC file access | Disabled
WSS file access | Disabled
Note: You don't have to specify all policy settings when you create a new Exchange ActiveSync mailbox policy. Any policy setting you don't explicitly set will keep its default value.
Exchange ActiveSync mailbox policies can be created in the Exchange Management Console or the Exchange Management Shell. If you create a policy in the EMC, you can configure only a subset of the available settings. You can configure the rest of the settings using the Shell.
When you install Exchange 2010, a default Exchange ActiveSync mailbox policy is created. The default policy is automatically applied when a new user is created through the EMC or the Shell.
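The following Exchange Management Shell script is an added example, not part of this topic, that builds the sample "all users" policy from the table above and assigns it to one mailbox. The policy name `AllUsers-EAS` and the mailbox `alice@contoso.com` are placeholders. The Shell expresses the two age filters as named ranges rather than a day count, so `TwoWeeks` is used here as the nearest value to the table's 15 and 10 days; that choice is an assumption of the example.

```powershell
# Added example: create the sample policy with New-ActiveSyncMailboxPolicy.
# Settings omitted from the hashtable keep their defaults (see the default-settings table).
$policyName = 'AllUsers-EAS'   # placeholder name

$settings = @{
    Name                               = $policyName
    AllowNonProvisionableDevices       = $false     # devices that cannot enforce policy are refused
    AllowPOPIMAPEmail                  = $true
    AllowRemoteDesktop                 = $true      # Enterprise CAL setting
    AllowSimpleDevicePassword          = $true
    AllowSMIMESoftwareCerts            = $true
    AllowStorageCard                   = $false     # Enterprise CAL setting
    AllowTextMessaging                 = $true      # Enterprise CAL setting
    AllowUnsignedApplications          = $false     # Enterprise CAL setting
    AllowUnsignedInstallationPackages  = $true      # Enterprise CAL setting
    AllowWiFi                          = $false     # Enterprise CAL setting
    AlphanumericDevicePasswordRequired = $true
    AttachmentsEnabled                 = $true
    DeviceEncryptionEnabled            = $true
    MaxCalendarAgeFilter               = 'TwoWeeks' # table: 15 days (named range is an assumption)
    MaxAttachmentSize                  = 500KB
    MaxDevicePasswordFailedAttempts    = 4          # phone wipes after the 4th failure
    MinDevicePasswordLength            = 4
    MaxEmailAgeFilter                  = 'TwoWeeks' # table: 10 days (named range is an assumption)
    MaxEmailBodyTruncationSize         = 3          # KB
    MinDevicePasswordComplexCharacters = 2
    MaxEmailHTMLBodyTruncationSize     = 7          # KB
    DevicePasswordEnabled              = $true
    DevicePasswordExpiration           = '10.00:00:00'  # 10 days, as a TimeSpan
    DevicePasswordHistory              = 8
    RequireManualSyncWhenRoaming       = $true
    UNCAccessEnabled                   = $false
    WSSAccessEnabled                   = $false
}

New-ActiveSyncMailboxPolicy @settings

# Assign the policy to a mailbox (placeholder identity) and confirm the assignment.
Set-CASMailbox -Identity 'alice@contoso.com' -ActiveSyncMailboxPolicy $policyName
Get-CASMailbox -Identity 'alice@contoso.com' |
    Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Read back the password-related values to verify the policy was stored as intended.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List DevicePasswordEnabled, AlphanumericDevicePasswordRequired,
                MinDevicePasswordLength, MaxDevicePasswordFailedAttempts,
                DevicePasswordExpiration, DevicePasswordHistory, DeviceEncryptionEnabled
```

Splatting the settings through a hashtable keeps each value next to its comment and avoids the long backtick-continued command line; the same hashtable can be reused with Set-ActiveSyncMailboxPolicy (minus `Name`, plus `-Identity`) to push a later change to the existing policy.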
You don't have to assign a user to an Exchange ActiveSync mailbox policy. The following table summarizes the policy settings used if you don't assign a user to a policy.
Default Exchange ActiveSync settings
Setting | Value
---|---
Allow Bluetooth | Allow
Allow Browser | True
Allow Camera | True
Allow Consumer Mail | True
Allow Desktop Sync | True
Allow HTML E-mail | True
Allow Internet Sharing | True
Allow IrDA | True
Allow non-provisionable devices | True
Allow simple password | False
Allow POPIMAPEmail | True
Allow Remote Desktop | True
Alphanumeric password required | False
Allow S/MIME software certificates | True
Allow storage card | True
Allow text messaging | True
Allow unsigned applications | True
Allow unsigned installation packages | True
Allow Wi-Fi | True
Attachments enabled | True
Device encryption enabled | False
Maximum calendar age filter | 7
Password enabled | False
Password expiration | Unlimited
Password history | 0
Policy refresh interval | Unlimited
Document browsing enabled | True
Maximum attachment size | Unlimited
Maximum failed password attempts | 4
Maximum inactivity time lock | 15 minutes
Minimum password length | 4
Maximum e-mail age filter | 3
Maximum e-mail body truncation size | 3 KB
Minimum device password complex characters | 0
Maximum HTML e-mail body truncation size | 3 KB
Require Device Encryption | False
Require encrypted S/MIME messages | False
Require manual synchronization while roaming | False
Require storage card encryption | False
Unapproved InROM application list | Null
Password recovery | Disabled
UNC file access | Enabled
WSS file access | Enabled
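Because a mailbox with no explicit assignment falls back to the default policy, and that policy ships with no device password and non-provisionable devices allowed, it is worth knowing which mailboxes actually run under those defaults. The following Shell script is an added example, not part of this topic, that reports the effective policy for every ActiveSync-enabled mailbox and flags the ones with no password enforcement. It assumes the default policy is still the one marked `IsDefaultPolicy` (the one created at installation).

```powershell
# Added example: find out which Exchange ActiveSync mailbox policy governs each mailbox.
# Written for the Exchange 2010 Management Shell (PowerShell 2.0 compatible syntax).

# Index all policies by name so each mailbox can be resolved without another directory call.
$policies = @{}
Get-ActiveSyncMailboxPolicy | ForEach-Object { $policies[$_.Name] = $_ }

# The policy applied when a mailbox has no explicit assignment.
# Assumption: the installation default is still flagged IsDefaultPolicy.
$defaultPolicy = Get-ActiveSyncMailboxPolicy | Where-Object { $_.IsDefaultPolicy } | Select-Object -First 1

$report = Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true } |
    ForEach-Object {
        # ActiveSyncMailboxPolicy is empty when the mailbox inherits the default policy.
        $inherited = -not $_.ActiveSyncMailboxPolicy
        $name = if ($inherited) { $defaultPolicy.Name } else { $_.ActiveSyncMailboxPolicy.Name }
        $policy = $policies[$name]

        New-Object PSObject -Property @{
            Mailbox                     = $_.Identity
            Policy                      = $name
            InheritsDefault             = $inherited
            PasswordEnabled             = $policy.DevicePasswordEnabled
            AllowNonProvisionable       = $policy.AllowNonProvisionableDevices
            DeviceEncryptionRequired    = $policy.RequireDeviceEncryption
        }
    }

# Mailboxes whose effective policy does not require a device password at all.
$noPassword = $report | Where-Object { -not $_.PasswordEnabled }

Write-Output ("ActiveSync-enabled mailboxes: {0}; on the default policy: {1}; without password enforcement: {2}" -f
    @($report).Count,
    @($report | Where-Object { $_.InheritsDefault }).Count,
    @($noPassword).Count)

$noPassword | Sort-Object Policy, Mailbox |
    Format-Table Mailbox, Policy, InheritsDefault, AllowNonProvisionable, DeviceEncryptionRequired -AutoSize
```

The `@(...)` wrappers around the pipeline results matter on PowerShell 2.0: a single result comes back as one object rather than an array, and `.Count` on it would not be 1.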
Windows Phone 7 Synchronization
If you have Windows Phone 7 mobile phones in your organization, these phones will experience synchronization problems if certain Exchange ActiveSync mailbox policy properties are configured. To allow Windows Phone 7 mobile phones to synchronize with an Exchange mailbox, either set the AllowNonProvisionableDevices property to true or only configure the following Exchange ActiveSync mailbox policy properties:
- PasswordRequired
- MinPasswordLength
- IdleTimeoutFrequencyValue
- DeviceWipeThreshold
- AllowSimplePassword
- PasswordExpiration
- PasswordHistory
- DisableRemovableStorage
- DisableIrDA
- DisableDesktopSync
- BlockRemoteDesktop
- BlockInternetSharing
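Checking an existing policy against this rule by hand means diffing every property, so the following Shell function is an added example, not part of this topic, that does the comparison. The property names in the list above are the names the policy uses on the device; the mapping from each of them to a Set-ActiveSyncMailboxPolicy property name in `$wp7Supported` is my assumption, as is the use of an unmodified policy named `Default` as the reference for "unchanged" values.

```powershell
# Added example: report which settings of a policy differ from an unmodified reference policy,
# and which of those differences fall outside the subset Windows Phone 7 honors.
# Mapping of device-side names (comments) to Shell property names is an assumption.
$wp7Supported = @(
    'DevicePasswordEnabled',            # PasswordRequired
    'MinDevicePasswordLength',          # MinPasswordLength
    'MaxInactivityTimeDeviceLock',      # IdleTimeoutFrequencyValue
    'MaxDevicePasswordFailedAttempts',  # DeviceWipeThreshold
    'AllowSimpleDevicePassword',        # AllowSimplePassword
    'DevicePasswordExpiration',         # PasswordExpiration
    'DevicePasswordHistory',            # PasswordHistory
    'AllowStorageCard',                 # DisableRemovableStorage
    'AllowIrDA',                        # DisableIrDA
    'AllowDesktopSync',                 # DisableDesktopSync
    'AllowRemoteDesktop',               # BlockRemoteDesktop
    'AllowInternetSharing'              # BlockInternetSharing
)

# Object metadata that differs between any two policies and says nothing about settings.
$metadataProperties = @(
    'Name', 'Identity', 'Id', 'Guid', 'DistinguishedName', 'WhenCreated', 'WhenChanged',
    'WhenCreatedUTC', 'WhenChangedUTC', 'ObjectCategory', 'ObjectClass', 'ObjectState',
    'OriginatingServer', 'ExchangeVersion', 'IsDefaultPolicy', 'IsValid',
    'AllowNonProvisionableDevices'   # handled separately below
)

function Test-WP7PolicyCompatibility {
    param(
        [Parameter(Mandatory = $true)] [string] $PolicyName,
        [string] $ReferencePolicyName = 'Default'   # assumption: an unmodified policy
    )
    $policy    = Get-ActiveSyncMailboxPolicy -Identity $PolicyName
    $reference = Get-ActiveSyncMailboxPolicy -Identity $ReferencePolicyName

    # First branch of the rule in the topic: non-provisionable devices allowed means
    # Windows Phone 7 syncs regardless of the other settings.
    if ($policy.AllowNonProvisionableDevices) {
        return New-Object PSObject -Property @{
            Policy = $PolicyName; Compatible = $true
            Reason = 'AllowNonProvisionableDevices is true'
            ChangedSettings = @(); UnsupportedForWP7 = @()
        }
    }

    # Second branch: every setting that differs from the reference must be in the supported list.
    # Values are compared as strings so TimeSpan, enum, and Unlimited<T> types all compare alike.
    $changed = @()
    foreach ($member in ($reference | Get-Member -MemberType Property)) {
        $n = $member.Name
        if ($metadataProperties -contains $n) { continue }
        if ("$($policy.$n)" -ne "$($reference.$n)") { $changed += $n }
    }
    $unsupported = @($changed | Where-Object { $wp7Supported -notcontains $_ })

    New-Object PSObject -Property @{
        Policy            = $PolicyName
        Compatible        = ($unsupported.Count -eq 0)
        Reason            = if ($unsupported.Count -eq 0) { 'only Windows Phone 7 supported settings changed' }
                            else { 'settings outside the Windows Phone 7 subset changed' }
        ChangedSettings   = $changed
        UnsupportedForWP7 = $unsupported
    }
}

# Usage: evaluate every policy in the organization except the reference itself.
Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -ne 'Default' } |
    ForEach-Object { Test-WP7PolicyCompatibility -PolicyName $_.Name } |
    Format-List Policy, Compatible, Reason, UnsupportedForWP7
```

If the installation default policy has itself been edited, point `-ReferencePolicyName` at a policy you have created and never changed, since the function treats the reference as the definition of "not configured".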
Exchange ActiveSync Mailbox Policy Examples
The following figure shows how Exchange ActiveSync mailbox policies can be created to control different settings for three groups of users.
Example of Exchange ActiveSync mailbox policies
© 2010 Microsoft Corporation. All rights reserved.