Exchange 2013 – Configure Your Mobile Device Mailbox Policy

Now that Exchange 2013 is RTM and deployments are being planned, designed and even rolled out in some corporations, I am going to run a series of How To’s on configuring settings that are not as easy to reach as they once were. Take for example your Mobile Device policies. If we look at what is available in the Exchange Administration Console, we see that there are only a few settings in the new GUI for Exchange Server:

[Screenshot: MailboxPolicy02]

Now, if we look back at Exchange 2010, we can see that things have changed quite a bit in the GUI:

[Screenshot: MailboxPolicy01]

So how do we configure a more robust and feature rich policy in Exchange Server 2013?

PowerShell

Configuring the mobile policies via PowerShell in Exchange 2013 is almost exactly the same as in Exchange Server 2010, and the options that can be configured are essentially the same as well.

Below is a comparison of the options for Exchange 2010 and Exchange 2013 when it comes to configuring the ActiveSync or Mobile Device policies (depending on the Exchange version). The differences are listed separately after the table; most are parameters that are simply named differently in the two versions:

Exchange Server 2013                        Exchange Server 2010
-AllowBrowser                               -AllowBluetooth
-AllowCamera                                -AllowBrowser
-AllowConsumerEmail                         -AllowCamera
-AllowDesktopSync                           -AllowConsumerEmail
-AllowExternalDeviceManagement              -AllowDesktopSync
-AllowHTMLEmail                             -AllowExternalDeviceManagement
-AllowInternetSharing                       -AllowHTMLEmail
-AllowIrDA                                  -AllowInternetSharing
-AllowMobileOTAUpdate                       -AllowIrDA
-AllowNonProvisionableDevices               -AllowMobileOTAUpdate
-AllowPOPIMAPEmail                          -AllowNonProvisionableDevices
-AllowRemoteDesktop                         -AllowPOPIMAPEmail
-AllowSimplePassword                        -AllowRemoteDesktop
-AllowSMIMEEncryptionAlgorithmNegotiation   -AllowSimpleDevicePassword
-AllowSMIMESoftCerts                        -AllowSMIMEEncryptionAlgorithmNegotiation
-AllowStorageCard                           -AllowSMIMESoftCerts
-AllowTextMessaging                         -AllowStorageCard
-AllowUnsignedApplications                  -AllowTextMessaging
-AllowUnsignedInstallationPackages          -AllowUnsignedApplications
-AllowWiFi                                  -AllowUnsignedInstallationPackages
-AlphanumericPasswordRequired               -AllowWiFi
-ApprovedApplicationList                    -AlphanumericDevicePasswordRequired
-AttachmentsEnabled                         -ApprovedApplicationList
-Confirm                                    -AttachmentsEnabled
-DeviceEncryptionEnabled                    -Confirm
-DevicePolicyRefreshInterval                -DeviceEncryptionEnabled
-DomainController                           -DevicePasswordEnabled
-Identity                                   -DevicePasswordExpiration
-IrmEnabled                                 -DevicePasswordHistory
-IsDefault                                  -DevicePolicyRefreshInterval
-MaxAttachmentSize                          -DomainController
-MaxCalendarAgeFilter                       -Identity
-MaxEmailAgeFilter                          -IrmEnabled
-MaxEmailBodyTruncationSize                 -IsDefaultPolicy
-MaxEmailHTMLBodyTruncationSize             -MaxAttachmentSize
-MaxInactivityTimeLock                      -MaxCalendarAgeFilter
-MaxPasswordFailedAttempts                  -MaxDevicePasswordFailedAttempts
-MinPasswordComplexCharacters               -MaxEmailAgeFilter
-MinPasswordLength                          -MaxEmailBodyTruncationSize
-MobileOTAUpdateMode                        -MaxEmailHTMLBodyTruncationSize
-Name                                       -MaxInactivityTimeDeviceLock
-PasswordEnabled                            -MinDevicePasswordComplexCharacters
-PasswordExpiration                         -MinDevicePasswordLength
-PasswordHistory                            -MobileOTAUpdateMode
-PasswordRecoveryEnabled                    -Name
-RequireDeviceEncryption                    -PasswordRecoveryEnabled
-RequireEncryptedSMIMEMessages              -RequireDeviceEncryption
-RequireEncryptionSMIMEAlgorithm            -RequireEncryptedSMIMEMessages
-RequireManualSyncWhenRoaming               -RequireEncryptionSMIMEAlgorithm
-RequireSignedSMIMEAlgorithm                -RequireManualSyncWhenRoaming
-RequireSignedSMIMEMessages                 -RequireSignedSMIMEAlgorithm
-RequireStorageCardEncryption               -RequireSignedSMIMEMessages
-UnapprovedInROMApplicationList             -RequireStorageCardEncryption
-UNCAccessEnabled                           -UnapprovedInROMApplicationList
-WhatIf                                     -UNCAccessEnabled
-WSSAccessEnabled                           -WhatIf
                                            -WSSAccessEnabled

The main differences are renamed parameters and the removal of the Bluetooth option from the policy configuration:

Exchange Server 2013                Exchange Server 2010
                                    -AllowBluetooth
-AllowSimplePassword                -AllowSimpleDevicePassword
-AlphanumericPasswordRequired       -AlphanumericDevicePasswordRequired
-PasswordEnabled                    -DevicePasswordEnabled
-PasswordExpiration                 -DevicePasswordExpiration
-PasswordHistory                    -DevicePasswordHistory
-IsDefault                          -IsDefaultPolicy
-MaxInactivityTimeLock              -MaxInactivityTimeDeviceLock
-MaxPasswordFailedAttempts          -MaxDevicePasswordFailedAttempts
-MinPasswordComplexCharacters       -MinDevicePasswordComplexCharacters
-MinPasswordLength                  -MinDevicePasswordLength

On to configuring! The first step is to create a new policy for your mobile ActiveSync devices. The cmdlet we use here is ‘New-MobileDeviceMailboxPolicy’. Here is an example of this command used to create a new policy for your IT department:

New-MobileDeviceMailboxPolicy -Name:"IT Mobile Devices" -AlphanumericPasswordRequired:$true -MinPasswordComplexCharacters:3 -PasswordHistory:10


Now we have a basic policy that enforces an alphanumeric password containing three character types and keeps a history of the last ten passwords.

[Screenshot: MailboxPolicy04]

Once we have a policy created, we can list the policies that exist in Exchange with the Get-MobileDeviceMailboxPolicy PowerShell command:

[Screenshot: MailboxPolicy06]

Now let’s say that in the future you are required to change some of the settings in your policy. For example, you are required to keep a history of 15 passwords and to allow password recovery. For this we can use ‘Set-MobileDeviceMailboxPolicy’:

[Screenshot: MailboxPolicy07]

If you need to remove a policy, simply use the Remove-MobileDeviceMailboxPolicy command:

[Screenshot: MailboxPolicy08]
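The four steps above (create, list, change, remove) are each a single cmdlet call. As an added example, not code from the original post, the script below builds the post’s “IT Mobile Devices” policy with a fuller, security-focused set of parameters, re-reads the policy to confirm each setting took effect, and assigns it to a mailbox. It assumes the Exchange 2013 Exchange Management Shell; the mailbox address is a placeholder, and Set-CASMailbox (used for the assignment) is not covered in the post.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
$PolicyName = "IT Mobile Devices"

# Settings use the Exchange 2013 parameter names from the comparison table.
# TimeSpan values are written as days.hours:minutes:seconds.
$Settings = @{
    PasswordEnabled              = $true        # a device password is mandatory
    AlphanumericPasswordRequired = $true
    MinPasswordComplexCharacters = 3
    MinPasswordLength            = 8
    AllowSimplePassword          = $false       # rejects 1234 / 1111 style PINs
    PasswordHistory              = 10
    PasswordExpiration           = "90.00:00:00"
    MaxPasswordFailedAttempts    = 10           # device performs a local wipe after this many
    MaxInactivityTimeLock        = "00:15:00"
    RequireDeviceEncryption      = $true
    PasswordRecoveryEnabled      = $true        # device stores a recovery password on the server
    # Devices that cannot apply every setting are refused instead of syncing unprotected;
    # the user sees a policy/provisioning error on the device.
    AllowNonProvisionableDevices = $false
}

# Create the policy if it does not exist yet, otherwise bring it in line with $Settings.
if (Get-MobileDeviceMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    Set-MobileDeviceMailboxPolicy -Identity $PolicyName @Settings
} else {
    New-MobileDeviceMailboxPolicy -Name $PolicyName @Settings | Out-Null
}

# Verify: read the policy back and report any parameter that did not take effect.
# Values are compared as strings so booleans and TimeSpans compare cleanly.
$Actual = Get-MobileDeviceMailboxPolicy -Identity $PolicyName
$Drift  = foreach ($Key in $Settings.Keys) {
    if ("$($Actual.$Key)" -ne "$($Settings[$Key])") {
        [pscustomobject]@{ Setting = $Key; Expected = $Settings[$Key]; Actual = $Actual.$Key }
    }
}
if ($Drift) { $Drift | Format-Table -AutoSize }
else        { "Policy '$PolicyName' matches the intended settings." }

# A policy only protects the mailboxes it is assigned to. Assignment is per mailbox
# via Set-CASMailbox; the address below is a placeholder for a real IT user.
Set-CASMailbox -Identity "it.user@example.com" -ActiveSyncMailboxPolicy $PolicyName
```

Running the verification block on its own is a cheap way to catch a policy that was edited by hand in the GUI and drifted from the intended baseline.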



Further Reading
Get-MobileDeviceMailboxPolicy
New-MobileDeviceMailboxPolicy
Remove-MobileDeviceMailboxPolicy
Set-ActiveSyncMailboxPolicy ***
Set-MobileDeviceMailboxPolicy


*** The Set-ActiveSyncMailboxPolicy cmdlet will be removed in a future version of Exchange. Use the Set-MobileDeviceMailboxPolicy cmdlet instead. If you have any scripts that use the Set-ActiveSyncMailboxPolicy cmdlet, update them to use the Set-MobileDeviceMailboxPolicy cmdlet.


2 thoughts on “Exchange 2013 – Configure Your Mobile Device Mailbox Policy”

  1. Hi, great article,

    One of our users is not able to connect to the server and is getting a “Security update required” message all the time.

    Is there a way to know which part of the policy he violated to get this message?

    Thanks again
