Configuring Exchange Server 2007 for Windows Mobile Devices Part-2
In the first part we covered Autodiscover and Direct Push. In this part we will focus on configuring policies.
Exchange ActiveSync Mailbox Policy
Exchange ActiveSync Mailbox Policy makes it possible to enhance the security of mobile devices used to access your Exchange servers. As an example, you can use policy to require a password of a specific length and to configure devices to automatically prompt for a password after a period of inactivity.
Each mailbox policy you create has a name and a specific set of rules with which it is associated. Because you can apply policies separately to mailboxes when you create or modify them, you can create different policies for different groups of users. For example, you can have one policy for users and another policy for managers. You can also create separate policies for departments within the organization. For example, you can have separate policies for Marketing, Customer Support, and Technology.
Viewing Existing Exchange ActiveSync Mailbox Policies
In Exchange Management Console, you can view the currently configured Exchange ActiveSync Mailbox policies by completing the following steps:
Start Exchange Management Console. Expand the Organization Configuration node, and then select Client Access.
In the details pane, you'll see a list of current policies.
In Exchange Management Shell, you can list policies using the Get-MobileMailboxPolicy cmdlet. The syntax and usage are shown below. If you do not provide an identity with this cmdlet, all available Exchange ActiveSync Mailbox policies are listed.
Syntax
Get-MobileMailboxPolicy [-Identity 'PolicyIdentity']
Usage
Get-MobileMailboxPolicy
Get-MobileMailboxPolicy -Identity 'Primary ActiveSync Mailbox Policy'
Creating Exchange ActiveSync Mailbox Policies
The Exchange ActiveSync Mailbox policies you create apply to your entire organization. You apply policies separately after you create them, as discussed in the "Assigning Exchange ActiveSync Mailbox Policies" section of this chapter.
In Exchange Management Console, you can create a new policy by completing the following steps:
1. Start Exchange Management Console. Expand the Organization Configuration node, and then select Client Access.
2. In the details pane, you'll see the Exchange ActiveSync Mailbox Policy node. Right-click an open area of the details pane, and select New Exchange ActiveSync Mailbox Policy.
3. As shown in the figure below, type a descriptive name for the policy, and then use the following options to configure the policy:
[Figure: New Exchange ActiveSync Mailbox Policy dialog]
Allow Non-Provisionable Devices : Non-provisionable devices are older devices that do not support the Autodiscover service. If you select this option, these older devices can connect to Exchange 2007 by using Exchange ActiveSync.
Allow Attachments To Be Downloaded To Device : Enables attachments to be downloaded to mobile devices. If you do not select this option, any message attachments are not downloaded with user messages.
Require Alphanumeric Passwords : Requires that a password contain non-numeric as well as numeric characters. If you do not select this option, users can use simple passwords, which may not be secure.
Enable Password Recovery : Enables the device password to be recovered from the server. If you do not select this option and the user forgets his or her password, you will not be able to reset the device password and the user will be unable to access his or her mailbox using the device.
Require Encryption On Device : Requires mobile devices to use encryption. Since encrypted data cannot be accessed without the appropriate password, this helps to protect the data on the device. If you select this option, Exchange will only allow devices to download data if they use encryption.
Allow Simple Password : Allows the user to use a non-complex password instead of a password that meets the minimum complexity requirements.
Minimum Password Length : Allows you to set a minimum password length. You must select the related check box and then set the desired minimum password length, such as eight characters. The longer the password, the more secure it is. A good minimum password length is between 8 and 12 characters.
Time Without User Input Before Password Must Be Re-Entered : Allows you to specify the length of time (in minutes) that a device can go without user input before it locks. You must select the related check box and then set the desired time interval, such as 15.
Password Expiration : Allows you to specify the maximum length of time users can keep a password before they have to change it. You can use this option to require users to change their passwords periodically. A good password expiration value is between 30 and 90 days.
Enforce Password History : Allows you to specify how many old passwords are remembered and therefore how soon a password can be reused. You can use this option to discourage users from changing back and forth between a common set of passwords. To disable this option, set the size of the password history to zero. To enable this option, set the desired size of the password history. A good value is between 3 and 6.
4. Click New to create the policy, and then click Finish.
In Exchange Management Shell, you can create new Exchange ActiveSync Mailbox policies using the New-MobileMailboxPolicy cmdlet.
Syntax
New-MobileMailboxPolicy -Name 'Name' [-AllowNonProvisionableDevices <$true | $false>]
[-AllowSimpleDevicePassword <$true | $false>]
[-AlphanumericDevicePasswordRequired <$true | $false>]
[-AttachmentsEnabled <$true | $false>]
[-DeviceEncryptionEnabled <$true | $false>]
[-DevicePasswordEnabled <$true | $false>]
[-DevicePasswordExpiration 'Limit']
[-DevicePasswordHistory 'Number']
[-MaxAttachmentSize 'Limit']
[-MaxDevicePasswordFailedAttempts 'Limit']
[-MaxInactivityTimeDeviceLock 'Limit']
[-MinDevicePasswordLength <'Null' or 'Number'>]
[-PasswordRecoveryEnabled <$true | $false>]
[-UNCAccessEnabled <$true | $false>]
[-WSSAccessEnabled <$true | $false>]
Usage
New-MobileMailboxPolicy -Name 'Primary ActiveSync Mailbox Policy' `
    -AllowNonProvisionableDevices $true `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -MinDevicePasswordLength '8' `
    -PasswordRecoveryEnabled $true `
    -DeviceEncryptionEnabled $true `
    -AttachmentsEnabled $true
Optimizing Exchange ActiveSync Mailbox Policies
When you create an Exchange ActiveSync Mailbox policy, some additional settings are configured automatically. By default, access to both Windows file shares and Microsoft Windows SharePoint Services is allowed. If you specified that passwords were required, by default, the number of failed attempts allowed is eight. If the policy allows devices to download attachments, there is no default limit on the attachment size. You can modify these and other policy settings by completing the following steps:
• In Exchange Management Console, right-click the policy, and select Properties.
• On the General tab, use the options to configure whether non-provisionable devices, attachments, or both are allowed. If the policy allows attachments and you want to limit the size of attachments that users can download, select the Maximum Attachment Size (KB) check box, and then enter the size limit in kilobytes (KB), such as 900.
• If you don't want users to be able to access file shares, SharePoint Services, or both from their mobile devices, clear the Windows File Shares and Windows SharePoint Services check boxes.
• On the Password tab, you must select the Require Password check box to set controls for device passwords. The options available are the same as when you are creating a policy, with one addition: Number Of Failed Attempts Allowed. To limit the number of failed password attempts that can be made before a user's account is locked, select this check box, and then set the allowed limit. Click OK to apply your settings.
In Exchange Management Shell, you can modify Exchange ActiveSync Mailbox policies using the Set-MobileMailboxPolicy cmdlet.
Syntax
Set-MobileMailboxPolicy -Identity 'Name'
[-AllowNonProvisionableDevices <$true | $false>]
[-AllowSimpleDevicePassword <$true | $false>]
[-AlphanumericDevicePasswordRequired <$true | $false>]
[-AttachmentsEnabled <$true | $false>]
[-DeviceEncryptionEnabled <$true | $false>]
[-DevicePasswordEnabled <$true | $false>]
[-DevicePasswordExpiration 'Limit']
[-DevicePasswordHistory 'Number']
[-MaxAttachmentSize 'Limit']
[-MaxDevicePasswordFailedAttempts 'Limit']
[-MaxInactivityTimeDeviceLock 'Limit']
[-MinDevicePasswordLength <'Null' or 'Number'>]
[-Name <'NewName'>]
[-PasswordRecoveryEnabled <$true | $false>]
[-UNCAccessEnabled <$true | $false>]
[-WSSAccessEnabled <$true | $false>]
Usage
Set-MobileMailboxPolicy -Identity 'Primary ActiveSync Mailbox Policy' `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MaxInactivityTimeDeviceLock '00:08:00' `
    -MinDevicePasswordLength '6' `
    -MaxDevicePasswordFailedAttempts '5'
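The settings above are easy to leave at their permissive defaults, so here is an added example (not code from the original post) that reads every policy with Get-MobileMailboxPolicy and reports each setting that falls short of the guidance given in this post. It assumes the policy objects expose properties with the same names as the New-/Set-MobileMailboxPolicy parameters listed above, and that unlimited values render as the string 'Unlimited'.

```powershell
# Added example: audit Exchange ActiveSync mailbox policies against this post's baseline.
# Assumes property names match the cmdlet parameters shown above and that unlimited
# values stringify as 'Unlimited'.
function Test-ActiveSyncPolicyBaseline {
    param([string]$Identity)
    if ($Identity) { $policies = Get-MobileMailboxPolicy -Identity $Identity }
    else           { $policies = Get-MobileMailboxPolicy }
    foreach ($p in $policies) {
        $findings = @()
        if (-not $p.DevicePasswordEnabled) {
            $findings += 'device password not required (other password controls are moot)'
        }
        if ($p.AllowSimpleDevicePassword)               { $findings += 'simple (non-complex) passwords allowed' }
        if (-not $p.AlphanumericDevicePasswordRequired) { $findings += 'alphanumeric password not required' }
        if (-not $p.MinDevicePasswordLength -or [int]$p.MinDevicePasswordLength -lt 8) {
            $findings += 'minimum password length is below 8 characters'
        }
        # Time limits display as 'Unlimited' or as a TimeSpan string (00:15:00, 90.00:00:00)
        $lock = "$($p.MaxInactivityTimeDeviceLock)"
        if ($lock -eq 'Unlimited' -or [TimeSpan]::Parse($lock) -gt [TimeSpan]::FromMinutes(15)) {
            $findings += "inactivity lock is $lock (15 minutes or less recommended)"
        }
        $expiry = "$($p.DevicePasswordExpiration)"
        if ($expiry -eq 'Unlimited' -or [TimeSpan]::Parse($expiry) -gt [TimeSpan]::FromDays(90)) {
            $findings += "password expiration is $expiry (30 to 90 days recommended)"
        }
        if ([int]$p.DevicePasswordHistory -lt 3) {
            $findings += "password history is $($p.DevicePasswordHistory) (3 to 6 recommended)"
        }
        if ("$($p.MaxDevicePasswordFailedAttempts)" -eq 'Unlimited') {
            $findings += 'no limit on failed password attempts'
        }
        if (-not $p.DeviceEncryptionEnabled) { $findings += 'device encryption not required' }
        if ($p.AllowNonProvisionableDevices) {
            $findings += 'non-provisionable devices allowed (policy cannot be enforced on them)'
        }
        if ($p.AttachmentsEnabled -and "$($p.MaxAttachmentSize)" -eq 'Unlimited') {
            $findings += 'attachments allowed with no size limit'
        }
        if ($findings.Count -eq 0) { "$($p.Name): meets the baseline" }
        else { foreach ($f in $findings) { "$($p.Name): $f" } }
    }
}
# Usage: Test-ActiveSyncPolicyBaseline                       # every policy
#        Test-ActiveSyncPolicyBaseline -Identity 'Primary ActiveSync Mailbox Policy'
```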
Assigning Exchange ActiveSync Mailbox Policies
The easiest way to assign Exchange ActiveSync Mailbox policies is to do so when you create user mailboxes. In the New Mailbox wizard, you assign the Exchange ActiveSync Mailbox policy on the Mailbox Settings page.
For existing mailboxes, you can assign an Exchange ActiveSync Mailbox policy by completing the following steps:
1. In Exchange Management Console, expand the Recipient Configuration node, and then select the Mailbox node.
2. Right-click the mailbox with which you want to work, and then select Properties.
3. On the Mailbox Features tab, select Exchange ActiveSync, and then click Properties.
4. Select the Apply An Exchange ActiveSync Mailbox Policy check box.
5. Click Browse. In the Select Mobile Mailbox Policy dialog box, select the policy you want to assign, and then click OK. Click OK twice to apply your settings.
In Exchange Management Shell, you can assign an Exchange ActiveSync Mailbox policy to a mailbox using the MobileMailboxPolicy parameter of the Set-CASMailbox cmdlet.
Syntax
Set-CASMailbox -Identity 'MailboxIdentity' -MobileMailboxPolicy 'PolicyIdentity'
Usage
Set-CASMailbox -Identity 'Test User' -MobileMailboxPolicy 'Primary ActiveSync Mailbox Policy'
Removing Exchange ActiveSync Mailbox Policies
When you no longer need an Exchange ActiveSync Mailbox policy, you can remove it. In Exchange Management Console, right-click the policy, and select Remove. As long as no users are assigned to the policy, you'll see a confirmation prompt; clicking Yes tells Exchange Management Console to delete the policy. If users are assigned to the policy, you won't be able to remove it. You'll need to remove the policies from user mailboxes in order to delete the policy.
In Exchange Management Shell, you can remove an Exchange ActiveSync Mailbox policy that is not being used by utilizing the Remove-MobileMailboxPolicy cmdlet.
Syntax
Remove-MobileMailboxPolicy -Identity 'Name'
Usage
Remove-MobileMailboxPolicy -Identity 'Primary ActiveSync Mailbox Policy'
Remote Device Wipe
An administrator or the owner of the device can prevent the compromising of sensitive data by initiating a remote device wipe. After you initiate a remote device wipe, the device removes all its data the next time it connects to Exchange Server. Not only does this return the device to its factory default condition, it also removes any data stored on any storage card inserted into the device. Wiping the data prevents it from being compromised.
The easiest way to wipe a device remotely is to have the device owner initiate the wipe. Alternately, an administrator can log on to Outlook Web Access as the device owner and initiate the remote wipe. To do this, follow these steps:
1. Start Internet Explorer. In the Address field, type the Outlook Web Access URL, such as http://exch1.com/owa, and then press Enter to access this page.
2. When prompted, provide the logon credentials of the user whose device you want to wipe. Do not provide your administrator credentials.
3. On the Outlook Web Access toolbar, click Options.
4. The left pane of the Options view provides a list of options. Scroll down, and then click Mobile Devices.
5. The user's mobile devices are listed in the details pane. Select the device you want to wipe, and then click Wipe All Data From Device.
6. Confirm the action when prompted.
7. Click Remove Device From List.
You can use Outlook Web Access for remote device wiping only if the user has previously used the device to access Exchange Server and if you have enabled the Exchange ActiveSync Integration segmentation feature of Outlook Web Access (which is the default configuration).
Caution:
Because wiping a device will cause complete data loss, you should do this only when you've contacted the user directly (preferably in person) and confirmed that the mobile device has been lost and that he or she understands the consequences of wiping the device. If your organization has a formal policy regarding the wiping of lost devices that may contain sensitive company data, be sure you follow this policy and get any necessary approvals.
In Exchange Management Shell, you can list the mobile devices registered as partners for a user's mailbox using the Get-MobileDeviceStatistics cmdlet. The device identity you want is the DeviceId string. If the user has multiple mobile devices, be sure to consult also the DeviceModel and DeviceOperatorNetwork values.
After you know the mobile device identity, you can issue a remote device wipe command using the Clear-ActiveSyncDevice cmdlet. You'll then need to confirm that you want to wipe the device when prompted by pressing the Y key.
Syntax- To get device data
Get-MobileDeviceStatistics -Mailbox 'MailboxIdentity'
Usage
Get-MobileDeviceStatistics -Mailbox 'Test User'
Syntax- To Clear Device
Clear-ActiveSyncDevice -Identity 'MobileDeviceIdentity'
Usage
Clear-ActiveSyncDevice -Identity 'TestuserIdentity'
Reviewing the Remote Wipe Status
When you initiate a remote wipe, the mobile device removes all its data the next time it connects to Exchange Server. You can review the remote wipe status using an alternate syntax for the Get-MobileDeviceStatistics cmdlet. Instead of passing the cmdlet the Mailbox parameter, use the Identity parameter to specify the DeviceId string of the device you wiped. The statistics returned will include these output parameters:
- DeviceWipeRequestTime: the time you requested the remote wipe.
- DeviceWipeSentTime: the time the server sent the remote wipe command to the device.
- DeviceWipeAckTime: the time the device acknowledged receipt of the remote wipe command.
If there is a DeviceWipeSentTime timestamp, the device has connected to Exchange Server and Exchange Server sent the device the remote wipe command. If there is a DeviceWipeAckTime timestamp, the device acknowledged receipt of the remote wipe and has started to wipe its data.
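The lost-device procedure above (find the DeviceId, issue the wipe, then read the three timestamps) as an added example that is not code from the original post. It uses only the cmdlet and property names this post shows; the mailbox name is a constructed sample, and Clear-ActiveSyncDevice keeps its own Y/N confirmation prompt.

```powershell
# Added example: lost-device response using the cmdlets described in this post.
# Cmdlet and property names are taken from the post; nothing else is assumed.

# Step 1: list the partnered devices so the correct DeviceId can be chosen.
function Get-UserActiveSyncDevices {
    param([string]$Mailbox)
    Get-MobileDeviceStatistics -Mailbox $Mailbox |
        Select-Object DeviceId, DeviceModel, DeviceOperatorNetwork
}

# Step 3: turn the three DeviceWipe*Time fields into one readable state, following
# the interpretation given above (sent = device connected, acked = wipe started).
function Get-ActiveSyncWipeStatus {
    param([string]$DeviceId)
    $s = Get-MobileDeviceStatistics -Identity $DeviceId
    if (-not $s.DeviceWipeRequestTime) {
        $state = 'no wipe requested'
    } elseif (-not $s.DeviceWipeSentTime) {
        $state = 'requested, not yet sent: the device has not connected since the request'
    } elseif (-not $s.DeviceWipeAckTime) {
        $state = 'sent, not acknowledged: the device connected but has not confirmed the wipe'
    } else {
        $state = 'acknowledged: the device reported that it has started wiping its data'
    }
    "$DeviceId : $state"
    "  requested = $($s.DeviceWipeRequestTime)"
    "  sent      = $($s.DeviceWipeSentTime)"
    "  acked     = $($s.DeviceWipeAckTime)"
}

# Step 2: issue the wipe (the cmdlet prompts for Y/N, so the administrator still
# confirms interactively), then show the status immediately afterwards.
function Invoke-LostDeviceWipe {
    param([string]$DeviceId)
    Clear-ActiveSyncDevice -Identity $DeviceId
    Get-ActiveSyncWipeStatus -DeviceId $DeviceId
}

# Usage (constructed mailbox name; take the DeviceId from the first command's output):
# Get-UserActiveSyncDevices -Mailbox 'Test User'
# Invoke-LostDeviceWipe -DeviceId '<DeviceId from the list above>'
# Get-ActiveSyncWipeStatus -DeviceId '<DeviceId>'   # re-run later until 'acknowledged'
```

Until the state reaches "acknowledged" the data is still on the device, so keep re-checking after the wipe request rather than treating the request itself as completion.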
Password recovery
Users can create passwords for their mobile devices. If a user forgets his or her password, you can obtain a recovery password that unlocks the device and lets the user create a new password. The user can also recover his or her device password by using Outlook Web Access.
To use Outlook Web Access to recover a user's device password, complete the following steps:
1. Start Internet Explorer. In the Address field, type the Outlook Web Access URL, such as http://exch1/owa, and then press Enter to access this page.
2. When prompted, provide the user's logon credentials. Do not provide your administrator credentials.
3. On the Outlook Web Access toolbar, click Options.
4. The left pane of the Options view provides a list of options. Scroll down, and then click Mobile Devices.
5. The user's mobile devices are listed in the details pane. Select the device for which you are recovering the password.
6. Click Display Device Password.
You can display the device recovery password by completing the following steps:
1. In Exchange Management Console, expand the Recipient Configuration node, and then select the Mailbox node.
2. Right-click the user's mailbox, and then select Manage Mobile Device. The device recovery password is displayed in the Manage Mobile Device dialog box.
In Exchange Management Shell, you can display the device recovery password using the ShowRecoveryPassword parameter of the Get-ActiveSyncDeviceStatistics cmdlet.
Syntax
Get-ActiveSyncDeviceStatistics -Mailbox 'MailboxIdentity' -ShowRecoveryPassword $true
Usage
Get-ActiveSyncDeviceStatistics -Mailbox 'testuser' -ShowRecoveryPassword $true
Excellent. A very useful and practical guide and certainly will be tracking down part one.
Thanks for posting this, very helpful...
I am very glad to hear that it was very helpful for you.
Thanks for your comment