The Exchange 2007 Wiki

Exchange ActiveSync Policy User Experience

Purpose
This document evaluates the experiences that an Information Worker (IW) can have when Exchange ActiveSync policies are applied to their device in different states.

Possible States:

  • First Time Policy Applied onto device
  • Modify specific settings on device within the same policy
  • Reassign user to a new Exchange ActiveSync policy
  • Removing an Exchange ActiveSync policy from the user

1.   Executive Summary

This table covers all scenarios where a user may be associated with an Exchange ActiveSync policy.

Scenario                                User Prompted                                                                       Remote Wipe Works
First Time Policy Applied onto Device   Yes                                                                                 Yes
Modify Policy Settings Same Policy      Yes, only if the password change requires user intervention (e.g. longer password)  Yes
Reassign User to new Policy             Yes, only if the password change requires user intervention (e.g. longer password)  Yes
Remove Policy                           No                                                                                  Yes

Remote Wipe Only
There are IT Pro customers who want to use Exchange 2007 ActiveSync Remote Wipe because it is integrated into OWA (for user self-service scenarios), but who do not want to enforce device passwords because (1) they are using third-party mobile security or device management software, or (2) they do not want their users to take the usability hit of a device password.

For these customers, Exchange 2007 ActiveSync and Windows Mobile allow you to create a Remote Wipe only policy. This is done by creating a policy with no password requirement and assigning it to your identified users.

Pros: Enables you to have Remote Wipe functionality without having your users be prompted to accept a policy right before the device gets wiped.

Con: Minor configuration required. As an IT Pro, you will still need to create a “blank” Exchange ActiveSync policy (with no password requirement) and assign it to your users to get this to work.
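
The Remote Wipe only setup described above, as an added Exchange Management Shell example (not part of the original wiki page). The policy name and mailbox addresses are hypothetical; the cmdlet parameter that controls the password requirement is DevicePasswordEnabled.

```powershell
# Run in the Exchange Management Shell (Exchange 2007).
# $policyName and $users are hypothetical values for this example.
$policyName = 'RemoteWipeOnly'
$users      = 'user1@example.com', 'user2@example.com'

# Create the "blank" policy once. No device password is required, so users
# see no password prompt, but their devices still hold a policy.
$existing = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $existing) {
    New-ActiveSyncMailboxPolicy -Name $policyName -DevicePasswordEnabled $false | Out-Null
}

# Assign the policy to the identified users.
foreach ($user in $users) {
    Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy $policyName
}

# Check: confirm the assignment on each mailbox, then list each user's device
# partnerships and when the device last refreshed its policy.
foreach ($user in $users) {
    Get-CASMailbox -Identity $user |
        Select-Object Name, ActiveSyncMailboxPolicy

    Get-ActiveSyncDeviceStatistics -Mailbox $user |
        Select-Object DeviceType, DeviceID, LastPolicyUpdateTime
}
```

A device picks up the policy the next time it synchronizes, so LastPolicyUpdateTime stays empty for a device that has not synced since the assignment.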

 

2.   First Time Policy Applied onto Device

When a user first attempts to establish their Exchange ActiveSync partnership and their mailbox has been set up with an EAS Policy, they will get the following prompts.

This scenario is straightforward: once the policy is applied, a remote wipe can be performed via OWA or EMC without any further prompting.

Here are the settings that we now have on the EAS Policy:

Setting                       Before   After
DevicePasswordRequired        -        True
MinDevicePasswordLength       -        4
MaxInactivityTimeDeviceLock   -        15

[Image: First Time Policy Applied onto Device]

3.   Modify Specific Settings on Devices within the same policy

In this example we keep the same EAS Policy assigned to the user, but we change a few settings.

Scenario 1 – Password not required
Here are the settings that we now have on the EAS Policy:

Setting                  Before   After
DevicePasswordRequired   True     False

Results
NO USER PROMPT
In this case, the policy continues to be applied to the device, but the user is not notified that they are no longer required to have a device password.  If they tried to remove their device password they would be allowed.

This type of policy still handles the Remote Wipe scenario without prompting the user to accept the policy before performing the wipe.

[Image: Modify Specific Settings on Devices within the same policy]

Scenario 2

Here are the settings that we now have on the EAS Policy:

Setting                       Before   After
DevicePasswordRequired        True     True
MinDevicePasswordLength       4        5
MaxInactivityTimeDeviceLock   15       20

Results

[Image: Modify Specific Settings on Devices within the same policy - Scenario 2]

4.   Reassign user to a new Exchange ActiveSync policy

Scenario – Identical Policy Settings, just different Policy Name

Here are the settings that we now have on the EAS Policy:

Setting                       Before   After
Policy Name                   Test     Test2
DevicePasswordRequired        True     True
MinDevicePasswordLength       5        5
MaxInactivityTimeDeviceLock   20       20

Results
NO USER PROMPT
There were no actual setting changes; only the policy name changed.

Scenario – Different Policy Name and Policy Settings

Here are the settings that we now have on the EAS Policy:

Setting                       Before   After
Policy Name                   Test     Test2
DevicePasswordRequired        True     True
MinDevicePasswordLength       5        6
MaxInactivityTimeDeviceLock   20       30

Results
USER PROMPT

The user is required to create a longer password, so they are prompted to act on this new policy setting.

[Image: Reassign user to a new Exchange ActiveSync policy]

5.   Removing an Exchange ActiveSync policy from the user

Scenario

In this scenario, the user has a policy applied on their device and then their IT Pro removes the EAS Policy.

Here are the settings that we now have on the EAS Policy:

Setting                       Before   After
Policy Name                   Test2    -
DevicePasswordRequired        True     -
MinDevicePasswordLength       6        -
MaxInactivityTimeDeviceLock   30       -

Results
NO USER PROMPT

There were no actual setting changes; the policy was simply removed.

In this case, the Remote Wipe feature continues to work because there is now an “empty” policy on their device.

The user is allowed to remove their password, if they even pick up on this change.

[Image: Removing an Exchange ActiveSync policy from the user]

Last Modified 5/1/08 11:25 AM