Let’s move on to the Authentication tab (Figure 5.45). Here we have the option of enabling Basic authentication (password sent in clear text), typically the authentication method used by Exchange ActiveSync clients. In addition, we can specify how the CAS should handle client certificates.
NOTE
Windows Mobile 5.0 and earlier don’t support the AutoDiscover service; only the next version of Windows Mobile, codenamed Crossbow and currently in beta, supports this feature.
Figure 5.45 The Authentication Tab on the Microsoft Server ActiveSync
Properties Page
Finally, we have a Remote File Servers tab. We won’t go through the available options here since they are identical to those covered in the Outlook Web Access section in this chapter and simply allow the access of files on remote file shares or SharePoint servers.
Configuring ActiveSync Policies
As many of us remember, Exchange Server 2003 SP2 introduced a set of device security settings that allowed us to push out a policy to mobile devices accessing the Exchange 2003 Server using Exchange ActiveSync. We had the option of enforcing passwords on the devices, setting the minimum password length, setting the inactivity timeout, setting a device to be remotely wiped after x number of failed logon attempts, setting how often the device security settings should be pushed out to the devices, and more. One problem with the device security settings feature in Exchange Server 2003 SP2 was its limitation to one global policy, which applied to all users unless they were explicitly added to an exception list, excluding them from all security policy. With Exchange Server 2007, it is now possible to create multiple Exchange ActiveSync policies, giving you much more control of your mobile deployment.
In the following example, I’ll show you step by step how an Exchange ActiveSync policy is created.
1. Open the Exchange Management Console, and then expand the Organization Configuration work center node.
2. Click the Client Access subnode, and then select New Exchange ActiveSync Mailbox Policy in the Action pane.
3. In the New Exchange ActiveSync Mailbox Policy, enter a name for your policy and then check and configure the options that should be applied to the user mailboxes to which this policy is assigned, as shown in Figure 5.46.
TIP
Windows Mobile 5.0 and earlier devices cannot take advantage of the direct link access feature, which allows you to access documents in a share on a file server, or documents located on a SharePoint Server. Only the next version of Windows Mobile, codenamed Crossbow and currently in beta at the time of this writing, supports the direct link access feature.
Figure 5.46 Creating a New Exchange ActiveSync Mailbox Policy
4. When ready, click New, and then Finish on the following page.
NOTE
If you have experience with configuring the device security settings in Exchange 2003 SP2, the options listed in Figure 5.46 should be familiar, with the exception of four. The four new options are Enable password recovery, Require encryption on device, Password expiration (days), and Enforce password history. The first option, Enable password recovery, will store a user’s password on the Exchange Server so it’s possible to retrieve a lost device password should the user forget it. A lost password can be retrieved by the IT staff using the Exchange Management Console or the Exchange Management Shell, but a user can also retrieve it himself via the Mobile Device page in OWA 2007. The second option, Require encryption on device, will encrypt the data on the storage card in a device, but keep in mind this option is only supported with devices running the next version of Windows Mobile, codenamed “Crossbow.” The third option, Password expiration (days), allows us to specify how many days a device password stays active before expiring. The fourth option, Enforce password history, makes it possible to enforce password history so users must use a completely new password when the old one has expired.
TIP
If you would rather create an Exchange ActiveSync policy using the Exchange Management Shell, you can do so using the New-ActiveSyncMailboxPolicy cmdlet. For example, the policy configured in Figure 5.46 could be created using the Exchange Management Shell by typing:
New-ActiveSyncMailboxPolicy -Name "Exchange Dogfood – All EAS Users" -AllowNonProvisionableDevices $false -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $false -MaxInactivityTimeDeviceLock "00:15:00" -MinDevicePasswordLength "4" -PasswordRecoveryEnabled $true -DeviceEncryptionEnabled $true -AttachmentsEnabled $true -AllowSimpleDevicePassword $false -DevicePasswordExpiration "unlimited" -DevicePasswordHistory "0"
Figure 5.47 The General Tab on the Properties Page of an Exchange ActiveSync Mailbox Policy
After you have configured an Exchange ActiveSync Mailbox Policy, you can always change it later if required. You can do this by selecting the respective policy in the Result pane, and then clicking the Properties link in the Action pane. This will bring you to a screen similar to the one shown in Figures 5.47 and 5.48.
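Because Exchange Server 2007 allows several policies to coexist, it is worth reviewing them side by side before changing any of them. The following is an added example, not code from the book: it checks policy settings against a baseline, assuming PowerShell 2.0 or later. The function name Test-EasPolicy, the thresholds and the sample objects are hypothetical, and it assumes the properties returned by Get-ActiveSyncMailboxPolicy carry the same names as the New-ActiveSyncMailboxPolicy parameters.

```powershell
# Added example, not from the book. Thresholds are assumptions; adjust to your standard.
$MinLength = 6                      # assumed minimum device password length
$MaxLock   = [TimeSpan]'00:15:00'   # assumed longest acceptable inactivity lock

function Test-EasPolicy {
    process {
        $p = $_; $f = @()
        # Compare as strings so the checks work on the constructed samples and on
        # properties that render as "True", "Unlimited" or "hh:mm:ss".
        if ("$($p.AllowNonProvisionableDevices)" -eq 'True') { $f += 'devices that cannot apply the policy may sync' }
        if ("$($p.DevicePasswordEnabled)" -ne 'True') {
            $f += 'no device password required'
        } else {
            $len = 0; [void][int]::TryParse("$($p.MinDevicePasswordLength)", [ref]$len)
            if ($len -lt $MinLength) { $f += "minimum password length $len is below $MinLength" }
            if ("$($p.AllowSimpleDevicePassword)" -eq 'True') { $f += 'simple passwords allowed' }
            if ("$($p.DevicePasswordExpiration)" -eq 'Unlimited') { $f += 'device password never expires' }
            if ("$($p.DevicePasswordHistory)" -eq '0') { $f += 'password history not enforced' }
        }
        $lock = [TimeSpan]::Zero
        if (-not [TimeSpan]::TryParse("$($p.MaxInactivityTimeDeviceLock)", [ref]$lock)) {
            $f += 'no inactivity lock'      # "Unlimited" or empty does not parse as a time span
        } elseif ($lock -gt $MaxLock) { $f += "inactivity lock $lock exceeds $MaxLock" }
        if ("$($p.DeviceEncryptionEnabled)" -ne 'True') { $f += 'storage card encryption not required' }
        if ("$($p.PasswordRecoveryEnabled)" -eq 'True') { $f += 'device password is stored on the Exchange server' }
        New-Object PSObject -Property @{ Policy = $p.Name; Findings = $f }
    }
}

# Constructed sample data: the first object uses the values from the TIP command,
# the second is a hypothetical loose policy.
# On a server (assumption, see lead-in): Get-ActiveSyncMailboxPolicy | Test-EasPolicy
$samples = @(
    (New-Object PSObject -Property @{
        Name = 'TIP example (constructed)'; AllowNonProvisionableDevices = $false
        DevicePasswordEnabled = $true; MinDevicePasswordLength = 4; AllowSimpleDevicePassword = $false
        MaxInactivityTimeDeviceLock = '00:15:00'; DevicePasswordExpiration = 'unlimited'
        DevicePasswordHistory = 0; DeviceEncryptionEnabled = $true; PasswordRecoveryEnabled = $true }),
    (New-Object PSObject -Property @{
        Name = 'Loose policy (constructed)'; AllowNonProvisionableDevices = $true
        DevicePasswordEnabled = $false; MaxInactivityTimeDeviceLock = 'Unlimited'
        DeviceEncryptionEnabled = $false; PasswordRecoveryEnabled = $false })
)
$samples | Test-EasPolicy | ForEach-Object { '{0}: {1}' -f $_.Policy, ($_.Findings -join '; ') }
```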