In part 8 of my series on the Exchange 2013 Preview, I will go over the Mobile device management tab of the EAC.
As every Exchange administrator knows by now, mobile devices are gaining a higher profile and creating pain when it comes to supporting connectivity. Microsoft has provided this section in the EAC to help you manage these devices. In the EAC you can create rules to block devices as well as rules to control certain aspects of the devices. You will also be able to release devices that were quarantined by Mobile Device Access Rules. Because Microsoft has put an emphasis on PowerShell in Exchange releases since 2007, some of the features will only be available in PowerShell and not in the GUI.
Mobile Device Access
Two things to note here are your Quarantined devices and Mobile Device Access Rules:
Device Access Rules can be important for restricting what devices can be used to sync email with your mail servers.
What kind of rules can we create here?
As you can see from the new Device Rule, we can create rules that allow, block or quarantine certain device types. You could potentially block an entire Family of devices or just one model of device. It’s that simple:
Eventually all devices that have connected to your Exchange server via ActiveSync should show up in the lists for Device Family and Model. However, mine has not shown up. To enable this you would have to run a PowerShell command like this:
New-ActiveSyncDeviceAccessRule -QueryString WP -Characteristic DeviceModel -AccessLevel Allow
Mobile Device Policies
Mobile Device Policies are what you can use to manage your mobile device security. The EAC only reveals the basic security settings that you can control on your mobile ActiveSync devices.
If we look at the Default policy, all security settings are turned off:
If you review the above settings, you can see that these settings are similar to Active Directory user password policies. We have the following settings:
• Require an alphanumeric password
○ Enhanced by how many character sets – up to 4 different ones
• Minimum password length
• Enforce password lifetime (days)
• Password recycle count
As you can see, this default policy really does not do anything. At the very least, if you are going to connect mobile devices, I would recommend settings something like these:
This results in an updated policy. Review the information pane on the right:
You can create more policies as needed if you want different groups of users to have different settings. To apply the new policy, you would need to go to the Recipient Tab. Click on the Edit button for the user you wish to modify and select ‘Mailbox Features’:
If the user does not have it enabled, click ‘Enable Exchange ActiveSync’. Once it’s enabled, click on ‘View Details’ under Mobile devices, and from here you can change the policy. Note that you will also see any connected devices here.
Once you choose the new policy, click Save twice and the policy will be applied to the user.
If you want to apply it in bulk, either do it via PowerShell, or use the Bulk Edit feature in the EAC:
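The PowerShell route, as an added example that is not from the original article: it creates a policy with the password settings described above and assigns it to every ActiveSync-enabled mailbox in one OU, with a dry run first. The policy name, the OU and the specific values are assumptions chosen for illustration.

```powershell
# Added example for the Exchange Management Shell. Names and values are
# assumptions for illustration, not the settings shown in the article.
$policyName = 'Mobile-Baseline'        # hypothetical policy name
$targetOU   = 'contoso.local/Staff'    # hypothetical OU holding the users

# Create the policy once, using the password settings the EAC exposes.
$existing = Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-MobileDeviceMailboxPolicy -Name $policyName `
        -PasswordEnabled $true `
        -AlphanumericPasswordRequired $true `
        -MinPasswordComplexCharacters 3 `
        -MinPasswordLength 8 `
        -PasswordExpiration '90.00:00:00' `
        -PasswordHistory 5 | Out-Null
}

# Only mailboxes that already have ActiveSync enabled are touched.
$targets = Get-CASMailbox -OrganizationalUnit $targetOU -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled }

# Dry run: -WhatIf lists the mailboxes that would change without modifying them.
$targets | Set-CASMailbox -ActiveSyncMailboxPolicy $policyName -WhatIf

# Apply for real.
$targets | Set-CASMailbox -ActiveSyncMailboxPolicy $policyName

# Report the resulting assignment so mailboxes left on another policy stand out.
Get-CASMailbox -OrganizationalUnit $targetOU -ResultSize Unlimited |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy |
    Sort-Object ActiveSyncMailboxPolicy, Name |
    Format-Table -AutoSize
```

Review the `-WhatIf` output before letting the real assignment run; devices pick up the new policy on their next sync.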
TechNet Articles
http://technet.microsoft.com/en-us/library/bb123783%28v=exchg.150%29.aspx
Related PowerShell Commands
Clear-MobileDevice
Get-MobileDevice
Get-MobileDeviceMailboxPolicy
Get-MobileDeviceStatistics
New-MobileDeviceMailboxPolicy
Remove-MobileDevice
Remove-MobileDeviceMailboxPolicy
Set-MobileDeviceMailboxPolicy