Now, if we look back at Exchange 2010, we can see that things have changed quite a bit in the GUI:
So how do we configure a more robust and feature rich policy in Exchange Server 2013?
PowerShell
Configuring the Mobile Policies via Powershell in Exchange 2013 is almost exactly the same as in Exchange Server 2010 and the options that can be configured are essentially the same as well.
Below is a comparison of the options for Exchange 2010 and Exchange 2013 when it comes to configuring the ActiveSync or Mobile Device policies (depending on the Exchange version). Differences are noted by the blue text. Some that are highlighted are just named differently in the versions:
Exchange Server 2013 |
Exchange Server 2010 |
| -AllowBrowser | -AllowBluetooth |
| -AllowCamera | -AllowBrowser |
| -AllowConsumerEmail | -AllowCamera |
| -AllowDesktopSync | -AllowConsumerEmail |
| -AllowExternalDeviceManagement | -AllowDesktopSync |
| -AllowHTMLEmail | -AllowExternalDeviceManagement |
| -AllowInternetSharing | -AllowHTMLEmail |
| -AllowIrDA | -AllowInternetSharing |
| -AllowMobileOTAUpdate | -AllowIrDA |
| -AllowNonProvisionableDevices | -AllowMobileOTAUpdate |
| -AllowPOPIMAPEmail | -AllowNonProvisionableDevices |
| -AllowRemoteDesktop | -AllowPOPIMAPEmail |
| -AllowSimplePassword | -AllowRemoteDesktop |
| -AllowSMIMEEncryptionAlgorithmNegotiation | -AllowSimpleDevicePassword |
| -AllowSMIMESoftCerts | -AllowSMIMEEncryptionAlgorithmNegotiation |
| -AllowStorageCard | -AllowSMIMESoftCerts |
| -AllowTextMessaging | -AllowStorageCard |
| -AllowUnsignedApplications | -AllowTextMessaging |
| -AllowUnsignedInstallationPackages | -AllowUnsignedApplications |
| -AllowWiFi | -AllowUnsignedInstallationPackages |
| -AlphanumericPasswordRequired | -AllowWiFi |
| -ApprovedApplicationList | -AlphanumericDevicePasswordRequired |
| -AttachmentsEnabled | -ApprovedApplicationList |
| -Confirm | -AttachmentsEnabled |
| -DeviceEncryptionEnabled | -Confirm |
| -DevicePolicyRefreshInterval | -DeviceEncryptionEnabled |
| -DomainController | -DevicePasswordEnabled |
| -Identity | -DevicePasswordExpiration |
| -IrmEnabled | -DevicePasswordHistory |
| -IsDefault | -DevicePolicyRefreshInterval |
| -MaxAttachmentSize | -DomainController |
| -MaxCalendarAgeFilter | -Identity |
| -MaxEmailAgeFilter | -IrmEnabled |
| -MaxEmailBodyTruncationSize | -IsDefaultPolicy |
| -MaxEmailHTMLBodyTruncationSize | -MaxAttachmentSize |
| -MaxInactivityTimeLock | -MaxCalendarAgeFilter |
| –MaxPasswordFailedAttempts | -MaxDevicePasswordFailedAttempts |
| –MinPasswordComplexCharacters | -MaxEmailAgeFilter |
| -MinPasswordLength | -MaxEmailBodyTruncationSize |
| -MobileOTAUpdateMode | -MaxEmailHTMLBodyTruncationSize |
| -Name | -MaxInactivityTimeDeviceLock |
| -PasswordEnabled | -MinDevicePasswordComplexCharacters |
| -PasswordExpiration | -MinDevicePasswordLength |
| -PasswordHistory | -MobileOTAUpdateMode |
| -PasswordRecoveryEnabled | -Name |
| -RequireDeviceEncryption | -PasswordRecoveryEnabled |
| -RequireEncryptedSMIMEMessages | -RequireDeviceEncryption |
| -RequireEncryptionSMIMEAlgorithm | -RequireEncryptedSMIMEMessages |
| -RequireManualSyncWhenRoaming | -RequireEncryptionSMIMEAlgorithm |
| -RequireSignedSMIMEAlgorithm | -RequireManualSyncWhenRoaming |
| -RequireSignedSMIMEMessages | -RequireSignedSMIMEAlgorithm |
| -RequireStorageCardEncryption | -RequireSignedSMIMEMessages |
| -UnapprovedInROMApplicationList | -RequireStorageCardEncryption |
| -UNCAccessEnabled | -UnapprovedInROMApplicationList |
| -WhatIf | -UNCAccessEnabled |
| -WSSAccessEnabled | -WhatIf |
| -WSSAccessEnabled |
The main differences are name changes for the options and the dropping of Bluetooth in the options configuration:
Exchange Server 2013 |
Exchange Server 2010 |
| -AllowBluetooth | |
| -AllowSimplePassword | -AllowSimpleDevicePassword |
| -AlphanumericPasswordRequired | -AlphanumericDevicePasswordRequired |
| -PasswordEnabled | -DevicePasswordEnabled |
| -PasswordExpiration | -DevicePasswordExpiration |
| -PasswordHistory | -DevicePasswordHistory |
| -IsDefault | -IsDefaultPolicy |
| -MaxInactivityTimeLock | -MaxInactivityTimeDeviceLock |
| -MaxPasswordFailedAttempts | -MaxDevicePasswordFailedAttempts |
| -MinPasswordComplexCharacters | -MinDevicePasswordComplexCharacters |
| -MinPasswordLength | -MinDevicePasswordLength |
On to configuring! First step is to create a new policy for your mobile active sync devices. The cmdlet we use here is ‘New-MobileDeviceMailboxPolicy’. Here is an example of this command used to create a new policy for your IT department:
New-MobileDeviceMailboxPolicy -name:”IT Mobile Devices” -AlphaNumericPasswordRequired:$true -MinPasswordComplexCharacters:3 -PasswordHistory:10
Now we have a basic policy that enforces an alphanumeric password with three types of characters and has a ten password history.
Once we have a policy created we can verify the policies that are enabled in Exchange with the Get-MobileDeviceMailboxPolicy PowerShell command:
Now let’s say that in the future you are required to change some of the settings in your policy. For example you are required to have a 15 password history and allow password recovery. For this we can use the ‘Set-MobileDeviceMailboxPolicy’:
If you need to remove a policy, simply use the Remote-MobileDeviceMailboxPolicy command:
Further Reading
Get-MobileDeviceMailboxPolicy
New-MobileDeviceMailboxPolicy
Remove-MobileDeviceMailboxPolicy
Set-ActiveSyncMailboxPolicy ***
Set-MobileDeviceMailboxPolicy
*** The Set-ActiveSyncMailboxPolicy cmdlet will be removed in a future version of Exchange. Use the Set-MobileMailboxPolicy cmdlet instead. If you have any scripts that use the Set-ActiveSyncMailboxPolicy cmdlet, update them to use the Set-MobileMailboxPolicy cmdlet.
Hi Great Article,
One of our users is not able to connect to the server and is getting a “Security update required” message all the time.
Is there a way to know which part of the policy he violated to get this message.
Thanks again
What phone are they using to connect to Exchange, and what version of Exchange is configured?