Exchange ActiveSync Security Settings Policy



This section only applies to Exchange ActiveSync enabled devices.


The implementation of Exchange ActiveSync varies from device to device, and some devices do not support all of these security features. Information about which features different device types support is available in Wikipedia at:


Editing an existing policy

To edit an existing policy, expand the navigation tree and, under the Policies node, select Security Settings. The action pane displays all of the security policies that are defined. By default there is a single policy, Default Security Policy. In the action pane, right-click the name of the policy that you want to modify and then select Configuration Wizard...


Creating a new policy

To create a new policy, expand Policies and select Security Settings in the navigation tree, then right-click an existing policy in the action pane. Select All Tasks > Copy settings to new policy..., then enter the Name of the new policy and click OK. The new policy is created as a clone of the existing policy. To change the settings in the new policy, follow the instructions for Editing an existing policy above.


Defining the Policy

In either case, the Policy Management Wizard will run to allow you to define the policy.

1. Press Next on the Welcome screen and again on the Policy Name screen.
2. Optionally configure the Windows Mobile Policy Settings then click Next.
3. Optionally configure the Symbian S60 Policy Settings then click Next.
4. On the Exchange ActiveSync Policy Settings page of the wizard, set up the required policy elements. To lock an element, right-click the node in the Security Policy window. The icon in the tree will change to reflect the lock status:
5. Select Lock Code Policy to set/change any of the following:
a) Device Password Enabled - indicates whether or not the device requires a password.
b) Allow Simple Password - indicates whether or not the device allows simple passwords.
c) Alphanumeric Password Required - indicates whether or not the device password must contain both letters and numbers.
d) Min Password Length - the minimum number of characters allowed in a device password.
e) Min Complex Characters - the number of complex characters (numbers and symbols) that a device password must contain.
f) Password Expiration - indicates whether the device password expires and must be replaced.
g) Password Expiration Days - the number of days before a password expires.
h) Password History - indicates whether the device retains a history of its passwords.
i) Password History Length - the number of passwords to keep in history.
j) Max inactivity time - the number of minutes of inactivity before the device locks itself. (For iOS devices, see also the Passcode Restrictions in the iOS Device Settings Policy.)
k) Max Password Failure Attempts - the number of times that the password can be entered incorrectly before the device wipes itself.


6. Encryption Policy:
a) Device encryption enabled - will only work if the target device (a) supports this feature and (b) activates/deactivates it according to the setting in the ActiveSync policy. For example, the iPhone 3GS device supports data encryption but it is always on. The iPhone 3G does not support data encryption at all. So this setting has no effect on either of these devices.
b) (New in version 5.14) Device encryption required - For iPhone OS 3.1 and higher devices (and other EAS devices that support this policy setting), devices that don’t support hardware encryption will be blocked: the EAS account on the device will be disabled.
NOTE: for iPhones, this only works with iPhone OS 3.1 and higher. Devices running iPhone OS 3.0 (and earlier) ‘pretend’ to be encrypted and therefore cannot be blocked.


7. Once the policy is configured, click Next.
8. Click Finish to complete the wizard.
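
The Lock Code Policy and Encryption Policy settings in steps 5 and 6 interact, so it is worth reviewing a policy for weak or inconsistent combinations before deploying it. The following is an added example, not part of the product or its documentation: the setting keys are hypothetical names that mirror the wizard labels, the baseline thresholds are illustrative assumptions, and both sample policies are constructed.

```python
# Added example. Keys are hypothetical names mirroring the wizard labels;
# BASELINE values are illustrative assumptions, not product defaults.
BASELINE = {"min_password_length": 6, "max_inactivity_minutes": 15,
            "max_password_failure_attempts": 10}
# Each switch is paired with the value that only makes sense when it is on.
PAIRS = (("password_expiration", "password_expiration_days"),
         ("password_history", "password_history_length"))

def audit_policy(p, baseline=BASELINE):
    """Return (severity, message) findings for one policy dict."""
    out = []
    if not p.get("device_password_enabled", False):
        # Every other lock code setting depends on a password being required.
        return [("high", "device_password_enabled is off")]
    if p.get("allow_simple_password", True):
        out.append(("medium", "allow_simple_password is on"))
    length = p.get("min_password_length") or 0
    if length < baseline["min_password_length"]:
        out.append(("medium", f"min_password_length is {length}"))
    if (p.get("min_complex_characters") or 0) > length:
        out.append(("low", "min_complex_characters exceeds min_password_length"))
    for switch, value in PAIRS:
        if p.get(value) and not p.get(switch):
            out.append(("low", f"{value} is set but {switch} is off"))
        elif p.get(switch) and not p.get(value):
            out.append(("low", f"{switch} is on but {value} is not set"))
    for key in ("max_inactivity_minutes", "max_password_failure_attempts"):
        v = p.get(key)
        if v is None or v > baseline[key]:
            out.append(("medium", f"{key} is {v}, baseline is at most {baseline[key]}"))
    if p.get("device_encryption_enabled") and not p.get("device_encryption_required"):
        # Per the encryption notes: only "required" blocks non-encrypting devices.
        out.append(("info", "encryption enabled but not required"))
    return out

# Constructed sample policies (not exported from any product).
WEAK = {"device_password_enabled": True, "allow_simple_password": True,
        "min_password_length": 4, "password_expiration": False,
        "password_expiration_days": 90, "password_history": True,
        "password_history_length": 0, "max_inactivity_minutes": 60,
        "device_encryption_enabled": True, "device_encryption_required": False}
HARDENED = {"device_password_enabled": True, "allow_simple_password": False,
            "min_password_length": 8, "min_complex_characters": 2,
            "password_expiration": True, "password_expiration_days": 90,
            "password_history": True, "password_history_length": 5,
            "max_inactivity_minutes": 5, "max_password_failure_attempts": 8,
            "device_encryption_enabled": True, "device_encryption_required": True}

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_policy(policy))
```

Replace the BASELINE values with your organisation's own requirements before relying on the findings.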


Deploying the Policy to a Group of Users or an Individual User

To deploy a new Security Settings policy or change the currently deployed policy, expand the Administration node in the navigation tree, then expand Users and Groups until you can see the user or group that you want to apply the policy to.


Deploying to a Group

1. In the navigation tree, right-click the group that you want to deploy to and then select Properties.
2. Select the Policies tab and select the policy from the drop down list.
3. Click Apply then click OK.

Users in the group will receive the new/changed policy next time their device performs a device management session - by default, this is once a day.


Deploying to a User

1. In the action pane, right-click the user that you want to deploy the policy to and then select Properties.
2. Check Show Advanced to display the advanced properties. This setting is sticky: once you have checked it, it will remain checked until you choose to hide the advanced properties again.
3. Select the Policies tab and select the policy from the drop down list.
4. Click Apply then click OK.

