
Implementing Exchange ActiveSync mailbox policy best practices

With the explosion of mobile devices in the enterprise, keeping the email and data on those devices secure has become critical. ActiveSync mailbox policies are the primary mechanism for managing mobile device security in Exchange Server, but the sheer number of policy settings, and deciding which policies to use and when, can be vexing.


There's no "right" or "wrong" way when it comes to Exchange ActiveSync mailbox policies, but there are certain best practices you should follow.

Exchange ActiveSync mailbox policies: One size does not fit all

Different users have different needs, so a "one-size-fits-all" ActiveSync mailbox policy rarely makes sense, and neither does leaving everyone on the default policy, which every mailbox receives automatically unless another policy is explicitly assigned. Instead, be prudent: create a series of specialized policies and assign them only where they are needed.

After deciding to move forward with specialized Exchange ActiveSync mailbox policies, the first thing to do is create the various policies you're going to need (more on that later). The next step is to disable ActiveSync for all mailboxes, so that no mailbox keeps synchronizing under the default policy while you roll out the specialized ones. Two caveats: Get-Mailbox returns only the first 1,000 mailboxes unless you add -ResultSize Unlimited, and the command only touches mailboxes that exist when it runs. Exchange still creates new mailboxes with ActiveSync enabled, so either disable ActiveSync as part of your provisioning process or rerun the command on a schedule. The easiest way to disable ActiveSync is to open the Exchange Management Shell (EMS) and enter the following command:

Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncEnabled $false

The next step is to apply a custom ActiveSync policy to a subset of your Exchange Server mailboxes. There are various criteria you can consider here, but one common approach involves basing the ActiveSync mailbox policy assignment on Active Directory group membership.

For example, let's say you want to enable ActiveSync and apply an ActiveSync mailbox policy named "FullUse" to all the members of an Active Directory group named "Executives." In short, you want to give the executives in your organization unrestricted ActiveSync use, and you do that via the following PowerShell script:

$GroupMembers = Get-DistributionGroupMember -Identity 'Executives' -ResultSize Unlimited

# A group can also contain contacts, mail users and nested groups;
# only user mailboxes can take an ActiveSync mailbox policy.
ForEach ($member in ($GroupMembers | Where-Object { $_.RecipientType -eq 'UserMailbox' }))
{
       # One call sets both properties; the "FullUse" policy must already exist
       $member | Set-CASMailbox -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy "FullUse"
}
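The procedure above, disable everything and then enable a subset, has a gap: it is a one-time pass, so mailboxes created afterwards come up ActiveSync-enabled on the default policy, and a mailbox removed from the group keeps its policy. The following script is an added example, not code from the original article, that makes the whole procedure repeatable so it can be scheduled. It assumes the policies "FullUse" and "Restricted" already exist and that "Executives" and "Sales" are mail-enabled groups; all of those names are hypothetical.

```powershell
# Added example: idempotent ActiveSync policy assignment by group membership.
# Assumed (hypothetical) names: policies 'FullUse' and 'Restricted',
# groups 'Executives' and 'Sales'. Run from the Exchange Management Shell.

# Map group -> policy. Order matters: a mailbox that is in several groups
# ends up with the policy of the LAST matching entry, so list the most
# permissive mapping last.
$PolicyMap = [ordered]@{
    'Sales'      = 'Restricted'
    'Executives' = 'FullUse'
}

# Build the set of mailboxes that should have ActiveSync, keyed by DN.
$Assignments = @{}
foreach ($group in $PolicyMap.Keys) {
    Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
        # Groups can hold contacts, mail users and nested groups (which are
        # not expanded here); only user mailboxes take a CAS mailbox policy.
        Where-Object { $_.RecipientType -eq 'UserMailbox' } |
        ForEach-Object { $Assignments[$_.DistinguishedName] = $PolicyMap[$group] }
}

# Walk every mailbox: enable and assign the mapped ones, disable the rest.
# -ResultSize Unlimited avoids the silent 1,000-object cap.
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $dn = $_.DistinguishedName
    if ($Assignments.ContainsKey($dn)) {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncEnabled $true `
            -ActiveSyncMailboxPolicy $Assignments[$dn]
    }
    elseif ($_.ActiveSyncEnabled) {
        # Catches mailboxes created since the last run (Exchange creates
        # them ActiveSync-enabled) and users dropped from a mapped group.
        Set-CASMailbox -Identity $_.Identity -ActiveSyncEnabled $false
    }
}

# Verification: every ActiveSync-enabled mailbox should carry an explicitly
# assigned policy, i.e. ActiveSyncMailboxPolicyIsDefaulted should be False.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncMailboxPolicy, ActiveSyncMailboxPolicyIsDefaulted |
    Format-Table -AutoSize
```

Schedule this with whatever runs your other Exchange maintenance scripts. Because every run recomputes the desired state from group membership, adding or removing a user from an Active Directory group is enough to change that user's mobile access at the next run, and nothing depends on the earlier one-time disable having been run first.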

Exchange ActiveSync mailbox policy criteria

If you're familiar with PowerShell, you can see it's relatively easy to assign an ActiveSync mailbox policy to the members of various Active Directory groups. The biggest challenge is deciding which policies you should create and who to assign those policies to.

The good news is that there really isn't a right or wrong way to build ActiveSync mailbox policies. Every organization has its own unique needs, so adapt the policy creation and assignment process to your organization's needs. That said, here are some techniques I recommend.

  • Device-based policies

Different makes and device models support different policy settings. Therefore, some organizations choose to create policies based on the device's capabilities. For example, you can create a policy for Windows Phone 8 devices and a separate policy for iOS devices. This is important to understand because iOS does not support all the available policy settings. Two things to keep in mind here: an ActiveSync mailbox policy is attached to the mailbox, not the device, so a user who syncs both a Windows Phone and an iPhone gets the same policy on both, and device-based policies therefore only work cleanly when each user has one kind of device. Also, whether a device that cannot enforce every setting in its policy is still allowed to sync is governed by the policy's AllowNonProvisionableDevices setting; leave it at $true and a device that ignores your password rules still gets the mail.

Also, some organizations base their policies on differentiating between corporate-owned devices and users' personal devices. You may choose to create a policy for corporate-owned devices that disables cameras and Bluetooth connectivity, and then have another policy for users' personal devices that is considerably more permissive.

  • Job-function policies

Many corporations also use ActiveSync policy settings to disable mobile device hardware that is not explicitly required for a user's job.

For example, employees in the research and development department probably have a lot more sensitive information on their mobile devices than most, so it is wise to create a policy that requires much more complex passwords for these employees' devices. A device password mainly protects a lost or stolen device, so pair it with the settings that limit what an attacker can do with the hardware in hand: a short inactivity lock, a failed-attempt limit that wipes the device, and required device encryption.
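The three criteria above (corporate-owned versus personal devices, and a stricter job-function policy) translate into three policies. The following is an added example, not code from the original article; the policy names and the specific values are hypothetical choices, but every parameter is a documented New-ActiveSyncMailboxPolicy parameter.

```powershell
# Added example: three ActiveSync mailbox policies matching the criteria
# discussed above. Names and values are hypothetical; adjust to your needs.

# Corporate-owned devices: company hardware, so the camera and Bluetooth can
# be locked down and encryption required. AllowNonProvisionableDevices $false
# refuses any device that cannot enforce these settings.
New-ActiveSyncMailboxPolicy -Name 'CorporateOwned' `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -RequireDeviceEncryption $true `
    -AllowStorageCard $false `
    -AllowCamera $false `
    -AllowBluetooth Disable

# Personal (BYOD) devices: a password and a wipe-after-N-failures rule protect
# the mailbox data on a lost device, but the user's own hardware is left alone.
New-ActiveSyncMailboxPolicy -Name 'Personal' `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -MaxDevicePasswordFailedAttempts 10

# Research and development: same hardware restrictions as CorporateOwned,
# with much tighter password rules (length, character classes, expiry,
# history) and a shorter lock timeout.
New-ActiveSyncMailboxPolicy -Name 'RandD' `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 12 `
    -MinDevicePasswordComplexCharacters 3 `
    -DevicePasswordExpiration '60.00:00:00' `
    -DevicePasswordHistory 8 `
    -MaxInactivityTimeDeviceLock '00:02:00' `
    -MaxDevicePasswordFailedAttempts 5 `
    -RequireDeviceEncryption $true `
    -AllowStorageCard $false `
    -AllowCamera $false `
    -AllowBluetooth Disable

# Review what was created, then confirm a given user's devices actually
# applied the policy: DevicePolicyApplied names the policy the device
# received and DevicePolicyApplicationStatus shows whether it enforced it.
Get-ActiveSyncMailboxPolicy | Format-Table Name, DevicePasswordEnabled,
    MinDevicePasswordLength, RequireDeviceEncryption, AllowNonProvisionableDevices -AutoSize

Get-ActiveSyncDeviceStatistics -Mailbox 'rd.user' |   # hypothetical mailbox
    Select-Object DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus
```

The final Get-ActiveSyncDeviceStatistics call is the check to run after rolling out a policy built around hardware restrictions: a device that reports the policy as applied but runs an OS that does not implement, say, the camera restriction gives you a false sense of coverage, which is the reason the device-based policies discussed earlier exist in the first place.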

About the author
Brien Posey is a ten-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a chief information officer at a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.

This was first published in April 2013
