
New Exchange 2016 Mobile Device Mailbox Policy

How to create a new MobileDeviceMailboxPolicy (also known as an ActiveSync policy) in Exchange 2016.

 

In this post I will create a new Mobile Device Mailbox policy and assign it to the sales users. These users are on the road daily, often in locations where mobile reception is not always the best, and their devices need to meet some basic company security policies.

Note that Microsoft will be discontinuing the ActiveSyncMailboxPolicy cmdlet and it will be replaced with MobileDeviceMailboxPolicy.

 

For the purpose of this post I will be using the MobileDeviceMailboxPolicy as some of the parameters required in my security requirements are not available in the ActiveSyncMailboxPolicy.

 

To get started I will create a new MobileDeviceMailboxPolicy with the following requirements:

  • PasswordEnabled
  • AlphanumericPasswordRequired
  • PasswordRecoveryEnabled
  • AttachmentsEnabled false
  • MaxInactivityTimeLock 5 minutes
  • MaxPasswordFailedAttempts 5
  • MinPasswordLength 8
  • MinPasswordComplexCharacters 3
  • PasswordHistory 10

Now that the requirements for the new policy have been specified, I can go ahead and create the new policy using the following Exchange cmdlets.

 

Now that the new policy has been created, let's verify that all the specified parameters have been set as per the requirements. To verify this, run the following cmdlets.

 

Now that the new MobileDeviceMailboxPolicy has been created, we need to apply it to the sales team. With the following script we can get all members of the Sales Team and then apply the new policy.

 

To verify that a Sales user has the new policy, run the following cmdlet:
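The four steps above as one Exchange Management Shell script. This is an added example, not the original post's commands; the policy name "Sales Mobile Policy" and the distribution group "Sales Team" are assumed names, and using a distribution group to identify the sales users is itself an assumption.

```powershell
# Added example. Assumed names, replace with your own.
$PolicyName = 'Sales Mobile Policy'   # assumed policy name
$SalesGroup = 'Sales Team'            # assumed distribution group holding the sales users

# The requirements listed above, kept in one table so that
# creation and verification use exactly the same values.
$Required = @{
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $true
    PasswordRecoveryEnabled      = $true
    AttachmentsEnabled           = $false
    MaxInactivityTimeLock        = '00:05:00'   # 5 minutes, hh:mm:ss
    MaxPasswordFailedAttempts    = 5
    MinPasswordLength            = 8
    MinPasswordComplexCharacters = 3
    PasswordHistory              = 10
}

# 1. Create the policy, splatting the table as parameters.
New-MobileDeviceMailboxPolicy -Name $PolicyName @Required

# 2. Verify: compare every stored value with its requirement and warn on drift.
$Policy = Get-MobileDeviceMailboxPolicy -Identity $PolicyName
foreach ($Setting in $Required.GetEnumerator()) {
    $Actual = [string]$Policy.($Setting.Key)
    if ($Actual -ne [string]$Setting.Value) {
        Write-Warning "$($Setting.Key): expected $($Setting.Value), found $Actual"
    }
}

# 3. Apply the policy to every user mailbox in the sales group.
$SalesUsers = Get-DistributionGroupMember -Identity $SalesGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }
$SalesUsers | ForEach-Object {
    Set-CASMailbox -Identity $_.DistinguishedName -ActiveSyncMailboxPolicy $PolicyName
}

# 4. Verify the assignment: every row should show the new policy,
#    and ActiveSyncMailboxPolicyIsDefaulted should be False.
$SalesUsers | ForEach-Object { Get-CASMailbox -Identity $_.DistinguishedName } |
    Select-Object Name, ActiveSyncMailboxPolicy, ActiveSyncMailboxPolicyIsDefaulted
```

Step 2 prints nothing when the policy matches the requirements, so any warning points at a setting that needs to be corrected with Set-MobileDeviceMailboxPolicy.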

What is the function of some of the parameters that were used in this policy?

AlphanumericPasswordRequired:

The AlphanumericPasswordRequired parameter specifies whether the password for the mobile device must be alphanumeric. Valid input for this parameter is $true or $false. The default value is $false.

AttachmentsEnabled:

The AttachmentsEnabled parameter specifies whether attachments can be downloaded on the mobile device. Valid input for this parameter is $true or $false. The default value is $true.

When set to $false, this parameter blocks the user from downloading attachments on the mobile device.

MaxInactivityTimeLock:

The MaxInactivityTimeLock parameter specifies the length of time that the mobile device can be inactive before the password is required to reactivate it. This parameter accepts the following values:

  • Timespan: hh:mm:ss, where hh = hours, mm = minutes and ss = seconds. The valid input range is 00:01:00 to 01:00:00 (one minute to one hour).
  • The value Unlimited.

The default value is Unlimited.

MaxPasswordFailedAttempts:

The MaxPasswordFailedAttempts parameter specifies the number of attempts a user can make to enter the correct password for the mobile device.

You can enter any number from 4 through 16 or the value Unlimited. The default value is Unlimited.

MinPasswordComplexCharacters:

The MinPasswordComplexCharacters parameter specifies the character sets that are required in the password of the mobile device. The character sets are:

  • Lower case letters.
  • Upper case letters.
  • Digits 0 through 9.
  • Special characters (for example, exclamation marks).

A valid value for this parameter is an integer from 1 through 4. The default value is 1.

For Windows Phone 8 devices, the value specifies the number of character sets that are required in the password. For example, the value 3 requires at least one character from any three of the character sets.

For Windows Phone 10 devices, the value specifies the following password complexity requirements:

  1. Digits only.
  2. Digits and lower case letters.
  3. Digits, lower case letters, and upper case letters.
  4. Digits, lower case letters, upper case letters, and special characters.

MinPasswordLength:

The MinPasswordLength parameter specifies the minimum number of characters in the mobile device password.

You can enter any number from 1 through 16 or the value $null. The default value is blank. The maximum password length is 16 characters.

PasswordEnabled:

The PasswordEnabled parameter specifies whether a password is required on the mobile device. Valid input for this parameter is $true or $false. The default value is $false.

When set to $true, this parameter requires the user to set a password on the mobile device.

PasswordHistory:

The PasswordHistory parameter specifies the number of unique new passwords that need to be created on the mobile device before an old password can be reused.

You can enter any number from 0 through 50. The default value is 0.

PasswordRecoveryEnabled:

The PasswordRecoveryEnabled parameter specifies whether the recovery password for the mobile device is stored in Exchange. Valid input for this parameter is $true or $false. The default value is $false.

When set to $true, this parameter enables you to store the recovery password for the mobile device in Exchange. The recovery password can be viewed in Outlook on the web or the Exchange admin center.

 

#ThatLazyAdmin
