How to enforce Exchange ActiveSync Mailbox policies on mobile devices

Has your CTO/CFO/CEO/IT manager (whatever acronym they decide to give themselves) asked you to lock down or secure mobile devices? If they haven't, they should. The risk of confidential information leaking from a lost or stolen mobile device is high and rising, because more and more devices are carrying more and more company data, and a phone with no PIN and no encryption hands all of it to whoever picks it up.

One of many interesting reads on this topic is 'Business Risks and Security Assessment for Mobile Devices' (ISACA Journal, 2008, volume 1): http://www.isaca.org/Journal/Past-Issues/2008/Volume-1/Pages/Business-Risks-and-Security-Assessment-for-Mobile-Devices1.aspx. Even though the article was written in 2008, it is still very much relevant.

What to communicate to the business?

Before you enforce any changes you need to tell the business what is changing and why. Spell out what users will actually see: on the next sync the phone will prompt for a PIN, will refuse to sync mail until one is set, and will lock itself after a period of inactivity. Below is an example of the email template we sent to our users prior to applying the change.

We also included documentation on how to set the PIN code on the device, but did not get many requests for it. The device (iPhone) was intuitive enough for users to configure it themselves.

How to check your Exchange ActiveSync Mailbox Policies?

  1. In the Exchange Management Console, in the console tree, navigate to Organization Configuration > Client Access.
  2. In the result pane, click the Exchange ActiveSync Mailbox Policies tab, and then select the policy you want to view or configure.
  3. In the action pane, click Properties.

How to create a new policy?

Here is the PowerShell command (run it in the Exchange Management Shell) to create a new policy that requires a 4-digit PIN and device encryption. I prefer to leave the default policy as it is and create a new one with the settings you want; from there we make the newly created policy the default. Two settings deserve a second look before you run it: -AllowNonProvisionableDevices $false means a device that cannot apply the policy is refused rather than quietly synced without it, and -AllowSimpleDevicePassword $true means a PIN such as 1234 or 1111 is still accepted, so set it to $false if your devices can cope with that.

New-ActiveSyncMailboxPolicy -Name '4DigitPin' -AllowNonProvisionableDevices $false -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $false -MaxInactivityTimeDeviceLock '00:15:00' -MinDevicePasswordLength '4' -PasswordRecoveryEnabled $false -RequireDeviceEncryption $true -AttachmentsEnabled $true -AllowSimpleDevicePassword $true

To set the new policy as the default you simply use the following command:

Set-ActiveSyncMailboxPolicy -Identity '4DigitPin' -IsDefaultPolicy $true
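The whole procedure (review the existing policies, create the new one, make it the default, and then confirm the devices have actually picked it up) as one script. This is an added example, not code from the original post. It assumes the Exchange 2007/2010 Management Shell (Exchange 2013 and later renamed these cmdlets to New-/Set-MobileDeviceMailboxPolicy); the policy name '4DigitPin' and the password, timeout and encryption settings come from the post. It goes beyond the post in three places, each marked in the comments: it disables simple PINs, it adds a local wipe after ten failed PIN attempts, and it assigns the policy explicitly to every ActiveSync-enabled mailbox before reporting on which devices have applied it.

```powershell
# Added example: baseline Exchange ActiveSync mailbox policy, created, applied and verified.
# Not from the original post. Assumes the Exchange 2007/2010 Management Shell
# (Exchange 2013+ renamed these cmdlets to *-MobileDeviceMailboxPolicy).
# The policy name '4DigitPin' is from the post; the simple-PIN ban, the failed-attempt
# wipe, the explicit per-mailbox assignment and the verification report are additions.

$policyName = '4DigitPin'

# 1. Review what is already in place: which policy is the default and what it enforces.
Get-ActiveSyncMailboxPolicy |
    Select-Object Name, IsDefaultPolicy, DevicePasswordEnabled, MinDevicePasswordLength,
                  AllowSimpleDevicePassword, RequireDeviceEncryption,
                  MaxInactivityTimeDeviceLock, MaxDevicePasswordFailedAttempts,
                  AllowNonProvisionableDevices |
    Format-Table -AutoSize

# 2. Create the policy only if it does not exist yet, so re-running the script is safe.
#    Settings are splatted from a hashtable so that each one can carry a comment.
$settings = @{
    Name                               = $policyName
    AllowNonProvisionableDevices       = $false      # a device that cannot apply the policy is refused, not silently allowed
    DevicePasswordEnabled              = $true       # a PIN or password is required to unlock the device
    AlphanumericDevicePasswordRequired = $false      # a numeric PIN is acceptable
    AllowSimpleDevicePassword          = $false      # tightened vs. the post ($true there): rejects 1111, 1234 and the like
    MinDevicePasswordLength            = 4
    MaxInactivityTimeDeviceLock        = '00:15:00'  # lock the device after 15 minutes idle
    MaxDevicePasswordFailedAttempts    = 10          # addition: device wipes itself after 10 wrong PINs; tell users first
    PasswordRecoveryEnabled            = $false      # no recovery password stored on the server
    RequireDeviceEncryption            = $true       # device storage must be encrypted
    AttachmentsEnabled                 = $true
}
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy @settings
}

# 3. Make it the default (covers mailboxes with no policy set explicitly) ...
Set-ActiveSyncMailboxPolicy -Identity $policyName -IsDefaultPolicy $true

# ... and also assign it explicitly to every ActiveSync-enabled mailbox, so a mailbox
# that was pinned to another policy earlier does not keep the weaker one.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policyName

# 4. Verify. The policy only takes effect once the device acknowledges it on its next sync,
#    so the server-side setting alone proves nothing. Anything other than 'AppliedInFull'
#    is a device still syncing without the controls you think it has, or one that is now
#    blocked by AllowNonProvisionableDevices and needs a follow-up with its owner.
$report = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and $_.HasActiveSyncDevicePartnership } |
    ForEach-Object {
        $mbx = $_
        Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity |
            Select-Object @{ n = 'Mailbox'; e = { $mbx.Name } },
                          DeviceType, DeviceUserAgent,
                          DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync
    }

$report | Format-Table -AutoSize

# Devices that have not fully applied the policy yet: the list to chase.
$report |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Format-Table -AutoSize
```

Run step 3 against a pilot group first (for example filter Get-CASMailbox with -OrganizationalUnit, or pipe in the members of a test distribution group) and watch the step 4 report for a day or two before rolling it out to everyone. The failed-attempt wipe is the setting that needs the most careful communication, since a child playing with a parent's phone can trigger it.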

Conclusion

As you can tell, it's pretty easy to enforce a PIN and encryption on your end devices without much configuration, and you will be one step closer to securing your network and devices.

You can go further and really lock the policy down to your liking (password expiry and history, a wipe after too many failed attempts, blocking storage cards, camera or browser). I encourage it, with caution: test on a pilot group first, because -AllowNonProvisionableDevices $false will block any device that cannot apply the settings you add. But at a minimum please do the above.
