SBS2008 Enforces Harsh, Draconian Policies on Mobile Devices by Default
June 27th, 2009 by Paul Sterley | Filed in In the Windows Box, Security, Windows Server

Much thanks to Mark B. for the catchy phrase in the title!
SBS 2008, by default, enables some security measures on mobile devices which use ActiveSync. These security measures are, of course, entirely appropriate for keeping valuable information on NSA employees’ handheld devices secure.
OK, OK, these measures might even be appropriate for the medical field, legal, banking, and a number of other fields.
However, you may have a client who does not want/need/like them. They may become particularly grumpy if these policies are suddenly pushed down to their handheld without warning after an SBS 2008 upgrade.
Here’s how to find and adjust them:
- Open Exchange Management Shell.
- Expand Organization Configuration.
- Select Client Access.
- Right-click the Windows SBS Mobile Mailbox Policy object and click Properties.
- General Tab:
  - By default, “Allow non-provisionable devices” is checked, so that’s OK.
- Password Tab:
  - There are a number of settings in here to adjust, most notably whether or not a password is required on the device, how many characters it must be, and whether it can be “simple” or not. The context-sensitive help is amazingly unhelpful regarding what a “simple” password is, but if you click the link near the bottom labeled “Understanding Exchange ActiveSync Mailbox Policies”, you get a better description, albeit not a comprehensive one. It simply (pun intended) says “This setting enables or disables the ability to use a simple password such as 1234. The default value is $true.”
- Sync Settings Tab:
  - Another marvelously well-thought-out move by Microsoft is to set the default to include ALL past Calendar and E-Mail items, and allow attachments. Rumor has it they took money from flash memory card manufacturers for that setting.
  - On my Windows Mobile 5 device, I seem to be able to override these settings, and they do not get set back during the next sync. YMMV.
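The same tabs can be audited and adjusted from the Exchange Management Shell with the Exchange 2007 SP1 ActiveSync policy cmdlets. This is an added example, not from the original post; it assumes the SBS default policy name given above, and the export path is a placeholder you can change.

```powershell
# Added example: audit, then relax, the SBS 2008 default ActiveSync mailbox policy.
# Policy name is the SBS 2008 default named in the post; adjust if yours differs.
$policyName = 'Windows SBS Mobile Mailbox Policy'

# 1. Record the policy as it stands so the change can be reviewed or reverted later.
$policy = Get-ActiveSyncMailboxPolicy -Identity $policyName
$policy | Format-List Name, AllowNonProvisionableDevices, DevicePasswordEnabled,
    AllowSimpleDevicePassword, MinDevicePasswordLength, MaxCalendarAgeFilter,
    MaxEmailAgeFilter, AttachmentsEnabled
# Placeholder path; keep the export somewhere outside the user profile if you prefer.
$policy | Export-Clixml -Path "$env:USERPROFILE\ActiveSyncPolicy-before.xml"

# 2. See which mailboxes the policy is bound to; those are the handhelds that get the push.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncMailboxPolicy -like "*$policyName*" } |
    Select-Object Name, ActiveSyncMailboxPolicy

# 3. Relax the settings the post calls out. The device PIN is the only thing between a
#    lost handset and the mailbox, so this keeps a PIN required but allows a simple one;
#    set DevicePasswordEnabled to $false if the client really wants no PIN at all.
$settings = @{
    Identity                  = $policyName
    DevicePasswordEnabled     = $true       # Password Tab: password still required
    AllowSimpleDevicePassword = $true       # Password Tab: allow "simple" such as 1234
    MinDevicePasswordLength   = 4
    MaxCalendarAgeFilter      = 'OneMonth'  # Sync Settings Tab: default is All past items
    MaxEmailAgeFilter         = 'TwoWeeks'  # Sync Settings Tab: default is All past mail
    AttachmentsEnabled        = $true
}
# Dry run first so the change can be eyeballed, then apply it.
Set-ActiveSyncMailboxPolicy @settings -WhatIf
Set-ActiveSyncMailboxPolicy @settings

# 4. Confirm the new values took.
Get-ActiveSyncMailboxPolicy -Identity $policyName | Format-List DevicePasswordEnabled,
    AllowSimpleDevicePassword, MinDevicePasswordLength, MaxCalendarAgeFilter,
    MaxEmailAgeFilter, AttachmentsEnabled
```

Devices pick up the revised policy on their next sync, so run this before users' handhelds connect to the migrated server if you want to avoid the surprise the post describes.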
Alternatively, you could simply delete the entire policy. I suspect that if you did this after the settings were pushed out, the handhelds could not be adjusted until they were reset to default, or until you created a new policy with all settings unchecked or something similar.
Probably the best solution is prevention – disable HTTPS through the firewall during the migration until you have had a chance to adjust these settings or remove the policy.
Tags: Activesync, Mobile Mailbox Policy, SBS 2008, Security