Chapter 7. Managing mobile messaging
In our increasingly connected world, users want to be able to access email, calendars, contacts, and scheduled tasks no matter the time or place. With Microsoft Exchange 2013 and Microsoft Exchange Online, you can make anywhere, anytime access to Exchange data a real possibility. How? Start by using the built-in web and mobile access features that Exchange offers to allow users to connect to Exchange over the Internet and from cellular networks. With on-premises Exchange, web access, mobile access, and secure anywhere access are all implemented as separate features that are available when you install the Client Access server role for Exchange 2013. These features include Exchange ActiveSync, Outlook Web App, Outlook Web App for Devices, and Outlook Anywhere. Outlook Anywhere is the default protocol for current versions of Microsoft Outlook. Exchange ActiveSync, Outlook Web App, and Outlook Web App for Devices are also available for Exchange Online.
Mastering mobile device and wireless access essentials
Exchange 2013 and Exchange Online support wireless access for users with many types of mobile devices via Exchange ActiveSync and Outlook Web App for Devices. Exchange ActiveSync allows users to link mobile devices to their Exchange accounts so that Exchange synchronizes mail data with the mobile device. Because mail and other data is stored on the device, users can access their email, calendar, contacts, and scheduled tasks whether they are online or offline.
Outlook Web App for Devices allows users to access Outlook Web App on a tablet or smartphone simply by accessing the app in the device’s browser and logging in. Unlike Exchange ActiveSync, Outlook Web App for Devices does not normally store mail and related data in a file cache on a user’s mobile device.
Using Exchange ActiveSync and Outlook Web App for Devices
Because sensitive data might be stored on a user’s mobile device with Exchange ActiveSync, several safeguards are in place to prevent unauthorized access to this data. The first safeguard is a device password, which can be reset remotely by the user or by an administrator. The second safeguard is a remote wipe feature that remotely instructs a mobile device to delete all its Exchange and corporate data. A third safeguard is a data encryption requirement, which can be enabled and enforced.
When you install Exchange 2013 or use Exchange Online, Exchange ActiveSync and Outlook Web App for Devices are automatically configured for use, which makes these features easy to manage. However, there are still some essential concepts you should know to manage them more effectively. This section explains these concepts.
Note
All devices running Windows Phone 8, Windows 8 RT, Windows 8.1 and later have encryption that is enabled by default. As an Exchange administrator, you can fine-tune the mobile access configuration for your organization in many ways, as discussed later in this chapter. At a minimum, you’ll want to ensure that the appropriate level of authentication is applied. You’ll also want to create and apply mobile device mailbox policy and Outlook Web App policy.
Exchange ActiveSync allows users with smartphones and other mobile devices to initiate synchronization with Exchange to keep their data up to date and receive notices from Exchange that trigger synchronization through the Direct Push feature. Direct Push is a key feature about which you probably want to know a bit more. It works like this:
The user configures her mobile device to synchronize with Exchange, selecting specific Exchange folders that she wants to keep up to date.
When a new message arrives in a designated sync folder, a control message is sent to the mobile device.
The control message initiates a data synchronization session, and the device performs background synchronization with Exchange.
After synchronization, users can then access their data while they are offline. In Exchange 2013, Direct Push is either enabled or disabled as is Exchange ActiveSync itself. Because Direct Push uses HTTPS, TCP port 443 must be open on your firewall between the Internet and the Client Access server to which the user is connecting.
Managing Exchange ActiveSync and Outlook Web App for Devices
With Exchange Online, Exchange ActiveSync and Outlook Web App for Devices are enabled by default and you cannot change this setting. With Exchange 2013, Exchange ActiveSync is enabled for each user by default, but you can disable Exchange ActiveSync for specific users as necessary.
To disable Exchange ActiveSync for specific users, follow these steps:
In Exchange Admin Center, select Recipients in the Feature pane, and then select Mailboxes.
You should now see a list of users with Exchange mailboxes in the organization. Double-tap or double-click the user’s name to open the Properties dialog box for the user account.
On the Mailbox Features page, the enabled mobile and web access features for the user are displayed.
To disable Exchange ActiveSync for this user, under Mobile Devices, select Disable Exchange ActiveSync, and then tap or click Yes.
To enable Exchange ActiveSync for this user, under Mobile Devices, select Enable Exchange ActiveSync, and then tap or click Yes.
To disable OWA For Devices for this user, under Mobile Devices, select Disable OWA For Devices, and then tap or click Yes.
To enable OWA For Devices for this user, under Mobile Devices, select Enable OWA For Devices, and then tap or click Yes.
Tap or click Save.
Real World
Exchange ActiveSync notifications are sent over the Internet. The actual process of receiving synchronization requests and sending synchronization notifications is handled by Exchange. Exchange ActiveSync is, in fact, configured as an ASP.NET application on the web server. For Exchange ActiveSync to work properly, IIS server must be configured properly.
To define organization-wide security and authentication options, you can use mobile device mailbox policies. When you install Exchange 2013 or use Exchange Online, a default mobile device mailbox policy is created. Through mobile device mailbox policy settings, you can precisely control mobile browsing capabilities for all users in the enterprise, including the following:
Whether Apple mobile devices can get push notifications
Whether passwords are required, and how passwords must be configured
Synchronization settings to include in addition to calendar and email items
Permitted devices and device options, such as whether a device can use Wi-Fi, infrared, Bluetooth, storage cards, or its built-in camera
Whether the device, its storage cards, or both must be encrypted
Although you configure many mobile device settings in Exchange Admin Center, you will need to use Exchange Admin Shell to fully customize mobile device options.
Moving from remote mail to Outlook Anywhere
Two additional technologies you can use for mobile access are remote mail and Outlook Anywhere. These technologies require extra configuration for both Outlook clients and Exchange servers. This section discusses Outlook client configuration. See Chapter 6 for a discussion of Exchange server configuration.
Beginning with Outlook 2013 and Exchange Server 2013, Microsoft is moving away from remote mail. Previously, with remote mail you could configure Outlook to connect to Exchange Server using a dial-up connection to your organization’s modem bank. Remote mail was useful in the following scenarios:
Users at a branch office must connect to Exchange Server by means of dial-up connections.
Laptop users want to connect to Exchange Server through dial-up connections when out of the office.
Users working at home need to connect to Exchange Server by means of dial-up connections.
Remote mail is being replaced by Outlook Anywhere, which is a technology that allows users to access Exchange Server over the Internet using Outlook. In current Outlook clients, Outlook Anywhere is the default access technology. With Outlook Anywhere, you don’t need to use a virtual private network (VPN) to securely connect Outlook to Exchange Server. Instead of relying on VPN for security, Outlook Anywhere takes advantage of standard Internet security features to ensure that communications are secure.
Outlook Anywhere is a dynamic communication protocol for remotely accessing Exchange Server using RPC over HTTP, with or without SSL encryption: With RPC over HTTP, remote procedure calls (RPCs) are nested within HTTP packets, which can either be encrypted or not encrypted with SSL, and then transmitted. By adding encryption to either technique, you help ensure that data transmitted between Outlook and Exchange Server is protected. Secure communication with SSL is the default configuration for Outlook Anywhere.
Outlook Anywhere is particularly useful in these scenarios:
Users at a branch office must connect to Exchange Server over a broadband connection, such as a digital subscriber line (DSL) or a cable modem, and you don’t have a VPN, or you want to simplify the connection process by eliminating the need for a VPN.
Laptop users want to connect to Exchange Server through broadband or T1 connections when out of the office without having to use VPNs.
Users working at home need to connect to Exchange Server by means of broadband connections without having to use a VPN.
Dial-up users can also use Outlook Anywhere. In this case, the users connect to the Internet by using their dial-up connection and then connect to Exchange using Outlook Anywhere.
Enabling Outlook Anywhere requires separate client and server configurations. You work with Outlook Anywhere by following the procedures discussed in the Managing Outlook Anywhere section of Chapter 6. Although Outlook 2013 or later should use Outlook Anywhere by default, Outlook 2007 and Outlook 2010 do not.
You can configure Outlook to use Outlook Anywhere by completing the following steps:
Exit Outlook. Start the Mail utility. (In Control Panel, tap or click User Accounts, and then tap or click Mail.)
In the Mail Setup–Outlook dialog box, tap or click Show Profiles. Then, in the Mail window, tap or click Add.
Type the name of the profile, such as Outlook Anywhere, and then tap or click OK. This starts the Add New E-mail Account Wizard.
If you’ve properly configured the Autodiscover service, Autodiscover will automatically configure the client for you, and you can skip the rest of this procedure. Otherwise, you need to manually configure settings. Select the Manually Configure Server Settings check box, and then tap or click Next.
Select Microsoft Exchange, and then tap or click Next.
In the Server text box, type the host name of the mail server, such as mailer1. You can also enter the FQDN of the mail server, such as mailer1.cpandl.com. Using the fully qualified domain name can help ensure a successful connection when the mail server is in a different domain or forest.
In the User Name text box, enter the user’s domain logon name or domain user name, such as Williams or William Stanek. Tap or click Check Name to confirm that you’ve entered the correct user name for the mailbox. You’ll want to store a local copy of the user’s email on his computer, so make sure that the Use Cached Exchange Mode check box is selected.
Tap or click More Settings to display the Microsoft Exchange dialog box.
With Outlook 2007 or Outlook 2010, you’ll usually want to manually control the connection state and connect to Exchange only when there is an active connection (meaning when you are online as opposed to when you are offline). On the General tab, select both Manually Control Connection State and Connect With The Network options. If you want the user to be prompted for a connection type, select the Choose Connection Type When Starting check box.
By default, data sent between Outlook and Exchange is encrypted. If you don’t want to encrypt message traffic, on the Security tab, under Encryption, clear the Encrypt Data Between Microsoft Office Outlook And Microsoft Exchange.
On the Connection tab, select the Connect To Microsoft Exchange Using HTTP check box.
Tap or click the Exchange Proxy Settings button to open the Exchange Proxy Settings dialog box, shown in Figure 7-1.
In the Use This URL To Connect To My Proxy Server For Exchange text box, enter the Exchange Outlook Web App URL. Selecting the Connect Using SSL Only check box ensures that the connection to Exchange Server is secure and uses SSL. The Exchange Server must have a properly configured and trusted SSL certificate. If you configure Outlook 2013 while on your corporate network, you may find that this option is not selected. Thus, Outlook attempts to connect to Outlook Anywhere using HTTP without SSL.
The On Fast Networks and On Slow Networks check boxes allow you to configure the protocols used by Outlook Anywhere. When configuring these options, keep the following in mind:
If you select neither check box, Outlook tries to use TCP/IP. Outlook can switch between TCP/IP and Outlook Anywhere. If you are not connected to the corporate LAN either directly or via a VPN, TPC/IP will fail. I recommend only selecting this option when a client will always be on the corporate network and when you always want the client to use TCP/IP and SMTP for communications.
If you select both check boxes, Outlook Anywhere first tries to use RPC over HTTP. If it experiences problems connecting or transmitting, it then tries to use RPC over TCP/IP. Unless appropriate ports are open on the corporate firewall, RPC over TCP/IP will fail if you are not connected to the corporate LAN either directly or via a VPN. Because you’ve optimized for usage on both fast and slow networks, Outlook initially assumes you’re on a fast network, which allows Outlook to quickly transition from one technology to the other. If Outlook later detects you’re on a slow network, Outlook allows for longer than usual timeouts and latency. Although this change can slow down the transition from one technology to the other, it does help to ensure that Outlook waits long enough for a response before transitioning. I recommend this setting when you prefer that Outlook connects to Exchange using HTTP over RPC.
If you select only the Slow Network check box and Outlook Anywhere detects the user is on a slow network, it first tries to use RPC over HTTP and then tries to use RPC over TCP/IP. Because Outlook Anywhere allows for longer than usual timeouts and latency the transition from one to the other can be delayed. The definition of a slow network is configured in Group Policy. By default, a slow network is a network with a connection speed of 256 kilobits per second or less transmission speed. I don’t recommend using only this option unless you know Outlook will always be on a slow network.
If you select only the Fast Network check box and Outlook Anywhere detects the user is on a fast network, it first tries to use RPC over HTTP and then tries to use RPC over TCP/IP. Because Outlook Anywhere doesn’t allow for longer than usual timeouts and latency, the transition from one to the other is performed as quickly as possible. I don’t recommend using only this option unless you know Outlook will always be on a fast network.
NT LAN Manager (NTLM) authentication is the default authentication technique. Using NTLM authentication ensures that the user’s credentials are protected and encrypted when transmitted over the network.
After you finish configuring remote mail, tap or click OK twice. In the Add New E-mail Account Wizard, tap or click Next, and then tap or click Finish.
In the Mail dialog box, select Prompt For A Profile To Be Used, and then tap or click OK.
Managing Exchange Server features for mobile devices
Mobile access to Exchange Server is supported on smartphones and other mobile devices. Most mobile devices include extensions that permit the use of additional features, including
Autodiscover
Direct Push
Remote Device Wipe
Password Recovery
Direct File Access
Remote File Access
In Exchange Server, these features are all enabled by default. The sections that follow discuss how these features work and how related options are configured.
Using Autodiscover
The Autodiscover service simplifies the provisioning process for mobile devices and for Outlook 2007 and later clients by returning the required Exchange settings after a user enters his or her email address and password. This provisioning eliminates the need to configure mobile carriers in Exchange Server, in addition to the need to download and install the carriers list on mobile devices.
Understanding Autodiscover
Autodiscover is enabled by default. The Default Web Site associated with a particular Client Access server has an associated Autodiscover virtual directory that handles proxying and authentication for Autodiscover. The Exchange Back End website associated with the Mailbox server hosting the user’s mailbox has an Associated Autodiscover virtual directory through which devices can be provisioned. These virtual directories handle Autodiscover requests:
Whenever an Outlook client queries for service details
Whenever a user account is configured or updated
Whenever the network connection changes
Each Client Access server is configured with a service connection point that contains an authoritative list of Autodiscover URLs for the associated Active Directory forest. The Autodiscover service URL for the service connection point is either https://SMTPdomain/autodiscover/autodiscover.xml or https://autodiscover.SMTPdomain/autodiscover/autodiscover.xml, where SMTPdomain is the name of the SMTP domain to which the client wants to connect, such as Pocket-consultant.com.
CAServerName is the name of a Client Access server in the site to which the client is connecting. For example, if the user’s email address is [email protected], the primary SMTP domain address is contoso.com.
When the client connects to Active Directory, the client authenticates to Active Directory by using the user’s credentials and then queries for the available service connection point objects. One service connection point object is created for each Client Access server deployed in the Exchange organization. This object contains a ServiceBindingInfo attribute with the fully qualified domain name of the corresponding Client Access server in the form https://ServerFQDN/autodiscover/ autodiscover.xml, where ServerFQDN is the fully qualified name of the Client Access server. After the client obtains and enumerates the service connection point instances, the client connects to the first Client Access server in the enumerated list and obtains the profile information needed to connect to the user’s mailbox. This profile is formatted with XML and also includes a list of available Exchange features.
Configuring URLs and authentication for Autodiscover
When you install a Client Access server, the server is configured with a Default Web Site that has a virtual directory for Autodiscover. Through this virtual directory, you can specify different URLs for internal access and external access to Autodiscover. You also can configure various authentication options.
In the Exchange Admin Center, select Servers in the Feature pane and then select Virtual Directories to view a list of the front-end virtual directories used by Client Access servers in the Exchange organization, which includes an entry for each Autodiscover virtual directory available. If you’ve made any changes to an Autodiscover virtual directory, you should verify that you can still access Autodiscover. If you can’t access Autodiscover or suspect there is a configuration problem, you can reset the Autodiscover virtual directory by selecting it in the list of virtual directories, and then selecting Reset. In the Warning dialog box, enter the full file path to a network share in which a settings file can be created to store the current settings for the Autodiscover virtual directory, such as \mailserver21updatesAutodiscoverlog.txt. Finally, confirm that you want to reset the virtual directory by selecting Reset. When you reset a virtual directory, Exchange deletes the virtual directory and then recreates it with its default settings. Resetting a directory means any custom settings will be lost. To complete the process, you must run the iisreset /noforce command on the affected server.
Important
Only front-end virtual directories are listed in Exchange Admin Center and only the settings of front-end virtual directories are modified by the reset. If you also want to reset the corresponding back-end virtual directory after resetting a front-end virtual directory, you must do this in Exchange Management Shell.
In Exchange Management Shell, you have additional management options for the Autodiscover service. To get detailed information about the Autodiscover configuration, type the following command:
Get-AutodiscoverVirtualDirectory -Server MyServer | flMyServer is the name of the Client Access server you want to examine. Included in the detailed information is the identity of the Autodiscover virtual directory, which you can use with related cmdlets, and the authentication methods enabled for internal and external access. By default, Autodiscover is configured to use Basic authentication, NTLM authentication, integrated Windows authentication, Web Services security, and Outlook Authorization Authentication. By using the Set-AutodiscoverVirtualDirectory cmdlet, you can enable or disable these authentication methods, in addition to digest authentication. You can also set the internal and external URLs for Autodiscover. Neither URL is set by default.
By default, only information about the related front-end virtual directories is included. To add information about the related back-end virtual directories, set -ShowMailboxVirtualDirectories to $true. Set -ADPropertiesOnly to $true if you want to only view the properties stored in Active Directory. The following example gets information for all Autodiscover virtual directories in the Exchange organization:
Get-AutodiscoverVirtualDirectory -ShowMailboxVirtualDirectories | fl
To disable Autodiscover, type the following command:
Remove-AutodiscoverVirtualDirectory -Identity ServerNameDirName
(WebSiteName)ServerName is the name of the Client Access server on which this feature should be disabled, DirName is the name of the virtual directory to remove, and WebSiteName is the name of the web site you are configuring, such as:
Remove-AutodiscoverVirtualDirectory –Identity "CorpMailSvr25Autodiscover (Default Web Site)"
If you later want to enable Autodiscover, you can type the following command:
New-AutodiscoverVirtualDirectory -Identity -Identity "CorpMailSvr25Autodiscover (Default Web Site)"
MyServer is the name of the Client Access server on which this feature should be enabled for the Default Web Site.
Get-AutodiscoverVirtualDirectory cmdlet syntax and usage New-AutodiscoverVirtualDirectory cmdlet syntax and usage Set-AutodiscoverVirtualDirectory cmdlet syntax and usage Remove-AutodiscoverVirtualDirectory cmdlet syntax and usage provide the full syntax and usage for the Get-AutodiscoverVirtualDirectory, New-AutodiscoverVirtualDirectory, Set-AutodiscoverVirtualDirectory and Remove-AutodiscoverVirtualDirectory cmdlets, respectively.
Using Direct Push
Direct Push automates the synchronization process, enabling a mobile device to make requests to keep itself up to date. When the website used with Exchange ActiveSync has SSL enabled, Direct Push allows a mobile device to issue long-lived Hypertext Transfer Protocol Secure (HTTPS) monitoring requests to Exchange Server. Exchange Server monitors activity in the related user’s mailbox. If new mail arrives or other changes are made to the mailbox—such as modifications to calendar or contact items—Exchange sends a response to the mobile device, stating that changes have occurred and that the device should initiate synchronization with Exchange Server. The device then issues a synchronization request. When synchronization is complete, the device issues another long-lived HTTPS monitoring request.
Port 443 is the default TCP port used with SSL. For Direct Push to work, port 443 must be opened between the Internet and the organization’s Internet-facing Client Access server or servers. You do not need to open port 443 on your external firewalls to all of your Client Access servers—only those to which users can establish connections. The Client Access server receiving the request automatically proxies the request so that it can be handled appropriately. If necessary, this can also mean proxying requests between the mobile device and the Client Access server in the user’s home site. A user’s home site is the Active Directory site in which the mailbox server hosting his or her mailbox is located.
Using remote device wipe
Although passwords help to protect mobile devices, they don’t prevent access to the device. You can protect the data on mobile devices in several ways. One such way is to apply a mobile device mailbox policy that controls access to the device and encrypts its content. Another way is to have a strict policy that requires users and administrators to remotely wipe lost or stolen devices. A remote device wipe command instructs a mobile device to delete all Exchange and corporate data.
Remotely wiping a device
An administrator or the owner of the device can prevent the compromising of sensitive data by initiating a remote device wipe. After you initiate a remote device wipe and the device receives the request, the device confirms the remote wipe request by sending a confirmation message and then removes all its sensitive data the next time it connects to Exchange Server. Wiping sensitive data should prevent it from being compromised.
Real World
The way remote wipe is implemented depends on the way the related protocol is implemented on the device. Although Exchange 2013 only requires that Exchange and corporate data be removed, most device operating systems wipe all data on the device and then return the device to its factory default condition. A complete wipe can also remove any data stored on any storage card inserted into the device.
All devices running Windows Phone 8, Windows 8 RT, Windows 8.1 and later support the remote wipe protocol as implemented for Exchange 2013. When you issue a remote wipe for one of these devices, the wipe only affects Exchange and corporate data. For these devices, client application settings also can determine whether the wipe actually deletes the sensitive data or simply makes it inaccessible. As data on these devices is encrypted by default, any data remaining would be protected by encryption.
The easiest way to wipe a device remotely is to have the device owner initiate the wipe using Outlook Web App. When the device acknowledges the request, the user will get a confirmation email. The device owner can wipe a device by following these steps:
Open your web browser. In the Address field, type the Outlook Web App URL, such as https://mail.cpandl.com/owa, and then press Enter to access this page.
When prompted, provide the logon credentials of the user whose device you want to wipe. Do not provide your administrator credentials.
On the Outlook Web App toolbar, tap or click the gear icon (Settings), and then tap or click Options.
The left pane of the Options view provides a list of options. Tap or click Phone.
The user’s mobile devices are listed in the details pane. Select the device you want to wipe, and then tap or click Wipe Device.
Confirm the action when prompted.
Track the status of the device. When the status changes from Wipe Pending to Wipe Successful, the device wipe is complete.
Note
You can use Outlook Web App for remote device wiping only if the user has used the device previously to access Exchange Server and if you have enabled the Segmentation feature of Exchange Active Directory Integration (which is the default configuration).
Caution
Because wiping a device causes complete data loss, you should do this only when you’ve contacted the user directly (preferably in person) and confirmed that the mobile device has been lost and that he or she understands the consequences of wiping the device. If your organization has a formal policy regarding the wiping of lost devices that might contain sensitive company data, be sure you follow this policy and get any necessary approvals. Keep in mind that although a remote wipe makes it very difficult to retrieve any data from the device, in theory retrieval is possible with sophisticated data recovery tools.
Alternatively, an administrator can log on to Exchange Admin Center and initiate a remote wipe by completing the following steps:
In Exchange Admin Center, select Recipients in the Feature pane, and then select Mailboxes.
Select the mailbox for the user whose device you want to wipe. Next, in the details pane, under Mobile Devices, tap or click View Details.
On the Mobile Device Details page, select the lost device, and then select Wipe Data.
Tap or click Save to initiate the remote wipe.
Track the status of the device. When the status changes from Wipe Pending to Wipe Successful, the device wipe is complete.
In the Exchange Management Shell, you can examine and filter through all of the mobile devices that have linked to Exchange by using Get-MobileDevice. You also can list the mobile devices registered as partners for a user’s mailbox by using the Get-MobileDeviceStatistics cmdlet. In either case, the device identity you want is the DeviceId string. If the user has multiple mobile devices, also be sure to consult the DeviceModel and DeviceOperatorNetwork values.
After you know the mobile device identity, you can issue a remote device wipe command by using the Clear-MobileDevice cmdlet. You then need to confirm that you want to wipe the device when prompted by pressing the Y key. Get-MobileDevice cmdlet syntax and usage Get-MobileDeviceStatistics cmdlet syntax and usage Clear-MobileDevice cmdlet syntax and usage provide the syntax and usage for Get-MobileDevice, Get-MobileDeviceStatistics, and Clear-MobileDevice cmdlets, respectively. With Get-MobileDeviceStatistics, you can specify either the unique identity of the remote device or the user mailbox with which you want to work. The –GetMailboxLog parameter retrieves mailbox logs and usage information. Use the –OutputPath parameter to direct the statistics to a specific folder path or the –Notification-EmailAddresses parameter to email the statistics to specified email addresses.
Important
If you determine that you’ve made a mistake in issuing a remote wipe, you should immediately issue a cancellation request by using the Clear-MobileDevice cmdlet. In this case, set the –Cancel parameter to $true. The remote device processes the cancellation request only if the remote wipe has not yet been initiated.
Note
Exchange also supports the Get-ActiveSyncDevice, Get-ActiveSyncDeviceStatistics and Clear-ActiveSyncDevice cmdlets, which have similar syntax and options as Get-MobileDevice, Get-MobileDeviceStatistics, and Clear-MobileDevice respectivly. Because the ActiveSyncDevice cmdlets only work with ActiveSync devices and the MobileDevice cmdlets work with all supported devices, I prefer to use the Mobile-Device cmdlets and you probably will too.
Reviewing the remote wipe status
When you initiate a remote wipe, the mobile device removes all its data the next time it connects to Exchange Server. You can review the remote wipe status by using an alternate syntax for the Get-MobileDeviceStatistics cmdlet. Instead of passing the –Mailbox parameter to the cmdlet, use the Identity parameter to specify the DeviceId string of the device you wiped. The statistics returned will include these output parameters:
DeviceWipeRequestTime. The time you requested a remote wipe
DeviceWipeSentTime. The time the server sent the remote wipe command to the device
DeviceWipeAckTime. The time when the device acknowledged receipt of the remote wipe command
If there is a DeviceWipeSentTime time stamp, the device has connected to Exchange Server and Exchange Server sent the device the remote wipe command. If there is a DeviceWipeAckTime time stamp, the device acknowledged receipt of the remote wipe and has started to wipe its data.
Using password recovery
Users can create passwords for their mobile devices. If a user forgets his password, you can obtain a recovery password that unlocks the device and lets the user create a new password. The user can also recover his device password by using Outlook Web App.
To use Outlook Web App to recover a user’s device password, complete the following steps:
Open a web browser. In the Address field, type the Outlook Web App URL, such as https://mail.cpandl.com/owa, and then press Enter to access this page.
When prompted, have the user enter her logon credentials or provide the user’s logon credentials. Do not provide your administrator credentials.
On the Outlook Web App toolbar, tap or click the gear icon (Settings), and then tap or click Options.
The left pane of the Options view provides a list of options. Tap or click Phone.
The user’s mobile devices are listed in the details pane. Select the device for which you are recovering the password.
Tap or click Display Recovery Password.
You also can display the device recovery password by completing the following steps:
In the Exchange Admin Center, select Recipients in the Feature pane, and then select Mailboxes.
Select the mailbox for the user whose device you want to wipe. Next, in the details pane, under Mobile Devices, tap or click View Details.
The device recovery password is listed.
In the Exchange Management Shell, you can display the device recovery password by using the –ShowRecoveryPassword parameter of the Get-MobileDeviceStatistics cmdlet. Recovering a device password provides the syntax and usage.
Configuring direct file access
By default, Exchange Server 2013 allows users to access files directly through Outlook, Outlook Web App, and related services. This means that users will be able to access files attached to email messages. You can configure how users interact with files by using one of three options in the Exchange Admin Center:
Allow. Allows users to access files of the specified types, and sends the users’ browser information that allows the files to be displayed or opened in the proper applications
Block. Prevents users from accessing files of the specified types
Force Save. Forces users to save files of the specified types prior to opening them
Table 7-1 lists the file extensions and Multipurpose Internet Mail Extensions (MIME) values that Exchange Server allows, blocks, or sets to force save by default. These settings are applied to the Outlook Web Access (OWA) virtual directory on Client Access servers. If a server has multiple OWA virtual directories or you have multiple Client Access servers, you must configure each directory and server separately.
OPTION | FILE NAME EXTENSIONS | MIME VALUES |
Allow | .avi, .bmp, .doc, .docm, .docx, .gif, .jpg, .mp3, .one, .pdf, .png, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pub, .rpmsg, .rtf, .tif, .tiff, .txt, .vdx, .vsd, .vsdm, .vsdx, .vss, .vssm, .vssx, .vst, .vstm, .vstx, .vsx, .vtx, .wav, .wma, .wmv, .xls, .xlsb, .xlsm, .xlsx, .zip | image/bmp, image/gif, image/jpeg, image/png |
Block | .ade, .adp, .app, .asp, .aspx, .asx, .bas, .bat, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .exe, .fxp, .gadget, .hlp, .hpj, .hta, .htc, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .mht, .mhtml, .msc, .msh, .msh1, .msh1xml, .msh2, .msh2xml, .mshxml, .msi, .msp, .mst, .ops, .osd, .pcd, .pif, .plg, .prf, .prg, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vsmacros, .vsw, .ws, .wsc, .wsf, .wsh, .xml | application/hta, application/javascript, application/msaccess, application/prg, application/x-javascript, application/xml, text/javascript, text/scriplet, text/xml, x-internet-signup |
Force Save | .dcr, .dir, .spl, .swf | Application/futuresplash, Application/octet-stream, Application/x-director, Application/x-shockwave-flash |
Note
If there are conflicts between the allow, block, and force save lists, the allow list takes precedence, which means that the allow list settings override the block list and the force save list. As updates are applied to Exchange Server, the default lists can change. Be sure to check the currently applied defaults.
Exchange Server considers all file extensions and MIME types not listed on the allow, block, or force save list to be unknown files and file types. The default setting for unknown file types is force save.
Based on the user’s selection, the configuration of her network settings, or both, Exchange divides all client connections into one of two classes:
Public or shared computer. A public computer is a computer being used on a public network or a computer shared by multiple people.
Private computer. A private computer is a computer on a private network that is used by one person.
For each Client Access server, you can enable or disable direct access to files separately for public computers and private computers. However, the allow, block, and force save settings for both types of computers are shared and applied to both public and private computers in the same way.
You can configure direct file access on front-end virtual directories by completing the following steps:
In the Exchange Admin Center, select Servers in the Feature pane, and then select Virtual Directories to view a list of the front-end virtual directories used by Client Access servers in the Exchange organization.
Select the OWA virtual directory on the Client Access server you want to manage, and then select Edit. Typically, you’ll want to configure the OWA virtual directory on the Default Web Site because this directory is used by default for Outlook Web App.
In the Virtual Directory dialog box, select the File Access page.
To enable or disable direct file access for public computers, under Public Or Shared Computer, select or clear the Direct File Access check box, as appropriate. (See Figure 7-2.)
Important
When you disable features in the front end, you prevent them from being used because the front end proxies connections to the back end and blocks disabled features from being used. However, if you enable a feature in the front end but the feature is disabled in the back end, clients normally won’t be able to use the feature.
Under Private Computer, you can select or clear the Direct File Access check box to enable or disable direct file access for private computers.
Tap or click Save to apply your settings. As necessary, make corresponding changes in the related back-end virtual directory using Exchange Management Shell.
In the Exchange Management Shell, you can use the Set-OWAVirtualDirectory cmdlet to manage the direct file-access configuration. Use the –Identity parameter to identify the virtual directory with which you want to work, such as:
Set-OWAVirtualDirectory –Identity "Corpsvr127owa (Default Web Site)"
Then specify how you want to configure direct file access on the front-end and back-end virtual directory, such as:
Set-OWAVirtualDirectory –Identity "Corpsvr127owa (Default Web Site)" –DirectFileAccessOnPublicComputersEnabled $false –DirectFileAccessOnPrivateComputersEnabled $true Set-OWAVirtualDirectory –Identity "Corpsvr127owa (Exchange Back End)" –DirectFileAccessOnPublicComputersEnabled $false –DirectFileAccessOnPrivateComputersEnabled $true
If you are unsure of the virtual directory identity value, use the Get-OWAVirtualDirectory cmdlet to retrieve a list of available virtual directories on a named server, as shown in the following example:
Get-OWAVirtualDirectory –Server "Corpsvr127" -ShowMailboxVirtualDirectories
Alternatively, you could get the OWAVirtualDirectory object for both the front end and back end and then set the desired options on both as shown in the following example:
Get-OWAVirtualDirectory –Server Corpsvr127 -ShowMailboxVirtualDirectories | Set-OWAVirtualDirectory –DirectFileAccessOnPublicComputersEnabled $false –DirectFileAccessOnPrivateComputersEnabled $true
Although the server in this example has both the Client Access Server role and the Mailbox Server role installed, you could just as easily apply the changes to front-end and back-end Exchange servers throughout the organization. If you want to make changes across all servers, however, I recommend adding the -Whatif parameter to ensure the command is going to work exactly as expected before executing the command a second time without the -Whatif parameter. In the following example, you disable direct file access on public computers on all front-end and back-end OWA virtual directories:
Get-OWAVirtualDirectory -ShowMailboxVirtualDirectories | Set-OWAVirtualDirectory –DirectFileAccessOnPublicComputersEnabled $false -WhatIf
You configure allowed file types and allowed MIME types by using the -AllowedFileTypes and -AllowedMIMETypes parameters respectively. As these are multivalued properties, you must either enter the complete set of allowed values or use a special shorthand to insert into or remove values from these multivalued properties. The shorthand for adding values is:
@{Add="<ValuetoAdd1>","<ValuetoAdd2>"...}Because you’ll typically want to configure the front-end and back-end virtual directories in the same way, the following example sets the allowed file types on both the front-end and back-end OWA virtual directories:
Get-OWAVirtualDirectory –Server Corpsvr127 -ShowMailboxVirtualDirectories |
Set-OWAVirtualDirectory –AllowedFileTypes @{Add=".log",".man"}In this case, the server has both the Client Access Server role and the Mailbox Server role installed. The shorthand for removing values is:
@{Remove="<ValuetoRemove1>","<ValuetoRemove2>"...}The following is an example:
Get-OWAVirtualDirectory –Server Corpsvr127 -ShowMailboxVirtualDirectories |
Set-OWAVirtualDirectory –AllowedFileTypes @{Remove=".log",".man"}If you want to add values and remove others, you can do this as well by using the following shorthand:
@{Add="<ValuetoAdd1>","<ValuetoAdd2>"...;
Remove="<ValuetoRemove1>","<ValuetoRemove1>"...}You can confirm that values were added or removed as expected by using Get-OWAVirtualDirectory. Because there are so many allowed file types, you won’t get a complete list of file types if you examine the -AllowedFileTypes property as shown in the following example:
Get-OWAVirtualDirectory –Identity "Corpsvr127owa (Default Web Site)" | fl name, allowedfiletypes
A workaround to examine all the values of such a property follows:
$vdir = Get-OWAVirtualDirectory –Identity "Corpsvr127owa (Default Web Site)" $data = $vdir.allowedfiletypes $data | fl *
In this case, you store the virtual directory object in the $vdir variable. Next, you store the values associated with this object’s AllowedFileTypes parameter in the $data variable. Finally, you list each allowed file type.
You can use similar techniques to work with
Blocked file types and blocked MIME types. The corresponding parameters are -BlockedFileTypes and -BlockedMimeTypes respectively.
Forced Save file types and forced save MIME types. The corresponding parameters are -ForcedSaveFileTypes and -ForcedSaveMimeTypes respectively.
Configuring remote file access
By default, Exchange Server 2013 allows users to access files remotely through Outlook Web App (OWA). This means users will be able to access Windows SharePoint Services and Universal Naming Convention (UNC) file shares on SharePoint sites. SharePoint sites consist of Web Parts and Windows ASP.NET–based components that allow users to share documents, tasks, contacts, events, and other information. When you configure UNC file shares on SharePoint sites, you enable users to share folders and files.
You configure remote file access by using configuration options for the ActiveSync virtual directory. The -RemoteDocumentsBlockedServers and -RemoteDocumentsAllowedServers parameters of the Set-ActiveSyncVirtualDirectory cmdlet specify the host names of servers from which clients are denied or allowed access respectively. If there is a conflict between the blocked servers list and the allowed servers list, the block list takes precedence.
Because the -RemoteDocumentsBlockedServers and -RemoteDocumentsAllowedServers parameters are multivalued properties, you must either enter the complete set of allowed values or use the special shorthand discussed earlier in this chapter in the Configuring direct file access section to insert into or remove values from these multivalued properties. To add a server to the blocked or allowed servers list, use the fully qualified domain name of the server, such as mailsvr83.cpandl.com.
The following example adds two servers to the allowed servers list throughout the Exchange organization:
Get-ActiveSyncVirtualDirectory -ShowMailboxVirtualDirectories |
Set-OWAVirtualDirectory –RemoteDocumentsAllowedServers
@{Add="mailsvr83.cpandl.com","corpserver18.treyresearch.net"}Servers that are not listed on either the allow list or the block list are considered to be unknown servers. By default, access to unknown servers is allowed. You can use the -RemoteDocumentsActionForUnknownServers parameter to specify whether to allow or block unknown servers. Set the parameter value to Allow or Block as appropriate. Here is an example:
Get-ActiveSyncVirtualDirectory -ShowMailboxVirtualDirectories | Set-OWAVirtualDirectory -RemoteDocumentsActionForUnknownServers Block
Users have access only to shares hosted on internal servers. For a server to be considered an internal server, you must tell Exchange about the domain suffixes that should be handled as internal by using the -RemoteDocumentsInternalDomainSuffixList parameter. This is a multivalued parameter.
To add a domain suffix, specify the fully qualified domain name of the suffix. An example follows:
Get-ActiveSyncVirtualDirectory -ShowMailboxVirtualDirectories |
Set-OWAVirtualDirectory -RemoteDocumentsInternalDomainSuffixList
@{Add="cpandl.com","treyresearch.net"}To remove a domain suffix, specify the suffix to remove, such as:
Get-ActiveSyncVirtualDirectory -ShowMailboxVirtualDirectories |
Set-OWAVirtualDirectory -RemoteDocumentsInternalDomainSuffixList
@{Remove="proseware.com","litwareinc.com"}Using WebReady Document Viewing
WebReady Document Viewing allows users to view common file types in Outlook Web App without having the applications associated with those file types installed on their computer. WebReady Document Viewing allows users to view the following files:
Adobe PDF documents with the .pdf extension
Microsoft Excel spreadsheets with the.xls and .xlsx extensions
Text and Microsoft Word documents with the .doc, .docx, .dot, .rtf, and .txt extensions
Microsoft PowerPoint presentations with the .pps, .ppt, and .pptx extensions
For attachments, the following related MIME types are supported, in addition to related open XML formats for presentations, spreadsheets, and word processing documents:
application/msword
application/pdf
application/vnd.ms-excel
application/vnd.ms-powerpoint
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/x-msexcel
application/x-mspowerpoint
Note
WebReady Document Viewing works by converting documents in supported formats to HTML so that they can be viewed as a webpage in Outlook Web App. Thus, when an email message has an attachment in a supported format, WebReady Document Viewing allows the document to be viewed without having to first download the document to the user’s computer or open a helper application.
When there are conflicting settings between the direct file, remote file, and WebReady Document Viewing settings, you can force clients to use WebReady Document Viewing first, if you want. This means that the documents will be opened within a client browser rather than in a related application, such as Word.
You can enable or disable WebReady Document Viewing separately for public computers and private computers. However, supported document settings for both types of computers are shared and applied to both public and private computers in the same way.
To configure WebReady Document Viewing and direct file access, complete the following steps:
In the Exchange Admin Center, select Servers in the Feature pane, and then select Virtual Directories to view a list of the front-end virtual directories used by Client Access servers in the Exchange organization.
Select the OWA virtual directory on the Client Access server you want to manage, and then select Edit. Typically, you’ll want to configure the OWA virtual directory on the Default Web Site because this directory is used by default for Outlook Web App.
In the Virtual Directory dialog box, select the File Access page.
To enable or disable direct file access for public computers, under Public Or Shared Computer, you can enable or disable WebReady Document Viewing for public computers by selecting or clearing the WebReady Document Viewing check box. Optionally, force Outlook Web App to use WebReady Document Viewing on public computers when a converter is available.
Important
When you disable features in the front end, you prevent them from being used because the front-end proxies connections to the back end and blocks disabled features from being used. However, if you enable a feature in the front end but the feature is disabled in the back end, clients normally won’t be able to use the feature.
Under Private Computer, you can enable or disable WebReady Document Viewing for private computers by selecting or clearing the WebReady Document Viewing check box. Optionally, force Outlook Web App to use WebReady Document Viewing on private computers when a converter is available.
Tap or click Save to apply your settings. As necessary, make corresponding changes in the related back-end virtual directory using Exchange Management Shell.
In the Exchange Management Shell, you can use the Set-OWAVirtualDirectory cmdlet to manage the WebReady Document Viewing configuration. Use the –Identity parameter to identify the virtual directory you want to work, such as:
Set-OWAVirtualDirectory –Identity "Corpsvr127owa (Default Web Site)"
Then specify how you want to configure WebReady Document Viewing on the front-end and back-end virtual directory, such as:
Set-OWAVirtualDirectory –Identity "Corpsvr127owa (Default Web Site)" -WebReadyDocumentViewingOnPublicComputersEnabled $false -WebReadyDocumentViewingOnPrivateComputersEnabled $true -WebReadyDocumentViewingForAllSupportedTypes $true Set-OWAVirtualDirectory –Identity "Corpsvr127owa (Exchange Back End)" -WebReadyDocumentViewingOnPublicComputersEnabled $false -WebReadyDocumentViewingOnPrivateComputersEnabled $true -WebReadyDocumentViewingForAllSupportedTypes $true
If you are unsure of the virtual directory identity value, use the Get-OWAVirtualDirectory cmdlet to retrieve a list of available virtual directories on a named server, as shown in the following example:
Get-OWAVirtualDirectory –Server "Corpsvr127" -ShowMailboxVirtualDirectories
When working with Set-OWAVirtualDirectory, you configure WebReady file types and WebReady MIME types by using the -WebReadyFileTypes and -WebReadyMime- Types parameters respectively. Because these are multivalued properties, you must either enter the complete set of allowed values or use a special shorthand to insert into or remove values from these multivalued properties. Typically, you’ll want to configure the front-end and back-end virtual directories in the same way.
Working with mobile devices and device policies
Mobile device mailbox policy makes it possible to enhance the security of mobile devices used to access your Exchange servers. For example, you can use policy to require a password of a specific length and to configure devices to automatically prompt for a password after a period of inactivity.
Each mailbox policy you create has a name and a specific set of rules with which it is associated. Because you can apply policies separately to mailboxes when you create or modify them, you can create different policies for different groups of users. For example, you can have one policy for users and another policy for managers. You can also create separate policies for departments within the organization. For example, you can have separate policies for Marketing, Customer Support, and Technology.
Note
Exchange also supports ActiveSync mailbox policies. Because ActiveSync mailbox policies apply only to ActiveSync devices and the mobile device mailbox policies work with all supported devices, I prefer to use the mobile device mailbox policies, and you probably will too. Additionally, although ActiveSync mailbox policies are deprecated and will be phased out in a future release of Exchange, you can still use them. If you do, the techniques are similar to those for mobile device mailbox policies, except that you use the following ActiveSync cmdlets instead of MobileDevice cmdlets: Get-ActiveSyncMailboxPolicy, New-ActiveSyncMailboxPolicy, Set-ActiveSyncMailboxPolicy, and Remove-ActiveSyncMailboxPolicy.
Viewing existing mobile device mailbox policies
When the Client Access server role is installed on an Exchange server, the setup process creates a default mobile device mailbox policy, which allows ActiveSync to be used without restrictions or password requirements. All users with mailboxes have this policy applied by default. You can modify the settings of this policy to change the settings for all users or create new policies for specific groups of users.
In the Exchange Admin Center, you can view the currently configured mobile device mailbox policies by selecting Mobile in the Feature pane, and then selecting Mobile Device Mailbox Policies. In the details pane, you’ll see a list of current policies.
In the Exchange Management Shell, you can list policies by using the Get-MobileDeviceMailboxPolicy cmdlet. Get-MobileDeviceMailboxPolicy cmdlet syntax and usage provides the syntax, usage, and sample output. If you do not provide an identity with this cmdlet, all available mobile device mailbox policies are listed. All devices running Windows Phone 8, Windows 8 RT, Windows 8.1 and later have device encryption that is enabled by default.
Creating mobile device mailbox policies
The mobile device mailbox policies you create apply to your entire organization. You apply policies separately after you create them, as discussed later in this chapter in the Assigning mobile device mailbox policies section.
You can create a new policy by completing the following steps:
In Exchange Admin Center, select Mobile in the Feature pane, and then select Mobile Device Mailbox Policies to see a list of currently defined mobile device mailbox policies.
Tap or click New to open the New Mobile Device Mailbox Policy dialog box.
As shown in Figure 7-3, type a descriptive name for the policy, and then use the following options to configure the policy:
This Is The Default Policy. Makes this the default policy. If you select this option, the policy is assigned to all users who are currently using the previously assigned default policy.
Allow Mobile Devices That Don’t Fully Support…. Allows older devices that do not support all policy settings to synchronize. If you select this option, these older devices can connect to Exchange 2013.
Require A Password. Requires mobile devices to use a password. If you do not select this option, you cannot specify password requirements.
Allow Simple Passwords. Allows the user to use a noncomplex password instead of a password that meets the minimum complexity requirements.
Require An Alphanumeric Password. Requires that a password contain numeric and alphanumeric characters. If you do not select this option, users can use simple passwords, which might not be as secure. If you select this option, you can also specify the number of character sets that are required to be used in passwords. The four character sets are lowercase letters, uppercase letters, numbers, and symbols. You can require from one to four of these character sets to be used in passwords.
Require Encryption On Device. Requires mobile devices to use encryption. Because encrypted data cannot be accessed without the appropriate password, this option helps to protect the data on the device. If you select this option, Exchange allows devices to download data only if they can use encryption (except when you allow mobile devices that don’t fully support mobile device mailbox policy).
Minimum Password Length. Allows you to set a minimum password length. You must select the related check box to set the minimum password length, such as eight characters. The longer the password, the more secure it is. A good minimum password length is between 8 and 12 characters, which is sufficient in most cases.
Number Of Sign-In Failures Before Device Is Wiped. Allows you to specify the number of login failures before the device is wiped. If you select this option, be sure to set a high enough value so that mobile devices aren’t accidentally wiped by users. For example, rather than setting a low value, such as 3, use a higher value, such as 9.
Require Sign-In After The Device Has Been Inactive For (Minutes). Allows you to specify the length of time that a device can go without user input before it locks. If you select this option, be sure to set an interval that allows for normal workflow and isn’t disruptive. For example, if high security isn’t a requirement, you may want to require users to sign-in after 5 to 7 minutes of inactivity rather than having the device lock itself after 2 to 3 minutes of inactivity.
Enforce Password Lifetime (days). Allows you to specify the maximum length of time users can keep a password before they have to change it. You can use this option to require users to change their passwords periodically. A good password expiration value is between 30 and 90 days. This period is sufficient to allow use of the password without requiring overly frequent changes.
Password Recycle Count. Allows you to specify how frequently old passwords can be reused. You can use this option to discourage users from changing back and forth between a common set of passwords. To disable this option, set the size of the password history to zero. To enable this option, set the desired size of the password history. A good value is between 3 and 6. This helps to deter users from switching between a small list of common passwords.
Tap or click Save to create the policy. Optimize the configuration, as discussed in the following section of this chapter, “Optimizing mobile device mailbox policies.”
In the Exchange Management Shell, you can create new mobile device mailbox policies by using the New-MobileDeviceMailboxPolicy cmdlet. New-MobileDeviceMailboxPolicy cmdlet syntax and usage provides the syntax and usage. There are additional policy settings you can access in the shell that you cannot access in the Exchange Admin Center.
Optimizing mobile device mailbox policies
When you create a mobile device mailbox policy, some additional settings are configured automatically. You can modify policy settings by using the Set-MobileDeviceMailboxPolicy cmdlet. By default, access to both Windows file shares and Microsoft Windows SharePoint Services is allowed. You can block access to file shares and SharePoint by setting the -UNCAccessEnabled and -WSSAccessEnabled parameters to $false.
If you specified that passwords are required, by default, simple passwords are not allowed. Additionally, by default, many device features are allowed. By using the TrueFalseParams shown in Set-MobileDeviceMailboxPolicy cmdlet syntax and usage, you can:
Allow or disallow another device to share the device’s Internet connection.
Allow or disallow remote desktop connections.
Allow or disallow the device to access email accounts other than Exchange.
Allow or disallow the device to access removable storage, such as memory cards.
Allow or disallow the device to connect to a wireless network.
Allow or disallow the device to connect to and synchronize with a desktop computer.
Allow or disallow the device to connect to other devices using infrared.
Allow or disallow the device to execute unsigned applications.
Allow or disallow the device to install unsigned applications.
Allow or disallow the device to use the built-in browser.
Allow or disallow the device’s built-in camera.
You can specify the maximum allowed size for email messages by using -MaxEmailBodyTruncationSize and -MaxEmailHTMLBodyTruncationSize. Both parameter values are set in kilobytes. If a standard email message exceeds the MaxEmailBodyTruncationSize value, the message is truncated (clipped). If an HTML-formatted email message exceeds the MaxEmailHTMLBodyTruncationSize, the message is truncated (clipped).
If the policy allows devices to download attachments, the attachment has no default limit size. You can block attachment downloads by setting -AttachmentsEnabled to $false. If you allow attachments and you want to limit the size of attachments that users can download, you can specify the maximum allowed attachment size in kilobytes by using -MaxAttachmentSize.
For past calendar and email items, you can use the -MaxCalendarAgeFilter and -MaxEmailAgeFilter parameters respectively to specify whether all calendar and mail items should be synced or only items from a specific period of time, such as the last two weeks. If you allow Bluetooth, you also can specify how the device can use Bluetooth. To allow the device to use Bluetooth in any mode, set -AllowBlueTooth to Allow. To allow the device to use Bluetooth only in hands-free mode, set -AllowBlueTooth to HandsfreeOnly. To prevent the device from using Bluetooth, set -AllowBlueTooth to Disable.
Assigning mobile device mailbox policies
Mailbox servers automatically apply the default mobile device mailbox policy through implicit inheritance unless you assign a different non-default policy to a user. Any mailbox that has implicitly inherited policy automatically applies the current default policy and its settings. When you modify the default policy or configure a new default policy, you change the settings for all mailbox users that implicitly inherit the default policy.
To set a different policy as the default for new mailbox users, follow these steps:
In Exchange Admin Center, select Mobile in the Feature pane, and then select Mobile Device Mailbox Policies to see a list of currently defined mobile device mailbox policies.
The current default policy has the value (default) as a suffix. To make another policy the default, select the policy you want to be the new default, and then select Edit.
In the Mobile Device Mailbox Policy dialog box, select This Is The Default Policy, and then select Save.
To explicitly assign a policy to a mailbox, complete the following steps:
In Exchange Admin Center, select Recipients in the Feature pane, and then select Mailboxes.
You should now see a list of users with Exchange mailboxes in the organization. Select the mailbox with which you want to work.
In the details pane, under Mobile Devices, select View Details.
In the Mobile Device Details dialog box, select Browse. Choose the policy to apply, and then select OK.
Tap or click Save to apply your settings.
To explicitly assign a policy to multiple mailboxes, complete the following steps:
In Exchange Admin Center, select Recipients in the Feature pane, and then select Mailboxes.
You should now see a list of users with Exchange mailboxes in the organization. Select multiple mailboxes by using the Shift or Ctrl keys.
In the details pane, scroll down. Under Exchange ActiveSync, select Update A Policy.
In the Bulk Assign… dialog box, select Browse. Choose the policy to apply, and then select OK.
Tap or click Save to apply your settings.
If you want mailbox users to use a mobile device mailbox policy other than the default, you can assign a policy directly to mailboxes by using the –ActiveSyncMailboxPolicy parameter of the Set-CASMailbox cmdlet. Assigning a Mobile Device Mailbox Policy to mailboxes provides the syntax and usage.
Removing mobile device mailbox policies
When you no longer need a mobile device mailbox policy, you can remove it, provided that it isn’t the current default policy. In the Exchange Admin Center, select the policy, and then select the Delete button. When prompted to confirm, tap or click Yes to delete the policy. If users are assigned to the policy, they will stop using the policy and implicitly inherit the current default policy.
In the Exchange Management Shell, you can remove a mobile device mailbox policy by using the Remove-MobileMailboxPolicy cmdlet. Remove-MobileMailboxPolicy cmdlet syntax and usage provides the syntax and usage.
Managing device access
You can manage device access to Exchange in several ways. One way to prevent a device from synchronizing with Exchange is to put the device on the blocked mobile device list for the user’s mailbox. The first step is to retrieve the ID of the device you want to prevent from syncing. Unfortunately, there’s no way to retrieve the device ID before the user synchronizes the device with Exchange (unless you already know the device ID). If the user has synced the device already, you can get the device ID using:
Get-MobileDeviceStatistics -Mailbox ExchangeId
-ActiveSync | fl DeviceIDExchangeId is the email address or Exchange alias of the user, such as:
Get-MobileDeviceStatistics -Mailbox KaraH -ActiveSync | fl DeviceID
To prevent a device from synchronizing with Exchange, you must add the device to the -ActiveSyncBlockedDeviceIDs parameter list on the user’s mailbox. To do this, run the following command:
Set-CASMailbox -Identity ExchangeID -ActiveSyncBlockedDeviceIDs
@{Add="DeviceID"}ExchangeID is the email address or Exchange alias for the mailbox user you want to prevent from using certain mobile devices, and DeviceID is the ID of the device to prevent from synchronizing with Exchange. If the device was previously on the user’s allowed ActiveSync device list, you can remove the device from this list in addition to using the following syntax:
Set-CASMailbox -Identity ExchangeID -ActiveSyncAllowedDeviceIDs
@{Remove="DeviceID"}Note
As the blocked list has precedence over the allowed list, you technically don’t have to remove the device from the allowed list. However, if someone accidentally resets the blocked list and you haven’t removed the device from the allowed list, the user will be explicitly permitted to use the device to sync with Exchange.
Although you may sometimes want to manage device access for individual users, you’ll probably prefer to define device access rules to control which device can and cannot sync with Exchange. To work with access rules, you’ll use the following cmdlets:
Get-ActiveSyncDeviceAccessRule. Lists an access group of Exchange mobile devices along with their access level
Get-ActiveSyncDeviceAccessRule [-Identity AccessRuleId] [-DomainController FullyQualifiedName] [-Organization OrgId]
Get-ActiveSyncDeviceClass. Lists mobile devices that have connected to Exchange by their type and model
Get-ActiveSyncDeviceClass [-Identity DeviceGroupId] [-DomainController FullyQualifiedName] [-Filter FilterValues] [-Organization OrgId] [-SortBy AttributeName]
New-ActiveSyncDeviceAccessRule. Defines an access group of Exchange mobile devices along with their access level
New-ActiveSyncDeviceAccessRule -AccessLevel <Allow | Block | Quarantine> -Characteristic <DeviceType | DeviceModel | DeviceOS | UserAgent> -QueryString Devices [-DomainController FullyQualifiedName] [-Organization OrgId]
Remove-ActiveSyncDeviceAccessRule. Removes an existing device access rule
Remove-ActiveSyncDeviceAccessRule -Identity AccessRuleId [-DomainController FullyQualifiedName]
Remove-ActiveSyncDeviceClass. Removes a device class from the list of mobile devices synchronizing with Exchange
Remove-ActiveSyncDeviceClass -Identity DeviceGroupId [-DomainController FullyQualifiedName]
Set-ActiveSyncDeviceAccessRule. Sets the level of access for the ActiveSync Device Access rule
Set-ActiveSyncDeviceAccessRule -Identity AccessRuleId [-AccessLevel <Allow | Block | Quarantine>] [-DomainController FullyQualifiedName]
The following example creates access rules to block several different types of iOS 6.1 devices:
New-ActiveSyncDeviceAccessRule -querystring "iOS 6.1 10B142" -characteristic DeviceOS -accesslevel block New-ActiveSyncDeviceAccessRule -querystring "iOS 6.1 10B143" -characteristic DeviceOS -accesslevel block New-ActiveSyncDeviceAccessRule -querystring "iOS 6.1 10B144" -characteristic DeviceOS -accesslevel block
Finally, by using the following commands you can set a default access level and blocking thresholds for ActiveSync devices:
Get-ActiveSyncDeviceAutoblockThreshold. Lists the Autoblock settings for Exchange ActiveSync mobile devices
Get-ActiveSyncDeviceAutoblockThreshold [-Identity RuleName] [-DomainController FullyQualifiedName]
Set-ActiveSyncDeviceAutoblockThreshold. Modifies the autoblocking settings for mobile devices
Set-ActiveSyncDeviceAutoblockThreshold -Identity RuleName [-AdminEmailInsert MessageText] [-BehaviorTypeIncidenceDuration TimeSpan] [-BehaviorTypeIncidenceLimit Limit] [-DeviceBlockDuration TimeSpan] [-DomainController FullyQualifiedName]
Get-ActiveSyncOrganizationSettings. Lists the Exchange ActiveSync settings for the Exchange organization
Get-ActiveSyncOrganizationSettings [-Identity ExchangeOrgId] [-DomainController FullyQualifiedName] [-Organization OrgId]
Set-ActiveSyncOrganizationSettings. Modifies the Exchange ActiveSync settings for the Exchange organization
Set-ActiveSyncOrganizationSettings [-Identity ExchangeOrgId] [-AdminMailRecipients email1,email2,...emailN] [-DefaultAccessLevel <Allow | Block | Quarantine>] [-DomainController FullyQualifiedName] [-OtaNotificationMailInsert MessageText] [-UserMailInsert MessageText