Mobile Device Security Settings: Exchange Mailbox Policies versus SCCM/ConfigMgr 2007
This post focuses on Exchange 2007 and ConfigMgr 2007, although most of it applies to Exchange 2003 as well.
Exchange 2007 introduces ActiveSync Mailbox Policies. These can be used to enforce and configure various settings on mobile devices. Settings such as requiring a password, the password length, the password complexity, whether attachments can be downloaded, and access to UNC shares and Windows SharePoint Services sites can all be configured through an ActiveSync mailbox policy.
Most of these settings (and many more, I hasten to add) can also be configured using the device management features in SCCM/ConfigMgr. I've created a table below that maps the equivalent settings between the two. The left-hand column shows the Exchange setting and the right-hand column shows where to find the equivalent in SCCM. In some cases the SCCM equivalent lives in a different "configuration type" depending on the device platform (Pocket PC 2003 versus devices with the Messaging and Security Feature Pack, MSFP). In some cases there is no SCCM equivalent at all.
Now, the question facing many will be "which should I use, Exchange or SCCM?". The answer, I suspect, is the ubiquitous "it depends". I expect many will enforce through both, for the following reasons:
- Not all devices connect to Exchange, but you may still want these settings enforced on them. For those devices you need SCCM.
- It is likely that not all devices connecting to Exchange will be managed by SCCM (for example, the client may not be installed yet). For those devices you need Exchange.
Therefore I think the answer is to enforce the settings through both solutions, which means the Exchange and SCCM teams need to be talking to each other when planning this. But what if they're not, and the Exchange team configures a value different from the SCCM team's? Neither system knows about the other, so whichever wrote the value last wins: each time the device refreshes its ActiveSync policy or polls ConfigMgr for policy, the setting is rewritten, so expect it to flip between the two values indefinitely on those devices. Either give each setting a single owner, or make sure both teams enter exactly the same value.
| Setting | Description | ConfigMgr equivalent |
|---|---|---|
| Allow non-provisionable devices | Allows older devices that do not support EAS policies (for example, Windows Mobile 5.0 without the Messaging and Security Feature Pack) to connect to Exchange 2007 using Exchange ActiveSync. | None |
| Allow simple password | Enables or disables the use of a simple password such as 1234. | Password Policy for Pocket PC 2003 -> Enforce user password type (PIN or strong) |
| Alphanumeric password required | Requires that a password contains both numeric and non-numeric characters. | Password Policy for MSFP -> Require numbers and letters |
| Attachments enabled | Allows attachments to be downloaded to the mobile device. | None |
| Device encryption enabled | On Windows Mobile 6.0 devices, controls encryption of the storage card. | None |
| Password enabled | Requires a device password. | Password Policy for MSFP -> Enforce password on device; Password Policy for Pocket PC 2003 -> Enable password policy on device |
| Password expiration | Sets the length of time after which the device password must be changed. | None |
| Password history | The number of unique passwords a user must use before an old password can be reused. | Password Policy for MSFP -> Enforce password history; Password Policy for Pocket PC 2003 -> Enable password history |
| Policy refresh interval | How often the device checks the Exchange server for changes to the ActiveSync policy. | Effectively the same as the ConfigMgr client policy polling interval. |
| Maximum attachment size | The maximum size of attachments that are automatically downloaded to the device. | None |
| Maximum failed password attempts | How many incorrect passwords can be entered before the device wipes all of its data. | Password Policy for MSFP -> Wipe device after failed attempts |
| Maximum inactivity time lock | How long a device can go without user input before it locks. | Password Policy for MSFP -> Inactivity time; Password Policy for Pocket PC 2003 -> Enforce password time-out |
| Minimum password length | The minimum device password length. | Password Policy for MSFP -> Minimum PIN length |
| Password recovery | Allows the device password to be recovered from the server. | None |
| UNC file access | Allows access to files stored on Universal Naming Convention (UNC) paths, that is, ordinary Windows file shares. | None |
| WSS file access | Allows access to files stored on Microsoft Windows SharePoint Services sites. | None |
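For the Exchange side of the table, here is an added example (it is not part of the original post, and it covers only Exchange, not ConfigMgr) that builds an ActiveSync mailbox policy setting every item in the left-hand column, assigns it to a mailbox, and reads back what the server will push. It runs in the Exchange 2007 Management Shell on a Client Access server. The policy name, the mailbox alias and all of the values are assumptions chosen for illustration, not recommendations from the post.

```powershell
# Added example, not from the original post. Policy name, mailbox alias and
# every value below are assumptions for illustration.
$policyName = 'Corp-Mobile-Baseline'   # assumed policy name
$mailbox    = 'jsmith'                 # assumed mailbox alias

# 1. Create the policy. Refusing non-provisionable devices is the security-
#    relevant choice: a device that cannot apply the policy would otherwise
#    sync with none of the settings below enforced.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false

# 2. Device password settings (the password rows of the table).
#    TimeSpan values use .NET d.hh:mm:ss notation.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -DevicePasswordHistory 5 `
    -DevicePasswordExpiration '90.00:00:00' `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -MaxDevicePasswordFailedAttempts 10 `
    -PasswordRecoveryEnabled $true `
    -DeviceEncryptionEnabled $true

# 3. Content access and policy refresh settings (the remaining rows).
#    5MB is PowerShell shorthand for 5242880 bytes; confirm the unit your
#    build expects with: Get-Help Set-ActiveSyncMailboxPolicy -Parameter MaxAttachmentSize
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AttachmentsEnabled $true `
    -MaxAttachmentSize 5MB `
    -UNCAccessEnabled $false `
    -WSSAccessEnabled $false `
    -DevicePolicyRefreshInterval '1.00:00:00'

# 4. Policies are assigned per mailbox in Exchange 2007; a mailbox with no
#    policy assigned gets none of the above enforced.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 5. Verify: what the server will push, and whether each device has
#    acknowledged it (LastPolicyUpdateTime stays empty until it does).
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List *Password*, *Attachment*, *Access*, *Refresh*, *Provisionable*, *Encryption*
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceID, LastPolicyUpdateTime, LastSuccessSync
```

If the same devices are also managed by ConfigMgr, the values entered under Password Policy for MSFP and Password Policy for Pocket PC 2003 need to match the ones set here; the output of step 5 only shows the Exchange side, so a device whose settings keep flipping is a sign the two teams have entered different values.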