Device Security Features:
Apart from the communication encryption feature, Exchange ActiveSync also offers the following device security features.
Remote wipe
If a mobile phone is lost, stolen, or otherwise compromised, you can issue a remote wipe command from the Exchange Server computer or from any Web browser by using Outlook Web App. This command erases all data from the mobile phone.
You can use one of the following methods for a remote wipe.
Use EMC (Management Console)
- Open EMC and navigate to Recipient Configuration -> Mailbox
- Select the user whose device you want to wipe
- Right-click the user mailbox and click Manage Mobile Device
- Select the mobile device that you want to wipe
- In the Action section click Clear, then click Clear again to finish
Use OWA/ECP
- Log in to OWA/ECP
- Click Options (if you have logged in to OWA)
- In the left pane select the Phone option
- Click the Mobile Phones tab and select the device you want to wipe
- Click Wipe Device and click OK
- Click Remove Device
Use EMS (Management Shell)
Open the Management Shell and use the cmdlet Get-ActiveSyncDeviceStatistics to retrieve the device identity.
Cmdlet:- Get-ActiveSyncDeviceStatistics -Mailbox Praveen | fl Identity
The above command gives us the identity of the device; use the following cmdlet to wipe the identified device.
Cmdlet:- Clear-ActiveSyncDevice -Identity WM_Praveen
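The shell procedure above, carried through as a script (an added example, not code from the original post): it lists the mailbox's devices, refuses to wipe an identity that is not actually paired with that mailbox, issues the wipe, and then polls the wipe timestamps so you can see whether the device has acknowledged it. It assumes an Exchange 2010 Management Shell session; the mailbox name and device identity are the ones used in the post, and the notification address is a placeholder.

```powershell
# Added example: remote wipe with ownership check and acknowledgement polling.
# Assumes an Exchange 2010 Management Shell. Mailbox/device values are taken
# from the post above; the notification address is a placeholder.
param(
    [string]$Mailbox        = "Praveen",
    [string]$DeviceIdentity = "WM_Praveen",
    [string]$NotifyAddress  = "admin@example.com",   # placeholder
    [int]$WaitMinutes       = 30
)

# 1. Show every device paired with the mailbox so the right one is chosen.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox
$devices | Format-Table Identity, DeviceType, DeviceModel, LastSuccessSync, Status -AutoSize

# 2. Match the identity as a substring (the full identity string is longer
#    than the short name shown in Get-ActiveSyncDeviceStatistics output) and
#    refuse to continue unless exactly one device of THIS mailbox matches.
#    This prevents wiping a device that belongs to a different user.
$target = @($devices | Where-Object { $_.Identity -like "*$DeviceIdentity*" })
if ($target.Count -eq 0) { throw "Device '$DeviceIdentity' is not paired with mailbox '$Mailbox'." }
if ($target.Count -gt 1) { throw "More than one device matched '$DeviceIdentity'; use a more specific identity." }
$target = $target[0]

# 3. Issue the wipe. -Confirm:$false suppresses the interactive prompt because the
#    check above already did the verification; -NotificationEmailAddresses sends a
#    mail once the device acknowledges the wipe.
Clear-ActiveSyncDevice -Identity $target.Identity -NotificationEmailAddresses $NotifyAddress -Confirm:$false

# 4. The wipe is executed only when the device next syncs, so poll the three
#    timestamps: requested (we asked), sent (device contacted us), ack (device confirmed).
$deadline = (Get-Date).AddMinutes($WaitMinutes)
do {
    Start-Sleep -Seconds 60
    $s = Get-ActiveSyncDeviceStatistics -Identity $target.Identity
    "{0}  requested={1}  sent={2}  ack={3}" -f (Get-Date -Format 'HH:mm:ss'),
        $s.DeviceWipeRequestTime, $s.DeviceWipeSentTime, $s.DeviceWipeAckTime
} until ($s.DeviceWipeAckTime -or (Get-Date) -gt $deadline)

if (-not $s.DeviceWipeAckTime) {
    Write-Warning "Wipe not yet acknowledged: the device has not synced since the request. The request stays queued until it does."
}
```

Until DeviceWipeAckTime is populated the data is still on the handset, so a pending wipe is not a completed one; if the account itself is suspected compromised, disabling ActiveSync for the mailbox with Set-CASMailbox -ActiveSyncEnabled $false stops further synchronisation while the wipe request remains queued.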
Device password policies
Exchange ActiveSync lets you configure several options for device passwords, including the following:
Minimum password length (characters): The default length is 4 characters, but as many as 18 can be required.
Require alphanumeric password: You can require a letter or symbol in the password in addition to numbers, which increases password strength.
Inactivity time (seconds): This option determines how long the mobile phone must be inactive before the user is prompted for a password to unlock it.
Wipe device after failed (attempts): This option specifies how many failed unlock attempts are allowed before the device is wiped.
How to configure Exchange ActiveSync policies
We can use the EMC or the Management Shell to configure the Exchange ActiveSync policies.
Use EMC
Open EMC and navigate to Organization Configuration -> Client Access
Select the Default Policy (you can also create a new policy and assign users to it), open the Action menu and click Properties.
Set the necessary settings as per your requirement.
Use Exchange Management Shell
We can use the cmdlet Set-ActiveSyncMailboxPolicy to configure the Exchange ActiveSync policies.
One such cmdlet is shown below.
Set-ActiveSyncMailboxPolicy -Identity Default -DevicePasswordEnabled $true -DevicePasswordExpiration 12 -DevicePasswordHistory 10 -MaxDevicePasswordFailedAttempts 7 -MaxInactivityTimeDeviceLock 00:10:00 -MinDevicePasswordLength 4 -PasswordRecoveryEnabled $true
Now we can verify the settings by running the cmdlet Get-ActiveSyncMailboxPolicy.
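The password-policy options listed above and the Set/Get cmdlet pair just shown, combined into one script (an added example, not code from the original post): it applies the post's settings to the Default policy, adds the alphanumeric requirement from the option list, then audits every ActiveSync mailbox policy in the organization against a baseline and reports only the settings that are weaker than the baseline. It assumes an Exchange 2010 Management Shell; the baseline values are this example's own choice, and AllowNonProvisionableDevices is a real policy parameter the post does not mention.

```powershell
# Added example: apply the post's policy, then audit all policies against a baseline.
# Assumes an Exchange 2010 Management Shell. Baseline values are illustrative.

# "At least" settings must be >= baseline, "at most" settings must be <= baseline,
# everything else must match exactly. MaxDevicePasswordFailedAttempts and
# MaxInactivityTimeDeviceLock can be "Unlimited", which always fails an "at most" check.
$Baseline = @{
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 4
    DevicePasswordHistory              = 10
    MaxDevicePasswordFailedAttempts    = 7
    MaxInactivityTimeDeviceLock        = [TimeSpan]'00:10:00'
    PasswordRecoveryEnabled            = $true
    AllowNonProvisionableDevices       = $false   # devices that cannot enforce the policy may not sync
}
$AtLeast = @('MinDevicePasswordLength', 'DevicePasswordHistory')
$AtMost  = @('MaxDevicePasswordFailedAttempts', 'MaxInactivityTimeDeviceLock')

# Step 1: the post's cmdlet, plus the alphanumeric requirement.
Set-ActiveSyncMailboxPolicy -Identity Default `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -DevicePasswordExpiration 12 `
    -DevicePasswordHistory 10 `
    -MaxDevicePasswordFailedAttempts 7 `
    -MaxInactivityTimeDeviceLock 00:10:00 `
    -MinDevicePasswordLength 4 `
    -PasswordRecoveryEnabled $true

# Policy properties of type Unlimited<int> / Unlimited<EnhancedTimeSpan> render as
# "Unlimited" or as a plain value; normalise them to $null, [int] or [TimeSpan].
function ConvertTo-Comparable($value) {
    $text = [string]$value
    if ($text -eq 'Unlimited') { return $null }
    if ($text -match '^\d+$')  { return [int]$text }
    return [TimeSpan]$text
}

# Step 2: compare one policy object with the baseline, emitting one row per setting.
function Test-ActiveSyncPolicyBaseline {
    param([Parameter(Mandatory=$true)]$Policy, [Parameter(Mandatory=$true)][hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $expected = $Baseline[$name]
        $actual   = $Policy.$name
        if ($AtLeast -contains $name) {
            $a  = ConvertTo-Comparable $actual
            $ok = ($a -ne $null) -and ($a -ge $expected)
        } elseif ($AtMost -contains $name) {
            $a  = ConvertTo-Comparable $actual
            $ok = ($a -ne $null) -and ($a -le $expected)   # "Unlimited" never passes
        } else {
            $ok = ($actual -eq $expected)
        }
        New-Object PSObject -Property @{
            Policy    = $Policy.Name
            Setting   = $name
            Expected  = [string]$expected
            Actual    = [string]$actual
            Compliant = $ok
        }
    }
}

# Step 3: audit every policy, not only Default, and show the deviations.
$report = Get-ActiveSyncMailboxPolicy |
    ForEach-Object { Test-ActiveSyncPolicyBaseline -Policy $_ -Baseline $Baseline }
$report | Where-Object { -not $_.Compliant } |
    Format-Table Policy, Setting, Expected, Actual -AutoSize
```

Auditing all policies matters because a mailbox assigned to a second, weaker policy is not protected by the Default one; the report's empty output is the "all compliant" state, and any row printed names the policy and the setting that needs attention.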
As you can see, there are some very useful settings compared to Exchange 2003, such as Enable password recovery, which enables password recovery for the mobile phone. Users can use Outlook Web App to look up their recovery password and unlock their mobile phone. Administrators can use the EMC to look up a user's recovery password.