• Status: Solved
  • Priority: Medium
  • Security: Public

get-casmailbox AS policies

I am trying to make some sense of the ActiveSync policies defined, i.e. whether the following settings allow for a "remote wipe" of the device if, say, it was lost or stolen, and whether a PIN/password is mandatory, or if the policy allows devices to sync whether or not the device meets the security requirements. I wasn't sure what "AllowNonProvisionableDevices" represents, i.e. does that mean if the device doesn't have a PIN or password of 8 characters or more, still allow it to sync? And which of the parameters below says whether remote wipe can be performed or not?

AllowNonProvisionableDevices             : True
AlphanumericDevicePasswordRequired       : True
AttachmentsEnabled                       : True
DeviceEncryptionEnabled                  : False
RequireStorageCardEncryption             : False
DevicePasswordEnabled                    : True
PasswordRecoveryEnabled                  : True
DevicePolicyRefreshInterval              : 01:00:00
AllowSimpleDevicePassword                : True
MaxAttachmentSize                        : unlimited
WSSAccessEnabled                         : True
UNCAccessEnabled                         : True
MinDevicePasswordLength                  : 8
MaxInactivityTimeDeviceLock              : unlimited
MaxDevicePasswordFailedAttempts          : 4
DevicePasswordExpiration                 : unlimited
DevicePasswordHistory                    : 0
IsDefaultPolicy                          : True
AllowStorageCard                         : True
AllowCamera                              : True
RequireDeviceEncryption                  : False
AllowUnsignedApplications                : True
AllowUnsignedInstallationPackages        : True
AllowWiFi                                : True
AllowTextMessaging                       : True
AllowPOPIMAPEmail                        : True
AllowIrDA                                : True
RequireManualSyncWhenRoaming             : False
AllowDesktopSync                         : True
AllowHTMLEmail                           : True
RequireSignedSMIMEMessages               : False
RequireEncryptedSMIMEMessages            : False
AllowSMIMESoftCerts                      : True
AllowBrowser                             : True
AllowConsumerEmail                       : True
AllowRemoteDesktop                       : True
AllowInternetSharing                     : True
AllowBluetooth                           : Allow
MaxCalendarAgeFilter                     : SixMonths
MaxEmailAgeFilter                        : All
RequireSignedSMIMEAlgorithm              : SHA1
RequireEncryptionSMIMEAlgorithm          : TripleDES
AllowSMIMEEncryptionAlgorithmNegotiation : AllowAnyAlgorithmNegotiation
MinDevicePasswordComplexCharacters       : 1
MaxEmailBodyTruncationSize               : unlimited
MaxEmailHTMLBodyTruncationSize           : unlimited
UnapprovedInROMApplicationList           : {}
ApprovedApplicationList                  : {}
AllowExternalDeviceManagement            : False
MobileOTAUpdateMode                      : MinorVersionUpdates
AllowMobileOTAUpdate                     : True
IrmEnabled                               : True
AdminDisplayName                         :
1 Solution
Will Szymkowski, Senior Solution Architect, Commented:
>I wasn't sure what "AllowNonProvisionableDevices" represents?

This allows older devices that may not require or be compatible with new security policies to connect using ActiveSync. This does not degrade new phones that can take full advantage of new security features.

Remote Wipe is enabled by default unless you have otherwise disabled this feature.

pma111 (Author) Commented:
So it basically means "if you don't meet our security policy for ActiveSync, you can connect anyway"?

pma111 (Author) Commented:
>Remote Wipe is enabled by default unless you have otherwise disabled this feature

How can you check whether this is enabled or has been disabled?

pma111 (Author) Commented:
Any view?

Will Szymkowski, Senior Solution Architect, Commented:
Remote Wipe is based on the Security Policies by default and cannot be changed. You do however have "AllowNonProvisionableDevices : True", which means any device that does not pertain to the security policies (older phones) is excluded from this policy. Any new phones that abide by the Security Policy automatically have remote wipe enabled.

Remote Wipe is a security feature and cannot be changed. The only exception is if the phone does not support it.

Because you have AllowNonProvisionableDevices enabled, you may have some devices that might not abide by this policy, depending on the age of the phone. This is something that only you can determine.

pma111 (Author) Commented:
So are you saying "Remote Wipe is enabled by default unless you have otherwise disabled this feature." - you can't disable it? Excuse my ignorance, just trying to clarify the facts.

Will Szymkowski, Senior Solution Architect, Commented:
Unless you completely disable ActiveSync for a mailbox, Remote Wipe will be enabled. Initially I thought you could disable this feature, but you cannot. Remote Wipe is part of the built-in security policies by default.

The only way a phone may not be part of this policy is when you have "AllowNonProvisionableDevices" enabled and you have a phone that is older and is not compatible with all of the new Security features built-in ActiveSync.
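
For anyone reviewing a policy like the one posted in the question, the following added example (not part of the original thread, and not code from either participant) lists the settings whose current values relax enforcement. `Test-EasPolicy` is a hypothetical helper name, the sample object is constructed from the values in the question with a made-up policy name, and `Get-ActiveSyncMailboxPolicy` is the Exchange cmdlet that returns these properties on a live server. Remote wipe does not appear as a property in the listing, so the check covers only the sync and password settings.

```powershell
# Added example. Test-EasPolicy is a hypothetical helper name.
function Test-EasPolicy {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Policy)
    begin {
        # Setting name, the value that relaxes enforcement, and what that value means.
        $rules = @(
            @('AllowNonProvisionableDevices', 'True',      'devices that cannot enforce every setting may still sync'),
            @('DevicePasswordEnabled',        'False',     'no device password is required'),
            @('AllowSimpleDevicePassword',    'True',      'simple passwords such as 1234 are accepted'),
            @('MaxInactivityTimeDeviceLock',  'Unlimited', 'no idle lock timeout is enforced'),
            @('RequireDeviceEncryption',      'False',     'device encryption is not required'),
            @('RequireStorageCardEncryption', 'False',     'storage card encryption is not required')
        )
    }
    process {
        foreach ($rule in $rules) {
            $name, $weakValue, $meaning = $rule
            # Compare as strings so live policy objects and text-derived samples both work.
            $value = "$($Policy.$name)"
            if ($value -eq $weakValue) {
                New-Object PSObject -Property @{
                    Policy  = $Policy.Name
                    Setting = $name
                    Value   = $value
                    Meaning = $meaning
                } | Select-Object Policy, Setting, Value, Meaning
            }
        }
    }
}

# Constructed sample: values copied from the output in the question; the Name is made up.
$sample = New-Object PSObject -Property @{
    Name                         = 'ExamplePolicy'
    AllowNonProvisionableDevices = $true
    DevicePasswordEnabled        = $true
    AllowSimpleDevicePassword    = $true
    MaxInactivityTimeDeviceLock  = 'unlimited'
    RequireDeviceEncryption      = $false
    RequireStorageCardEncryption = $false
}
$sample | Test-EasPolicy | Format-Table -AutoSize

# On a live server, from the Exchange Management Shell:
# Get-ActiveSyncMailboxPolicy | Test-EasPolicy
```
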

Question has a verified solution.