get-casmailbox AS policies

I am trying to make some sense of the ActiveSync policies defined, i.e. whether the following settings allow for a "remote wipe" of the device if, say, it was lost or stolen, whether a PIN/password is mandatory, and whether the policy allows devices to sync whether or not the device meets the security requirements. I wasn't sure what "AllowNonProvisionableDevices" represents, i.e. does that mean that if the device doesn't have a PIN or password of 8 characters or more, it is still allowed to sync? And which of the parameters below says whether remote wipe can be performed or not?

AllowNonProvisionableDevices             : True
AlphanumericDevicePasswordRequired       : True
AttachmentsEnabled                       : True
DeviceEncryptionEnabled                  : False
RequireStorageCardEncryption             : False
DevicePasswordEnabled                    : True
PasswordRecoveryEnabled                  : True
DevicePolicyRefreshInterval              : 01:00:00
AllowSimpleDevicePassword                : True
MaxAttachmentSize                        : unlimited
WSSAccessEnabled                         : True
UNCAccessEnabled                         : True
MinDevicePasswordLength                  : 8
MaxInactivityTimeDeviceLock              : unlimited
MaxDevicePasswordFailedAttempts          : 4
DevicePasswordExpiration                 : unlimited
DevicePasswordHistory                    : 0
IsDefaultPolicy                          : True
AllowStorageCard                         : True
AllowCamera                              : True
RequireDeviceEncryption                  : False
AllowUnsignedApplications                : True
AllowUnsignedInstallationPackages        : True
AllowWiFi                                : True
AllowTextMessaging                       : True
AllowPOPIMAPEmail                        : True
AllowIrDA                                : True
RequireManualSyncWhenRoaming             : False
AllowDesktopSync                         : True
AllowHTMLEmail                           : True
RequireSignedSMIMEMessages               : False
RequireEncryptedSMIMEMessages            : False
AllowSMIMESoftCerts                      : True
AllowBrowser                             : True
AllowConsumerEmail                       : True
AllowRemoteDesktop                       : True
AllowInternetSharing                     : True
AllowBluetooth                           : Allow
MaxCalendarAgeFilter                     : SixMonths
MaxEmailAgeFilter                        : All
RequireSignedSMIMEAlgorithm              : SHA1
RequireEncryptionSMIMEAlgorithm          : TripleDES
AllowSMIMEEncryptionAlgorithmNegotiation : AllowAnyAlgorithmNegotiation
MinDevicePasswordComplexCharacters       : 1
MaxEmailBodyTruncationSize               : unlimited
MaxEmailHTMLBodyTruncationSize           : unlimited
UnapprovedInROMApplicationList           : {}
ApprovedApplicationList                  : {}
AllowExternalDeviceManagement            : False
MobileOTAUpdateMode                      : MinorVersionUpdates
AllowMobileOTAUpdate                     : True
IrmEnabled                               : True
AdminDisplayName                         :
pma111 asked:
Will Szymkowski (Senior Solution Architect) commented:
"I wasn't sure what "AllowNonProvisionableDevices" represents?"
This allows older devices that may not require, or be compatible with, the new security policies to connect using ActiveSync. This does not degrade new phones that can take full advantage of the new security features.

Remote Wipe is enabled by default unless you have otherwise disabled this feature.

Will.
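As an added example (not part of Will's answer or of the original thread), the following Exchange Management Shell snippet pulls out the settings from the posted output that decide whether a PIN is actually enforced, and shows a tightened version of the same settings. It assumes an Exchange 2010 shell, where the policy is managed with Get-/Set-ActiveSyncMailboxPolicy (on Exchange 2013 and later the cmdlets are Get-/Set-MobileDeviceMailboxPolicy with the same parameter names), and it selects the policy by its IsDefaultPolicy flag because the policy's name does not appear in the question. The -WhatIf switch is an assumption about how you would stage the change; remove it to apply.

```powershell
# Added example, not code from the thread. Assumes the Exchange 2010
# Management Shell; the policy is located by IsDefaultPolicy because its
# name is not given in the question.

$policy = Get-ActiveSyncMailboxPolicy | Where-Object { $_.IsDefaultPolicy }

# The settings from the posted output that matter for "is a PIN mandatory":
#   DevicePasswordEnabled            True      -> a password is required ...
#   AllowNonProvisionableDevices     True      -> ... but devices that cannot apply
#                                                 the policy may still sync
#   AllowSimpleDevicePassword        True      -> "1234"/"1111"-style PINs accepted
#   MaxInactivityTimeDeviceLock      unlimited -> the device never auto-locks
#   RequireDeviceEncryption          False     -> no storage encryption required
$policy | Format-List Name, IsDefaultPolicy, AllowNonProvisionableDevices,
    DevicePasswordEnabled, AlphanumericDevicePasswordRequired,
    AllowSimpleDevicePassword, MinDevicePasswordLength,
    MinDevicePasswordComplexCharacters, MaxInactivityTimeDeviceLock,
    MaxDevicePasswordFailedAttempts, RequireDeviceEncryption

# Tightened version of the same settings. Only the password/lock settings and
# the provisionable flag are changed; MaxDevicePasswordFailedAttempts (4) is
# already strict in the posted policy and is left alone.
# -WhatIf previews the change; remove it once reviewed.
Set-ActiveSyncMailboxPolicy -Identity $policy.Identity `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -WhatIf
```

Caveat before applying: with AllowNonProvisionableDevices set to $false, any device that cannot apply the full policy (older clients, or clients that only implement part of it) stops syncing at its next policy refresh, so inventory the connected devices first. RequireDeviceEncryption $true has the same blocking effect on devices without hardware encryption and is deliberately left out of the example.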

pma111 (Author) commented:
So it basically means "if you don't meet our security policy for ActiveSync, you can connect anyway"?
pma111 (Author) commented:
>Remote Wipe is enabled by default unless you have otherwise disabled this feature

How can you check whether this is enabled or has been disabled?

pma111 (Author) commented:
any view?
Will Szymkowski (Senior Solution Architect) commented:
Remote Wipe is based on the Security Policies by default and cannot be changed. You do however have "AllowNonProvisionableDevices : True", which means any device that does not pertain to the security policies (older phones) is excluded from this policy. Any new phones that abide by the Security Policy automatically have remote wipe enabled.

Remote Wipe is a security feature and cannot be changed. The only exception is if the phone does not support it.

Because you have AllowNonProvisionableDevices enabled you may have some devices that might not abide by this policy, depending on the age of the phone. This is something that only you can determine.

Will.
pma111 (Author) commented:
So are you saying "Remote Wipe is enabled by default unless you have otherwise disabled this feature" - you can't disable it? Excuse my ignorance, just trying to clarify the facts.
Will Szymkowski (Senior Solution Architect) commented:
Unless you completely disable ActiveSync for a mailbox, Remote Wipe will be enabled. Initially I thought you could disable this feature, but you cannot. Remote Wipe is part of the built-in security policies by default.

The only way a phone may not be part of this policy is when you have "AllowNonProvisionableDevices" enabled and you have a phone that is older and is not compatible with all of the new Security features built-in ActiveSync.

Will.
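To give the "how can you check whether this is enabled" question something concrete, here is an added example (not from the thread) that uses the Exchange 2010 Management Shell to confirm ActiveSync and the policy assignment for a mailbox, list each partnered device with whether the policy was applied and whether the device reports remote-wipe support, and then stage a wipe for one device. The mailbox name "pma111", the device filter and the notification address are placeholders. On Exchange 2013 and later the same steps use Get-MobileDeviceStatistics and Clear-MobileDevice.

```powershell
# Added example, not code from the thread. Assumes the Exchange 2010
# Management Shell; "pma111" and "secops@example.com" are placeholders.

# 1. Is ActiveSync on for the mailbox, and which policy is assigned to it?
#    Remote wipe is only possible at all while ActiveSync is enabled here.
Get-CASMailbox -Identity "pma111" |
    Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 2. Per-device view. DevicePolicyApplicationStatus tells you whether the
#    device actually took the policy (AppliedInFull) or is syncing only
#    because AllowNonProvisionableDevices lets it (NotApplied /
#    PartiallyApplied). IsRemoteWipeSupported is what the client reported.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox "pma111"
$devices | Format-Table DeviceType, DeviceModel, DeviceUserAgent,
    LastSuccessSync, DevicePolicyApplied, DevicePolicyApplicationStatus,
    IsRemoteWipeSupported -AutoSize

# Devices that are not under the full policy: these are the ones the
# AllowNonProvisionableDevices setting is letting through.
$notProvisioned = $devices |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" }
$notProvisioned | Format-Table DeviceType, DeviceModel,
    DevicePolicyApplicationStatus, LastSuccessSync -AutoSize

# 3. Stage a wipe for one device (lost/stolen case). The device filter is a
#    placeholder; the Identity comes from the statistics object above.
#    -WhatIf previews; remove it to actually queue the wipe.
$target = $devices |
    Where-Object { $_.DeviceType -eq "iPhone" } |
    Select-Object -First 1
if ($target) {
    Clear-ActiveSyncDevice -Identity $target.Identity `
        -NotificationEmailAddresses "secops@example.com" -WhatIf
}
```

A wipe is queued server-side and delivered the next time the device syncs; DeviceWipeRequestTime, DeviceWipeSentTime and DeviceWipeAckTime on a later Get-ActiveSyncDeviceStatistics call show whether it was sent and acknowledged. A device that never connects again never receives it, which is why the device PIN and auto-lock settings in the policy matter as much as the wipe capability.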