Architects and administrators should define and apply Outlook Web App mailbox policies in Exchange 2013 to ensure a consistent end-user experience.
Outlook Web App (OWA) mailbox policy configuration options can be broken down into three main categories: features, file access and offline access.
Features. This policy category allows an administrator to configure the Outlook Web App mailbox features available to end users. These features are spread across the categories of communication management, information management, security, user experience and time management. In the user experience feature category, for example, an admin can specify whether end users may select from a range of themes in OWA.
Controlling OWA mailbox features can be important for organizations that must launch only basic OWA messaging functionality for certain groups, such as factory floor workers. In these scenarios, an Exchange administrator can use Outlook Web App mailbox policies to disable nonessential features for end users, such as instant messaging, unified messaging, journaling and tasks.
File access. In the file access category of OWA mailbox policies, admins can control how end users view and access attachments from computers. This is an important security feature for organizations that must closely control attachment access within OWA.
Offline access. This policy category for Outlook Web App controls whether end users can access email from the OWA mailbox when working offline from the network.
OWA mailbox policies and restrictions
There are two steps to deploy Outlook Web App mailbox policies: create the policies and then apply them to the desired mailboxes. Admins can create, configure and apply OWA mailbox policies in the Exchange Administration Center or the Exchange Management Shell.
To create and configure OWA mailbox policies in the Exchange Administration Center, select the Permissions option from the feature pane and then choose the Outlook Web App Policies tab. In the Exchange Management Shell, an Exchange admin will use the following four cmdlets to create and manage OWA mailbox policies:
- New-OwaMailboxPolicy to create new policies;
- Get-OwaMailboxPolicy to retrieve policy settings;
- Set-OwaMailboxPolicy to modify policy settings; and
- Remove-OwaMailboxPolicy to remove policies.
There are a few caveats for admins when setting OWA mailbox policies. According to Microsoft, it can take up to 60 minutes for changes made to OWA mailbox policies to take effect. It's possible to work around this delay by running the IISRESET /noforce command on the Exchange 2013 mailbox server; however, change control procedures will play a part in determining when this is possible.
In addition, certain parameters of Exchange Management Shell cmdlets are only available in the on-premises version of Exchange 2013, while other parameters are only available in Exchange Online. For example, the DisableFacebook parameter of the Set-OwaMailboxPolicy cmdlet, which is used to control whether Facebook integration is enabled or disabled in OWA, is not available in the on-premises version of Exchange 2013.
On the other hand, the DomainController parameter of the New-OwaMailboxPolicy cmdlet, which is used to specify an on-premises domain controller that configuration changes are written to, is only available in the on-premises version of Exchange 2013. So, be sure you understand parameter environment restrictions, particularly if running a hybrid Exchange environment.
To apply Outlook Web App mailbox policies to end user mailboxes, use the Set-CASMailbox cmdlet, which applies client access settings against mailboxes. The specific parameter used to specify the OWA mailbox policy is the OwaMailboxPolicy parameter, where the name of the policy is supplied as the value of this parameter.
Accurately scope which mailboxes will receive the desired OWA mailbox policy; otherwise, policies could be applied to the wrong mailboxes, leading to inconsistent end-user experiences.
Setting the OwaMailboxPolicy parameter to a value of $null will remove any policy from that mailbox. Attempts to remove actual OWA mailbox policies will succeed -- as long as those policies aren't applied to any mailboxes. If the policies are applied to mailboxes, admins will receive a warning message and the policy won't be removed.
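The two deployment steps above, run from the Exchange Management Shell for the factory floor scenario, are sketched in the following added example; it is not taken from the original article. The policy name and organizational unit are hypothetical, and the feature parameters shown are one possible mapping of the features, file access and offline access categories.

```powershell
# Added example. The policy name and OU below are hypothetical placeholders.
$policyName = 'FactoryFloor-Basic'
$targetOu   = 'OU=FactoryFloor,DC=example,DC=com'

# Step 1: create the policy, then disable nonessential features and
# restrict the file access and offline access categories.
New-OwaMailboxPolicy -Name $policyName | Out-Null

$settings = @{
    Identity                                 = $policyName
    InstantMessagingEnabled                  = $false   # instant messaging
    UMIntegrationEnabled                     = $false   # unified messaging
    JournalEnabled                           = $false   # journaling
    TasksEnabled                             = $false   # tasks
    ThemeSelectionEnabled                    = $false   # user experience
    DirectFileAccessOnPublicComputersEnabled = $false   # file access
    AllowOfflineOn                           = 'NoComputers'  # offline access
}
Set-OwaMailboxPolicy @settings

# Confirm what was written before assigning the policy to anyone.
Get-OwaMailboxPolicy -Identity $policyName |
    Format-List Name, *MessagingEnabled, UMIntegrationEnabled, JournalEnabled,
                TasksEnabled, DirectFileAccess*, AllowOfflineOn

# Step 2: scope the target mailboxes and review the list, including any
# policy they already carry, before changing anything.
$targets = Get-CASMailbox -OrganizationalUnit $targetOu -ResultSize Unlimited
$targets | Sort-Object Name | Format-Table Name, OwaMailboxPolicy -AutoSize

# Dry run: -WhatIf reports each mailbox that would change and changes nothing.
$targets | Set-CASMailbox -OwaMailboxPolicy $policyName -WhatIf

# Apply once the dry-run output matches the intended scope.
$targets | Set-CASMailbox -OwaMailboxPolicy $policyName

# Verify: every mailbox in scope should now be grouped under the new policy.
Get-CASMailbox -OrganizationalUnit $targetOu -ResultSize Unlimited |
    Group-Object OwaMailboxPolicy | Format-Table Count, Name -AutoSize

# Rollback for one mailbox ($null clears the assignment), then the policy:
#   Set-CASMailbox -Identity <mailbox> -OwaMailboxPolicy $null
#   Remove-OwaMailboxPolicy -Identity $policyName
```

Allow for the delay of up to 60 minutes described above before testing the result in OWA.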
Set and apply default policies in OWA mailbox
A default OWA mailbox policy named "Default" is created when Exchange 2013 is first installed. This policy has all features and options enabled, with the exception that it does not force WebReady document viewing when a converter is available.
Even though this default OWA mailbox policy is created when you first install Exchange 2013, it is not automatically applied to any mailboxes. To confirm this, run the Get-CASMailbox cmdlet against a newly created mailbox and examine the value of the OwaMailboxPolicy property; it will be blank by default.
In an on-premises Exchange 2013 deployment, there can still be associated OWA configuration options on this mailbox. Admins can also configure OWA features by making relevant changes at the OWA virtual directory level -- using either the Exchange Administration Center or the Set-OwaVirtualDirectory cmdlet.
If a mailbox does not have an Outlook Web App mailbox policy applied to it, the corresponding settings at the virtual directory level will apply. However, any settings specified in an OWA mailbox policy will override the same settings specified on the OWA virtual directory. Therefore, an Exchange administrator must understand whether any settings have been specified at the OWA virtual directory level, particularly when troubleshooting policy issues.
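When troubleshooting, it helps to list which mailboxes have no policy and therefore fall back to the virtual directory, and where a policy and the virtual directories disagree. The following is an added example, not part of the original article; the list of settings compared is an illustrative selection, and the policy inspected is the built-in "Default" policy.

```powershell
# Added example. The settings compared here are an illustrative selection.
$settingNames = 'InstantMessagingEnabled', 'UMIntegrationEnabled',
                'JournalEnabled', 'TasksEnabled',
                'DirectFileAccessOnPublicComputersEnabled',
                'DirectFileAccessOnPrivateComputersEnabled'

# 1. Mailboxes with no OWA mailbox policy: these take their OWA settings
#    from the OWA virtual directory they connect through.
$noPolicy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { -not $_.OwaMailboxPolicy }
"Mailboxes without an OWA mailbox policy: $(@($noPolicy).Count)"
$noPolicy | Sort-Object Name | Format-Table Name, OwaMailboxPolicy -AutoSize

# 2. The virtual directory settings those mailboxes inherit.
$vdirs = Get-OwaVirtualDirectory
$vdirs | Select-Object (@('Server', 'Name') + $settingNames) | Format-List

# 3. Where a policy differs from a virtual directory, the policy value wins
#    for any mailbox the policy is applied to. List each difference.
$policy = Get-OwaMailboxPolicy -Identity 'Default'
$differences = foreach ($vdir in $vdirs) {
    foreach ($name in $settingNames) {
        if ($vdir.$name -ne $policy.$name) {
            [pscustomobject]@{
                Server           = $vdir.Server
                Setting          = $name
                VirtualDirectory = $vdir.$name   # applies when no policy is set
                Policy           = $policy.$name # applies when policy is set
            }
        }
    }
}
$differences | Format-Table -AutoSize
```

An empty table in step 3 means the compared settings behave the same with or without the policy assigned.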