Implementing Exchange ActiveSync mailbox policy best practices

Exchange ActiveSync mailbox policy implementation is different for every organization, but that doesn't mean there are no best practices to follow.

With the explosion of mobile devices in the enterprise, keeping the email and data on those devices secure has grown exceedingly critical. ActiveSync mailbox policies are the primary mechanism for managing mobile device security in Exchange Server, but deciding which policy settings to use, which policies to create and when to apply them can prove vexing. There is no single "right" way to design Exchange ActiveSync mailbox policies, but there are best practices you should follow.

Exchange ActiveSync mailbox policies: One size does not fit all

Different users have different needs. Therefore, it doesn't make sense to use a "one-size-fits-all" ActiveSync mailbox policy, nor should you use the default policy. Instead, be prudent and create a series of specialized policies and assign them on an as-needed basis.

After deciding to move forward with specialized Exchange ActiveSync mailbox policies, the first step is to create the policies you're going to need (more on that later). The next step is to disable ActiveSync for all mailboxes, so that no existing mailbox keeps running under the default ActiveSync policy. Note that this only affects mailboxes that exist when you run it: Exchange enables ActiveSync on newly created mailboxes by default, so repeat the command periodically or fold it into your provisioning process. The easiest way to disable ActiveSync is to open the Exchange Management Shell (EMS) and enter the following command:

# -ResultSize Unlimited is required: Get-Mailbox returns only the first 1,000 mailboxes by default.
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncEnabled $false

The next step is to apply a custom ActiveSync policy to a subset of your Exchange Server mailboxes. There are various criteria you can consider here, but one common approach involves basing the ActiveSync mailbox policy assignment on Active Directory group membership.

For example, let's say you want to enable ActiveSync and apply an ActiveSync mailbox policy named "FullUse" to all the members of an Active Directory group named "Executives." In short, you want to give the executives in your organization unrestricted ActiveSync use, and you do that via the following PowerShell script:

# The group must be mail-enabled (a distribution group or mail-enabled security group);
# Get-DistributionGroupMember cannot resolve a plain Active Directory security group.
$GroupMembers = Get-DistributionGroupMember -Identity 'Executives' -ResultSize Unlimited

ForEach ($member in $GroupMembers) {
       # Enable ActiveSync and assign the policy in one call per mailbox
       $member | Set-CASMailbox -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy 'FullUse'
}

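The two steps above, disabling ActiveSync everywhere and then re-enabling it group by group, are easier to audit when driven from a single group-to-policy map. The following script is an added example, not code from the article; the policy names "FullUse" and "Standard" and the group "Field Staff" are hypothetical, and it is meant to be run in the Exchange Management Shell.

```powershell
# Added example: stage the ActiveSync lockdown end to end.
# Assumptions: policies named 'FullUse' and 'Standard' already exist, and the
# groups 'Executives' and 'Field Staff' are mail-enabled groups (hypothetical names).

# 1. Disable ActiveSync on every existing user mailbox. -ResultSize Unlimited matters:
#    Get-Mailbox returns only the first 1,000 objects by default, which would silently
#    leave the rest enabled under the default policy.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-CASMailbox -ActiveSyncEnabled $false

# 2. Map each group to the policy its members should receive.
$Assignments = @{
    'Executives'  = 'FullUse'
    'Field Staff' = 'Standard'
}

foreach ($group in $Assignments.Keys) {
    $policy = $Assignments[$group]

    # Fail early if the policy was never created; otherwise Set-CASMailbox errors once per user.
    if (-not (Get-ActiveSyncMailboxPolicy -Identity $policy -ErrorAction SilentlyContinue)) {
        throw "ActiveSync mailbox policy '$policy' does not exist; create it before assigning it."
    }

    # Get-DistributionGroupMember does not expand nested groups and can return
    # contacts or mail users, which Set-CASMailbox rejects, so keep only mailboxes.
    Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' } |
        Set-CASMailbox -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy $policy
}

# 3. Report who ends up enabled and under which policy, so the result can be reviewed.
#    Anything listed here without an explicit policy is still on the default policy.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncMailboxPolicy |
    Sort-Object ActiveSyncMailboxPolicy, Name |
    Format-Table -AutoSize
```

Because step 1 only touches mailboxes that exist at run time, and new mailboxes are ActiveSync-enabled by default, the whole script is safe to re-run on a schedule: it is idempotent, and each run brings newly provisioned mailboxes back into line.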

Exchange ActiveSync mailbox policy criteria

If you're familiar with PowerShell, you can see it's relatively easy to create an ActiveSync mailbox policy and assign it to members of various Active Directory groups. The biggest challenge is deciding which policies you should create and who to assign those policies to.

The good news is that there really isn't a right or wrong way to build ActiveSync mailbox policies. Every organization has its own unique needs, and it's best to adopt whatever policy creation and assignment process meets your organization's needs. That said, here are some techniques I recommend.

  • Device-based policies

Different device makes and models support different policy settings. Therefore, some organizations choose to create policies based on the device's capabilities. For example, you can create a policy for Windows Phone 8 devices and a separate policy for iOS devices. This is important to understand because iOS does not support all of the available policy settings; a device that cannot enforce a setting simply reports the policy as partially applied rather than refusing to sync, so check what each platform honors before relying on a setting.

Also, some organizations base their policies on the distinction between corporate-owned devices and users' personal devices. You may choose to create a policy for corporate-owned devices that disables the camera and Bluetooth connectivity, and then have another policy for users' personal devices that is considerably more permissive.

  • Job-function policies

Many corporations also tailor ActiveSync policy settings to job function, whether by disabling mobile device hardware that is not explicitly required for a user's job or by tightening the password requirements for roles that handle sensitive data.

For example, employees in the research and development department probably have a lot more sensitive information on their mobile devices than most, so it is wise to create a policy that requires much more complex passwords for these employees' devices.
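The device-based and job-function distinctions above translate directly into policy settings. The following is an added example, not the article's code: it defines three illustrative policies (the names, thresholds and the "R&D" mapping are assumptions) with New-ActiveSyncMailboxPolicy, then checks which devices actually honored their policy. Exchange 2013 and later also expose the same parameters under New-MobileDeviceMailboxPolicy and Get-MobileDeviceStatistics.

```powershell
# Added example: encode device ownership and job function as separate policies.
# Policy names and every threshold below are illustrative assumptions.
# Hardware controls (AllowCamera, AllowBluetooth, AllowStorageCard) are Enterprise CAL features.

# Corporate-owned devices: lock down hardware the job does not need.
New-ActiveSyncMailboxPolicy -Name 'CorpOwned' `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:10:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowCamera $false `
    -AllowBluetooth Disable `
    -AllowStorageCard $false `
    -AllowNonProvisionableDevices $false

# Personal (BYOD) devices: same authentication baseline, hardware left alone.
New-ActiveSyncMailboxPolicy -Name 'Personal' `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# R&D: stronger password rules because these devices carry more sensitive data.
New-ActiveSyncMailboxPolicy -Name 'RnD' `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 10 `
    -MinDevicePasswordComplexCharacters 3 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -MaxDevicePasswordFailedAttempts 5 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Verification: a policy only protects data if the device honors it. Each device
# reports whether it applied its policy in full, partially (typical when a setting
# such as AllowBluetooth is unsupported on that platform) or not at all.
# -ErrorAction SilentlyContinue skips mailboxes that have no ActiveSync partnership.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity -ErrorAction SilentlyContinue } |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Select-Object Identity, DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus |
    Format-Table -AutoSize
```

The verification query is the check worth keeping: run it after a policy change and after new device platforms appear, and treat every "PartiallyApplied" row as a setting your policy assumes but that platform does not enforce.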

About the author
Brien Posey is a ten-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a chief information officer at a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.
