
Step 1: How to create an ActiveSync Mailbox Policy in Exchange Server 2007

Learn how to create an Exchange 2007 mobile device security policy, called an ActiveSync Mailbox Policy, that can password protect mobile devices on a per-user basis.

In Exchange Server 2003 SP2, you could create a mobile device security policy that required users to password protect their mobile devices. Once created, though, this policy applied globally to all mobile device users.

Exchange Server 2007 allows you to assign mobile device security policies on a per-user basis. These policies are called Exchange ActiveSync Mailbox Policies.

To create an Exchange ActiveSync Mailbox Policy in Exchange 2007:

  1. Open the Exchange Management Console and navigate to Organization Configuration -> Client Access to view any existing policies that apply to mobile devices in your organization.

  2. Click the New Exchange ActiveSync Mailbox Policy link found in the Actions pane to launch the New Exchange ActiveSync Mailbox Policy wizard, as shown in Figure 1.

    Figure 1: Exchange 2007 allows you to create ActiveSync Mailbox Policies.

  3. As you can see, there are a number of parameters that you can set within the policy. The first thing you have to do is to enter a name for the mobile device security policy you're creating. In most cases, it is best to enter a name that describes the policy's purpose.

  4. Below the Mailbox Policy Name field are a number of checkboxes that you can use to enable or disable various policy elements:

    • The first checkbox lets you decide whether to allow users to use non-provisionable mobile devices, that is, the older mobile devices with which the mobile device security policy you are creating is not compatible.

      If security is really important to you, leave this checkbox blank so that Exchange Server 2007 will not allow those types of mobile devices to be used. Remember though that leaving the checkbox deselected does not constitute a global ban on older mobile devices -- the ban will only apply to those users to whom the policy has been assigned.

    • The next checkbox is pretty self-explanatory. It allows you to control whether or not mobile users are allowed to download email attachments to their mobile devices.

      Whether or not you should allow email attachment downloads really depends on the nature of your business. For example, if you work for a real estate firm, and the agents in your office need to be able to review contracts, then you probably want to allow attachment downloads.

      On the other hand, if your users don't usually have a legitimate business need for downloading email attachments, you might want to prohibit attachment downloads as an antivirus measure and to conserve bandwidth. Since many mobile carriers charge based on the amount of data downloaded, you might also save a considerable amount of money by blocking email attachments.

    • The lower section allows you to require a password, and then set the parameters for that password. For example, you can set the password length and complexity requirements. You can also control the amount of time that a mobile device can be idle before it locks itself and requires the user to re-enter the password for continued use.

  5. Once you've enabled and disabled the mobile device security policy options to your liking, click the New button and the ActiveSync Mailbox Policy will be created.

  6. When the creation process completes, click the Finish button to close the wizard.

The mobile device security policy you just created will now be listed in the Organization Configuration -> Client Access container, as shown in Figure 2.

Figure 2: The new policy is in Organization Configuration -> Client Access.
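The wizard settings described above can also be applied from the Exchange Management Shell. The following is an added example, not part of the original article; the policy name, password length and lock timeout are assumed values chosen for illustration. The closing loop is an added check that reports any policy still allowing non-provisionable devices or not requiring a password.

```powershell
# Added example: run in the Exchange Management Shell on Exchange Server 2007.
# The policy name and numeric values below are assumptions, not from the article.
$policyName = 'Field Staff - Password Required'   # hypothetical policy name

# Create the policy only if no policy with this name exists yet.
$existing = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $existing) {
    # Each parameter corresponds to a checkbox or field in the wizard:
    #   AllowNonProvisionableDevices       -> first checkbox (left blank here)
    #   AttachmentsEnabled                 -> attachment download checkbox
    #   DevicePasswordEnabled and below    -> lower "require password" section
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -AllowNonProvisionableDevices $false `
        -AttachmentsEnabled $true `
        -DevicePasswordEnabled $true `
        -AlphanumericDevicePasswordRequired $true `
        -MinDevicePasswordLength 6 `
        -MaxInactivityTimeDeviceLock '00:15:00'
}

# Review every policy in the organization (the same list the console shows
# under Organization Configuration -> Client Access).
Get-ActiveSyncMailboxPolicy |
    Format-Table Name, AllowNonProvisionableDevices, AttachmentsEnabled, `
        DevicePasswordEnabled, MinDevicePasswordLength, `
        MaxInactivityTimeDeviceLock -AutoSize

# Report policies whose settings weaken the controls this article describes.
Get-ActiveSyncMailboxPolicy | ForEach-Object {
    $findings = @()
    if ($_.AllowNonProvisionableDevices) {
        $findings += 'non-provisionable devices allowed'
    }
    if (-not $_.DevicePasswordEnabled) {
        $findings += 'device password not required'
    }
    if ($findings.Count -gt 0) {
        Write-Output ("{0}: {1}" -f $_.Name, ($findings -join '; '))
    }
}
```

As with the wizard, creating the policy does not apply it to anyone; it takes effect only for the users to whom it is assigned.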



Brien M. Posey, MCSE
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at
