In this day and age, practically everyone uses their smartphone to check their E-mail while they are on the go. Even so, mobile access to an Exchange inbox is not without risk. A lost or stolen mobile device could, for example, allow an unauthorized person unrestricted access to the sensitive information within the device owner’s mailbox. Fortunately, Exchange Server provides a mechanism for ensuring that mobile devices connecting to Exchange Server are properly secured.
The primary tool for enforcing mobile device security is the mobile device mailbox policy. This policy determines the security requirements for users’ mobile devices. For example, a mobile device mailbox policy might be configured to require users to secure their devices with a password. Of course, mobile device mailbox policies can also be used to require device-level security that is far more comprehensive.
Although Exchange Server provides a default policy that applies to all users, it is possible to create multiple mobile device mailbox policies and apply those policies on an as-needed basis. This is useful for situations in which some users need a higher degree of security than others.
To apply a mobile device mailbox policy to a user’s mailbox, open the Exchange Admin Center, and click on the Recipients container. Next, click on the recipient whose mailbox you want to modify, and then click on the Edit icon. Now, select the Mailbox Features tab within the resulting dialog box, and then scroll down to the Mobile Devices section. Click the View Details link, and you will see a Mobile Device Details window that is similar to the one that is shown in Figure A. As you can see in the figure, this mailbox is configured to use the default mobile device mailbox policy, but you can click the Browse button to select a different policy.
This mailbox is using the Default mobile device mailbox policy.
The policies themselves can be found within the Exchange Admin Center, by clicking on the Mobile container, and then clicking on the Mobile Device Mailbox Policies tab, as shown in the figure below. Here you can see the default policy that was applied to the user’s mailbox, but it is also possible to create additional policies by clicking on the New icon. That way, you can apply different policies to different groups of users.
You can find the policies on the Mobile Device Mailbox Policies tab.
To edit a mobile device mailbox policy, select the policy, and then click on the Edit icon. Upon doing so, your browser will display a pop-up window that allows you to edit the policy. This window is divided into two tabs.
The first of these tabs is the General tab, which you can see in the next figure. As you can see, this tab contains three settings. First, there is the policy name. Every mobile device mailbox policy has to have a name assigned to it, and this is where the name is assigned. Second, the window contains a checkbox that you can use to designate the policy as the default policy. Exchange only allows for a single default policy. Finally, there is a checkbox that you can select if you wish to allow mobile devices that do not fully support the policy. I will come back to this one in a moment.
The General tab contains the policy name, and a couple of check boxes.
The window’s second tab is the Security tab, which you can see in the figure below. This tab provides the security settings that can be applied to mobile devices. As you can see, the Security tab exposes a rather modest collection of settings. It can, for example, be used to require a password, require device-level encryption, or enforce a specific degree of password complexity.
The Security tab provides settings that can be used to configure device password and encryption requirements.
So as you can see, mobile device mailbox policies are pretty straightforward. You can either modify the default policy or create your own policy, and then apply it to the users’ mailboxes. In spite of this simplicity, there is one more issue that needs to be addressed.
As you may recall, the Mobile Device Mailbox Policy dialog box’s General tab contained a setting called Allow Mobile Devices that Don’t Fully Support These Security Policies, and I said that I would talk about this setting later on. As the setting’s name implies, this check box, if enabled, will allow a user to use a mobile device even if the device does not recognize all of the settings within the mobile device mailbox policy.
At first, this might seem a little bit strange when you consider that the settings shown on the Security tab relate primarily to password complexity and encryption. These are all standard functions, which should be supported by almost any mobile device. So why the setting to allow non-compatible devices?
This setting exists because Exchange supports far more policy settings than the ones that are exposed through the Security tab. Most of the policy settings can only be configured through the Exchange Management Shell. In fact, policy settings exist that will allow you to disable Wi-Fi on the device or disable the device camera. You can also block consumer mail (such as Gmail or Hotmail), or disable Bluetooth. There are dozens of security settings available, but not every device works with every security setting. As such, the Allow Mobile Devices that Don’t Fully Support These Security Policies check box essentially determines whether mobile device security will be strictly enforced (devices that cannot apply every setting are not allowed to synchronize) or loosely enforced based on a device’s capabilities. Incidentally, you can find a list of the available security settings at: https://technet.microsoft.com/en-us/library/bb123756(v=exchg.160).aspx
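The following Exchange Management Shell session is an added example, not code from the original article or from Microsoft. It shows the shell equivalent of the three steps described above: creating a policy that includes the settings the Security tab does not expose (Wi-Fi, camera, Bluetooth, consumer mail), assigning it to a mailbox in place of the Browse button in Figure A, and checking which policy each device actually reports having applied. The policy name "Finance-Strict" and the mailbox "jdoe@example.com" are assumed placeholders; the parameter names are the documented ones for Exchange 2013 and 2016.

```powershell
# Added example (not from the original article). Assumes an Exchange 2013/2016
# Management Shell session; "Finance-Strict" and "jdoe@example.com" are
# hypothetical placeholder values.

# 1. Create a policy. The first block corresponds to the EAC Security tab;
#    the second block contains settings that are only available in the shell.
New-MobileDeviceMailboxPolicy -Name "Finance-Strict" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 8 `
    -MinPasswordComplexCharacters 2 `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock "00:05:00" `
    -PasswordExpiration "90.00:00:00" `
    -PasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowWiFi $false `
    -AllowCamera $false `
    -AllowBluetooth Disable `
    -AllowConsumerEmail $false `
    -AllowNonProvisionableDevices $false   # the "Allow mobile devices that don't fully support..." check box, left cleared for strict enforcement

# 2. Assign the policy to one mailbox (the shell equivalent of Figure A's Browse button).
Set-CASMailbox -Identity "jdoe@example.com" -ActiveSyncMailboxPolicy "Finance-Strict"

# 3. Confirm the assignment, then look at what each of the user's devices reports.
Get-CASMailbox -Identity "jdoe@example.com" |
    Format-List ActiveSyncMailboxPolicy, ActiveSyncEnabled

Get-MobileDeviceStatistics -Mailbox "jdoe@example.com" |
    Format-Table DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus, DeviceAccessState, LastSuccessSync

# 4. Organisation-wide: list every device that did not apply its policy in full.
#    With AllowNonProvisionableDevices set to $false these devices are blocked from
#    synchronising; with it set to $true they sync under a partially applied policy.
Get-MobileDevice -ResultSize Unlimited |
    Get-MobileDeviceStatistics |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Select-Object Identity, DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus
```

Step 4 is the check worth running before tightening a policy: it shows which devices would be cut off if the allow-non-provisionable check box were cleared. Keep in mind that the policy is delivered to the device through ActiveSync provisioning and it is the mail client on the device that applies it, so the DevicePolicyApplicationStatus value is what the client reports, not something the server can independently verify.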
In most cases, it probably isn’t going to be necessary to be too heavy-handed with mobile device security policies. Even so, numerous policy settings exist that you can use to tailor your mobile device security policies to meet your organization’s own unique needs.