The Windows Embedded Compact 7 release adds support for Microsoft Exchange ActiveSync Over The Air (OTA) and Desktop Pass Through (DTPT) synchronization. This release makes this functionality available to original equipment manufacturer (OEM), original device manufacturer (ODM), and independent software vendor (ISV) partners, and to enterprise and consumer end users. Virtually all Exchange server administrators use Exchange mailbox policies so that mobile devices can securely connect to an enterprise’s Exchange server. This article describes the Exchange mailbox policies that Windows Embedded Compact 7 supports.
Exchange ActiveSync is a Microsoft Exchange synchronization protocol that is optimized for high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, gives mobile devices access to an organization's information on a server that is running Microsoft Exchange. Using Exchange ActiveSync, mobile device users can work with their email, calendar, contacts, and tasks, and maintain access to this information when they are working offline. When the mobile device requests information about an email account, the Exchange server automatically broadcasts mailbox status changes to the mobile device. The technology that makes this synchronization possible is called Direct Push.
The first time that a mobile device connects to an Exchange server, the server pushes Exchange group mailbox policies down to the mobile device. The most basic set of these policies is used to secure the mobile device itself.
Device Lock makes a mobile device work like a smart card: users must enter a personal identification number (PIN) to lock the mobile device when it is not in use. Windows Embedded Compact 7 supports all Exchange Group Mailbox Policies associated with Device Lock along with other Exchange mailbox policies. Table 1 lists all mailbox policies that Windows Embedded Compact 7 supports.
Device Lock is defined by the interactions among the following mailbox group policies:
Prevents device users from choosing a PIN that contains a simple pattern such as ‘1111,’ predictable sequences such as ‘1234’ or ‘1357,’ or one that has too few digits such as ‘22.’
Gives an Exchange server administrator the ability to remotely set the expiration time of a password or PIN on a device.
Gives device users the ability to request a password or PIN reset and ensures that devices lock reliably. When a user requests a PIN reset, the user must meet the requirements that are defined for unlocking the device.
Gives Exchange server administrators the ability to require users to select a new password or PIN that is different from a previous password. Also provides the user with data about the number of stored passwords if the new password matches a previous password.
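The PIN rules described above, together with the password settings listed in Table 1 (minimum length, simple password, alphanumeric requirement, complex characters), can be combined into one check. The following C code is an added example, not code from Windows Embedded Compact or Exchange; the `lock_policy` structure, the `check_password` function and the constant-step definition of a simple pattern are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy record: the field names are assumptions that mirror
   the settings in Table 1; this is not an Exchange or Windows CE structure. */
typedef struct {
    size_t min_length;    /* Minimum password length */
    int    allow_simple;  /* Allow simple password */
    int    require_alnum; /* Alphanumeric password required */
    size_t min_complex;   /* Minimum device password complex characters */
} lock_policy;

typedef enum { PW_OK, PW_TOO_SHORT, PW_SIMPLE, PW_NOT_ALNUM, PW_FEW_COMPLEX } pw_result;
/* Assumed definition of "simple": every character differs from the previous
   one by the same step: 0 gives "1111", 1 gives "1234", 2 gives "1357". */
static int is_simple(const char *pw, size_t len)
{
    if (len < 3) return 1;               /* too short to show any variation */
    int step = pw[1] - pw[0];
    for (size_t i = 2; i < len; i++)
        if (pw[i] - pw[i - 1] != step) return 0;
    return 1;
}

pw_result check_password(const lock_policy *p, const char *pw)
{
    size_t len = strlen(pw), digits = 0, letters = 0;
    for (size_t i = 0; i < len; i++) {
        if (isdigit((unsigned char)pw[i])) digits++;
        if (isalpha((unsigned char)pw[i])) letters++;
    }
    if (len < p->min_length) return PW_TOO_SHORT;
    if (!p->allow_simple && is_simple(pw, len)) return PW_SIMPLE;
    /* Table 1: both numeric and nonnumeric characters must be present. */
    if (p->require_alnum && (digits == 0 || digits == len)) return PW_NOT_ALNUM;
    /* Table 1: a complex character is any character that is not a letter. */
    if (len - letters < p->min_complex) return PW_FEW_COMPLEX;
    return PW_OK;
}

int main(void)
{
    const lock_policy pin = { 4, 0, 0, 0 };      /* constructed sample policy */
    const char *samples[] = { "22", "1111", "1234", "1357", "2580" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-5s -> %d\n", samples[i], check_password(&pin, samples[i]));
    return 0;
}
```

The constant-step test also catches descending runs such as "4321"; it does not catch wrap-around sequences, which a production check would need to handle separately.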
Table 1: Exchange ActiveSync mailbox policy settings with a standard CAL (Client Access License)
| Setting | Description | Supported? |
| --- | --- | --- |
| Allow HTML email | Specifies whether email synchronized to the device can be in HTML format. If this setting is set to $false, all email is converted to plain text. | Yes |
| Allow non-provisionable devices | Specifies whether older devices that may not support all policy settings can connect to Exchange 2007 by using Exchange ActiveSync. | |
| Allow simple password | Enables or disables the ability to use a simple password such as 1234. The default value is $true. | |
| Allow S/MIME software certificates | Specifies whether S/MIME software certificates are allowed on the mobile device. | No |
| Alphanumeric password required | Sets up a requirement that a password contain both numeric and nonnumeric characters. | |
| Attachments enabled | Allows the mobile device to download attachments. | |
| Device encryption enabled | Enables encryption on the device. Not all devices can enforce encryption. | |
| Password enabled | Enables the device password. | |
| Password expiration | Defines the length of time after which a device password must be changed. | |
| Password history | Specifies the number of past passwords that a user's mailbox can store. A user cannot reuse a stored password. | |
| Policy refresh interval | Defines how frequently the device updates the Exchange ActiveSync policy from the server. | |
| Maximum attachment size | Specifies the maximum size of attachments that the device downloads automatically. | |
| Maximum calendar age filter | Specifies the maximum range of calendar days that can be synchronized to the device. | |
| Maximum failed password attempts | Specifies how many times the device user can enter an incorrect password before the device performs a wipe of all data. | |
| Maximum inactivity time lock | Specifies the length of time that a device can go without user input before it locks. | |
| Minimum password length | Specifies the minimum password length. | |
| Maximum email age filter | Specifies the maximum number of days' worth of email items to synchronize to the device. | |
| Maximum HTML email body truncation size | Specifies the size, in kilobytes (KB), beyond which HTML-formatted email messages are truncated when they are synchronized to the device. | |
| Minimum device password complex characters | Specifies the minimum number of complex characters required in a device password. A complex character is any character that is not a letter. | |
| Maximum email body truncation size | Specifies the size, in kilobytes (KB), beyond which email messages not in HTML format are truncated when they are synchronized to the device. | |
| Password recovery | Allows the device to generate a recovery password that is sent to the server. If the user forgets the device password, the user can use the recovery password to unlock the device and create a new device password. | |
| Require device encryption | Specifies whether device encryption is required. If set to $true, the device must be able to support and implement encryption to synchronize with the server. | |
| Require encrypted S/MIME messages | Specifies whether S/MIME messages must be encrypted. | |
| Require manual synchronization while roaming | Specifies whether the device can only synchronize manually while roaming. Automatic device synchronization while roaming frequently leads to larger-than-expected data costs for the mobile device plan. | |
| Require storage card encryption | Specifies whether the storage card must be encrypted. Not all mobile device operating systems support storage card encryption. For more information, see your device and mobile operating system documentation. | |
| UNC file access | Enables access to files that are stored on Windows file share (UNC) shares. | |
| WSS file access | Enables access to files that are stored in Microsoft Windows SharePoint Services document libraries. | |
Table 2: Exchange ActiveSync mailbox policy settings with an enterprise CAL (Client Access License)
| Setting | Description |
| --- | --- |
| Allow Bluetooth | Specifies whether a mobile device permits Bluetooth connections. The available options are Disable, HandsFree Only, and Allow. |
| Allow browser | Specifies whether Pocket Internet Explorer is permitted on the mobile device. This setting does not affect third-party browsers installed on the device. |
| Allow camera | Specifies whether the mobile device camera can be used. |
| Allow consumer email | Specifies whether the mobile device user can configure a personal email account (either POP3 or IMAP4) on the device. |
| Allow desktop sync | Specifies whether the mobile device can synchronize with a computer through a cable, Bluetooth, or IrDA connection. |
| Allow Internet sharing | Specifies whether the mobile device can be used as a modem for a desktop or portable computer. |
| Allow IrDA | Specifies whether infrared connections are permitted to and from the mobile device. |
| Allow POP IMAP email | Specifies whether the user can configure a POP3 or an IMAP4 email account on the device. |
| | Specifies whether the mobile device can initiate a remote desktop connection. |
| Allow storage card | Specifies whether the mobile device can access information that is stored on a storage card. |
| Allow text messaging | Specifies whether text messaging is permitted from the device. |
| Allow unsigned applications | Specifies whether unsigned applications can be installed on the device. |
| Allow unsigned installation packages | Specifies whether an unsigned installation package can be run on the device. |
| Allow Wi-Fi | Specifies whether wireless Internet access is permitted on the device. |
| Approved application list | Specifies a list of approved applications that can be run on the device. |
| Unapproved in ROM application list | Specifies a list of applications that cannot be run in ROM. |