Posey's Tips & Tricks
ActiveSync Policies and Windows Phone 7 Walkthrough
Windows Phone 7's ActiveSync support leaves something to be desired -- Brien Posey walks you through what's available, what's not and why.
Even though Microsoft has said from the beginning that Windows Phone 7 was a consumer device, I have to admit that I was shocked by the device's lack of support for ActiveSync policies. In case you are not familiar with ActiveSync policies, they are group policy settings used by Exchange Server in an effort to secure mobile devices used in enterprise environments.
In all fairness, ActiveSync policies are not universal. Historically, Apple, Google, and other manufacturers of mobile device operating systems have only supported a subset of the available ActiveSync policies. Microsoft even publishes a list of which ActiveSync policy settings are supported by which mobile operating systems.
Because not every mobile operating system supports every ActiveSync policy setting, Microsoft create a setting within the Exchange ActiveSync Mailbox policies that allows administrators to prevent non provisionable devices from being used with ActiveSync. Of course Windows Mobile 6.1 and 6.5 were fully provisionable, so it seems odd that the Windows Phone 7 operating system would lack support for some of the ActiveSync policy settings.
Microsoft hasn't completely abandoned support for ActiveSync policy settings in Windows Phone 7. There are seven ActiveSync policy settings that are still supported. These policy settings include:
- Password Required
- Minimum Password Length
- Idle Timeout Frequency Value
- Device Wipe Threshold
- Allow Simple Password
- Password Expiration
- Password History
It is worth nothing that the Password Required setting is the only ActiveSync Policy Setting that is supported by the Windows Phone 7 operating system regardless of whether the organization is using Exchange 2003 SP2, Exchange 2007 and Exchange 2010. All of the other policy settings are only supported in organizations using Exchange 2007 or Exchange 2010.
So what happens if you try to use some of the other ActiveSync policy settings with a Windows Phone 7 device? Well, some policy settings always return a value of true and others always return a value of false. Here are the policy settings that always return a value of true:
- Disable Removable Storage
- Disable IrDA
- Disable Desktop Sync
- Block Remote Desktop
- Block Internet Sharing
The reason why most of these settings return a value of true is because Windows Phone 7 devices lack support for the feature that the policy setting is addressing. For example, the Disable Removable Storage setting always returns a value of true because Windows Phone 7 devices don't have removable storage. The same can also be said for IrDA (infrared), Desktop Sync, Remote Desktop, and Internet Sharing.
All of the other ActiveSync policy settings return a value of false. Microsoft provides reasons why a value of false is returned for some of the policy settings. For example, here are some ActiveSync policy settings and the reasons why they return a value of False:
- Mobile Encryption Removable – Windows Phone 7 doesn't support removable storage, so there is nothing removable to encrypt.
- Mobile Encryption Enabled – The Windows Phone 7 file system is not accessible (without a hack), so there is nothing to encrypt.
- Enable Device Encryption – Once again, encryption isn't supported.
- Allow Unsigned Applications – Previous versions of Windows Mobile allowed organizations to deploy mobile applications at will. Windows Phone 7 only supports applications that have been purchased from the Marketplace.
- Unsigned CAB Access Role – Again, only Marketplace applications may be installed.
- Alphanumeric Device Password Required – Windows Phone 7 does not support the use of alphanumeric passwords.
- Min Device Password Complex Characters – Again, alphanumeric passwords are not supported by Windows Phone 7.
- Unapproved Application List – There is no such thing as unapproved applications since applications can only be installed through the Marketplace.
- Approved Application List – Every application in the entire Marketplace is considered to be approved.
- Allow HTML E-mail – I'm not really sure why this one returns a value of False since Windows Phone 7 does allow HTML E-mail.
- Sync While Roaming – You can't control the synchronization process through ActiveSync policies. It is up to the end user to decide whether or not they want to synchronize the device if they are roaming.
These are the only unsupported ActiveSync policy settings that Microsoft has given an explanation for. According to Microsoft, every ActiveSync policy setting that hasn't been explicitly mentioned here returns a value of False. However, this does not seem to hold true in every case.
If what Microsoft says is true then the Allow Camera and Allow Wi-Fi settings should return a value of False, which should disable those particular device features. However, I have no trouble using the camera and Wi-Fi connection on my Windows Phone 7 device in spite of the fact that the device has been provisioned by Exchange 2007.
Thankfully, there are a lot of hints on various Web sites that Microsoft may be planning some future updates that will make Windows Phone 7 devices a bit more palatable to enterprise environments.
Brien Posey is a seven time Microsoft MVP with over two decades of IT experience. As a freelance writer, Posey has written many thousands of articles and written or contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. When He isn't busy writing, Brien Posey enjoys exotic travel, scuba diving, and racing his Cigarette boat. You can visit his personal Web site at: www.brienposey.com.