1

How does one go about changing the Exchange security policy to allow pins and other security options on Android devices?

Chris

4 Answers

1

Allow pins or enforce them? The default policy allows them already.

If you want to enforce them, either create a new policy for those you want to enforce or change the default. (note: I believe SBS 2011 enforces them by default)

The policies are in the console under the Organization Configuration, Client Access, Exchange ActiveSync Mailbox Policies. You'd just check the "Require Password" but not the "Require alphanumeric password". The "allow simple password" should be checked, but I would recommend not setting a minimum password length or Password expiration.

Warning: I haven't messed with it in the past 6 months, but enabling PIN enforcement can cause issues on Android phones, depending on the type of PIN a user wants to use. Things like face unlock, pattern unlock, etc. come into play and don't work well with the ActiveSync policies. I advise you test thoroughly with different phones and Android OS levels before deploying.

TheCleaner
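The settings described in this answer, expressed as Exchange Management Shell commands and applied to a separate pilot policy so they can be tested before wider rollout. This is an added example, not part of the original answer; it assumes Exchange 2010 cmdlets, and the policy name and mailbox alias are hypothetical.

```powershell
# Run in the Exchange Management Shell (Exchange 2010 assumed).
# 'Android PIN Pilot' and 'pilot.user' are hypothetical names for illustration.
$policyName = 'Android PIN Pilot'
$pilotUser  = 'pilot.user'

# Create a separate policy instead of editing the default, so only pilot
# mailboxes are affected while different phones and Android versions are tested.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -AllowSimpleDevicePassword $true `
    -MinDevicePasswordLength $null `
    -DevicePasswordExpiration Unlimited
# "Require Password" checked, "Require alphanumeric password" unchecked,
# "Allow simple password" checked, no minimum length, no expiration.

# Assign the pilot policy to a single test mailbox.
Set-CASMailbox -Identity $pilotUser -ActiveSyncMailboxPolicy $policyName

# Confirm what the server will send to devices. AllowNonProvisionableDevices
# shows whether clients that cannot apply the full policy are still allowed to sync.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, DevicePasswordEnabled, AlphanumericDevicePasswordRequired,
                AllowSimpleDevicePassword, MinDevicePasswordLength,
                DevicePasswordExpiration, AllowNonProvisionableDevices

# After the test phone has synced, check which policy each device partnership
# reports and whether it was applied in full.
Get-ActiveSyncDeviceStatistics -Mailbox $pilotUser |
    Format-Table DeviceType, DeviceModel, DeviceUserAgent, DevicePolicyApplied,
                 DevicePolicyApplicationStatus, LastSuccessSync -AutoSize
```

The status column is what the device reports back to the server, so also confirm on the handset itself that a PIN prompt actually appears.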
0

It's the same ActiveSync settings that everything else uses.

MDMarra
0

Require use of a third-party Android ActiveSync application that behaves correctly.

Many of the Mobile Device Management (MDM) solutions leverage a third-party Android ActiveSync application that conforms to the security policies. In many cases, this is Touchdown. In addition to compliance, it obviates the need to support all of the variations of Android ActiveSync applications in existence.

The background for this is that ActiveSync is pretty much a free-for-all. An ActiveSync implementation, such as earlier Android variants, can do or report any status to the server that it wants. If an Android ActiveSync implementation doesn't honor a command to brick the device or require a PIN, it doesn't get bricked and the user does not have to enter a PIN. Apple has always conformed fairly well. Microsoft phones (version 7) did not support device encryption.

Greg Askew
-2

In addition to what MDMarra has stated, in order to exercise the functionality you're looking for you'll need to implement a Mobile Device Management (MDM) system of some sort. Something like AirWatch, MobileIron, BoxTone or BlackBerry Mobile Fusion (to name a few) will do what you're looking for.

DKNUCKLES
  • Not really. You can enforce the usage of a PIN and do remote-wipe with just ActiveSync. No need for MDM solutions unless you want to roll specific apps out, or have much more granular control than just enforcing a PIN policy. – MDMarra Jan 03 '13 at 15:41
  • "Other Security Options" would likely require an MDM of some sort. – DKNUCKLES Jan 03 '13 at 16:35