Configuring a Default Mobile Device Mailbox Policy for ActiveSync in Exchange Server 2010 and 2013

An Exchange Server organization can have multiple mobile device mailbox policies, but only one can be the default policy.

The default policy is automatically assigned to new mailbox users, and also to those mailboxes that have not been manually reassigned to a non-default policy.

Confusingly, the policy that Exchange Server 2010 and 2013 create automatically during setup is named “Default”. However, that name does not indicate which policy is actually the default.

Instead it is the IsDefaultPolicy (for Exchange 2010) or IsDefault (for Exchange 2013) property that actually determines which one is the default policy. You can see which policy is the default by using the Get-ActiveSyncMailboxPolicy or Get-MobileDeviceMailboxPolicy cmdlet.

Exchange 2010:

[PS] C:\>Get-ActiveSyncMailboxPolicy | Select Name,IsDefaultPolicy

Name                           IsDefaultPolicy
----                           ---------------
Default                                   True
International Users EAS Policy           False
Connectivity Test Only                   False
High Security Mobile Device Policy       False

Exchange 2013:

[PS] C:\>Get-MobileDeviceMailboxPolicy | Select Name,IsDefault

Name                                     IsDefault
----                                     ---------
Default                                       True
International Users Mobile Device Policy     False
High Security Mobile Device Policy           False

Note: you can use Get-ActiveSyncMailboxPolicy in Exchange 2013 as well, however if you do you will see a (harmless) warning “The Get-ActiveSyncMailboxPolicy cmdlet will be removed in a future version of Exchange.” For more info see Changes to Mobile Device Management Cmdlets in Exchange Server 2013.

You may have a business requirement to choose another policy as the default, such as a desire to set the most common policy as default, or a desire to set the most secure policy as default.

However before you proceed let’s take a look at how Exchange applies the default mobile device mailbox policy.

Here we can see that Paul Cunningham is assigned the policy named “Default”, which happens to also be the default policy at that moment. We can also see that the ActiveSyncMailboxPolicyIsDefaulted property is set to True for Paul’s mailbox.

[PS] C:\>Get-CASMailbox paul.cunningham | Select Name,ActiveSyncMailboxPolicy*

Name                               : Paul Cunningham
ActiveSyncMailboxPolicy            : Default
ActiveSyncMailboxPolicyIsDefaulted : True

This means that if we change the default mobile device mailbox policy to a different policy, that change will also take effect for Paul Cunningham.

In comparison, we can see that Alan Reid is configured for a different mobile device policy. When that change was made the ActiveSyncMailboxPolicyIsDefaulted property of his mailbox was automatically set by Exchange to False.

[PS] C:\>Get-CASMailbox alan.reid | Select Name,ActiveSyncMailboxPolicy*

Name                               : Alan.Reid
ActiveSyncMailboxPolicy            : International Users Mobile Device Policy
ActiveSyncMailboxPolicyIsDefaulted : False

This means that if we change the default mobile device mailbox policy to a different policy, that change will not take effect for Alan Reid, and he will remain on the same policy.

Let’s say that Alan was assigned the “International Users Mobile Device Policy” for an overseas trip. He has returned from overseas and you want to reassign the “Default” policy to his mailbox.

[PS] C:\>Set-CASMailbox alan.reid -ActiveSyncMailboxPolicy "Default"

[PS] C:\>Get-CASMailbox alan.reid | Select Name,ActiveSyncMailboxPolicy*

Name                               : Alan.Reid
ActiveSyncMailboxPolicy            : Default
ActiveSyncMailboxPolicyIsDefaulted : False

Alan is now assigned to the “Default” policy again, but the ActiveSyncMailboxPolicyIsDefaulted property is still set to False.

This means that Alan Reid will remain configured with the policy named “Default” even if the default is changed to a different policy.

So before you change the default mobile device mailbox policy you just need to be aware that all mailboxes where the ActiveSyncMailboxPolicyIsDefaulted is set to True will be re-assigned to the new default policy, and those set to False will not.

To see a list of mailboxes that will not be re-assigned when the default mailbox policy changes you can run the following commands to find the name of the default policy, then filter the results of Get-CASMailbox for those that are assigned that policy but have ActiveSyncMailboxPolicyIsDefaulted set to False.

Exchange 2010:

[PS] C:\>$default = (Get-ActiveSyncMailboxPolicy | Where {$_.IsDefaultPolicy}).Name

[PS] C:\>Get-CASMailbox -ResultSize Unlimited | Where {$_.ActiveSyncMailboxPolicy -eq $default -and $_.ActiveSyncMailboxPolicyIsDefaulted -eq $false}

Exchange 2013:

[PS] C:\>$default = (Get-MobileDeviceMailboxPolicy | Where IsDefault).Name

[PS] C:\>Get-CASMailbox -ResultSize Unlimited | Where {$_.ActiveSyncMailboxPolicy -eq $default -and $_.ActiveSyncMailboxPolicyIsDefaulted -eq $false}

In my example I discover that Alan Reid fits those criteria, and I want to reconfigure his mailbox so that it is included when the default mailbox policy is changed.

Strangely there is no parameter for modifying the ActiveSyncMailboxPolicyIsDefaulted property with Set-CASMailbox. However, if we “null” the ActiveSyncMailboxPolicy property it will have the same effect.

[PS] C:\>Set-CASMailbox Alan.Reid -ActiveSyncMailboxPolicy $null

[PS] C:\>Get-CASMailbox Alan.Reid | Select Name,ActiveSyncMailboxPolicy*

Name                               : Alan.Reid
ActiveSyncMailboxPolicy            : Default
ActiveSyncMailboxPolicyIsDefaulted : True

Finally, when you are ready to change the default mobile device mailbox policy to a different policy that suits your business needs, you can use the Set-ActiveSyncMailboxPolicy cmdlet in Exchange 2010, or the Set-MobileDeviceMailboxPolicy cmdlet in Exchange 2013.

Exchange 2010:

[PS] C:\>Set-ActiveSyncMailboxPolicy "High Security Mobile Device Policy" -IsDefaultPolicy $true

Exchange 2013:

[PS] C:\>Set-MobileDeviceMailboxPolicy "High Security Mobile Device Policy" -IsDefault $true
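
The checks above can be combined into one pre-change report that shows which policy every mailbox will have once the default is switched. This is an added example, not part of the original article: it uses the Exchange 2013 cmdlet names (on Exchange 2010 substitute Get-ActiveSyncMailboxPolicy and IsDefaultPolicy), and the function name, its NewDefault parameter and the Status labels are hypothetical. It assumes the ActiveSyncMailboxPolicy property converts to the policy name as a string, as in the output shown earlier.

```powershell
# Added example: report the effect of changing the default policy before doing it.
# Run in the Exchange Management Shell. Read-only: it changes nothing.
function Get-DefaultPolicyChangeImpact {
    param(
        [Parameter(Mandatory = $true)]
        [string]$NewDefault   # hypothetical parameter: name of the policy that will become default
    )

    # Stop early if the target policy does not exist.
    $target  = Get-MobileDeviceMailboxPolicy -Identity $NewDefault -ErrorAction Stop
    $current = (Get-MobileDeviceMailboxPolicy | Where-Object { $_.IsDefault }).Name

    Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
        # Assumption: the string form of the property is the policy name.
        $assigned = "$($_.ActiveSyncMailboxPolicy)"

        if ($_.ActiveSyncMailboxPolicyIsDefaulted) {
            # Mailbox follows whichever policy is the default, so it will move.
            $after  = $target.Name
            $status = 'FollowsDefault'
        } else {
            # Mailbox was explicitly assigned a policy, so it stays where it is.
            $after  = $assigned
            $status = if ($assigned -eq $current) { 'PinnedToOldDefault' } else { 'PinnedToOther' }
        }

        New-Object PSObject -Property @{
            Name        = $_.Name
            PolicyNow   = $assigned
            PolicyAfter = $after
            Status      = $status
        }
    }
}

$report = Get-DefaultPolicyChangeImpact -NewDefault 'High Security Mobile Device Policy'

# Summary: how many mailboxes end up on each policy, and why.
$report | Group-Object Status, PolicyAfter | Sort-Object Count -Descending |
    Select-Object Count, Name

# Mailboxes pinned to the current default by name. These will NOT pick up the
# new default unless they are reset with -ActiveSyncMailboxPolicy $null.
$report | Where-Object { $_.Status -eq 'PinnedToOldDefault' } |
    Select-Object Name, PolicyNow
```

Review the PinnedToOldDefault rows in particular: if the goal is to make the most secure policy the default, those mailboxes stay on the old policy until they are reset as shown earlier.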

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013.
