How to secure the devices that access your Office 365 email

One of the conditions of setting up an Exchange Account on a mobile phone or tablet is that the Exchange administrator has control over that device’s security features. If you’re new to administering Exchange, the level of control that you get over these connected devices may surprise you.

Here are a few things that you can do.

  • Enable/Disable the camera
  • Enable/Disable WIFI
  • Enable/Disable Internet Tethering
  • Enable/Disable the device’s web browser
  • Enable/Disable personal, POP or IMAP email accounts
  • Enable/Disable the use of storage cards
  • Enable/Disable text messaging
  • Require a password on the device
  • Require a password after a defined period of inactivity

To get this working, there are two main steps.

  1. Create a Mobile Device Mailbox Policy
  2. Apply the Mobile Device Mailbox Policy to the relevant users

How to create your Mobile Device Mailbox Policy

  1. Open PowerShell on your computer
  2. Connect to Exchange Online via PowerShell. Follow our quick guide to get this set up.
  3. Build your New-MobileDeviceMailboxPolicy cmdlet, or use one of our samples below. For more information, refer to the documentation at https://technet.microsoft.com/en-us/library/jj218612(v=exchg.160).aspx
  4. Paste and Run your New-MobileDeviceMailboxPolicy cmdlet. For example:
    New-MobileDeviceMailboxPolicy -Name "No Camera Policy" -AllowCamera $false

How to assign your mobile device mailbox policy to users

To assign the new policy to users, use the Set-CASMailbox cmdlet. See this link for the complete documentation:
https://technet.microsoft.com/en-us/library/bb125264(v=exchg.160).aspx

To use this cmdlet, ensure you are connected to Exchange Online via PowerShell.

Assign the Policy to all users

Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncMailboxPolicy "Your Policy Name"

Assign the policy to a specific user

Set-CASMailbox -Identity [email protected] -ActiveSyncMailboxPolicy "Your Policy Name"

Confirm that your policy was added correctly

To make sure your policy was applied successfully, run this:

Get-CASMailbox -identity [email protected] | fl *

You should see the policy name next to ActiveSyncMailboxPolicy.

A few minutes after running the policy, you should see it take effect on the relevant devices:

[Screenshots: Disable Camera Via Office 365; Camera Disabled Via Office 365]

Revert to the default policy

You can revert to the default policy by running the following:

Set-CASMailbox -identity [email protected] -ActiveSyncMailboxPolicy "Default"

Sample Policies

Use these sample policies or create your own. Each sample policy uses only one parameter, e.g. -AllowCamera $false, though you can add as many parameters to a policy as you like. See this link for the complete list of available parameters: https://technet.microsoft.com/en-us/library/jj218612(v=exchg.160).aspx

Disable a mobile device’s camera

New-MobileDeviceMailboxPolicy -Name "No Camera Policy" -AllowCamera $false

Disable a mobile device’s WIFI

New-MobileDeviceMailboxPolicy -Name "No WIFI Policy" -AllowWifi $false

Disable Internet tethering on a mobile device

New-MobileDeviceMailboxPolicy -Name "No Tethering Policy" -AllowInternetSharing $false

Disable the web browser on a mobile device

New-MobileDeviceMailboxPolicy -Name "No Browser Policy" -AllowBrowser $false
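
Combine several settings in one policy and check coverage

The single-parameter samples above can be combined into one baseline policy, piloted on one mailbox, and then checked across the tenant. This is an added example, not part of the original article; the policy name, the pilot address and the chosen values (password length, lock timeout) are assumptions to adapt.

```powershell
# Assumes you are already connected to Exchange Online via PowerShell.
# The policy name, pilot mailbox and setting values are illustrative assumptions.
$PolicyName = 'Baseline Mobile Policy'      # hypothetical policy name
$PilotUser  = 'pilot.user@example.com'      # placeholder mailbox, replace with a real one

# Create the policy only if one with this name does not already exist.
$existing = Get-MobileDeviceMailboxPolicy | Where-Object { $_.Name -eq $PolicyName }
if (-not $existing) {
    $settings = @{
        Name                  = $PolicyName
        PasswordEnabled       = $true        # require a password on the device
        MinPasswordLength     = 6            # assumed minimum length
        AllowSimplePassword   = $false       # reject trivial PINs such as 1234
        MaxInactivityTimeLock = '00:05:00'   # lock after 5 minutes of inactivity
        AllowCamera           = $false
        AllowStorageCard      = $false
    }
    New-MobileDeviceMailboxPolicy @settings | Out-Null
}

# Pilot on a single mailbox before assigning the policy to everyone.
Set-CASMailbox -Identity $PilotUser -ActiveSyncMailboxPolicy $PolicyName

# Coverage report: which policy does each mailbox actually have?
$report = Get-CASMailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, ActiveSyncMailboxPolicy, ActiveSyncMailboxPolicyIsDefaulted

# Summary: number of mailboxes per policy.
$report |
    Group-Object { "$($_.ActiveSyncMailboxPolicy)" } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Detail: mailboxes that are NOT on the baseline policy (still on the default
# or on another policy), so gaps are visible after a bulk assignment.
$report |
    Where-Object { "$($_.ActiveSyncMailboxPolicy)" -ne $PolicyName } |
    Sort-Object PrimarySmtpAddress |
    Format-Table -AutoSize
```

Run the report again after the bulk Get-Mailbox | Set-CASMailbox assignment shown earlier; the second table should then be empty.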
