How to secure the devices that access your Office 365 email
One of the conditions of setting up an Exchange Account on a mobile phone or tablet is that the Exchange administrator has control over that device’s security features. If you’re new to administering Exchange, the level of control that you get over these connected devices may surprise you.
Here are a few things that you can do:
- Enable/Disable the camera
- Enable/Disable WIFI
- Enable/Disable Internet Tethering
- Enable/Disable the device’s web browser
- Enable/Disable personal, POP or IMAP email accounts
- Enable/Disable the use of storage cards
- Enable/Disable text messaging
- Require a password on the device
- Require a password after a defined period of inactivity
To get this working, there are two main steps.
- Create a Mobile Device Mailbox Policy
- Apply the Mobile Device Mailbox Policy to the relevant users
How to create your Mobile Device Mailbox Policy
- Open PowerShell on your computer
- Connect to Exchange Online via PowerShell. Follow our quick guide to get this set up.
- Build your New-MobileDeviceMailboxPolicy cmdlet, or use one of our samples below. For more information, refer to the documentation at https://technet.microsoft.com/en-us/library/jj218612(v=exchg.160).aspx
- Paste and Run your New-MobileDeviceMailboxPolicy cmdlet. For example:
New-MobileDeviceMailboxPolicy -Name "No Camera Policy" -AllowCamera $false
How to assign your mobile device mailbox policy to users
To assign the new policy to users, use the Set-CASMailbox cmdlet. See this link for the complete documentation:
https://technet.microsoft.com/en-us/library/bb125264(v=exchg.160).aspx
To use this cmdlet, ensure you are connected to Exchange Online via PowerShell.
Assign the Policy to all users
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncMailboxPolicy "Your Policy Name"
Assign the policy to a specific user
Set-CASMailbox -Identity [email protected] -ActiveSyncMailboxPolicy "Your Policy Name"
Confirm that your policy was added correctly
To make sure your policy was applied successfully, run this:
Get-CASMailbox -identity [email protected] | fl *
You should see the policy name next to ActiveSyncMailboxPolicy in the output.
A few minutes after assigning the policy, you should see it take effect on the relevant devices.
Revert back to the default policy
You can revert back to the default policy by running the following:
Set-CASMailbox -identity el[email protected] -ActiveSyncMailboxPolicy "Default"
Sample Policies
Use these sample policies or create your own. Each sample uses only one parameter (e.g. -AllowCamera $false), though you can add as many parameters to a policy as you like. See this link for the complete list of available parameters: https://technet.microsoft.com/en-us/library/jj218612(v=exchg.160).aspx
Disable a mobile device’s camera
New-MobileDeviceMailboxPolicy -Name "No Camera Policy" -AllowCamera $false
Disable a mobile device’s WIFI
New-MobileDeviceMailboxPolicy -Name "No WIFI Policy" -AllowWifi $false
Disable Internet tethering on a mobile device
New-MobileDeviceMailboxPolicy -Name "No Tethering Policy" -AllowInternetSharing $false
Disable the web browser on a mobile device
New-MobileDeviceMailboxPolicy -Name "No Browser Policy" -AllowBrowser $false
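Combining several settings in one policy
A mailbox has only one mobile device mailbox policy assigned at a time, so in practice the settings above are combined into a single policy. The following is an added example, not one of the original samples: the policy name and pilot addresses are hypothetical placeholders, and it assumes you are already connected to Exchange Online via PowerShell. It creates the policy, assigns it to a small pilot group, and checks both the assignment and what each device reports.

```powershell
# Added example. Assumes an existing Exchange Online PowerShell session.
# The policy name and the pilot addresses are hypothetical placeholders.
$policyName = 'Baseline Mobile Policy'
$pilotUsers = @('pilot1@example.com', 'pilot2@example.com')

# One policy carrying several of the controls listed at the top of this page.
$settings = @{
    Name                  = $policyName
    PasswordEnabled       = $true        # require a password on the device
    MinPasswordLength     = 6
    AllowSimplePassword   = $false       # reject PINs such as 1111 or 1234
    MaxInactivityTimeLock = '00:05:00'   # lock after 5 minutes of inactivity
    AllowCamera           = $false
    AllowStorageCard      = $false
    AllowInternetSharing  = $false       # Internet tethering
    AllowPOPIMAPEmail     = $false       # personal POP or IMAP accounts
}

# Create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-MobileDeviceMailboxPolicy @settings | Out-Null
}

# Assign to the pilot group before rolling out to every mailbox.
foreach ($user in $pilotUsers) {
    Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy $policyName
}

# Verify the assignment, then list what each of the user's devices reports.
foreach ($user in $pilotUsers) {
    $cas = Get-CASMailbox -Identity $user
    if ("$($cas.ActiveSyncMailboxPolicy)" -ne $policyName) {
        Write-Warning "$user is still on policy '$($cas.ActiveSyncMailboxPolicy)'"
    }
    Get-MobileDeviceStatistics -Mailbox $user |
        Select-Object @{ n = 'Mailbox'; e = { $user } }, DeviceFriendlyName, DeviceOS,
                      DevicePolicyApplied, DevicePolicyApplicationStatus
}
```

DevicePolicyApplied and DevicePolicyApplicationStatus come from the device's last sync, so a device that has not synced since the assignment will still show the previous policy.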