
Microsoft Exchange ActiveSync device policies

Jun 23, 2015

You can use the Exchange ActiveSync device policy to configure an email client on users' devices to let them access their corporate email hosted on Exchange. You can create policies for iOS, Android HTC, Android TouchDown, Android for Work, Samsung SAFE, Samsung KNOX, and Windows Phone 8.1. Each platform requires a different set of values, which are described in detail in the following topics:

Before you can create this policy, you will need to know the host name or IP address of the Exchange Server.

  1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.

     

    Device Policies page

     

  2. Click Add to add a new policy. The Add New Policy dialog appears.

     

    Select Exchange policy

     

  3. Click Exchange. The Exchange Policy information page appears.

  4. In the Policy Information pane, type the following information:
    1. Policy Name: Type a descriptive name for the policy.
    2. Description: Type an optional description of the policy.
  5. Click Next. The Policy Platforms page appears.
    Note: When the Policy Platforms page appears, all platforms are selected and you see the iOS platform configuration panel first.
  6. Under Platforms, select the platform or platforms you want to add.
    • If you selected iOS, configure the following settings:

      Exchange ActiveSync account name: Type any Exchange Server account name.

      Exchange ActiveSync host name: Type the Exchange Server host name or IP address.

      Use SSL: Select whether to secure connections between users' devices and the Exchange Server. The default is On.

      Domain: Enter the domain in which the Exchange Server resides.
      Note: You can use the system macro ${user.domainname} in this field to automatically look up users' domain names.

      User: Specify the user name for the Exchange user account.
      Note: You can use the system macro ${user.username} in this field to automatically look up users' names.

      Email address: Specify the user's full email address.
      Note: You can use the system macro ${user.mail} in this field to automatically look up users' email accounts.

      Password: Enter an optional password for the Exchange user account.

      Email sync interval: Select a sync interval from the list.

      Identity credential (keystore or PKI credential): Optional. Select a configured certificate or PKI credential from the list.

      Authorize email move between accounts: Optional. Select On or Off. The default is Off.

      Send email only from email app: Optional. Select On or Off. The default is Off.

      Disable email recent syncing: Optional. Select On or Off. The default is Off.

      Enable S/MIME: Optional. Select On or Off. The default is Off.

      Enable per message S/MIME switch: Optional. Select On or Off. The default is Off.
       

    • If you selected Android HTC, configure the following settings:

      Configuration display name: Type the name for this policy that appears on users' devices.

      Server address: Type the Exchange Server host name or IP address.

      User ID: Specify the user name for the Exchange user account.
      Note: You can use the system macro ${user.username} in this field to automatically look up users' names.

      Password: Enter an optional password for the Exchange user account.

      Domain: Enter the domain in which the Exchange Server resides.
      Note: You can use the system macro ${user.domainname} in this field to automatically look up users' domain names.

      Email address: Specify the user's full email address.
      Note: You can use the system macro ${user.mail} in this field to automatically look up users' email accounts.

      Use SSL: Select whether to secure connections between users' devices and the Exchange Server. The default is On.

    • If you selected Android TouchDown, configure the following settings:

      Server name or IP address: Type the Exchange Server host name or IP address.

      Domain: Type the domain in which the Exchange Server resides.
      Note: You can use the system macro ${user.domainname} in this field to automatically look up users' domain names.

      User ID: Specify the user name for the Exchange user account.
      Note: You can use the system macro ${user.username} in this field to automatically look up users' names.

      Password: Type an optional password for the Exchange user account.

      Email address: Specify the user's full email address.
      Note: You can use the system macro ${user.mail} in this field to automatically look up users' email accounts.

      Identity credential (keystore or PKI): In the list, click an optional identity credential if you have configured an identity provider for XenMobile. This field is only required when Exchange requires client certificate authentication. The default is 'None'.

      App Setting: Optionally, add TouchDown app settings for this policy.

      Policy: Optionally, add TouchDown policies for this policy.

    • If you selected Android for Work, configure the following settings:

      Server name or IP address: Type the Exchange Server host name or IP address.

      Domain: Type the domain in which the Exchange Server resides.
      Note: You can use the system macro ${user.domainname} in this field to automatically look up users' domain names.

      User ID: Specify the user name for the Exchange user account.
      Note: You can use the system macro ${user.username} in this field to automatically look up users' names.

      Password: Type an optional password for the Exchange user account.

      Email address: Specify the user's full email address.
      Note: You can use the system macro ${user.mail} in this field to automatically look up users' email accounts.

      Identity credential (keystore or PKI): In the list, click an optional identity credential if you have configured an identity provider for XenMobile. This field is only required when Exchange requires client certificate authentication. The default is 'None'.

    • If you selected Samsung SAFE or Samsung KNOX, configure the following settings:

      Server name or IP address: Type the Exchange Server host name or IP address.

      Domain: Type the domain in which the Exchange Server resides.
      Note: You can use the system macro ${user.domainname} in this field to automatically look up users' domain names.
       
      User ID: Specify the user name for the Exchange user account.
      Note: You can use the system macro ${user.username} in this field to automatically look up users' names.

      Password: Type an optional password for the Exchange user account.
       
      Email address: Specify the user's full email address.
      Note: You can use the system macro ${user.mail} in this field to automatically look up users' email accounts.

      Identity credential (keystore or PKI): In the list, click an optional identity credential if you have configured an identity provider for XenMobile. This field is only required when Exchange requires client certificate authentication. The default is 'None'.

      Use SSL connection: Select whether to secure connections between users' devices and the Exchange Server. The default is On.

      Sync contacts: Select whether to enable synchronization for users' contacts between their devices and the Exchange Server. The default is On.

      Sync calendar: Select whether to enable synchronization for users' calendars between their devices and the Exchange Server. The default is On.

      Default account: Select whether to make users' Exchange account the default for sending email from their devices. The default is On.
       
    • If you selected Windows Phone 8.1, configure the following settings.

      Note: This policy does not allow you to set the user password. Users must set that parameter from their devices after you push the policy.

      Account name or display name: Type the Exchange ActiveSync account name.

      Server name or IP address: Type the Exchange Server host name or IP address.

      Domain: Enter the domain in which the Exchange Server resides.
      Note: You can use the system macro ${user.domainname} in this field to automatically look up users' domain names.

      User ID or user name: Specify the user name for the Exchange user account.
      Note: You can use the system macro ${user.username} in this field to automatically look up users' names.

      Email address: Specify the user's full email address.
      Note: You can use the system macro ${user.mail} in this field to automatically look up users' email accounts.

      Use SSL connection: Select whether to secure connections between users' devices and the Exchange Server. The default is Off.

      Past days to sync: In the list, click how many days into the past to sync all content on the device with the Exchange Server.

      Frequency: In the list, click the schedule to use when syncing data that is sent to the device from the Exchange Server.

      Logging level: In the list, click Disabled, Basic, or Advanced to specify the level of detail when logging Exchange activity.

  7. Expand Deployment Rules and then configure the following settings. The Base tab appears by default.

     

    Deployment rules

     

    1. In the lists, click options to determine when the policy should be deployed.
      1. You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
      2. Click New Rule to define the conditions.
      3. In the lists, click the conditions, such as Device ownership and BYOD, as shown in the preceding figure.
      4. Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.
    2. Click the Advanced tab to combine the rules with Boolean options.

       

      Advanced deployment rules with base rules

       

      The conditions you chose on the Base tab appear.
    3. You can use more advanced Boolean logic to combine, edit, or add rules.
      1. Click AND, OR, or NOT.
      2. In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.

        At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.

      3. Click New Rule again if you want to add more conditions.

        In this example, the device ownership must be BYOD, the device local encryption must be True, and the device mobile country code cannot be only Andorra.

        Advanced deployment rules complete

         

  8. Click Next. The Exchange Policy Assignment page appears.
  9. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the right-hand Delivery groups to receive app assignment list.

     

    Policy assignment page

     

  10. Expand Deployment Schedule and then configure the following settings:
    1. Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
    2. Next to Deployment schedule, click Now or Later. The default option is Now.
    3. If you click Later, click the calendar icon and then select the date and time for deployment.
    4. Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
    5. Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.
      Note: This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
    Note: The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

     

    Deployment schedule

     

  11. Click Save.
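
A review check for the per-platform settings in step 6, as an added example that is not part of the Citrix documentation: it flags platforms where Use SSL ends up Off (including through the Windows Phone 8.1 default), an IP address used as the host while SSL is On, a fixed password, and literal user or email values where the macros apply. The dictionary layout, platform keys and function names are hypothetical; the page describes only the console form, not an export format.

```python
import ipaddress

# "Use SSL" defaults as listed in step 6. TouchDown and Android for Work are
# absent because their settings lists show no SSL toggle.
# Platform keys and the dict layout are hypothetical, not a XenMobile format.
SSL_DEFAULTS = {"ios": True, "android_htc": True, "samsung": True,
                "windows_phone_8.1": False}
PER_USER_MACROS = {"user": "${user.username}", "email": "${user.mail}"}


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def review(platform, settings):
    """Return review findings for one platform's Exchange settings."""
    findings = []
    if platform in SSL_DEFAULTS:
        # An unset toggle falls back to the documented platform default.
        if not settings.get("use_ssl", SSL_DEFAULTS[platform]):
            findings.append("SSL is Off: device-to-Exchange connections are not secured")
        elif is_ip(settings.get("host", "")):
            findings.append("host is an IP address: server certificates are "
                            "normally issued for DNS names")
    if settings.get("password"):
        findings.append("fixed password: the same value deploys to every user")
    for field, macro in PER_USER_MACROS.items():
        value = settings.get(field, "")
        if value and "${" not in value:
            findings.append(f"{field} is a literal: use {macro} to resolve it per user")
    return findings


# Constructed sample: values an administrator might have typed into the form.
SAMPLE_POLICY = {
    "ios": {"host": "192.0.2.10", "user": "${user.username}",
            "email": "${user.mail}"},
    "windows_phone_8.1": {"host": "mail.example.com", "user": "jsmith",
                          "email": "${user.mail}"},
    "samsung": {"host": "mail.example.com", "use_ssl": True,
                "user": "${user.username}", "email": "${user.mail}",
                "password": "constructed-secret"},
}

if __name__ == "__main__":
    for platform, settings in SAMPLE_POLICY.items():
        for finding in review(platform, settings):
            print(f"{platform}: {finding}")
```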