Sometimes you need to manage policies in Exchange ActiveSync programmatically. For example, if a device shows up in a JSS, you can deploy policies to that device at the Exchange ActiveSync (EAS) level rather than using a mobileconfig. To manage these, Microsoft has provided a few pretty easy-to-use cmdlets in PowerShell.
- The New-MobileDeviceMailboxPolicy cmdlet in PowerShell will create a policy based on some attributes that you define.
- The Get-MobileDeviceMailboxPolicy cmdlet in PowerShell will show what the contents of a given policy are.
- The Set-MobileDeviceMailboxPolicy cmdlet will set a policy, and has the same structure as New-MobileDeviceMailboxPolicy, but applies to existing policies.
- The Remove-MobileDeviceMailboxPolicy cmdlet in PowerShell will delete a policy.
- The Get-MobileDevice cmdlet in PowerShell will show all the devices that are associated with a given user.
- The Remove-MobileDevice cmdlet in PowerShell will remove a partnership between an account and a device.
- The Clear-MobileDevice cmdlet in PowerShell will wipe a device.
To put these into practice, let's create a policy called "MarketingEAS" and set a few common password/passcode policies, like requiring a password and requiring that the password be alphanumeric. The following New-MobileDeviceMailboxPolicy cmdlet creates the mobile device mailbox policy MarketingEAS, using -PasswordEnabled and -AlphanumericPasswordRequired as options (the MobileDeviceMailboxPolicy cmdlets drop the "Device" prefix that the older ActiveSyncMailboxPolicy cmdlets used in these parameter names):
New-MobileDeviceMailboxPolicy -Name:"MarketingEAS" -PasswordEnabled:$true -AlphanumericPasswordRequired:$true
There are lots of other policy settings, like -AllowBluetooth, -AllowCamera, -MaxEmailAgeFilter, -PasswordHistory, etc. Once set, you can look at the contents of the policy using Get-MobileDeviceMailboxPolicy:
Get-MobileDeviceMailboxPolicy -Identity "MarketingEAS"
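The create and view steps above can be combined into a repeatable check that also uses Set-MobileDeviceMailboxPolicy when the policy already exists. This is an added example, not code from the original post; it assumes an Exchange Management Shell session and the -PasswordEnabled and -AlphanumericPasswordRequired parameter names of the MobileDeviceMailboxPolicy cmdlets.

```powershell
# Added example: run in the Exchange Management Shell or a remote Exchange session.
# Desired state for the MarketingEAS policy used in this post.
$policyName = 'MarketingEAS'
$desired = @{
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $true
}

# Filter the full list instead of using -Identity so a missing policy
# returns nothing rather than raising an error.
$policy = Get-MobileDeviceMailboxPolicy | Where-Object { $_.Name -eq $policyName }

if (-not $policy) {
    # Policy does not exist yet: create it with the desired settings.
    New-MobileDeviceMailboxPolicy -Name $policyName @desired | Out-Null
    Write-Output "Created policy $policyName"
}
else {
    # Policy exists: collect only the settings that differ from the desired state.
    $drift = @{}
    foreach ($key in $desired.Keys) {
        if ($policy.$key -ne $desired[$key]) {
            $drift[$key] = $desired[$key]
            Write-Output "Drift on ${key}: found '$($policy.$key)', expected '$($desired[$key])'"
        }
    }

    if ($drift.Count -gt 0) {
        # Correct just the drifted settings on the existing policy.
        Set-MobileDeviceMailboxPolicy -Identity $policyName @drift
        Write-Output "Updated policy $policyName"
    }
    else {
        Write-Output "Policy $policyName already matches the desired settings"
    }
}

# Read the policy back to confirm what is now enforced.
Get-MobileDeviceMailboxPolicy -Identity $policyName |
    Format-List Name, PasswordEnabled, AlphanumericPasswordRequired
```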
To then remove a Mailbox Policy, use Remove-MobileDeviceMailboxPolicy. The following removes the policy, bypassing prompts:
Remove-MobileDeviceMailboxPolicy -Identity "MarketingEAS" -Confirm:$false -Force
To see what mailbox policy is enforced for a user, you can then run Get-MobileDevice, followed by -Identity and then the short name of the user (e.g. CharlesEdge):
Get-MobileDevice -Identity "CharlesEdge"
Or to see a list of devices associated with my mailbox:
Get-MobileDevice -Mailbox "JAMF\CharlesEdge"
Or, to unpartner a device (e.g. kryptedipad) from my mailbox, use Remove-MobileDevice, bypassing the confirmation prompt with -Confirm:$false:
Remove-MobileDevice -Identity kryptedipad -Confirm:$false
To wipe that iPad and send me an email confirmation, use Clear-MobileDevice:
Clear-MobileDevice -Identity kryptedipad -NotificationEmailAddresses "charles@charlesrulez.com"