Exchange Activesync policy – can I make it not required for a user

Tags: activesync, exchange

Exchange 2010 sp2.

I have a "C" level exec that wants to get his email on his android tablet. Easy enough. However, he doesn't want any Activesync policy applied to his device for remote wipe, etc. not even the default policy, and doesn't want to use OWA.

I thought I knew Exchange pretty well, but can't find a Powershell command or anything that will allow a device to connect without enforcing at least some kind of policy.

Is he out of luck using Activesync? I can set him up with POP3/IMAP, but would rather not.

EDIT: screenshot of the prompts (with the default policy that is "wide open"):


UPDATE:

I should add that I did post a short blog about this if anyone is interested in how to do this with a single user. It isn't pretty and I chose not to go that route, but I did work with Microsoft on finding a "way"... again, not pretty, and I'd suggest doing it in a test environment first to really understand what/why.

http://dittotech.wordpress.com/2012/12/03/disable-exchange-activesync-policy-for-a-single-user/

Best Answer

The strict answer to your question "can I apply no policy?" is no.

So next we have to look at what the user thinks the policy is. Does he not want to get the security pop-up when adding the account? Then don't enable any of the options that cause that pop-up.

The individual settings within ActiveSync policies fall into two categories: those that affect only the mail client, and those that affect the whole device. Only the ones that affect the whole device result in a security prompt.

To make your user happy, create another ActiveSync policy just for him and apply it. Provided that you don't configure anything that requires system-level security changes, such as password rules and remote wipe, then he won't get the security prompt when the account is set up on the tablet.


Update to make my answer closer to reality:

If the device supports remote wipe, there is no way to suppress the security prompt for remote wipe.

  • During the initial ActiveSync setup, Exchange asks the client "do you support remote wipe?"
    • If the device supports remote wipe, Exchange requires it.
    • If the device does not support remote wipe, then the "Allow non-provisionable devices" option is consulted.
      • If checked, the device is allowed.
      • If not checked, the device is denied a partnership. The phone will either return an error or just show an empty inbox.

There is no way to stop Exchange from asking if it supports remote wipe.


Update after you posted the pic:

You are not going to be able to get rid of that security prompt.

My Android phone will only display the security prompt for capabilities requested by the assigned policy. If the policy changes, I'll get a new prompt.

My boss's phone will display the security prompt with all of the security features it supports. When the policy changes, she does not get a new prompt.

So you are fighting two problems, neither of which you will be able to change:

  1. There is no way to stop Exchange from asking a device if it supports remote wipe.
  2. It appears that your device prompts for all of the security capabilities it supports, regardless of what the Exchange server asks for.
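The procedure the answer describes (a dedicated policy that requests no device-level security settings, assigned to one mailbox), written out as an added example in Exchange 2010 Management Shell syntax; it is not code from the question or the answer. The policy name and the mailbox alias are placeholders, and as the answer notes, the remote wipe prompt still appears if the device reports support for it.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010
# Management Shell; the policy name and mailbox alias below are placeholders.
# Goal: a per-user policy with every device-level requirement switched off,
# so the only prompt left is the remote wipe one, which Exchange always
# negotiates when the device says it supports it.

$policyName = "NoDevicePromptPolicy"   # constructed policy name
$mailbox    = "cexec"                  # placeholder alias for the exec's mailbox

# 1. Create the policy with no password, encryption or lock requirements.
#    AllowNonProvisionableDevices lets a device that cannot enforce policy
#    (no remote wipe support) still form a partnership.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $true `
    -DevicePasswordEnabled $false `
    -AlphanumericDevicePasswordRequired $false `
    -AllowSimpleDevicePassword $true `
    -RequireDeviceEncryption $false `
    -MaxInactivityTimeDeviceLock Unlimited `
    -MaxDevicePasswordFailedAttempts Unlimited `
    -DevicePasswordExpiration Unlimited `
    -DevicePasswordHistory 0 `
    -IsDefault $false

# 2. Assign it to this one mailbox only; the organisation default is untouched.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. Verify the assignment and the effective device-level settings.
Get-CASMailbox -Identity $mailbox |
    Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List DevicePasswordEnabled, RequireDeviceEncryption, AllowNonProvisionableDevices

# 4. After the tablet has synced once, confirm the partnership exists and
#    whether the device reported remote wipe support (the prompt it cannot avoid).
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-List DeviceType, DeviceModel, Status, LastPolicyUpdateTime, IsRemoteWipeSupported
```

Keep the default policy as the organisation baseline and audit who holds the relaxed one with `Get-CASMailbox -Filter {ActiveSyncMailboxPolicy -ne $null}` so the exception stays a single, visible exception.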