An Exchange Server organization can have multiple mobile device mailbox policies, but only one can be the default policy.
The default policy is automatically assigned to new mailbox users, and also to those mailboxes that have not been manually reassigned to a non-default policy.
Confusingly, the policy that Exchange Server 2010 and 2013 create automatically during setup is called “Default”. However the name “Default” is not the true indication of which policy is the default.
Instead it is the IsDefaultPolicy (for Exchange 2010) or IsDefault (for Exchange 2013) property that actually determines which one is the default policy. You can see which policy is the default by using the Get-ActiveSyncMailboxPolicy or Get-MobileDeviceMailboxPolicy cmdlet.
Exchange 2010:
[PS] C:\>Get-ActiveSyncMailboxPolicy | Select Name,IsDefaultPolicy Name IsDefaultPolicy ---- --------------- Default True International Users EAS Policy False Connectivity Test Only False High Security Mobile Device Policy False
Exchange 2013:
[PS] C:\>Get-MobileDeviceMailboxPolicy | Select Name,IsDefault Name IsDefault ---- --------- Default True International Users Mobile Device Policy False High Security Mobile Device Policy False
Note: you can use Get-ActiveSyncMailboxPolicy in Exchange 2013 as well, however if you do you will see a (harmless) warning “The Get-ActiveSyncMailboxPolicy cmdlet will be removed in a future version of Exchange.” For more info see Changes to Mobile Device Management Cmdlets in Exchange Server 2013.
You may have a business requirement to choose another policy as the default, such as a desire to set the most common policy as default, or a desire to set the most secure policy as default.
However before you proceed let’s take a look at how Exchange applies the default mobile device mailbox policy.
Here we can see that Paul Cunningham is assigned the policy named “Default”, which happens to also be the default policy at that moment. We can also see that the ActiveSyncMailboxPolicyIsDefaulted property is set to True for Paul’s mailbox.
[PS] C:\>Get-CASMailbox paul.cunningham | Select Name,ActiveSyncMailboxPolicy* Name : Paul Cunningham ActiveSyncMailboxPolicy : Default ActiveSyncMailboxPolicyIsDefaulted : True
This means that if we change the default mobile device mailbox policy to a different policy, that change will also take effect for Paul Cunningham.
In comparison, we can see that Alan Reid is configured for a different mobile device policy. When that change was made the ActiveSyncMailboxPolicyIsDefaulted property of his mailbox was automatically set by Exchange to False.
[PS] C:\>Get-CASMailbox alan.reid | Select Name,ActiveSyncMailboxPolicy* Name : Alan.Reid ActiveSyncMailboxPolicy : International Users Mobile Device Policy ActiveSyncMailboxPolicyIsDefaulted : False
This means that if we change the default mobile device mailbox policy to a different policy, that change will not take effect for Alan Reid, and he will remain on the same policy.
Let’s say that Alan was assigned the “International Users Mobile Device Policy” for an overseas trip. He has returned from overseas and you want to reassign the “Default” policy to his mailbox.
[PS] C:\>Set-CASMailbox alan.reid -ActiveSyncMailboxPolicy "Default" [PS] C:\>Get-CASMailbox alan.reid | Select Name,ActiveSyncMailboxPolicy* Name : Alan.Reid ActiveSyncMailboxPolicy : Default ActiveSyncMailboxPolicyIsDefaulted : False
Alan is now assigned to the “Default” policy again, but the ActiveSyncMailboxPolicyIsEnabled property is still set to False.
This means that Alan Reid will remain configured with the policy named “Default” even if the default is changed to a different policy.
So before you change the default mobile device mailbox policy you just need to be aware that all mailboxes where the ActiveSyncMailboxPolicyIsDefaulted is set to True will be re-assigned to the new default policy, and those set to False will not.
To see a list of mailboxes that will not be re-assigned when the default mailbox policy changes you can run the following commands to find the name of the default policy, then filter the results of Get-CASMailbox for those that are assigned that policy but have ActiveSyncMailboxPolicyIsDefaulted set to False.
Exchange 2010:
[PS] C:\>$default = (Get-ActiveSyncMailboxPolicy | Where {$_.IsDefaultPolicy}).Name
[PS] C:\>Get-CASMailbox -ResultSize Unlimited | Where {$_.ActiveSyncMailboxPolicy -eq $default -and $_.ActiveSyncMailboxPolicyIsDefaulted -eq $false}
Exchange 2013:
[PS] C:\>$default = (Get-MobileDeviceMailboxPolicy | Where IsDefault).Name
[PS] C:\>Get-CASMailbox -ResultSize Unlimited | Where {$_.ActiveSyncMailboxPolicy -eq $default -and $_.ActiveSyncMailboxPolicyIsDefaulted -eq $false}
In my example I discover the Alan Reid fits that criteria, and I want to reconfigure his mailbox so that it is included when the default mailbox policy is changed.
Strangely there is no parameter for modifying the ActiveSyncMailboxPolicyIsDefaulted property with Set-CASMailbox. However, if we “null” the ActiveSyncMailboxPolicy property it will have the same effect.
[PS] C:\>Set-CASMailbox Alan.Reid -ActiveSyncMailboxPolicy $null [PS] C:\>Get-CASMailbox Alan.Reid | Select Name,ActiveSyncMailboxPolicy* Name : Alan.Reid ActiveSyncMailboxPolicy : Default ActiveSyncMailboxPolicyIsDefaulted : True
Finally, when you are ready to change the default mobile device mailbox policy to a different policy that suits your business needs, you can use the Set-ActiveSyncMailboxPolicy cmdlet in Exchange 2010, or the Set-MobileDeviceMailboxPolicy cmdlet in Exchange 2013.
Exchange 2010:
[PS] C:\>Set-ActiveSyncMailboxPolicy "High Security Mobile Device Policy" -IsDefaultPolicy $true
Exchange 2013:
[PS] C:\>Set-MobileDeviceMailboxPolicy "High Security Mobile Device Policy" -IsDefault $true
Comments for this blog post are now closed; please contact team@practical365.com for any additional questions and comments, thank you.
I’d like to share how I understand about the ActiveSyncMailboxPolicyIsDefaulted property.
1/ The ActiveSyncMailboxPolicy property of a user’s mailbox indicates what mobile device mailbox policy is assigned to them, regardless the ActiveSyncMailboxPolicyIsDefaulted property.
2/ The ActiveSyncMailboxPolicyIsDefaulted property (true|false) determines whether a mailbox’s mobile device policy is subject to change to a policy which is set as default.
-If it’s True, a mailbox’s mobile device policy will be set or changed to the policy which is set to be the default.
-If it’s False, there are 2 scenarios
a) if a mailbox already has a mobile device policy (i.e. ActiveSyncMailboxPolicy property is not $null), the mailbox’s mobile device policy won’t change. It means that no matter what a policy is set as default, the mailbox’s current mobile device policy won’t change. The ActiveSyncMailboxPolicyIsDefaulted property won’t change and remains False.
b) if a mailbox currently doesn’t have a policy assigned to it (i.e. ActiveSyncMailboxPolicy property is $null), then the mailbox’s mobile device policy will be set to the one which is set as default (by running the cmdlet “set-mobileDeviceMailboxPolicy -Identity any_policy -IsDefault $true”) AND the ActiveSyncMailboxPolicyIsDefaulted property will be automatically changed to True.
In order to change the IsDefaulted property, simply assign the same policy again to the user.
Set-CASMailbox -ActiveSyncMailboxPolicy “current default policy”
I have the other way around requirement, I need to set a bulk of users to NOT have ActiveSyncMailboxPolicyIsDefaulted; from True to False.
When setting up to $Null, it works from False to True but not other way..
Any hint is much appreciated…