In on-premises Exchange and Exchange Online the default mobile device mailbox policy (previously referred to as an ActiveSync mailbox policy) allows non-provisionable devices.
[PS] C:\>Get-MobileDeviceMailboxPolicy | fl name,allownon*
Name : Default
AllowNonProvisionableDevices : True
This default configuration creates the least friction with onboarding mobile device users for Exchange and Exchange Online. However, Microsoft TechNet states:
This setting specifies whether mobile devices that may not support application of all policy settings are allowed to connect to Exchange by using Exchange ActiveSync. Allowing non-provisionable mobile devices has security implications. For example, some non-provisionable devices may not be able to implement an organization’s password requirements.
The recommended practice is to not allow non-provisionable mobile devices in your default mobile device mailbox policy.
If you do have specific devices or applications that you want to allow as exceptions to that rule, create a second mobile device mailbox policy that is not the default policy, and assign that to approved users on a case by case basis.