Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…


Exchange 2007 ActiveSync screen lock issue with iPhone

A while ago I updated an Exchange Server 2007 with the latest service pack for a client. The SP automatically added a new Exchange ActiveSync Mailbox Policy that required the connected devices to be password protected when the screen went dark. It's a good idea for many security reasons, but the users didn't like it at all, and the customer is always right. I changed the default policy so a password wasn't required anymore and all was good... for a while.

Then the iPhone users started complaining that their auto-lock settings were restricted: they could select 1 to 5 minutes, but the alternative "Never" was gone. This setting, when a password isn't configured, just turns the screen black after a few minutes of inactivity. Again I thought that would be a good thing for many reasons. The iPhone uses enough battery as is. As always, if you can't have it you need it, want it and must have it. So I reviewed the settings again. There was a setting called "Time without user input before password must be re-entered (in minutes)" that was set to 15 minutes, but it was grayed out. After testing a lot of things I finally executed a PowerShell command to solve the issue. Then I noticed that the grayed-out option had changed to 0 minutes. So I tested just checking the "Require password" check box, bringing all the grayed-out options back, setting the timeout to 5 minutes, unchecking the "Require password" option (again graying out the setting I had just changed), then applying. Then the "Never" option disappeared from the iPhone again. So MS did it again and messed up the GUI; a grayed-out option shouldn't affect anything.
Thank god for PowerShell so you can get down with the software properly!

Hope the pictures give you a clear picture of what I mean. If you have any questions hit me with a comment and I will try to answer your questions.

Posted by Kristofer Källsbo
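
To see what a policy actually stores when the console grays the field out, the values can be read back in the Exchange Management Shell. This is an added example, not the command from the original post; it assumes the grayed-out timeout corresponds to the `MaxInactivityTimeDeviceLock` property of the policy and that `Unlimited` is its "no timeout" value.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2007 server.
# Lists every ActiveSync mailbox policy with the lock timeout it really stores,
# and flags policies where "Require password" is off but a timeout is still set
# (the state the console hides by graying out the field).
$policies = Get-ActiveSyncMailboxPolicy |
    Select-Object Name, Identity, DevicePasswordEnabled,
        @{Name = 'LockTimeout'; Expression = {
            # Stringify so both a timespan and "Unlimited" print the same way.
            "$($_.MaxInactivityTimeDeviceLock)" }},
        @{Name = 'HiddenTimeout'; Expression = {
            (-not $_.DevicePasswordEnabled) -and
            ("$($_.MaxInactivityTimeDeviceLock)" -ne 'Unlimited') }}

$policies | Format-Table Name, DevicePasswordEnabled, LockTimeout, HiddenTimeout -AutoSize

# Policies whose stored timeout no longer matches what the GUI suggests.
$stale = $policies | Where-Object { $_.HiddenTimeout }

foreach ($p in $stale) {
    # -WhatIf only previews the change; remove it to actually clear the timeout.
    Set-ActiveSyncMailboxPolicy -Identity $p.Identity `
        -MaxInactivityTimeDeviceLock Unlimited -WhatIf
}
```

Running the report again after any change in the console shows whether the stored value and the displayed value agree.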

Comments (3)
  1. What was the PS command that you entered and what did it fix?

  2. I used PS to figure out what the problem was. The problem was that it didn't uncheck all the sub-options, it just disabled the GUI for them. I discovered that they were still in use via PS. But the fix can much more easily be done from the GUI, as explained in the article.

  3. I believe that was the Set-ActiveSyncMailboxPolicy cmdlet, see Configure Device Password Locking for more information.
