In my previous post, I tested all the ActiveSync policies on iPhone 4.0 and figured out what worked and what didn’t.
I decided to do the same tests on an HTC Desire running Android 2.2 (Software version 2.09.405.8, Kernel version 188.8.131.52-gf9c0527 htc-kernel@and18-2 #1). Keep in mind that I tested this on Exchange 2007 (SP1, 8.2 build 176.2), running through a TMG 2010, behind a Cisco ASA.
- Allow non-provisionable devices – Easily put, if you select this, you don’t care about checking the policies on the phone at all. In short, Exchange will ask the phone if it supports the policies. If the phone is old or doesn’t support ActiveSync policies at all, Exchange will let is sync anyway.
- Refresh interval (hours) – How often the mobile phone checks for updates of the policy. Default seems to be “Unlimited” and the Experts Exchange discussion also creates some confusion. My experience says that whenever you sync it will check if the policy has been updated.
- Require alphanumeric password & Minimum number of complex characters – Partly works! A complex character is any character that is not a letter. If you enable this setting, the Android will tell you “Security policy required. Your Exchange server requires that you enable security policies to continue synchronizing. Would you like to continue?”. If you put the minimum to 1 you need to have at least 1. When you’re asked for a password it will tell you “Password must contain at least one letter“. If you later change this to minimum 2 complex characters, the Android will disregard this. When the user manually change their password is still says “at least one letter” even though you set it to two.
- Enabled password recovery – Doesn’t work. In case the user forgets their passcode, this article explains how password recovery works. However, when I click Display Recovery Password in OWA, I get “No password is available”.
- Require encryption on the device – At least with 2.2, device encryption is not supported. But even though I enable this policy, the Android continue to sync.
- Require encryption on the storage card – See above.
- Allow simple password – Doesn’t work. It still lets you choose a simple password.
- Number of failed attempts allowed – Doesn’t work! Sure, after a few tried you get: “You have incorrectly drawn your unlock pattern X times. Please try again in 30 seconds” but you can continue trying disregard of what the policy says. However, if you manually select Remote Wipe from the OWA, it will reset the device to Factory Reset at next sync. Do note that content on the SD card is not removed when running Remote Wipe.
- Minimum password length – Doesn’t work! It seems like whatever you choose here, the Android tells you the minimum amount of characters is 4.
- Time without user input before password must be re-entered (in minutes) – Works! In Settings -> Display on the Android, the user can select a Screen timeout of what you set the policy to (or less).
- Password expiration (days) – Sorry, haven’t been able to test this yet.
- Enforce password history – Doesn’t work. I can change password to the same back and forth even though I put this value to 1, but I can’t reset the password to the same as the current password.
Sync Settings tab
- Include past calendar items – Works! If you set the policy to only allow past two weeks items the Android will only let the user select this.
- Include past e-mail items – Works! When you set the policy to only allow for example the past 3 days, the Android GUI doesn’t allow you to select to sync older e-mails than what the policy says. If you change this in the future, the Android will force the user to what you set in the policy.
- Limit message size to (KB) – Doesn’t work. If you limit it to 1 kB, it will, by default, not download the whole message (just text, not including attachments) but you then have the possibility to click “download entire message” and it will allow the whole e-mail to be downloaded.
- Allow synchronization when roaming – Sorry, haven’t been able to test this yet.
- Allow HTML formatted e-mail – Works! If you set this policy, you can only select to download the messages as “plain text” and not as HTML and HTML-emails are showed as plain text. Remeber that e-mails previously downloaded will be kept as plain text if you change this policy at a later time.
- Allow attachments to be downloaded to the device – Works! When you set this policy you see there’s an attachment to an e-mail but when you click it, you get “Alert. Network error“.
- Maximum attachment size (KB) – Works. If you receive an e-mail with a attachment with a larger size than allowed you will see the attachment in the e-mail but if you click it, you will get an error: “Alert. Network error“.
- Allow removable storage – Even though I disallow it, you can use the mounted SD card.
- Allow camera – Doesn’t work.
- Allow Wi-Fi – Doesn’t work. Still possible to connect to Wi-Fi networks even though we disable it in the policy.
- Allow infrared – N/A since no infrared device on HTC Desire.
- Allow Internet sharig from the device – Sorry, haven’t been able to test this yet.
- Allow remote desktop from the device – Sorry, haven’t been able to test this yet.
- Allow synchronization from a desktop – I would guess that this is aimed at Microsoft ActiveSync or the Windows Mobile Device Center. Since Android doesn’t use this, I don’t think this policy will have any affect. Anyone tried it?
- Allow Bluetooth – Doesn’t work. Even though I completely try to disable Bluetooth, it’s still possible to enable it.
- Allow browser – Doesn’t work. It still lets you surf the Internet.
- Allow consumer mail – Even though I disabled this, the Gmail account configured continued to work and if you wanted to add a new e-mail account, you could still add mobileMe, Gmail, Yahoo, AOL and Other accounts.
- Allow unsigned applications – Doesn’t work. I suspect this only works on Windows Mobile.
- Allow unsigned installation packages – See above.
- Allowed Applications – See below.
- Blocked Applications – Doesn’t work. I tried adding the names of some apps on the iPhone, but they can still be started.