Exchange ActiveSync Policy Compliance Test

Exchange ActiveSync mailbox policies let you apply a common set of policy or security settings to a user or group of users. With the help of these policies, Exchange administrators can indicate what specific devices – thus users – connecting to ActiveSyc, can do.

EAS policies are applied to users; each user can have zero policies or one EAS policy at any given time. If you don't explicitly assign a policy to a user, the default policy is applied instead. During the initial sync of a new device (that is, one that has not been synchronized to the server before), the device and server exchange what EAS calls a policy key. Think of the policy key as a GUID or MAC address; it's a unique key that indicates one specific policy. If the device and server keys do not match, the device is required to request the most recent policy and then apply it. The process of applying a policy to the device is known as provisioning. On most devices, the user will see a dialog box indicating that the server is applying a policy and asking whether to accept it. If the user declines the policy, the server might or might not allow the device to continue to sync to it; the exact behavior depends on whether the default policy on the server allows non-provisioned devices.

Not every device that connects to ActiveSync will implement every setting defined in a policy; some devices may even lie about the policy settings that they implement. Hence, the onus of determining the number of devices that comply with the policy settings and to what extent is the compliance, lies with the administrator. To determine this, administrators can use the Exchange ActiveSync Policy Compliance test. This test reports the count and percentage of devices connecting to ActiveSync that are fully compliant, partially compliant, and completely non-compliant with their mailbox policies. This way, the test  reveals the degree of compliance to configured policies.

Target of the test : A Microsoft Exchange 2013/2016 server

Agent deploying the test : An internal agent

Outputs of the test : One set of results for each type of compliance – Compliant, Partially compliant, Not compliant, Unknown

Configurable parameters for the test
  1. Test period - Indicates how often this test needs to be executed.
  2. Host - Indicates the IP address of the Exchange server.
  3. port - The port number of the client access server. By default, this is 443. 
  4. xchgextensionshellpath - The Exchange Management Shell is a command-line management interface, built on Windows PowerShell v2, which enables you to administer every part of the Microsoft Exchange Server. This test uses the Exchange management shell to run scripts and collect the desired performance metrics from the Exchange server. To enable the test to load the Exchange management shell snap-in (exshell.psc1) for script execution, you need to specify the full path to the Exchange management shell in the XCHGEXTENSIONSHELLPATH text box. For instance, your specification can be, c:\progra~1\micros~1\exchan~1\v14\bin\exshell.psc1.
  5. Logfile Name – The Client Access Server is an IIS web server that hosts Exchange-related web pages. This is why, like any other IIS web server, the client access server creates a daily log of its activities – including Exchange ActiveSync-related activities - in the C:\inetpub\logs\logfiles\W3SVC1\ directory by default. To report metrics on ActiveSync, this test parses the client access server’s log file, reads the ActiveSync-related errors/warnings/general information messages that were recently logged (i.e., during the last 5 minutes) from the file, and writes them to a ActiveSynchLog.log file it creates in the <eg_agent_install_dir>\agent\logs directory. Then, the test reads the metrics of interest from this log file and reports them to the eG manager. To enable the test to do the above, you need to specify the exact path to the directory that contains the client access server’s logs in the logfilename text box.
Measurements made by the test
Measurement Description Measurement Unit Interpretation

Total hits:

Indicates the number of devices currently accessing ActiveSync that are of this compliance type .

Number

Compare the value of this measure across compliance types to know how compliant the maximum number of devices are - fully compliant? partially compliant? non-compliant? or unknown? (i.e., the compliance level cannot be determined)

Hits ratio:

Indicates the percentage of devices currently accessing ActiveSync that are of this compliance type.

Percent

Compare the value of this measure across compliance types to know the degree of compliance of devices accessing ActiveSync - fully compliant? partially compliant? or non-compliant? or unknown? (i.e., the compliance level cannot be determined)