Q: One of the most pressing issues I have to deal with today concerns the proliferation of Exchange push-email smart phones in my company. To be blunt, none of my users will tolerate a PIN or password on their phones. Given that, what are my options? I was wondering if I could enable the Exchange Device Security Settings when a user reports to me that their phone is missing or stolen. Can I at that time enable the settings with a Wipe device after failed (attempts): setting of 1 or 0, then make the other users Exceptions..., thereby making the stolen phone immediately useless? Has anyone tried this idea? Thanks for any response.
A: As far as I can tell, what you want to do isn't possible because the device will have to accept the security policy. Because the wipe command is in effect a security policy, when it's activated, if the device doesn't already have a policy enabled, then it will prompt the user to accept the policy and not wipe until this is done.
When I looked into this further, I found that although the GUI seems to suggest you can enable a password policy without specifying a length (i.e., having a 0 length password), it doesn't actually work. When the device tries to sync, you still get prompted to enter a password, although it can be only one character in length. Personally, I feel you need to take a stand and insist the users have a short pass code!
—Nathan Winters
Consider upgrading to Exchange Server 2007 and using the vastly better range of security policy capabilities that it provides for mobile devices.
—Tony Redmond
Further Reading
See these articles for more information about Exchange 2003's support for Direct Push and mobile-security features: