3.9 Ensure 'Require encryption on device' is set to 'True'

Information

This policy setting specifies whether encryption is required on the mobile device before it is allowed to connect to the Exchange environment.

Rationale:

Unencrypted data on mobile devices can be vulnerable to attacks. Requiring ActiveSync encryption helps to minimize the risk of information being compromised in case a mobile device is lost.

Impact:

Devices that do not support data encryption will be unable to connect to the Exchange server.

Note: This is a mobile device management setting. Use caution when applying these settings as they could have adverse effects depending on the environment, and internal policies around bring your own device (BYOD). These policies could affect a user's personal device.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-MobileDeviceMailboxPolicy 'Profile' -RequireDeviceEncryption $true

OR

Perform the following actions:

Launch the EAC (Exchange Administrative Center).

Go to 'Mobile' on the left and click on the 'Mobile device mailbox policies' tab.

Double-click the policy you wish to modify and go to the 'Security' settings.

Ensure the Require encryption on device box is checked and click Save

Default Value:

False

See Also

https://workbench.cisecurity.org/benchmarks/12442

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-17, 800-53|AC-17(1), 800-53|SC-7, 800-53|SI-4, CSCv7|12.12

Plugin: Windows

Control ID: da071a97af0cbd741054b1e1661ecbaa342a50ad0001dd261fee72aa25680657