Policy Object Validating Users msExchOmaAdminWirelessEnable Attribute

Hello -

We're running Active Roles 7.2.1 and our Service Desk recently sent a request to have the following values in the Mailbox Features tab be defined consistently:

  • Outlook Mobile Access
  • Exchange ActiveSync
  • Up-to-date Notifications

By consistently, I mean all three settings should be disabled (default) or enabled.  They should not have a mix.

These three settings are reflected in the msExchOmaAdminWirelessEnable attribute as an integer value of 0 (all three enabled) or 7 (all three disabled).

I'm testing a Policy Object that will validate that all three values are the same.

When attempting to validate msExchOmaAdminWirelessEnable is 0 or 7, the policy object allows one of the three settings to be changed and saved successfully.  It does flag the change as a violation when running a Check Policy against the test OU, but does not display an error when making the change.

If I change the Policy Object to check for the following three virtual attributes that are part of msExchOmaAdminWirelessEnable:

  • edsva-MsExch-ProtocolSettings-OMA-Enable
  • edsva-MsExch-ProtocolSettings-ActiveSync-Enable
  • edsva-MsExch-ProtocolSettings-UpToDateNotifications-Enable

It does block the change of one attribute by displaying the error message, but from what I can tell I can only check whether all three are disabled or all three are enabled but not both.

From what I can tell, this Policy Object would work if:

  • I could check for an integer value and display an error if the value for msExchOmaAdminWirelessEnable is not 0 or 7.
  • I could check whether all three values are disabled or all three values are enabled and display an error if they are mixed.

Thank you in advance for any suggestions.

  • You may have to resort to a bit of scripting here. Check the SDK for examples of onCheckPropertyValue. This function will allow code to be executed that can check the values of attributes when the Next, Save or Finish buttons are clicked. If a violation is discovered by the logic in the script, an error can be returned to the user and the change prevented from occurring. Once the code is written you will have a Provisioning Policy apply the script to the OU's where the users exist where you want the validation to be performed.