Merging in latest from upstream (ZP/z-push:refs/heads/develop)

* commit '8a35ab80': ZP-77 Added link to Z-Push wiki page on policies to policies.ini. Use constant instead of hard-coded 'default' string in z-push-admin.php. ZP-77 Remove unnecessary brackets. ZP-77 Only save policyname and policyhash after provisioning has been successful. PolicyName is part of mapping of SyncProvisioning now. Get the policyname from the backend only to determine which policy is configured for the user. ZP-77 Save the policies from file in zpush.php and make them available via a getter. ZP-77 Update GetUserPolicyName() header in zarafa.php and backend.php to match the interface. Change log entry from multiple lines to single one. ZP-852 Show user's policy name in z-push-admin. ZP-77 Do not check for policy changes in Ping. Changed logging in DeviceManager for policy name. Disabled PasswordRecoveryEnabled policy in default section of policies.ini. ZP-77 Missing closing "}". ZP-77 Changed loading of SyncProvisioning object. Added function to Streamer to return variable names of mapping. ZP-77 Fixed typo in allowstoragecard policy name (was allostoragecard). ZP-77 Move default policies to utils. Join the default policies with the loaded policies and build hash on the joined policies. Comment the policies. ZP-77 Use magic setter method for saving policies' hash in device data. Change Exception message to notify that policies changed. ZP-77 Better param description in setPolicies of ASDevice. Added TODO to get the policy name in zarafa backend. ZP-77 Save policies' hash in devicedata. Compare saved policies from devicedate with the current policies in ProvisionRequired call. ZP-77 Added policies.ini containing the default policies. On the Provisioning load policies from the policies.ini. Added check if default policies exist. Extended backend to load custom policies.

Merging in latest from upstream (ZP/z-push:refs/heads/develop)
* commit '8a35ab80': ZP-77 Added link to Z-Push wiki page on policies to policies.ini. Use constant instead of hard-coded 'default' string in z-push-admin.php. ZP-77 Remove unnecessary brackets. ZP-77 Only save policyname and policyhash after provisioning has been successful. PolicyName is part of mapping of SyncProvisioning now. Get the policyname from the backend only to determine which policy is configured for the user. ZP-77 Save the policies from file in zpush.php and make them available via a getter. ZP-77 Update GetUserPolicyName() header in zarafa.php and backend.php to match the interface. Change log entry from multiple lines to single one. ZP-852 Show user's policy name in z-push-admin. ZP-77 Do not check for policy changes in Ping. Changed logging in DeviceManager for policy name. Disabled PasswordRecoveryEnabled policy in default section of policies.ini. ZP-77 Missing closing "}". ZP-77 Changed loading of SyncProvisioning object. Added function to Streamer to return variable names of mapping. ZP-77 Fixed typo in allowstoragecard policy name (was allostoragecard). ZP-77 Move default policies to utils. Join the default policies with the loaded policies and build hash on the joined policies. Comment the policies. ZP-77 Use magic setter method for saving policies' hash in device data. Change Exception message to notify that policies changed. ZP-77 Better param description in setPolicies of ASDevice. Added TODO to get the policy name in zarafa backend. ZP-77 Save policies' hash in devicedata. Compare saved policies from devicedate with the current policies in ProvisionRequired call. ZP-77 Added policies.ini containing the default policies. On the Provisioning load policies from the policies.ini. Added check if default policies exist. Extended backend to load custom policies.
098e2a1a · Sebastian Kummer · 804d9207 · 8a35ab80 · 098e2a1a · 098e2a1a
Commit 098e2a1a authored Mar 30, 2016 by Sebastian Kummer
14 changed files
--- a/src/backend/zarafa/zarafa.php
+++ b/src/backend/zarafa/zarafa.php
@@ -1063,6 +1063,20 @@ class BackendZarafa implements IBackend, ISearchProvider {
        return $r;
    }
+    /**
+     * Returns the policy name for the user.
+     * If the backend returns false, the 'default' policy is used.
+     * If the backend returns any other name than 'default' the policygroup with
+     * that name (defined in the policies.ini file) will be applied for this user.
+     *
+     * @access public
+     * @return string|boolean
+     */
+    public function GetUserPolicyName() {
+        // TODO: get the user's policy from the users' directory
+        return false;
+    }
    /**----------------------------------------------------------------------------------------------------------
     * Implementation of the ISearchProvider interface

--- a/src/config.php
+++ b/src/config.php
@@ -143,6 +143,9 @@
    // true - allow older devices, but enforce policies on devices which support it
    define('LOOSE_PROVISIONING', false);
+    // The file containing the policies' settings.
+    define('PROVISIONING_POLICYFILE', '/etc/z-push/policies.ini');
    // Default conflict preference
    // Some devices allow to set if the server or PIM (mobile)
    // should win in case of a synchronization conflict

--- a/src/lib/core/asdevice.php
+++ b/src/lib/core/asdevice.php
@@ -7,7 +7,7 @@
 *
 * Created   :   11.04.2011
 *
-* Copyright 2007 - 2015 Zarafa Deutschland GmbH
+* Copyright 2007 - 2016 Zarafa Deutschland GmbH
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
@@ -49,6 +49,7 @@ class ASDevice extends StateObject {
    const FOLDERTYPE = 2;
    const FOLDERSUPPORTEDFIELDS = 3;
    const FOLDERSYNCSTATUS = 4;
+    const DEFAULTPOLICYNAME = 'default';
    // expected values for not set member variables
    protected $unsetdata = array(
@@ -61,7 +62,8 @@ class ASDevice extends StateObject {
                                    'wipeactionon' => false,
                                    'lastupdatetime' => 0,
                                    'conversationmode' => false,
-                                    'policies' => array(),
+                                    'policyhash' => false,
+                                    'policyname' > self::DEFAULTPOLICYNAME,
                                    'policykey' => self::UNDEFINED,
                                    'forcesave' => false,
                                    'asversion' => false,

--- a/src/lib/core/devicemanager.php
+++ b/src/lib/core/devicemanager.php
@@ -230,11 +230,12 @@ class DeviceManager {
     *
     * @param string        $policykey
     * @param boolean       $noDebug        (opt) by default, debug message is shown
+     * @param boolean       $checkPolicies  (opt) by default check if the provisioning policies changed
     *
     * @access public
     * @return boolean
     */
-    public function ProvisioningRequired($policykey, $noDebug = false) {
+    public function ProvisioningRequired($policykey, $noDebug = false, $checkPolicies = true) {
        $this->loadDeviceData();
        // check if a remote wipe is required
@@ -245,8 +246,18 @@ class DeviceManager {
        $p = ( ($this->device->GetWipeStatus() != SYNC_PROVISION_RWSTATUS_NA && $policykey != $this->device->GetPolicyKey()) ||
              Request::WasPolicyKeySent() && $this->device->GetPolicyKey() == ASDevice::UNDEFINED );
        if (!$noDebug || $p)
            ZLog::Write(LOGLEVEL_DEBUG, sprintf("DeviceManager->ProvisioningRequired('%s') saved device key '%s': %s", $policykey, $this->device->GetPolicyKey(), Utils::PrintAsString($p)));
+        if ($checkPolicies) {
+            $policyHash = $this->GetProvisioningObject()->GetPolicyHash();
+            if ($this->device->hasPolicyhash() && $this->device->getPolicyhash() != $policyHash) {
+                $p = true;
+                ZLog::Write(LOGLEVEL_INFO, sprintf("DeviceManager->ProvisioningRequired(): saved policy hash '%s' changed '%s'. Provisioning required.", $this->device->getPolicyhash(), $policyHash));
+            }
+        }
        return $p;
    }
@@ -280,9 +291,9 @@ class DeviceManager {
     * @return SyncProvisioning
     */
    public function GetProvisioningObject() {
-        $p = new SyncProvisioning();
+        $policyName = $this->getPolicyName();
-        // TODO load systemwide Policies
+        $p = SyncProvisioning::GetObjectWithPolicies($this->getProvisioningPolicies($policyName));
-        $p->Load($this->device->GetPolicies());
+        $p->PolicyName = $policyName;
        return $p;
    }
@@ -315,6 +326,21 @@ class DeviceManager {
        return true;
    }
+    /**
+     * Saves the policy hash and name in device's state.
+     *
+     * @param SyncProvisioning  $provisioning
+     *
+     * @access public
+     * @return void
+     */
+    public function SavePolicyHashAndName($provisioning) {
+        // save policies' hash and name
+        $this->device->SetPolicyname($provisioning->PolicyName);
+        $this->device->SetPolicyhash($provisioning->GetPolicyHash());
+        ZLog::Write(LOGLEVEL_DEBUG, sprintf("DeviceManager->SavePolicyHashAndName(): Set policy: %s with hash: %s", $this->device->GetPolicyname(), $this->device->GetPolicyhash()));
+    }
    /**----------------------------------------------------------------------------------------------------------
     * LEGACY AS 1.0 and WRAPPER operations
@@ -963,4 +989,37 @@ class DeviceManager {
    private function getLatestFolder() {
        return $this->latestFolder;
    }
+    /**
+     * Loads Provisioning policies from the policies file.
+     *
+     * @param string    $policyName     The name of the policy
+     *
+     * @access private
+     * @return array
+     */
+    private function getProvisioningPolicies($policyName) {
+        $policies = ZPush::GetPolicies();
+        if (!isset($policies[$policyName]) && $policyName != ASDevice::DEFAULTPOLICYNAME) {
+            ZLog::Write(LOGLEVEL_WARN, sprintf("The '%s' policy is configured, but it is not available in the policies' file. Please check %s file. Loading default policy.", $policyName, PROVISIONING_POLICYFILE));
+            return $policies[ASDevice::DEFAULTPOLICYNAME];
+        }
+        ZLog::Write(LOGLEVEL_DEBUG, sprintf("DeviceManager->getProvisioningPolicies(): loaded '%s' policy.", $policyName));
+        return $policies[$policyName];
+    }
+    /**
+     * Gets the policy name set in the backend or in device data.
+     *
+     * @access private
+     * @return string
+     */
+    private function getPolicyName() {
+        $policyName = ZPush::GetBackend()->GetUserPolicyName();
+        $policyName = ((!empty($policyName) && $policyName !== false) ? $policyName : ASDevice::DEFAULTPOLICYNAME);
+        ZLog::Write(LOGLEVEL_DEBUG, sprintf("DeviceManager->getPolicyName(): determined policy name: '%s'", $policyName));
+        return $policyName;
+    }
 }
--- a/src/lib/core/streamer.php
+++ b/src/lib/core/streamer.php
@@ -12,7 +12,7 @@
 *
 * Created   :   01.10.2007
 *
-* Copyright 2007 - 2015 Zarafa Deutschland GmbH
+* Copyright 2007 - 2016 Zarafa Deutschland GmbH
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
@@ -82,7 +82,7 @@ class Streamer implements Serializable {
    /**
-     * Return the streamer mapping for this object 
+     * Return the streamer mapping for this object
     *
     * @access public
     */
@@ -421,6 +421,20 @@ class Streamer implements Serializable {
        return true;
    }
+    /**
+     * Returns SyncObject's streamer variable names.
+     *
+     * @access public
+     * @return multitype:array
+     */
+    public function GetStreamerVars() {
+        $streamerVars = array();
+        foreach ($this->mapping as $v) {
+            $streamerVars[] = $v[self::STREAMER_VAR];
+        }
+        return $streamerVars;
+    }
    /**----------------------------------------------------------------------------------------------------------
     * Private methods for conversion
     */

--- a/src/lib/core/synccollections.php
+++ b/src/lib/core/synccollections.php
@@ -551,9 +551,9 @@ class SyncCollections implements Iterator {
            // Check if provisioning is necessary
            // if a PolicyKey was sent use it. If not, compare with the ReferencePolicyKey
-            if (PROVISIONING === true && $policyKey !== false && ZPush::GetDeviceManager()->ProvisioningRequired($policyKey, true))
+            if (PROVISIONING === true && $policyKey !== false && ZPush::GetDeviceManager()->ProvisioningRequired($policyKey, true, false))
                // the hierarchysync forces provisioning
-                throw new StatusException("SyncCollections->CheckForChanges(): PolicyKey changed. Provisioning required.", self::ERROR_WRONG_HIERARCHY);
+                throw new StatusException("SyncCollections->CheckForChanges(): Policies or PolicyKey changed. Provisioning required.", self::ERROR_WRONG_HIERARCHY);
            // Check if a hierarchy sync is necessary
            if ($this->countHierarchyChange())

--- a/src/lib/core/zpush.php
+++ b/src/lib/core/zpush.php
@@ -6,7 +6,7 @@
 *
 * Created   :   12.04.2011
 *
-* Copyright 2007 - 2015 Zarafa Deutschland GmbH
+* Copyright 2007 - 2016 Zarafa Deutschland GmbH
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
@@ -191,6 +191,7 @@ class ZPush {
    static private $topCollector;
    static private $backend;
    static private $addSyncFolders;
+    static private $policies;
    /**
@@ -285,6 +286,13 @@ class ZPush {
            date_default_timezone_set('Europe/Amsterdam');
        }
+        // check if Provisioning is enabled and the default policies are available
+        if (PROVISIONING) {
+            ZPush::$policies = parse_ini_file(PROVISIONING_POLICYFILE, true);
+            if (!isset(ZPush::$policies['default'])) {
+                throw new FatalMisconfigurationException(sprintf("Your policies' configuration file doesn't contain the required [default] section. Please check the %s file.", constant('PROVISIONING_POLICYFILE')));
+            }
+        }
        return true;
    }
@@ -870,4 +878,13 @@ END;
        return $defcapa;
    }
+    /**
+     * Returns the available provisioning policies.
+     *
+     * @return array
+     */
+    static public function GetPolicies() {
+        // TODO another policy providers might be available, e.g. for sqlstatemachine
+        return ZPush::$policies;
+    }
 }
--- a/src/lib/core/zpushdefs.php
+++ b/src/lib/core/zpushdefs.php
@@ -488,7 +488,8 @@ define("SYNC_PROVISION_UNAPPROVEDINROMAPPLIST", "Provision:UnapprovedInROMApplic
 define("SYNC_PROVISION_APPNAME", "Provision:ApplicationName");
 define("SYNC_PROVISION_APPROVEDAPPLIST", "Provision:ApprovedApplicationList");
 define("SYNC_PROVISION_HASH", "Provision:Hash");
+// only for internal use - never to be streamed to the mobile
+define("SYNC_PROVISION_POLICYNAME", "Provision:PolicyName");
 //Search
 define("SYNC_SEARCH_SEARCH", "Search:Search");

--- a/src/lib/default/backend.php
+++ b/src/lib/default/backend.php
@@ -20,7 +20,7 @@
 *
 * Created   :   01.10.2007
 *
-* Copyright 2007 - 2015 Zarafa Deutschland GmbH
+* Copyright 2007 - 2016 Zarafa Deutschland GmbH
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
@@ -352,4 +352,17 @@ abstract class Backend implements IBackend {
        }
    }
+    /**
+     * Returns the policy name for the user.
+     * If the backend returns false, the 'default' policy is used.
+     * If the backend returns any other name than 'default' the policygroup with
+     * that name (defined in the policies.ini file) will be applied for this user.
+     *
+     * @access public
+     * @return string|boolean
+     */
+    public function GetUserPolicyName() {
+        return false;
+    }
 }
--- a/src/lib/interface/ibackend.php
+++ b/src/lib/interface/ibackend.php
@@ -329,4 +329,15 @@ interface IBackend {
     * @return string
     */
    public function GetFolderStat($store, $folderid);
+    /**
+     * Returns the policy name for the user.
+     * If the backend returns false, the 'default' policy is used.
+     * If the backend returns any other name than 'default' the policygroup with
+     * that name (defined in the policies.ini file) will be applied for this user.
+     *
+     * @access public
+     * @return string|boolean
+     */
+    public function GetUserPolicyName();
 }
--- a/src/lib/request/provisioning.php
+++ b/src/lib/request/provisioning.php
@@ -74,7 +74,7 @@ class Provisioning extends RequestProcessor {
        // - Remote Wipe
        // - DeviceInformation
        // - Policies
-        // Each of them should only be once per request. 
+        // Each of them should only be once per request.
        WBXMLDecoder::ResetInWhile("provisioningMain");
        while(WBXMLDecoder::InWhile("provisioningMain")) {
            $requestName = "";
@@ -88,7 +88,7 @@ class Provisioning extends RequestProcessor {
                $requestName = SYNC_SETTINGS_DEVICEINFORMATION;
            }
-            if (!$requestName) 
+            if (!$requestName)
                break;
                //set is available for OOF, device password and device information
@@ -150,7 +150,7 @@ class Provisioning extends RequestProcessor {
                case SYNC_SETTINGS_DEVICEINFORMATION:
                    // AS14.1 and later clients pass Device Information on the initial Provision request
-                    if (!self::$decoder->getElementStartTag(SYNC_SETTINGS_SET)) 
+                    if (!self::$decoder->getElementStartTag(SYNC_SETTINGS_SET))
                        return false;
                    $deviceInfoSet = true;
                    $deviceinformation = new SyncDeviceInformation();
@@ -236,6 +236,7 @@ class Provisioning extends RequestProcessor {
                            if (!$prov->Check())
                                throw new FatalException("Invalid policies!");
+                            self::$deviceManager->SavePolicyHashAndName($prov);
                            $prov->Encode(self::$encoder);
                        self::$encoder->endTag();
                    }

--- a/src/lib/syncobjects/syncprovisioning.php
+++ b/src/lib/syncobjects/syncprovisioning.php
@@ -10,7 +10,7 @@
 *
 * Created   :   05.09.2011
 *
-* Copyright 2007 - 2013 Zarafa Deutschland GmbH
+* Copyright 2007 - 2016 Zarafa Deutschland GmbH
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
@@ -63,7 +63,7 @@ class SyncProvisioning extends SyncObject {
    public $devpwhistory;
    //AS 12.1 and 14.0 props
-    public $allostoragecard;
+    public $allowstoragecard;
    public $allowcam;
    public $reqdevenc;
    public $allowunsignedapps;
@@ -94,6 +94,9 @@ class SyncProvisioning extends SyncObject {
    public $unapprovedinromapplist;
    public $approvedapplist;
+    // policy name used with the policies; not part of ActiveSync
+    public $PolicyName;
    function SyncProvisioning() {
        $mapping = array (
                    SYNC_PROVISION_DEVPWENABLED                         => array (  self::STREAMER_VAR      => "devpwenabled",
@@ -133,11 +136,15 @@ class SyncProvisioning extends SyncObject {
                    SYNC_PROVISION_DEVPWHISTORY                         => array (  self::STREAMER_VAR      => "devpwhistory",
                                                                                    self::STREAMER_CHECKS   => array(   self::STREAMER_CHECK_CMPHIGHER  => -1 )),
+                    SYNC_PROVISION_POLICYNAME                           => array (  self::STREAMER_VAR      => "PolicyName",
+                                                                                    self::STREAMER_TYPE     => self::STREAMER_TYPE_IGNORE),
                );
        if(Request::GetProtocolVersion() >= 12.1) {
            $mapping += array (
-                    SYNC_PROVISION_ALLOWSTORAGECARD                     => array (  self::STREAMER_VAR      => "allostoragecard",
+                    SYNC_PROVISION_ALLOWSTORAGECARD                     => array (  self::STREAMER_VAR      => "allowstoragecard",
                                                                                    self::STREAMER_CHECKS   => array(   self::STREAMER_CHECK_ONEVALUEOF => array(0,1) )),
                    SYNC_PROVISION_ALLOWCAM                             => array (  self::STREAMER_VAR      => "allowcam",
@@ -235,22 +242,34 @@ class SyncProvisioning extends SyncObject {
        parent::SyncObject($mapping);
    }
+    /**
+     * Loads provisioning policies into a SyncProvisioning object.
+     *
+     * @param array     $policies - array with policies' names and values
+     *
+     * @access public
+     * @return void
+     */
    public function Load($policies = array()) {
-        if (empty($policies)) {
+        $this->LoadDefaultPolicies();
-            $this->LoadDefaultPolicies();
-        }
+        $streamerVars = $this->GetStreamerVars();
-        else foreach ($policies as $p=>$v) {
+        foreach ($policies as $p=>$v) {
-            if (!isset($this->mapping[$p])) {
+            if (!in_array($p, $streamerVars)) {
-                ZLog::Write(LOGLEVEL_INFO, sprintf("Policy '%s' not supported by the device, ignoring", substr($p, strpos($p,':')+1)));
+                ZLog::Write(LOGLEVEL_INFO, sprintf("Policy '%s' not supported by the device, ignoring", $p));
                continue;
            }
-            ZLog::Write(LOGLEVEL_INFO, sprintf("Policy '%s' enforced with: %s", substr($p, strpos($p,':')+1), Utils::PrintAsString($v)));
+            ZLog::Write(LOGLEVEL_WBXML, sprintf("Policy '%s' enforced with: %s (%s)", $p, (is_array($v)) ? Utils::PrintAsString(implode(',', $v)) : Utils::PrintAsString($v), gettype($v)));
+            $this->$p = (is_array($v) && empty($v)) ? array() : $v;
-            $var = $this->mapping[$p][self::STREAMER_VAR];
-            $this->$var = $v;
        }
    }
+    /**
+     * Loads default policies' values into a SyncProvisioning object.
+     *
+     * @access public
+     * @return void
+     */
    public function LoadDefaultPolicies() {
        //AS 12.0, 12.1 and 14.0 props
        $this->devpwenabled = 0;
@@ -268,7 +287,7 @@ class SyncProvisioning extends SyncObject {
        $this->devpwhistory = 0;
        //AS 12.1 and 14.0 props
-        $this->allostoragecard = 1;
+        $this->allowstoragecard = 1;
        $this->allowcam = 1;
        $this->reqdevenc = 0;
        $this->allowunsignedapps = 1;
@@ -299,4 +318,26 @@ class SyncProvisioning extends SyncObject {
        $this->unapprovedinromapplist = array();
        $this->approvedapplist = array();
    }
+    /**
+     * Returns the policy hash.
+     *
+     * @access public
+     * @return string
+     */
+    public function GetPolicyHash() {
+        return md5(serialize($this));
+    }
+    /**
+     * Returns the SyncProvisioning instance.
+     *
+     * @access public
+     * @return SyncProvisioning
+     */
+    public static function GetObjectWithPolicies($policies = array()) {
+        $p = new SyncProvisioning();
+        $p->Load($policies);
+        return $p;
+    }
 }
--- a/src/policies.ini
+++ b/src/policies.ini
+;;;;;;;;;;;;;;;;;;;;;;;;
+; About policies.ini   ;
+;;;;;;;;;;;;;;;;;;;;;;;;
+; Z-Push policies' file holds the configuration to be applied
+; during the provisioning of a mobile device.
+; Check Z-Push wiki page regarding the provisioning policies:
+; https://wiki.z-hub.io/x/eYAa
+; For more information see the ActiveSync documentation at:
+; https://msdn.microsoft.com/en-us/library/dd299443.aspx
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; The default ActiveSync policy. Do not change its name.
+[default]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Policies for ActiveSync version 12.0 and higher
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Specifies if a device requires a password to unlock it.
+; 0 - Password not required.
+; 1 - Password is required.
+devpwenabled = 0
+; Specifies if a device requires an alphanumeric password to unlock it.
+; 0 - Alphanumeric password not required.
+; 1 - Alphanumeric password required.
+alphanumpwreq = 0
+; Deprecated. Specifies if the device encrypts the content of the storage card.
+; 0 - Storage card encryption not enabled.
+; 1 - Storage card encryption enabled.
+devencenabled = 0
+; Specifies if the server supports storing a recovery password which could be
+; sent by the client using the Settings command.
+; This policy is currently not supported by Z-Push.
+; 0 - Password recovery not enabled on the server.
+; 1 - Password recovery enabled on the server.
+; pwrecoveryenabled = 0
+; Deprecated.
+docbrowseenabled =
+; Specifies if email attachments are enabled for download.
+; 0 - Attachments not allowed for download.
+; 1 - Attachments allowed for download.
+attenabled = 1
+; Specifies the minimum client password length to unlock it.
+; The mindevpwlenngth can be empty or have a value between 1 and 16.
+; If the value is empty or 1, there is no minimum length for the device password.
+mindevpwlenngth = 4
+; The maximum number of seconds of inactivity before the device locks itself.
+; If this value is greater than or equal to 9999, the client interprets it as unlimited.
+maxinacttimedevlock = 900
+; The maximum number of failed password attempts to unlock the device.
+; The client SHOULD perform a local wipe or enter a timed lock out mode if the maximum
+; number of failed password attempts is reached.
+; The maxdevpwfailedattempts can be empty or have a value between 4 and 16.
+; If the value is empty, the client interprets this as no maximum number of
+; failed password attempts has been set by the security policy.
+maxdevpwfailedattempts = 8
+; The maximum attachment size in bytes as determined by security policy.
+maxattsize = ''
+; Specifies if the device allows simple passwords. A simple password contains
+; repeated ("0000") or sequential ("xyz") characters only.
+allowsimpledevpw = 1
+; The maximum number of days until a password expires.
+; Empty or 0 devpwexpiration value indicates that the password will not expire.
+devpwexpiration = 0
+; The minimum number of previously used passwords stored to prevent reuse by the device.
+; 0 - Do not store previously used passwords.
+; >0 - Store the minimum number of previously used passwords.
+devpwhistory = 0
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Policies for ActiveSync version 12.1 and higher
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; The device allows to use a storage card.
+; 0 - SD card not allowed.
+; 1 - SD card allowed.
+allowstoragecard = 1
+; The device allows to use the built-in camera.
+; 0 - Usage of the built-in camera not allowed.
+; 1 - Usage of built-in the camera allowed.
+allowcam = 1
+; Specifies if the client uses encryption.
+; 0 - Encryption not required.
+; 1 - Encryption required.
+reqdevenc = 0
+; Specifies if the device allows unsigned applications to execute.
+; 0 - Unsigned applications not allowed to execute.
+; 1 - Unsigned applications allowed to execute.
+allowunsignedapps = 1
+; The required complexity level of the device password.
+; Valid values for mindevcomplexchars are between 1 and 4. The value specifies
+; the number of character groups to be contained in the password.
+; The character groups are:
+; - Lower case alphabetical characters
+; - Upper case alphabetical characters
+; - Numbers
+; - Non-alphanumeric characters
+; For example, if the value of mindevcomplexchars is 2, a password may contain
+; lower case and upper case characters. A password with numbers and non-alphanumeric
+; characters would be also valid.
+mindevcomplexchars = 3
+; The device allows the use of Wi-Fi connections.
+; 0 - The use of Wi-Fi connections not allowed.
+; 1 - The use of Wi-Fi connections allowed.
+allowwifi = 1
+; The device allows the use of SMS or text messaging.
+; 0 - SMS or text messaging not allowed.
+; 1 - SMS or text messaging allowed.
+allowtextmessaging = 1
+; The device allows access to POP or IMAP email.
+; 0 - POP or IMAP email access not allowed.
+; 1 - POP or IMAP email access allowed.
+allowpopimapemail = 1
+; The use of Bluetooth on the device.
+; 0 - Disable Bluetooth.
+; 1 - Disable Bluetooth, but allow the configuration of hands-free profiles.
+; 2 - Allow Bluetooth.
+allowbluetooth = 2
+; The device allows the use of IrDA (infrared) connections.
+; 0 - Disable IrDA.
+; 1 - Allow IrDA.
+allowirda = 1
+; The device requires manual synchronization when the device is roaming.
+; 0 - Do not require manual sync; allow direct push when roaming.
+; 1 - Require manual sync when roaming.
+reqmansyncroam = 0
+; The maximum number of calendar days that can be synchronized.
+; 0 - All days
+; 4 - 2 weeks
+; 5 - 1 month
+; 6 - 3 months
+; 7 - 6 months
+maxcalagefilter = 0
+; Specifies if the client uses HTML-formatted email.
+; 0 - HTML-formatted email not allowed.
+; 1 - HTML-formatted email allowed.
+allowhtmlemail = 1
+; The email age limit for synchronization.
+; 0 - Sync all
+; 1 - 1 day
+; 2 - 3 days
+; 3 - 1 week
+; 4 - 2 weeks
+; 5 - 1 month
+maxemailagefilter = 0
+; The maximum truncation size for plain text–formatted email.
+; -1 - No truncation.
+; 0 - Truncate only the header.
+; >0 - Truncate the email body to the specified size.
+maxemailbodytruncsize = -1
+; The maximum truncation size for HTML-formatted email.
+; -1 - No truncation.
+; 0 - Truncate only the header.
+; >0 - Truncate the email body to the specified size.
+maxemailhtmlbodytruncsize = -1
+; Specifies if the client sends signed S/MIME messages.
+; 0 - Signed S/MIME messages not required.
+; 1 - Signed S/MIME messages required.
+reqsignedsmimemessages = 0
+; Specifies if the client sends encrypted email messages.
+; 0 - Encrypted email messages not required.
+; 1 - Email messages required to be encrypted.
+reqencsmimemessages = 0
+; The algorithm used to sign S/MIME messages.
+; 0 - Use SHA1.
+; 1 - Use MD5.
+reqsignedsmimealgorithm = 0
+; The algorithm used to encrypt S/MIME messages.
+; 0 - TripleDES algorithm
+; 1 - DES algorithm
+; 2 - RC2128bit
+; 3 - RC264bit
+; 4 - RC240bit
+reqencsmimealgorithm = 0
+; Controls negotiation of the encryption algorithm.
+; 0 - Do not negotiate.
+; 1 - Negotiate a strong algorithm.
+; 2 - Negotiate any algorithm.
+allowsmimeencalgneg = 2
+; Specifies if the client can use soft certificates to sign outgoing messages.
+; 0 - Soft certificates are not allowed.
+; 1 - Soft certificates are allowed.
+allowsmimesoftcerts = 1
+; Specifies if the device allows the use of a web browser.
+; 0 - Do not allow the use of a web browser.
+; 1 - Allow the use of a web browser.
+allowbrowser = 1
+; Specifies if the device allows the user to configure a personal email account.
+; 0 - Do not allow the user to configure a personal email account.
+; 1 - Allow the user to configure a personal email account.
+allowconsumeremail = 1
+; Specifies if the device allows the use of Internet Sharing.
+; 0 - Do not allow the use of Internet Sharing.
+; 1 - Allow the use of Internet Sharing.
+allowinternetsharing = 1
\ No newline at end of file
--- a/src/z-push-admin.php
+++ b/src/z-push-admin.php
@@ -860,6 +860,7 @@ class ZPushAdminCLI {
        echo "WipeRequest on:\t\t". ($device->GetWipeRequestedOn() ? strftime("%Y-%m-%d %H:%M", $device->GetWipeRequestedOn()) : "not set")."\n";
        echo "WipeRequest by:\t\t". ($device->GetWipeRequestedBy() ? $device->GetWipeRequestedBy() : "not set")."\n";
        echo "Wiped on:\t\t". ($device->GetWipeActionOn() ? strftime("%Y-%m-%d %H:%M", $device->GetWipeActionOn()) : "not set")."\n";
+        echo "Policy name:\t\t". ($device->GetPolicyName() ? $device->GetPolicyName() : ASDevice::DEFAULTPOLICYNAME)."\n";
        if ($device->GetOLPluginVersion()) {
            echo "Acacia OL Plugin:\n";