Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
Microsoft Exchange Server 2010 enables you to restrict
access to Microsoft Exchange ActiveSync by using the device
ID. This feature prevents users from synchronizing unauthorized
mobile phones with Exchange 2010. You can configure this
restriction on each user's mailbox. By default, if Exchange
ActiveSync is enabled for a user, the user can synchronize the
Exchange mailbox with any mobile phone. To restrict a user to a
specific mobile phone, populate the
ActiveSyncAllowedDeviceIDs parameter from the
The ActiveSyncAllowedDeviceIDs parameter accepts a list of device IDs that are allowed to synchronize with the mailbox. However, devices are not blocked from synchronizing unless this parameter is used together with settings that are defined by the set-ActiveSyncOrganizationSettings –DefaultAccessLevel cmdlet.
|When you use the set-ActiveSyncOrganizationSettings –DefaultAccessLevel cmdlet, devices can still be blocked if they do not comply with a specific ActiveSync policy, regardless of whether the device is allowed by the list that is provided to ActiveSyncAllowedDeviceIDs.|
For more information about the set-ActiveSyncOrganizationSettings –DefaultAccessLevel cmdlet, see Set-ActiveSyncOrganizationSettings
If Exchange ActiveSync isn't enabled for users, users won't be able to synchronize any mobile phone with Exchange. You can enable a specific mobile phone for Exchange ActiveSync, but only by using the Exchange Management Shell.
Looking for other management tasks related to Exchange ActiveSync mobile phones? Check out Managing Exchange ActiveSync Devices.
Exchange ActiveSync is enabled for the user.
Use the Shell to enable a mobile phone for Exchange ActiveSync
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Exchange ActiveSync Device Settings" entry in the Client Access Permissions topic.
This example adds two mobile phones to a list of allowed mobile phones for the user with the alias tonysmit. The mobile phones are added through a property called the DeviceID, which is a unique identifier associated with every mobile phone.
Set-CASMailbox -Identity: "tonysmit" -ActiveSyncAllowedDeviceIDs: "<DeviceID_1>","<DeviceID_2>"
|There is no built-in functionality for retrieving the device ID
before the user synchronizes with the Exchange server. After the
user has synchronized the mobile phone with the Exchange server,
this example will enable you to retrieve the device ID:
For more information about syntax and parameters, see Set-CASMailbox.
For more information about how to manage Windows Mobile phones, visit the Windows Mobile Center Web site.