Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

Microsoft Exchange Server 2010 enables you to restrict access to Microsoft Exchange ActiveSync by using the device ID. This feature prevents users from synchronizing unauthorized mobile phones with Exchange 2010. You can configure this restriction on each user's mailbox. By default, if Exchange ActiveSync is enabled for a user, the user can synchronize the Exchange mailbox with any mobile phone. To restrict a user to a specific mobile phone, populate the ActiveSyncAllowedDeviceIDs parameter of the Set-CASMailbox cmdlet.

The ActiveSyncAllowedDeviceIDs parameter accepts a list of device IDs that are allowed to synchronize with the mailbox. However, devices are not blocked from synchronizing unless this parameter is used together with the setting that is defined by the DefaultAccessLevel parameter of the Set-ActiveSyncOrganizationSettings cmdlet.

Note:
When you use the DefaultAccessLevel parameter of the Set-ActiveSyncOrganizationSettings cmdlet, devices can still be blocked if they do not comply with a specific ActiveSync policy, regardless of whether the device is allowed by the list that is provided to ActiveSyncAllowedDeviceIDs.

For more information about the DefaultAccessLevel parameter of the Set-ActiveSyncOrganizationSettings cmdlet, see Set-ActiveSyncOrganizationSettings.

If Exchange ActiveSync isn't enabled for users, users won't be able to synchronize any mobile phone with Exchange. You can enable a specific mobile phone for Exchange ActiveSync, but only by using the Exchange Management Shell.

Looking for other management tasks related to Exchange ActiveSync mobile phones? Check out Managing Exchange ActiveSync Devices.

Prerequisites

Exchange ActiveSync is enabled for the user.

Use the Shell to enable a mobile phone for Exchange ActiveSync

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Exchange ActiveSync Device Settings" entry in the Client Access Permissions topic.

This example adds two mobile phones to a list of allowed mobile phones for the user with the alias tonysmit. The mobile phones are added through a property called the DeviceID, which is a unique identifier associated with every mobile phone.

Set-CASMailbox -Identity: "tonysmit" -ActiveSyncAllowedDeviceIDs: "<DeviceID_1>","<DeviceID_2>"

Note:
There is no built-in functionality for retrieving the device ID before the user synchronizes with the Exchange server. After the user has synchronized the mobile phone with the Exchange server, this example will enable you to retrieve the device ID:

Get-ActiveSyncDeviceStatistics -Mailbox:"<EmailAlias>" | fl DeviceID
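
The following is an added example, not part of the original topic: it audits which synchronized devices for a mailbox are on the allow list and appends one device ID without replacing the existing entries (passing a plain list to ActiveSyncAllowedDeviceIDs, as in the command above, overwrites the current list). It assumes the Exchange Management Shell on Exchange 2010 SP1 or later for the @{Add=...} multivalued-property syntax; "<DeviceID_3>" is a placeholder.

```powershell
# Added example (not from the original topic). Run in the Exchange Management Shell.
# "tonysmit" is the alias used on this page; "<DeviceID_3>" is a placeholder.
$alias = "tonysmit"
$newId = "<DeviceID_3>"

# 1. Show the organization-wide default access level. Per this topic, the
#    per-mailbox allow list does not block devices on its own; it works
#    together with this setting.
$org = Get-ActiveSyncOrganizationSettings
"Default access level: {0}" -f $org.DefaultAccessLevel

# 2. Read the device IDs currently allowed for the mailbox.
#    @() keeps the result a collection even when the list is empty.
$allowed = @((Get-CASMailbox -Identity $alias).ActiveSyncAllowedDeviceIDs)
"Allowed device IDs: {0}" -f ($allowed -join ", ")

# 3. List every device that has synchronized with the mailbox and mark
#    whether its ID is on the allow list, so unexpected devices stand out.
Get-ActiveSyncDeviceStatistics -Mailbox $alias |
    Select-Object DeviceID, DeviceType, DeviceModel, LastSuccessSync, DeviceAccessState,
        @{Name = "InAllowList"; Expression = { $allowed -contains $_.DeviceID }} |
    Format-Table -AutoSize

# 4. Append one device ID, leaving the existing entries in place.
if ($allowed -notcontains $newId) {
    Set-CASMailbox -Identity $alias -ActiveSyncAllowedDeviceIDs @{Add = $newId}
}

# 5. Confirm the resulting list.
Get-CASMailbox -Identity $alias | Format-List Name, ActiveSyncAllowedDeviceIDs
```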

For more information about syntax and parameters, see Set-CASMailbox.

For more information about how to manage Windows Mobile phones, visit the Windows Mobile Center Web site.