Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-10-09

Microsoft Exchange Server 2010 lets you restrict access to Exchange ActiveSync by using the device ID. This feature prevents users from synchronizing unauthorized devices with Exchange 2010. You can configure this restriction on each user's mailbox. By default, if Microsoft Exchange ActiveSync is enabled for a user, the user can synchronize their Exchange mailbox with any device. To restrict a user to a specific device, populate the ActiveSyncAllowedDeviceIDs parameter of the Set-CASMailbox cmdlet. To prevent a single device or set of devices from synchronizing, populate the ActiveSyncBlockedDeviceIDs parameter of the Set-CASMailbox cmdlet.

The ActiveSyncBlockedDeviceIDs parameter accepts a list of device IDs that are restricted from synchronizing with the mailbox.

Note:
When you set the default access level by using Set-ActiveSyncOrganizationSettings -DefaultAccessLevel, devices can still be blocked if they do not comply with a specific Exchange ActiveSync policy, regardless of whether the device is allowed by the list that is provided to ActiveSyncAllowedDeviceIDs.

For more information about the -DefaultAccessLevel parameter of the Set-ActiveSyncOrganizationSettings cmdlet, see Set-ActiveSyncOrganizationSettings.

If Exchange ActiveSync isn't enabled for the user, the user won't be able to synchronize any device with Exchange. You can prevent a specific device from synchronizing with Exchange, but only by using the Exchange Management Shell.

Looking for other management tasks related to Exchange ActiveSync? Check out Managing Exchange ActiveSync.

Prerequisites

Exchange ActiveSync is enabled for the user.

Use the Shell to disable a device for Exchange ActiveSync

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Exchange ActiveSync device settings" entry in the Client Access Permissions topic.

This example adds the device ID to the ActiveSyncBlockedDeviceIDs parameter list to prevent the device from synchronizing with Microsoft Exchange.

Set-CASMailbox -Identity "<EmailAlias>" -ActiveSyncBlockedDeviceIDs "<DeviceID_1>","<DeviceID_2>"

Note:
There's no built-in functionality for retrieving the device ID before the user synchronizes with the Exchange server.

This example retrieves the device ID after the user has synchronized the device with the Exchange server.

Get-ActiveSyncDeviceStatistics -Mailbox "<EmailAlias>" | Format-List DeviceID
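
The two commands above combined, as an added example that is not part of the original topic: it lists the device IDs that have synchronized with a mailbox and appends one to the block list by using the @{Add=...} multivalued-property syntax, because passing a plain list to ActiveSyncBlockedDeviceIDs replaces whatever the list already contained. $Alias and $DeviceToBlock are placeholders, and skipping an ID that has never synchronized is a choice made for this example to catch typing errors.

```powershell
# Added example: run in the Exchange Management Shell.
# $Alias and $DeviceToBlock are placeholders; replace them with real values.
$Alias         = '<EmailAlias>'
$DeviceToBlock = '<DeviceID_1>'

# 1. List the devices that have already synchronized with this mailbox.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Alias)
$devices | Format-Table DeviceID, DeviceType, LastSuccessSync -AutoSize
$knownIds = @($devices | ForEach-Object { $_.DeviceID })

# 2. Read the current block list so that existing entries are kept.
$blocked = @((Get-CASMailbox -Identity $Alias).ActiveSyncBlockedDeviceIDs)

if ($knownIds -notcontains $DeviceToBlock) {
    # The ID was never seen on this mailbox; most likely a typing error.
    Write-Warning "Device ID '$DeviceToBlock' has not synchronized with $Alias; nothing changed."
}
elseif ($blocked -contains $DeviceToBlock) {
    Write-Host "Device ID '$DeviceToBlock' is already blocked for $Alias."
}
else {
    # 3. Add one value to the multivalued property instead of replacing the list.
    Set-CASMailbox -Identity $Alias -ActiveSyncBlockedDeviceIDs @{Add = $DeviceToBlock}
}

# 4. Confirm the resulting allow and block lists for the mailbox.
Get-CASMailbox -Identity $Alias |
    Format-List Name, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
```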

For more information about syntax and parameters, see Set-CASMailbox.

For more information about how to manage Windows Mobile phones, visit the Windows Mobile Center Web site.