Managing Mobile Devices Connecting to Your Exchange Server 2007

Recently, I came across many people in forums asking for a way to restrict Windows Mobile or other ActiveSync-supported mobile devices from being used with EAS in an Exchange Server 2007 environment. Several others have already posted many ways to restrict these types of mobile devices. One of the best I came across is by the Microsoft Exchange Team at http://msexchangeteam.com/archive/2008/09/05/449757.aspx, which talks about many other ways to do it more efficiently. However, they do require some additional tools. Exchange Server 2007 does have a built-in command that can be used to restrict the devices you never wanted.

Restrict:

Set-CASMailbox -Identity <Mailbox Alias> -ActiveSyncAllowedDeviceIDs: <DeviceID> 

You can enable multiple devices for the same mailbox by specifying each device ID in quotes ("IVR100W"), separated by commas. Keep in mind that these IDs are stored in the mailbox of the associated mailbox alias.

Manage and Audit:

Get-CASMailbox -Identity <Mailbox alias> |FL 

Your manager may come to you some day and ask for the list of approved devices on your Exchange Server mailboxes. Do not stumble: the above command will give you the device IDs associated with the mailbox you specify in place of <Mailbox Alias>. A drawback of running this command is that it shows everything related to the CAS role that is stamped on the mailbox. According to an article, http://www.exchangeninjas.com/AllowByDeviceID, which was shared with me by one of my co-workers, this audit can be carried out simply by using the cmdlet Get-ActiveSyncDeviceStatistics -Mailbox:<Mailbox Alias> |FL DeviceID, but it failed to show me the details I wanted. A little bit of work with Microsoft Excel and a correct filter like -OrganizationalUnit should be good enough to get the desired reports.

Remove:

Remove-ActiveSyncDevice -Identity <MobileDeviceIDParameter> 

Well, there is nothing much to explain about this. The command is pretty simple and straightforward. IDs collected using the Get-CASMailbox -Identity command can be used as input to this command if you find that some of those IDs aren't in use.
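
The per-OU audit described under Manage and Audit, combined with the check for unused IDs mentioned under Remove, as an added example that is not part of the original post. The OU name, the output path and the status labels are assumed placeholder values, and the syntax is kept PowerShell 1.0 compatible for the Exchange Management Shell.

```powershell
# Added example: per-OU audit of ActiveSync allow lists (Exchange Management Shell).
$ou      = "contoso.local/Staff"     # assumed OU, replace with your own
$outFile = "C:\Temp\EAS-Audit.csv"   # assumed output path

function New-Row($mailbox, $deviceId, $deviceType, $lastSync, $status) {
    # PowerShell 1.0-friendly way to build one report row
    $row = "" | Select-Object Mailbox, DeviceID, DeviceType, LastSuccessSync, Status
    $row.Mailbox = $mailbox; $row.DeviceID = $deviceId; $row.DeviceType = $deviceType
    $row.LastSuccessSync = $lastSync; $row.Status = $status
    $row
}

$report = @()
foreach ($mbx in @(Get-CASMailbox -OrganizationalUnit $ou -ResultSize Unlimited)) {
    # IDs stamped with Set-CASMailbox; an empty list means no restriction is set
    $allowed = @($mbx.ActiveSyncAllowedDeviceIDs | Where-Object { $_ })
    # Devices that currently have a partnership with this mailbox
    $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity | Where-Object { $_ })

    foreach ($dev in $devices) {
        if ($allowed.Count -eq 0)                 { $status = "NoAllowListSet" }
        elseif ($allowed -contains $dev.DeviceID) { $status = "Allowed" }
        else                                      { $status = "NotInAllowList" }
        $report += New-Row $mbx.Name $dev.DeviceID $dev.DeviceType $dev.LastSuccessSync $status
    }

    # Allow-list entries with no matching partnership: IDs that are not in use
    $seen = @($devices | ForEach-Object { $_.DeviceID })
    foreach ($id in $allowed) {
        if ($seen -notcontains $id) {
            $report += New-Row $mbx.Name $id "" "" "NoPartnership"
        }
    }
}

# Full report for Excel, plus an on-screen list of everything that needs a look
$report | Export-Csv -Path $outFile -NoTypeInformation
$report | Where-Object { $_.Status -ne "Allowed" } | Format-Table -AutoSize
```

NoPartnership rows are allow-list IDs that are not in use; NotInAllowList rows are device partnerships whose ID is absent from that mailbox's allow list.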