Exchange and ActiveSync: Limiting the mailbox to sync with only one device

Just came back from a customer who needed to limit the number of mobile devices to one per mailbox. For this implementation the customer used all kinds of smartphones, so the challenge was also to find the unique Device ID from the smartphone and add it to an Active Directory attribute called msExchMobileAllowedDeviceIDs. I created a PowerShell script which reads a text file and adds the ID to AD. The script also adds a dummy ID for all other mailboxes. It could also be disabled, but the customer was more satisfied with the error from a wrong device than a disable.

Some PowerShell commands to find the DeviceID:

Check existing devices: Get-CASMailbox | select name, ActiveSyncAllowedDeviceIDs

Result:
Name                ActiveSyncAllowedDeviceIDs
----                --------------------------
Kent Agerlund       {8377362998263}
Kåre Rude Andersen  {HTCAndcdjjd667w92xz}
Claus Codam         {Applkjhds876ds}

How to add a new mobile phone

Before a mobile device is allowed to communicate with Exchange, we need to whitelist it. This is done by adding a unique number from the device to the mailbox's allowed device IDs. This number can be read directly from some devices, but on others (typically Android devices) you need to make an initial connection and then copy the unique number to a text file.

1) Start by deleting the dummy ID xyz:
Get-CASMailbox -Identity kra | Set-CASMailbox -ActiveSyncAllowedDeviceIDs:$null

2) Check the current DeviceID setting:
Get-CASMailbox -Identity kra | fl

3) Let the device synchronize once and get the DeviceID:
Get-ActiveSyncDeviceStatistics -Mailbox kra
This returns information like:
DeviceType: iPhone
DeviceID: Appl86228L593KJ
DeviceUserAgent: Apple-iPhone2C1/801.400

4) Create a text file with contents like this:
user1email@coretech.dk IMEI352554033231642
user2email@coretech.dk Appl7R292FBYA4S
user3email@coretech.dk HTCac8773fggb56tt2d213df5b6c6612

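5) Create a PowerShell script which could look like this:
ActiveSyncAllow.ps1
# Set the dummy ID on every mailbox so that no real device matches by default.
# -ResultSize Unlimited avoids stopping at the default limit of 1000 mailboxes.
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncAllowedDeviceIDs:xyz
# Read the "email deviceID" pairs from the text file, skipping blank lines
$assoc = Get-Content C:\script\activesyncallow.txt | Where-Object { $_.Trim() } | ForEach-Object {
    $Fullinfo = @{}
    $Fullinfo.email, $Fullinfo.IMEI = $_.Trim() -split '\s+'
    $Fullinfo
}
# Replace the dummy ID with the real device ID on each listed mailbox
$assoc | ForEach-Object {
    Set-CASMailbox -Identity $_.email -ActiveSyncAllowedDeviceIDs $_.IMEI
}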

6) Run the PowerShell script whenever you need to change allowed devices.
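
Step 1 clears the allow list so the new device can sync once, which leaves that mailbox without a per-mailbox device ID restriction until the script is run again. The audit below is an added example, not part of the original script: it flags such mailboxes and any with more than one allowed ID. The function name Get-AllowListFinding and the sample objects are constructed for illustration.

```powershell
# Added example: classify mailboxes by the state of their ActiveSync allow list.
# 'xyz' is the dummy ID that ActiveSyncAllow.ps1 writes to every mailbox.
# Get-AllowListFinding is a hypothetical helper name, not an Exchange cmdlet.
function Get-AllowListFinding {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Mailbox,
        [string]$DummyId = 'xyz'
    )
    process {
        # The property is multi-valued and may be null or empty.
        $ids  = @($Mailbox.ActiveSyncAllowedDeviceIDs | Where-Object { $_ } |
                  ForEach-Object { "$_".Trim() })
        $real = @($ids | Where-Object { $_ -ne $DummyId })

        if     ($ids.Count -eq 0)  { $state = 'Unrestricted' }  # no per-mailbox device ID restriction
        elseif ($real.Count -eq 0) { $state = 'DummyOnly' }     # only the placeholder is listed
        elseif ($ids.Count -eq 1)  { $state = 'SingleDevice' }  # the intended end state
        else                       { $state = 'MultipleIds' }   # more than one entry in the list

        New-Object PSObject -Property @{
            Name = $Mailbox.Name; State = $state; AllowedIds = ($ids -join ',')
        } | Select-Object Name, State, AllowedIds
    }
}

# Constructed sample objects carrying the two properties the audit reads.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'user1'; ActiveSyncAllowedDeviceIDs = @('Appl7R292FBYA4S') }),
    (New-Object PSObject -Property @{ Name = 'user2'; ActiveSyncAllowedDeviceIDs = @('xyz') }),
    # user3: list cleared in step 1 and never set again
    (New-Object PSObject -Property @{ Name = 'user3'; ActiveSyncAllowedDeviceIDs = @() }),
    (New-Object PSObject -Property @{ Name = 'user4'; ActiveSyncAllowedDeviceIDs = @('IMEI352554033231642', 'HTCac8773fggb56tt2d213df5b6c6612') })
)

# Show only the states that break the one-device-per-mailbox rule (user3 and user4 here).
$sample | Get-AllowListFinding |
    Where-Object { 'Unrestricted', 'MultipleIds' -contains $_.State }

# In the Exchange Management Shell the same check runs against live data:
# Get-CASMailbox -ResultSize Unlimited | Get-AllowListFinding |
#     Where-Object { 'Unrestricted', 'MultipleIds' -contains $_.State }
```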

