Allowing Exchange Activesync by Device ID in Exchange 2007

I've had a number of customers ask if this is possible, and one of my colleagues, Michael Higashi on the Exchange team, wrote this excellent article for our Exchange 2007 customers about how to limit access to the Exchange ActiveSync service to a specific device, denoted by its Device ID.

This feature allows the IT professional to restrict a particular user's ActiveSync access to specific Device IDs. It prevents a device from simply being handed to another user: unless that Device ID has been explicitly added to the new user's allowed-device list, the device cannot sync with the new user's mailbox.

The basic model for how the restriction is applied is:

- If a user is disabled for sync, they can't sync with any device.

- If a user is enabled for sync:

  - If the Device ID restriction is null, the user can sync with any device.

  - If the Device ID restriction is populated using the task, the user can only sync with the listed device(s).

To configure this feature, use the Exchange Management Shell and run the Set-CASMailbox task. See the example below (the parameter name is ActiveSyncAllowedDeviceIDs; it accepts a comma-separated list of Device IDs):

Set-CASMailbox -Identity:<user> -ActiveSyncAllowedDeviceIDs:"<deviceID_1>","<deviceID_2>"

Retrieving the Device ID

There is currently no built-in functionality for retrieving the Device ID in advance, before the user first syncs with Exchange. You will need to use Systems Management Server (SMS) or another inventory solution to collect the Device ID ahead of time. For testing purposes, once a device has synced at least once, you can quickly retrieve its Device ID by running this command:

Get-ActiveSyncDeviceStatistics -Mailbox:<username> | fl DeviceID
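Putting the two steps together, here is an added Exchange Management Shell example (my own, not part of Michael's article) that lists the device partnerships a mailbox already has, applies an approved Device ID list, and then reads the setting back so you can confirm what was stored. The mailbox alias "jsmith" and the Device ID "ABC123SAMPLEDEVICE" are constructed placeholders; Set-ApprovedActiveSyncDevices is a helper function I introduce here and not a built-in cmdlet. It assumes an Exchange 2007 Management Shell session with the Exchange Organization Administrator or Recipient Administrator rights needed to run Set-CASMailbox.

```powershell
# Added example, not from the original post. Assumes an Exchange 2007
# Management Shell session. Mailbox alias and Device IDs are placeholders.

function Set-ApprovedActiveSyncDevices {
    param(
        [string]   $Mailbox,            # mailbox alias, e.g. 'jsmith' (placeholder)
        [string[]] $ApprovedDeviceIDs   # Device IDs this user may sync from
    )

    # 1. Show what has already formed a sync partnership with this mailbox.
    #    Only devices that have synced at least once appear here; IDs collected
    #    by an inventory tool ahead of time will not be in this list yet.
    $seen = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox
    $seen | Format-Table DeviceID, DeviceType, LastSuccessSync -AutoSize

    # 2. Warn about approved IDs that have never synced. This is not an error
    #    (the ID may have come from SMS), but a mistyped ID silently locks the
    #    user out of their real device, so it is worth a second look.
    $seenIds = @($seen | ForEach-Object { $_.DeviceID })
    foreach ($id in $ApprovedDeviceIDs) {
        if ($seenIds -notcontains $id) {
            Write-Warning "Device ID '$id' has not synced with $Mailbox yet; double-check it."
        }
    }

    # 3. Apply the restriction. Keeping -ActiveSyncEnabled $true is explicit:
    #    a disabled user cannot sync from any device, allowed list or not.
    Set-CASMailbox -Identity $Mailbox `
        -ActiveSyncEnabled $true `
        -ActiveSyncAllowedDeviceIDs $ApprovedDeviceIDs

    # 4. Read the setting back and return it, so the change is verified rather
    #    than assumed.
    Get-CASMailbox -Identity $Mailbox |
        Select-Object ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs
}

# Usage (placeholder values):
Set-ApprovedActiveSyncDevices -Mailbox 'jsmith' -ApprovedDeviceIDs @('ABC123SAMPLEDEVICE') |
    Format-List

# To remove the restriction and return the user to "any device", set the list
# back to null:
#   Set-CASMailbox -Identity 'jsmith' -ActiveSyncAllowedDeviceIDs $null
```

Two points worth keeping in mind when you adapt this: the Device ID must match exactly what the device presents (it is the same value shown by Get-ActiveSyncDeviceStatistics), and because the allowed list is per-mailbox, a device that moves to another person needs to be added to that person's list as well, which is exactly the hand-over control the feature is meant to provide.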


Hope you find this useful!!