Exchange and ActiveSync: Limiting the mailbox to sync with only one device

Just came back from a customer who needed to limit the number of mobile devices to one per mailbox. For this implementation the customer used all kinds of smartphones, so the challenge was also to find the unique Device ID from the smartphone and add it to an Active Directory attribute called msExchMobileAllowedDeviceIDs. I created a PowerShell script which reads a text file and adds the ID to AD. The script also adds a dummy ID for all other mailboxes. It could also be disabled, but the customer was more satisfied with the error from a wrong device than with a disable.

Some PowerShell commands to find the DeviceID:

Check existing devices:
Get-CASMailbox | select name, ActiveSyncAllowedDeviceIDs

Result in:
Name                ActiveSyncAllowedDeviceIDs
----                --------------------------
Kent Agerlund       {8377362998263}
Kåre Rude Andersen  {HTCAndcdjjd667w92xz}
Claus Codam         {Applkjhds876ds}

How to add a new mobile phone

Before the mobile device is allowed to communicate with Exchange we need to whitelist it; this is done by adding a unique number from the device. This number can be read directly from some devices, but on others (typically Android devices) you need to make an initial connection and then copy the unique number to a text file.

1) Start by deleting the dummy xyz:
Get-CASMailbox -Identity kra | Set-CASMailbox -ActiveSyncAllowedDeviceIDs:$null

2) Check the current DeviceID setting:
Get-CASMailbox -Identity kra | fl

3) Let the device synchronize once and get the DeviceID:
Get-ActiveSyncDeviceStatistics -Mailbox kra
This results in information like:
DeviceType: iPhone
DeviceID: Appl86228L593KJ
DeviceUserAgent: Apple-iPhone2C1/801.400

4) Create a text file with contents like this: IMEI352554033231642 Appl7R292FBYA4S HTCac8773fggb56tt2d213df5b6c6612

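5) Create a PowerShell script which could look like this:
# Reset every mailbox to the dummy ID so that no unlisted device can sync
Get-CASMailbox | Set-CASMailbox -ActiveSyncAllowedDeviceIDs:xyz
# Each line is split on whitespace into two fields. The name of the first
# field was lost from this listing; it is assumed here to be the mailbox identity.
$assoc = Get-Content C:\script\activesyncallow.txt | ForEach-Object {
    $Fullinfo = @{}
    $Fullinfo.Identity, $Fullinfo.IMEI = $_.Split()
    New-Object PSObject -Property $Fullinfo
}
# Replace the dummy ID with the real device ID on each listed mailbox
$assoc | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -ActiveSyncAllowedDeviceIDs $_.IMEI
}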

6) Run the PowerShell script whenever you need to change allowed devices.
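
A check that can be run on the text file before step 6, so a bad line is caught before the allowed-device lists are rewritten. This is an added example, not part of the original post; it assumes each line has the form "<mailbox> <DeviceID>", the function name Test-ActiveSyncAllowList is hypothetical, and the sample lines are constructed.

```powershell
# Added example: validate the allow-list file before applying it with Set-CASMailbox.
# Assumed line format: "<mailbox> <DeviceID>", separated by whitespace.
function Test-ActiveSyncAllowList {
    param([string[]]$Lines, [string]$DummyId = 'xyz')

    $entries  = @()
    $problems = @()
    $lineNo   = 0
    foreach ($line in $Lines) {
        $lineNo++
        if ($line.Trim() -eq '') { continue }              # ignore blank lines
        $fields = @($line.Trim() -split '\s+')
        if ($fields.Count -ne 2) {
            $problems += "line ${lineNo}: expected 2 fields, found $($fields.Count)"
            continue
        }
        if ($fields[1] -eq $DummyId) {
            $problems += "line ${lineNo}: '$($fields[0])' is given the dummy ID"
            continue
        }
        $entries += New-Object PSObject -Property @{ Mailbox = $fields[0]; DeviceId = $fields[1] }
    }
    # One device per mailbox: with a mailbox listed twice, only the last ID applied would remain.
    foreach ($g in @($entries | Group-Object Mailbox)) {
        if ($g.Count -gt 1) { $problems += "mailbox '$($g.Name)' is listed $($g.Count) times" }
    }
    # A device ID shared by several mailboxes usually means a copy/paste error in the file.
    foreach ($g in @($entries | Group-Object DeviceId)) {
        if ($g.Count -gt 1) { $problems += "device '$($g.Name)' is assigned to $($g.Count) mailboxes" }
    }
    return ,$problems
}

# Constructed sample input (not real mailboxes or device IDs)
$sample = @(
    'user1 DEVICEAAA111',
    'user2 DEVICEBBB222',
    'user1 DEVICECCC333',   # second device for user1
    'user3 DEVICEBBB222',   # same device as user2
    'user4'                 # device ID missing
)
Test-ActiveSyncAllowList -Lines $sample
```

An empty result means every mailbox in the file maps to exactly one device ID that no other mailbox shares.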

May 17th, 2011 | Powershell

About the Author:

Kåre Rude Andersen
Microsoft Certified Trainer since 1996, MCSE, TS and ITP in Microsoft Windows, SQL (also Microsoft), Exchange (MS) and Microsoft Operations Manager. Senior Consultant and have recently worked as a consultant at CSC, SAS, ISS, Nokia and Scandlines.
