How to allow only Provisioned Windows Mobile Devices to Connect to your Network

That's a very cool feature!!

I really need to get an Exchange 2007 box up and running now...

It appears that a new feature in Exchange 2007 finally allows us to admit only provisioned (or authorized) devices to Exchange and reject all other devices.

A new feature: Allow by Device ID can be used to only allow authorized devices onto your network.

This feature allows the IT professional to restrict access by Device ID on a per-user basis.  It prevents a device from being handed to another user unless that device is specifically added to the new user's allowed Device ID list.

The Exchange Server feature can be set up in the following manner:

  • If a user is disabled for sync in Active Directory they can’t sync with any device
  • If a user is enabled for sync
    • If the deviceID restriction is null, the user can sync with any device
    • If the deviceID restriction is populated using the task, the user can only sync with that device

To configure this feature you use the Exchange Management Shell and run the Set-CASMailbox task. 
See example below (note the parameter is ActiveSyncAllowedDeviceIDs):
    Set-CASMailbox -Identity:<user> -ActiveSyncAllowedDeviceIDs:"<deviceID_1>","<deviceID_2>"

Retrieving the Device ID and Provisioning Devices for users

There is currently no built in functionality for retrieving the device ID in advance before the user syncs with Exchange.  You will need to use System Management Server or other solution to get the device ID. 

Now the question becomes how do you get the Allowed Device ID.   This takes a little work:

  1. Make sure that ActiveSync is disabled for all users in Active Directory.
    Steps on how to do that are here on my blog
  2. In Active Directory create a special user:  let's call him "GetUserID"
  3. Give "GetUserID" permission to sync with ActiveSync in Active Directory by right-clicking on the user and selecting Exchange Tasks.  (Make sure that this user's DeviceID restriction is set to null so he can sync with any device - the default setting)
  4. Obtain a new device and sync it with "GetUserID"'s account.  At this point Exchange 2007 will log the DeviceID and associate it with "GetUserID"'s account.
  5. Run the following command to get the ID:
    Get-ActiveSyncDeviceStatistics -Mailbox:GetUserID | fl DeviceID
    You should get a DeviceID that looks similar to this:
    Device ID 7A26EDE7FFD642CEB03EDA96127C8DA1
  6. Now that you have the Device ID, find your target user (the one you want to give Windows Mobile access to); let's call him "MobileUser"
  7. Run the following command:
    Set-CASMailbox -Identity:MobileUser -ActiveSyncAllowedDeviceIDs:"7A26EDE7FFD642CEB03EDA96127C8DA1"
  8. "MobileUser" will now only be able to use the provisioned device.
  9. Cleanup: (Both can be accomplished from the Device Wipe Console)
    Wipe the newly provisioned device.
    Delete the record of Device ID 7A26EDE7FFD642CEB03EDA96127C8DA1 from GetUserID's Account as you won't need it and it may confuse you in the future.
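Added here as an example, not code from the original post: the two Exchange Management Shell functions below (the names Add-AllowedSyncDevice and Get-UnrestrictedSyncMailbox are my own) wrap steps 4 through 7 and add an audit of which sync-enabled mailboxes still have an empty allowed list; they use the Exchange 2007 cmdlets named above and assume the staging account is called GetUserID.

```powershell
# Example added to this post; not part of the original procedure.
# Requires the Exchange 2007 Management Shell (Get-CASMailbox, Set-CASMailbox,
# Get-ActiveSyncDeviceStatistics). Function names are my own.

# Copy the DeviceID(s) Exchange logged for the staging mailbox ("GetUserID")
# onto the target user's allowed list. The current list is read first and
# merged, because -ActiveSyncAllowedDeviceIDs replaces the whole list rather
# than appending to it.
function Add-AllowedSyncDevice {
    param([string]$StagingMailbox = "GetUserID", [string]$TargetMailbox)
    if (-not $TargetMailbox) { throw "TargetMailbox is required" }

    $newIds = Get-ActiveSyncDeviceStatistics -Mailbox $StagingMailbox |
              ForEach-Object { $_.DeviceID }
    if (-not $newIds) { throw "No device has synced with $StagingMailbox yet" }

    $current = (Get-CASMailbox -Identity $TargetMailbox).ActiveSyncAllowedDeviceIDs
    $merged  = @( @($current) + @($newIds) | Where-Object { $_ } | Sort-Object -Unique )

    Set-CASMailbox -Identity $TargetMailbox -ActiveSyncAllowedDeviceIDs $merged
    Write-Host ("{0} may now sync only from: {1}" -f $TargetMailbox, ($merged -join ", "))
}

# Audit: an ActiveSync-enabled mailbox whose allowed list is empty falls into
# the "null restriction" case above and can still sync with any device.
function Get-UnrestrictedSyncMailbox {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncAllowedDeviceIDs } |
        Select-Object Identity, ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs
}

# Steps 6-7:  Add-AllowedSyncDevice -TargetMailbox "MobileUser"
# Audit:      Get-UnrestrictedSyncMailbox
```

Run the audit after provisioning so a mailbox you meant to lock down but left with an empty list does not slip through.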

I'm still checking to see if this can be accomplished by only upgrading your CAS (FrontEnd) servers to Exchange 2007 while leaving your Backend Servers on Exchange 2003.   


[Is that Windows Mobile in your pocket?]
Posted: Wednesday, February 28, 2007 10:25 PM by PMoh
