Managing your Active Sync Device from Outlook Web Access in Exchange 2007 SP1


In Exchange 2007, Outlook Web Access (OWA) offers a portal for users to manage their Exchange Active Sync (EAS) devices.

How to access that information?

  1. Log on to OWA
  2. Click “Options”
  3. Click “Mobile Device”

Here is what the page looks like:

Note: If ActiveSync is not enabled for the Exchange user, the “Mobile Device” tab won’t be shown. You can run the following PowerShell command to check the status. Here is the result from a test server, for example:

[PS] D:\Documents and Settings\Administrator>Get-CASMailbox -Identity:test | fl ActiveSyncEnabled

ActiveSyncEnabled : True

What can the page do for you?

Note: The following includes the Exchange 2007 and Service Pack 1 (SP1) features:

1) Device status

As shown in the snapshot, the page will list all the Active Sync devices that the Exchange user has ever synced. Each device will be identified with its Type, Last-Sync-Time, and Status, which contains detailed device information, such as First-Sync-Time, User-Agent, etc.

Note: Exchange provides protocol support that lets the device send device-related data (e.g. Friendly Name, OS, Phone number, etc.) up to the server, but not all devices implement that part of the protocol. Therefore, it’s possible that you won’t see all the data shown in the screenshot.

On the server side, the Exchange administrator can use the following PowerShell command to get the same data.

[PS] D:\Documents and Settings\Administrator>Get-ActiveSyncDeviceStatistics -mailbox:test

FirstSyncTime : 5/11/2007 10:07:47 PM
LastPolicyUpdateTime :
LastSyncAttemptTime : 5/11/2007 10:07:56 PM
LastSuccessSync : 5/11/2007 10:07:56 PM
DeviceType : PocketPC
DeviceID : v120Device
DeviceUserAgent : NSync
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
LastPingHeartbeat :
RecoveryPassword : ********
DeviceModel :
DeviceIMEI :
DeviceFriendlyName :
DeviceOS :
DeviceOSLanguage :
DevicePhoneNumber :
Identity : test@contoso.com\AirSync-PocketPC-v120Device

2) Remote Wipe

This is a very handy feature that was only available to Exchange administrators in Exchange 2003. Now an EAS user can wipe his/her device, primarily in case of device loss. Once the link is clicked and confirmed, the wipe command will be issued to the server and the link will change to “Cancel Wipe Request”. (SP1 feature)

As you can infer, there is still a chance for the EAS user to cancel a wipe request if he/she initiated it by accident or subsequently found the device. But the courtesy time is short – once the device initiates a sync to the server and picks up the wipe command, it will be too late to undo the request.

Right before the device clears its data, it sends a last notice to the server. The server then sends the device owner a “Remote Device Wipe Confirmation” email, telling you the device is cleared. (SP1 feature)

Note: After the remote wipe, if you luckily find your lost device and want to re-sync it, you must remove it from the OWA device list (refer to “Remove mobile device” section for more info). Otherwise, it will keep on re-wiping itself. This is a security feature by-design.

The following shows how to wipe a device and how to cancel the wipe with the corresponding PowerShell commands:

[PS] D:\Documents and Settings\Administrator>Clear-ActiveSyncDevice -Identity:test@contoso.com\AirSync-PocketPC-v120Device

Confirm
Are you sure you want to perform this action?
Clearing Mobile Device
“test@contoso.com\AirSync-PocketPC-v120Device”. All the data on the device will be permanently deleted.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is “Y”):y
[PS] D:\Documents and Settings\Administrator>Clear-ActiveSyncDevice -Identity:test@blah-dom.blah.com\AirSync-PocketPC-v120Device -Cancel:$true

3) Remove mobile device partnership

This is the first link above the device table. Basically what it does is to clean up the sync state data of the selected device on the server. It’s useful in several situations:

a. Clean up data: if you switch to a new device, the legacy data of the old device will still hang around occupying your mailbox space. You can find the device and clean it out.

b. Terminate remote wipe: as mentioned above, if you want to re-sync your device after a remote wipe, you have to come here and remove it first.

c. Start from scratch: theoretically this shouldn’t happen, but it might in real life. If you feel your device is not working properly and want to start a fresh sync from scratch, you can remove the device partnership from the server (i.e. here) and from the device, then start fresh.

The corresponding PowerShell command for the admin is as follows:

[PS] D:\Documents and Settings\Administrator>Remove-ActiveSyncDevice -Identity:test@contoso.com\AirSync-PocketPC-v120Device

Confirm
Are you sure you want to perform this action?
Removing mobile device
“test@contoso.com\AirSync-PocketPC-v120Device”. All data about the device will be removed. The device must be re-synchronized.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is “Y”):y
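
The wipe and removal rules from sections 2 and 3 can be applied as a triage pass over device statistics. This is an added example, not part of the original post or of Exchange: the function name Get-DeviceTriage, the 90-day staleness threshold and the sample records are assumptions, and it reads DeviceWipeRequestTime, DeviceWipeSentTime and DeviceWipeAckTime as requested, delivered and acknowledged.

```powershell
# Added example, not from the original post. Get-DeviceTriage and the 90-day
# default are assumptions; property names match the cmdlet output shown above.
function Get-DeviceTriage {
    param([int]$StaleDays = 90, [datetime]$Now = (Get-Date))
    process {
        $d = $_
        if ($null -ne $d.DeviceWipeAckTime) {
            # Device confirmed the wipe; it keeps re-wiping until the partnership is removed.
            $state = 'WipeAcknowledged'; $next = 'Remove-ActiveSyncDevice before re-sync'
        } elseif ($null -ne $d.DeviceWipeSentTime) {
            # Device has picked up the command: the cancel window is closed.
            $state = 'WipeSent'; $next = 'Cannot cancel; await confirmation'
        } elseif ($null -ne $d.DeviceWipeRequestTime) {
            # Requested but not yet delivered: cancel is still possible.
            $state = 'WipePending'; $next = 'Clear-ActiveSyncDevice -Cancel:$true to undo'
        } elseif ($null -eq $d.LastSuccessSync -or
                  $d.LastSuccessSync -lt $Now.AddDays(-$StaleDays)) {
            $state = 'Stale'; $next = 'Review for Remove-ActiveSyncDevice'
        } else {
            $state = 'Active'; $next = ''
        }
        New-Object PSObject -Property @{
            Identity = $d.Identity; State = $state; NextStep = $next
        }
    }
}

# Constructed sample records standing in for Get-ActiveSyncDeviceStatistics output
# (New-Object -Property needs PowerShell 2.0 or later).
$now = [datetime]'2007-06-01'
$sample = @(
    @{ Identity = 'test@contoso.com\AirSync-PocketPC-devA'; LastSuccessSync = [datetime]'2007-05-30' },
    @{ Identity = 'test@contoso.com\AirSync-PocketPC-devB'; LastSuccessSync = [datetime]'2007-01-15' },
    @{ Identity = 'test@contoso.com\AirSync-PocketPC-devC'; LastSuccessSync = [datetime]'2007-05-29'
       DeviceWipeRequestTime = [datetime]'2007-05-31' },
    @{ Identity = 'test@contoso.com\AirSync-PocketPC-devD'; LastSuccessSync = [datetime]'2007-05-20'
       DeviceWipeRequestTime = [datetime]'2007-05-21'; DeviceWipeSentTime = [datetime]'2007-05-22'
       DeviceWipeAckTime = [datetime]'2007-05-22' }
) | ForEach-Object { New-Object PSObject -Property $_ }

$sample | Get-DeviceTriage -Now $now | Format-Table Identity, State, NextStep -AutoSize

# On a Client Access server, feed it real data instead:
#   Get-ActiveSyncDeviceStatistics -Mailbox:test | Get-DeviceTriage
```

With the constructed records, devA is classified Active, devB Stale, devC WipePending and devD WipeAcknowledged.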

4) Pin Recovery

This feature gives the EAS user a chance to unlock the device if he/she forgets the device PIN. Clicking “Display Recovery Password” shows a pop-up dialog with the Recovery Password. Note that the recovery password is NOT the same as the device PIN and, on Windows Mobile (WM) devices for example, is NOT used in the same way. Its usage is somewhat tricky: Menu, then Reset Password, <type in new password>, then <type in Recovery Password>.

There is no related PowerShell command for an Exchange administrator to get this info due to security reasons.

5) Retrieve Log

Starting with Exchange 2007, we provide lightweight server logging that tracks details of the last 15 (configurable) requests/responses and possible errors for problem diagnosis. By default, the logging is off. It can be turned on and tuned easily from web.config:

<add key="MailboxLoggingEnabled" value="true"></add>
<add key="NumOfQueuedMailboxLogEntries" value="15"></add>
<add key="MaxSizeOfMailboxLog" value="8000"></add>

After the Exchange administrator turns on the logging and the device starts syncing, a “Retrieve Log…” link will appear on the OWA device page so the device owner can grab the log. The log is dropped into the Inbox as an attachment to an Action email titled “Log retrieved for device: XXXXXX”. The log can be very useful to Microsoft support personnel in diagnosing EAS issues.

The log can also be retrieved using the PowerShell Get-ActiveSyncDeviceStatistics command by passing GetMailboxLog/LogPath parameters: (SP1 feature)

[PS] D:\Documents and Settings\Administrator>Get-ActiveSyncDeviceStatistics -Identity:test@contoso.com\AirSync-PocketPC-v120Device -GetMailboxLog:$true -OutputPath:"C:\"

FirstSyncTime : 5/11/2007 10:30:16 PM
LastPolicyUpdateTime :
LastSyncAttemptTime : 5/11/2007 10:30:24 PM
LastSuccessSync : 5/11/2007 10:30:25 PM
DeviceType : PocketPC
DeviceID : v120Device
DeviceUserAgent : NSync
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
LastPingHeartbeat :
RecoveryPassword : ********
DeviceModel :
DeviceIMEI :
DeviceFriendlyName :
DeviceOS :
DeviceOSLanguage :
DevicePhoneNumber :
Identity : test@contoso.com\AirSync-PocketPC-v120Device

Exchange ActiveSync Mailbox Log will be stored at: C:\
Exchange ActiveSync Mailbox Log successfully retrieved.

James Chen

Comments (10)
  1. HI - spread the word, trying to find a place to find discussion on this question says:

    What about the idea of going BEYOND OWA….picture this scenario.

    A corporate user is out in the boondocks, with a slow bandwidth connection.  He needs to work on a 15 meg excel document due in  25 minutes, just a few changes.  However, if he was going to log into OWA, he would have to download the attachment, and work on it.  Now how about this–>

    He logs into WO 2008.  Web Outlook 2008.

    Once logging in with domain credentials via https, either a java applet, or some other spiffy HTML coding, shows the full outlook client in a window, not the bone dry OWA that isn't as fully featured as outlook. Joe Blow logs in, and the only data he downloaded were the pixels to represent the screen. Say he sees the attachment, he can right click the attachment, and operate on the excel document in the full excel application, but the application is shown to him as pixels, a virtual work environment. All data changes are maintained on the server, without downloading any of the core document data. Once he is done working on the document in the VE 2008 Environment (Virtual Excel), the attachment in his inbox is saved to a "worked on/saved" subfolder in his inbox, then ready to be sent to target destination, where no uploading is involved because the data is on the same lan segment most likely as the mail server, while joe blow is 4,000 miles away. This could be pricey, but I’m sure there are thousands of enterprises that would love this full functionality, to put a nail in the coffin of Google's web based offerings. FULLY FEATURED, with nothing skimped.

    This would be a godsend for our corporation, it may require slightly more bandwidth than a dialup connection, because in this day and age, if you aren’t on land-line broadband, you’re easily leeching someone's broadband wifi. . .

    What do you all think?

  2. Amit says:

    I don’t get -Cancel Option for canceling the Remote. Any idea why I can’t see it?

  3. None says:

    Does the Send As permissions patch have any negative impact on Active Sync or does it just mess up RIM and Goodlink devices?

  4. James says:

    Amit, the Cancel Wipe is an E2007 SP1 feature (after build 8.1.112).  You can check your CAS server version by going to OWA -> Options -> About -> Microsoft Exchange Client Access server version

  5. Amit says:

    Hey, thanks for the information James, I am using SP1 (build 8.1.85), that is why I am not getting that option. Any help on where I can download the SP1 (build 8.1.112)?

  6. James says:

    Hmm, not sure when the next beta version of SP1 will go public, maybe next month or so.

  7. Hi,

    Is there any way of removing this page from OWA, or locking it out in some way to stop users from getting click happy and wiping their device?

  8. Mike says:

    Justin, yes, there is a way to prevent users from having access to manage their mobile devices from the OWA options pages.

    To do this, you can either use the Exchange Management Console and navigate to the Server Configuration node (on the left pane), select Client Access, then under the OWA section click on the properties for the OWA vdir. Under the "Segmentation" tab select Exchange ActiveSync and click on the "disable" button.

    You’ll need to restart the IIS process to get the new settings updated in OWA.

    Alternatively you can use the Set-OWAVirtualDirectory task to do the same thing.

    Here’s an example:

    Set-OWAVirtualDirectory -Identity "Contoso\owa (default web site)" -ActiveSyncIntegrationEnabled:$False

  9. Thanks :) One less thing for users to call support for :)

  10. Matthias@losgysin.ch says:

    Hi

    What is the way/procedure in a mixed Ex2007/2003 environment to remote wipe the PDAs (using ActiveSync) when we would like to manage the wiping by the Ex2007 CAS cluster?

    Greetings

    Matthias
