How to allow only Provisioned Windows Mobile Devices to Connect to your Network

It appears that a new feature in Exchange 2007 finally allows us to permit only provisioned (or authorized) devices to connect to Exchange and reject all other devices.

A new feature, Allow by Device ID, can be used to let only authorized devices onto your network.

This feature allows the IT professional to restrict access by Device ID for a particular user. It prevents a device from being transferred to another user unless that device has been specifically added to the new user's allowed Device ID list.

The Exchange Server feature behaves in the following manner:

  • If a user is disabled for sync in Active Directory they can’t sync with any device
  • If a user is enabled for sync
    • If the deviceID restriction is null, the user can sync with any device
    • If the deviceID restriction is populated using the task, the user can only sync with that device

To configure this feature you use the Exchange Management Shell and run the Set-CASMailbox task. 
See the example below (the parameter name is ActiveSyncAllowedDeviceIDs; it takes a comma-separated list):
Set-CASMailbox -Identity:<user> -ActiveSyncAllowedDeviceIDs:"<deviceID_1>","<deviceID_2>"

Retrieving the Device ID and Provisioning Devices for users

There is currently no built-in functionality for retrieving the Device ID in advance, before the user syncs with Exchange. You will need to use Systems Management Server or another solution to get the Device ID. 

Now the question becomes: how do you get the allowed Device ID? This takes a little work:

  1. Make sure that ActiveSync is disabled for all users in Active Directory.
    Steps on how to do that are here on my blog.
  2. In Active Directory, create a special user; let's call him "GetUserID".
  3. Give "GetUserID" permission to sync with ActiveSync in Active Directory by right-clicking on the user and selecting Exchange Tasks. (Make sure that this user's DeviceID restriction is set to null so he can sync with any device; this is the default setting.)
  4. Obtain a new device and sync it with the "GetUserID" account. At this point Exchange 2007 will log the DeviceID and associate it with the "GetUserID" account.
  5. Run the following command to get the ID:
    Get-ActiveSyncDeviceStatistics -Mailbox:GetUserID | fl DeviceID
    You should get a DeviceID that looks similar to this:
    DeviceID : 7A26EDE7FFD642CEB03EDA96127C8DA1
  6. Now that you have the Device ID, find your target user (the one you want to give Windows Mobile access to); let's call him "MobileUser".
  7. Run the following command:
    Set-CASMailbox -Identity:MobileUser -ActiveSyncAllowedDeviceIDs:"7A26EDE7FFD642CEB03EDA96127C8DA1"
  8. "MobileUser" will now only be able to use the provisioned device.
  9. Cleanup (both can be accomplished from the Device Wipe Console):
    Wipe the newly provisioned device.
    Delete the record of Device ID 7A26EDE7FFD642CEB03EDA96127C8DA1 from GetUserID's account, as you won't need it and it may confuse you in the future.

Automating this process

While this seems like a lot of work, it can be easily automated. 

Step 1.
Create a CSP that automatically configures a device to use the "GetUserID" logon info. I've written an article on using CSPs here.

Step 2.
Put the CSP CAB file in the Autorun directory on an SD card and set up autorun.

Step 3.
Capture the Device ID on the Microsoft Exchange ActiveSync Mobile Administration Web tool

Step 4.
Wipe the device via the Microsoft Exchange ActiveSync Mobile Administration Web tool

Step 5.
Run PowerShell on Exchange and enter the following:
Set-CASMailbox -Identity:<user> -ActiveSyncAllowedDeviceIDs:"<deviceID_1>","<deviceID_2>"

Once this is done, you will only need to carry out Steps 3 to 5 to provision a device, and it can be done in under 5 minutes.
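As an added example, not from the original post, the following Exchange Management Shell script chains steps 5 to 7 and the record cleanup from step 9 of the manual procedure. It assumes the staging account is named "GetUserID" and the target mailbox is passed as a parameter, and it adds two checks a practitioner will want: it refuses to run if more than one device has synced with the staging account, and it merges the new ID into the user's existing allow list rather than overwriting it, because Set-CASMailbox replaces the whole list.

```powershell
# Added example (not from the original post): Exchange 2007 Management Shell
# script that performs steps 5 to 7 and the record cleanup from step 9.
# Assumed names: staging mailbox "GetUserID"; target mailbox passed in.
param(
    [string]$TargetMailbox,
    [string]$StagingMailbox = "GetUserID"
)
if (-not $TargetMailbox) { throw "Usage: .\Provision-Device.ps1 -TargetMailbox <user>" }

# Step 5: read the partnership(s) the staging account has recorded.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $StagingMailbox)

# Check: exactly one device must have synced with the staging account, or we
# cannot be sure which DeviceID belongs to the handset being provisioned.
if ($devices.Count -ne 1) {
    throw "Expected exactly one device on $StagingMailbox, found $($devices.Count); clean up first."
}
$deviceId = $devices[0].DeviceID

# Check: the allow list only has an effect for a user who is enabled for ActiveSync.
$cas = Get-CASMailbox -Identity $TargetMailbox
if (-not $cas.ActiveSyncEnabled) {
    throw "$TargetMailbox is not enabled for ActiveSync; enable it first."
}

# Step 7: Set-CASMailbox replaces the whole allow list, so merge the new ID
# with any IDs already provisioned for this user instead of overwriting them.
$allowed = @()
foreach ($id in $cas.ActiveSyncAllowedDeviceIDs) { if ($id) { $allowed += $id } }
if ($allowed -notcontains $deviceId) { $allowed += $deviceId }
Set-CASMailbox -Identity $TargetMailbox -ActiveSyncAllowedDeviceIDs $allowed

# Step 9 (record cleanup): drop the staging account's partnership so the next
# run starts clean. The device wipe itself is still done from the Mobile
# Administration Web tool, as in the post.
Remove-ActiveSyncDevice -Identity $devices[0].Identity -Confirm:$false

Write-Output "Provisioned $deviceId for $TargetMailbox"
Write-Output ("Allowed device IDs now: " + [string]::Join(", ", [string[]]$allowed))
```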

The solution above can be accomplished by upgrading only your CAS (front-end) servers to Exchange 2007 while leaving your back-end servers on Exchange 2003.