How to allow only Provisioned Windows Mobile Devices to Connect to your Network

It appears that a new feature in Exchange 2007 finally allows us to only allow provisioned (or Authorized) devices  to connect to exchange and reject all other devices. 

A new feature: Allow by Device ID can be used to only allow authorized devices onto your network.

This feature allows the IT Professional to restrict access by Device ID to a particular user.  This feature would prevent devices to be transferred to another user if that device was not specifically added to that new user's allowable device ID list.

The Exchange Server feature can be setup in the following manner manner:

  • If a user is disabled for sync in Active Directory they can’t sync with any device
  • If a user is enabled for sync
    • If the deviceID restriction is null, the user can sync with any device
    • If the deviceID restriction is populated using the task, the user can only sync with that device

To configure this feature you use the Exchange Management Shell and run the Set-CASMailbox task. 
See example below:
Set-CASMailbox -identity:<user> -ActiveSynAllowedDeviceIDs:"<deviceID_1>", "<deviceID_2>"

Retrieving the Device ID and Provisioning Devices for users

There is currently no built in functionality for retrieving the device ID in advance before the user syncs with Exchange.  You will need to use System Management Server or other solution to get the device ID. 

Now the question becomes how do you get the Allowed Device ID.   This takes a little work:

  1. Make sure that in Activesync is Disabled for All users in Active Directory.
    Steps on how to do that are here on my blog
  2. In Active Directory Create a Special User:  Lets Call him "GetUserID"
  3. Give "GetUserID" permissions to Sync with Activesync in Active Directory by right clicking on the user and selecting Exchange Tasks.  (Make sure that this user's DeviceID restriction is set to null so he can sync with any device - Default setting)
  4. Obtain a new Device and sync it with "GetUserID"s Account.  At this point Exchange 2007 will log the DeviceID and associate it with "GetUserID"s Account.
  5. Run the follow Command to get the ID:
    Get-ActiveSyncDeviceStatistics –mailbox:GetUserID |fl DeviceID
    You should get a DeviceID that looks similar to this:
    Device ID 7A26EDE7FFD642CEB03EDA96127C8DA1
  6. Now you will have the Device ID, find your target User (The one you want to give Windows Mobile Access to), lets call him "MobileUser"
  7. Run the following Command:
    CASMailbox -identity:MobileUser -ActiveSynAllowedDeviceIDs:"7A26EDE7FFD642CEB03EDA96127C8DA1"
  8. "MobileUser" will now only be able to use the provisioned device.
  9. Cleanup: (Both can be accomplished from the Device Wipe Console)
    Wipe the newly provisioned device.
    Delete the record of Device ID 7A26EDE7FFD642CEB03EDA96127C8DA1 from GetUserID's Account as you won't need it and it may confuse you in the future.

Automating this process

While this seems like a lot of work it can be easily automated. 

Step 1.
Create a CSP that automatically configures a device to use the  "GetUserID" logon info.  I've written an article on using CSP's here.

Step 2.
Put the CSP CAB file in the Autorun Directory on an SD card and setup autorun

Step 3.
Capture the Device ID on the Microsoft Exchange ActiveSync Mobile Administration Web tool

Step 4.
Wipe the device via the Microsoft Exchange ActiveSync Mobile Administration Web tool

Step 5.
Run powershell on Exchange and enter the following:
Set-CASMailbox -identity:<user> -ActiveSynAllowedDeviceIDs:"<deviceID_1>", "<deviceID_2>"

Once this is done you will only need to conduct Steps 3 to 5 to provision a device and it can be done in under 5 minutes.

The solution above can be accomplished by only upgrading your CAS (FrontEnd) servers to Exchange 2007 while leaving your Backend Servers on Exchange 2003. 

Comments (5)

  1. Uli Zug says:

    Did you already check if the "Allow by DeviceID" works with a CAS Exchange 2007 and Exchange 2003 Mailbox servers ?

    I would really appreciate any input on that.



  2. Anonymous says:

    Many Organizations aren’t ready to upgrade their entire Enterprise to Exchange 2007 however they do want

  3. TheVik says:

    Yes It will work with Exchange 2003 Mailbox and an Exchange 2007 CAS

  4. says:

    not sure that Device provisionning will work with Exchange 2003 mailboxes ; on my test plateforme my E2K7 CAS server claims it’s a read only mailboxes

    adding manually msExchMobileAllowedDeviceIDs attribut on an existing E2K3 mailbox do not change anything

    e2k3 users continue to synchronize through the CAS

    has anyone already tried this ?

  5. Mika@finland says:

    Something is wrong: <<If the deviceID restriction is populated using the task, the user can only sync with that device>>

    This information seems to be not correct.

    Example: user has mobile device allowed by deviceID and he sets up MAC client Mail 4.3 which uses activesync. MACs client works fine with SOAP and UQExchange.

    Is there something wrong in our exch environment or does exchange 2007 let Mail 4.3 pass because it does not send any kind of deviceID.

    Has anyone noticed same kind of behavior?

Skip to main content