Disable Exchange ActiveSync feature by default

We receive many questions about how to disable the Exchange ActiveSync feature by default, so that once an email account is created, ActiveSync is disabled for that account from the start. Since this is not configurable through Exchange server settings or by any script, I will share with you the workaround I consider best practice for this issue.

We will do the below configuration:
 
  1. Configure on the Exchange server a throttling policy named DisableMobileAccess that allows a maximum of zero mobile devices per user to connect through ActiveSync or through OWA for Devices, and apply it at the organization level. When we then create a user with a mailbox, even though ActiveSync is enabled for it by default, the user will not be able to connect via ActiveSync because the number of devices allowed for that user is zero by default! (The user will not be able to connect through the OWA for Devices feature either.)
     
  2. Configure on the Exchange server a throttling policy named EnableMobileAccess that allows a specified maximum number of mobile devices per user to connect through ActiveSync, and apply it at the user level: for each user who should be granted ActiveSync access, we add that user's account to this policy. In my example the specified number is 50, which is the default value in the default throttling policy on Exchange Server 2013.

To create the DisableMobileAccess policy, log on to your Exchange Server 2013, open the Exchange Management Shell with administrator privileges, and run the below cmdlet:
 
New-ThrottlingPolicy -Name DisableMobileAccess -EasMaxDevices 0 -ThrottlingPolicyScope Organization



To create the EnableMobileAccess policy, log on to your Exchange Server 2013, open the Exchange Management Shell with administrator privileges, and run the below cmdlet:
 
New-ThrottlingPolicy -Name EnableMobileAccess -EasMaxDevices 50 -ThrottlingPolicyScope Regular



After creating those policies, the DisableMobileAccess policy applies to every user in your organization. Whenever you want to allow a user to access email through ActiveSync, you must add that user's account to the EnableMobileAccess policy by running the below cmdlet (replace UserAccount with the mailbox identity):
 
Set-ThrottlingPolicyAssociation -Identity UserAccount -ThrottlingPolicy EnableMobileAccess



Note: the above applies immediately to newly created email accounts. To apply it to existing email accounts you must first run the following script; it deletes the mobile device partnerships of all listed users, so when a user next tries to sync, the new policies are applied.
 
# Read the exported account list. Import-Csv is used instead of Get-Content so the
# header row is skipped and the quoting added by Export-Csv is stripped; otherwise
# Get-MobileDeviceStatistics would receive the literal quoted strings.
$UserList = Import-Csv "c:\scripts\users.csv"

# For each account, remove every existing mobile device partnership without prompting.
$UserList | ForEach-Object { Get-MobileDeviceStatistics -Mailbox $_.SamAccountName | Remove-MobileDevice -Confirm:$false }



The users.csv file contains the account names of all users; it is exported by running the below script:
 
# Export only the SamAccountName of every AD user to the path the script above reads.
Get-ADUser -Filter * | Select-Object -Property SamAccountName | Export-Csv "c:\scripts\users.csv" -NoTypeInformation
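The whole scheme above, wrapped in reusable functions as an added example (this is not code from the original article). It assumes an Exchange 2013 Management Shell session and the two policy names used above; it creates the policies only if they are missing, provides grant and revoke helpers, and produces a report of who is currently allowed to use ActiveSync, which is the check an administrator will want to run periodically.

```powershell
# Added example, not part of the original article. Assumes an Exchange 2013
# Management Shell session and the DisableMobileAccess / EnableMobileAccess
# policy names from the article.
$DisablePolicy = 'DisableMobileAccess'
$EnablePolicy  = 'EnableMobileAccess'

function Initialize-MobileAccessPolicies {
    # Create each throttling policy only if it does not exist yet, so the
    # script is safe to re-run.
    if (-not (Get-ThrottlingPolicy -Identity $DisablePolicy -ErrorAction SilentlyContinue)) {
        New-ThrottlingPolicy -Name $DisablePolicy -EasMaxDevices 0 -ThrottlingPolicyScope Organization
    }
    if (-not (Get-ThrottlingPolicy -Identity $EnablePolicy -ErrorAction SilentlyContinue)) {
        New-ThrottlingPolicy -Name $EnablePolicy -EasMaxDevices 50 -ThrottlingPolicyScope Regular
    }
}

function Grant-MobileAccess {
    param([Parameter(Mandatory)][string]$Mailbox)
    # A Regular-scope association overrides the Organization-scope policy.
    Set-ThrottlingPolicyAssociation -Identity $Mailbox -ThrottlingPolicy $EnablePolicy
}

function Revoke-MobileAccess {
    param([Parameter(Mandatory)][string]$Mailbox)
    # Clearing the association returns the mailbox to the Organization policy
    # (EasMaxDevices 0). Existing partnerships are not affected by the limit,
    # so they are removed as well; otherwise an old device keeps syncing.
    Set-ThrottlingPolicyAssociation -Identity $Mailbox -ThrottlingPolicy $null
    Get-MobileDevice -Mailbox $Mailbox | Remove-MobileDevice -Confirm:$false
}

function Get-MobileAccessReport {
    # Lists every mailbox currently associated with the enable policy, for review.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ThrottlingPolicy -and $_.ThrottlingPolicy.Name -eq $EnablePolicy } |
        Select-Object Name, PrimarySmtpAddress, ThrottlingPolicy
}

# Typical use:
# Initialize-MobileAccessPolicies
# Grant-MobileAccess -Mailbox 'jdoe'      # 'jdoe' is a constructed sample identity
# Get-MobileAccessReport
```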



Thank You.

Comments (1)

Author

Commented:
Great, thank you
