
Disable Exchange ActiveSync feature by default

We receive many questions about how to disable the Exchange ActiveSync feature by default, so that when an email account is created, ActiveSync is already disabled for that account. Since this is not configurable either through Exchange server settings or by any script, I will share with you the best practice to work around this issue.

We will configure the following:
 
  1. On the Exchange server, configure a policy named DisableMobileAccess that allows a maximum of zero mobile devices per user to connect through ActiveSync or through OWA for Devices, and apply it at the organization level. Thus, when we create a user with a mailbox, even if ActiveSync is enabled for it by default, the user will not be able to connect via ActiveSync, since the allowed number of devices for him is zero by default. (He will not be able to connect through the OWA for Devices feature either.)
     
  2. On the Exchange server, configure a policy named EnableMobileAccess that allows a specified maximum number of mobile devices per user to connect through ActiveSync, and apply it at the user level. For each user we want to grant ActiveSync access, we will add his account to that policy. In my example the specified number is 50, which is the default number in the default policy settings on Exchange Server 2013.

To create the DisableMobileAccess policy, log on to your Exchange Server 2013, open the Exchange Management Shell with administrator privileges, and run the cmdlet below:
 
New-ThrottlingPolicy -Name DisableMobileAccess -EasMaxDevices 0 -ThrottlingPolicyScope Organization


To create the EnableMobileAccess policy, log on to your Exchange Server 2013, open the Exchange Management Shell with administrator privileges, and run the cmdlet below:
 
New-ThrottlingPolicy -Name EnableMobileAccess -EasMaxDevices 50 -ThrottlingPolicyScope Regular


After creating those policies, the DisableMobileAccess policy will be applied to each user in your organization, and whenever you want to allow a user to access his email through ActiveSync you must add his account to the EnableMobileAccess policy by running the below cmdlet:
 
Set-ThrottlingPolicyAssociation -Identity UserAccount -ThrottlingPolicy EnableMobileAccess


Note: the above takes effect immediately for newly created email accounts. To apply it to existing email accounts you must run the following script first; this script deletes the mobile devices for all users, so that when a user tries to sync, the new policies are applied to him.
 
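# Read the account names exported by the Get-ADUser script below (CSV column: samaccountname)
$UserList = Import-Csv "C:\Users.csv"
# Remove every mobile device partnership for each listed mailbox, without prompting
$UserList | % { Get-MobileDeviceStatistics -Mailbox $_.samaccountname | Remove-MobileDevice -Confirm:$false }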


The Users.csv file contains the account names of all users; it is exported by running the script below:
 
Get-ADUser -Filter * -Properties * | select -Property samaccountname | Export-Csv "C:\Users.csv" -NoTypeInformation
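
To check the result of this procedure, a read-only audit can list which mailboxes are associated with EnableMobileAccess and which mailboxes still hold device partnerships without being on that policy. This is an added example, not part of the original article; the variable names and report columns are illustrative, and it assumes the ThrottlingPolicyId value returned by Get-ThrottlingPolicyAssociation is empty when no explicit association exists and otherwise renders as text containing the policy name.

```powershell
# Added example: read-only audit for the Exchange Management Shell.
# It reports only; it does not change policies or remove devices.
$AllowPolicy = 'EnableMobileAccess'   # policy name used in the article

$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx   = $_
    $assoc = Get-ThrottlingPolicyAssociation -Identity $mbx.Identity

    # Assumption: empty when the mailbox only inherits the organization policy,
    # otherwise text (name or DN) that contains the associated policy's name.
    $policyText = "$($assoc.ThrottlingPolicyId)"
    $allowed    = $policyText -match [regex]::Escape($AllowPolicy)

    # Existing device partnerships for this mailbox (may be none)
    $devices = @(Get-MobileDevice -Mailbox $mbx.Identity)

    [pscustomobject]@{
        Mailbox     = $mbx.PrimarySmtpAddress
        Policy      = if ($policyText) { $policyText } else { '(organization default)' }
        Allowed     = $allowed
        DeviceCount = $devices.Count
        Devices     = ($devices | ForEach-Object { $_.FriendlyName }) -join '; '
    }
}

# 1. Mailboxes that have been granted mobile access
$report | Where-Object { $_.Allowed } |
    Sort-Object Mailbox |
    Format-Table Mailbox, Policy, DeviceCount -AutoSize

# 2. Mailboxes not on the allow policy that still have device partnerships.
#    These are the candidates for the device-removal script above.
$report | Where-Object { -not $_.Allowed -and $_.DeviceCount -gt 0 } |
    Sort-Object Mailbox |
    Format-Table Mailbox, DeviceCount, Devices -AutoSize
```

Running the second query before the device-removal script shows exactly which partnerships would be affected, and running it again afterwards confirms none remain.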


Thank You.

Author Comment

by:Marwan Osman
Great, thank you