Inhibit mobile device access to Exchange

Posted on 2012-09-14
Last Modified: 2012-12-28

We've got a problem with a device connecting to one of our mailboxes.

One of our customers recently lost his mobile phone that was configured to connect to his mailbox on Exchange, now we configured the new phone to access that same box but we want to inhibit access from the old one for security reasons.

We managed to isolate the S/N of the old one and, with the command Remove-ActiveSyncDevice -Identity *identity of the old device*, we successfully removed the old device.
After a couple of minutes, if we execute Get-ActiveSyncDeviceStatistics -mailbox *mailbox*, we discover that it's still syncing.

Is there a way to permanently disallow a device, of which we have the ID, to sync with Exchange?

Question by:r3helpdesk

    Expert Comment

    by:Simon Butler (Sembee)
    If the device has gone walkabout, why not send a wipe command?

    The connection is still established. Running IISRESET will force the device to create a new connection and the new settings will apply.


    Accepted Solution


    I agree with Simon. The first thing you should do when a phone is lost or stolen is wipe it to prevent company data from falling into the wrong hands. If you remove the partnership, like you have, the phone will just automatically re-establish the partnership. If you change the user's password and do an IISRESET, that should prevent the phone from syncing as you force the phone to re-authenticate and now the password in the phone doesn't match. The problem with that is that it can result in the account getting locked out as the phone keeps trying the wrong password.

    If for some reason, you don't want to wipe it, you can set a list of allowed device IDs on the mailbox. This will prevent any devices not on that list from syncing. To do that, get the serial number of the new device and run:

    Set-CasMailbox <email address> -ActiveSyncAllowedDeviceIDs <serial number>


    Author Comment

    Hello jjmck,

    this command looks helpful
    Set-CasMailbox <email address> -ActiveSyncAllowedDeviceIDs <serial number>

    If for any reason I choose to go back to not having an Allowed device ID list, is there a command to undo this action?

    Wouldn't it be easier to just blacklist the lost one instead of allowing all the other devices?
    Is there an ActiveSync "disallowed" listed device list instead?

    Expert Comment

    by:Jamie McKillop
    To go back to not having an allowed list, run:

    Set-CasMailbox <email address> -ActiveSyncAllowedDeviceIDs $null

    There is no blacklist option.


    Author Comment

    Thank you very much,

    We'll test this command and see if it resolves our problem.
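
The sequence the answers above describe (wipe the lost phone, then limit the mailbox to known device IDs), as an added example that is not part of the original thread. It assumes the Exchange Management Shell; the function name Set-MailboxDeviceAllowList, the mailbox address and the device IDs are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Set-MailboxDeviceAllowList is a hypothetical helper name.
function Set-MailboxDeviceAllowList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]   $Mailbox,
        [Parameter(Mandatory = $true)][string]   $LostDeviceId,
        [Parameter(Mandatory = $true)][string[]] $AllowedDeviceId,
        [switch] $WipeLostDevice
    )

    # Guard against re-allowing the device that is being locked out.
    if ($AllowedDeviceId -contains $LostDeviceId) {
        throw "Lost device $LostDeviceId must not be on the allow list."
    }

    # Partnerships Exchange currently holds for this mailbox.
    $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox)
    $lost    = @($devices | Where-Object { $_.DeviceID -eq $LostDeviceId })

    if ($WipeLostDevice -and $lost.Count -eq 0) {
        # Clear-ActiveSyncDevice needs the identity of an existing partnership.
        Write-Warning "No partnership found for $LostDeviceId; wipe not queued."
    }
    elseif ($WipeLostDevice -and $PSCmdlet.ShouldProcess($LostDeviceId, 'Remote wipe')) {
        $lost | ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -Confirm:$false }
    }

    # The parameter replaces the whole list, so pass every device ID that
    # should keep syncing (values as shown in the DeviceID column).
    if ($PSCmdlet.ShouldProcess($Mailbox, "Allow only: $($AllowedDeviceId -join ', ')")) {
        Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $AllowedDeviceId
    }

    # Report each partnership and whether it is on the allow list now in effect.
    $allowed = (Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Select-Object DeviceID, DeviceType, LastSuccessSync,
            @{ n = 'OnAllowList'; e = { $allowed -contains $_.DeviceID } }
}

# Constructed placeholder values; -WhatIf previews the changes without applying them.
Set-MailboxDeviceAllowList -Mailbox 'user@example.com' -LostDeviceId 'OLDDEVICE0001' `
    -AllowedDeviceId 'NEWDEVICE0002' -WipeLostDevice -WhatIf
```

Drop -WhatIf to apply the change; a partnership that still shows a recent LastSuccessSync with OnAllowList False is the one to keep watching after the IISRESET mentioned above.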
