Exchange 2010 – ActiveSyncOrganizationSetting

The Allow/Block/Quarantine list (ABQ for short) was designed to help control the growing number of Exchange ActiveSync-enabled devices that are allowed to connect to Exchange servers. With this feature, organizations can choose which devices (or families of devices) can connect using Exchange ActiveSync (and conversely, which are blocked or quarantined): Set-ActiveSyncOrganizationSettings

Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients "<admin-smtp-address>" -UserMailInsert "Facility Service"


An environment may have the default access level set to Quarantine. This prevents every device from accessing mailboxes through the Exchange ActiveSync service until it is explicitly approved by the administrator.

The device ID needs to be associated with the CAS mailbox; that is the real condition for syncing. This can be done in the Exchange Management Shell with the Set-CASMailbox cmdlet.

How to allow two device IDs for a user? 

Set-CASMailbox -Identity atest -ActiveSyncAllowedDeviceIDs ("Appl8801647U3NP","IMEI351996046976019")

Set-CASMailbox -Identity atest -ActiveSyncAllowedDeviceIDs @{Add="Appl8801647U3NP","IMEI351996046976019"}

How to allow another device ID and also remove an old one?

Set-CASMailbox -Identity atest -ActiveSyncAllowedDeviceIDs @{Remove="Appl8801647U3NP",Add="IMEI35134667777809"}

Remove devices whose last successful sync date is older than 60 days: Remove-ActiveSyncDevices.ps1

Script for marking already synced devices as allowed.

Setting the default access level to Quarantine creates a new restriction: no ActiveSync user will be able to sync a device until we allow it. The PowerShell script Lock-EAS-profiles passes through the already existing ActiveSync users and allows their devices.

Please right-click and use “Save as” to download the ps1 file; otherwise the link shows the source code in the same window.

But be careful: HasActivesyncDevicePartnership doesn’t reflect actually having device partnership?
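
A sketch of the grandfathering step described above, written for this page as an added example; it is not the Lock-EAS-profiles script. It assumes the Exchange Management Shell on Exchange 2010 SP1 or later, the function name Grant-SyncedDevices and its -MaxAgeDays parameter are hypothetical, and the 60-day cutoff is borrowed from the cleanup script mentioned above. It enumerates devices per mailbox instead of trusting HasActiveSyncDevicePartnership and never allows a device ID that is already on the mailbox's blocked list.

```powershell
# Added example, not the Lock-EAS-profiles script. Run in the Exchange Management Shell.
# Grant-SyncedDevices and -MaxAgeDays are hypothetical names chosen for this sketch.
function Grant-SyncedDevices {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$MaxAgeDays = 60   # assumption: same window as the stale-device cleanup
    )

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # Walk every CAS mailbox rather than filtering on HasActiveSyncDevicePartnership,
    # which may not reflect whether a partnership really exists.
    Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)

        # Grandfather only devices that have synced successfully inside the window.
        $recent = @($devices | Where-Object { $_.LastSuccessSync -and $_.LastSuccessSync -ge $cutoff })

        # Skip IDs already allowed, and never override an explicit per-user block.
        $toAdd = @($recent | ForEach-Object { $_.DeviceID } | Sort-Object -Unique |
            Where-Object {
                ($mbx.ActiveSyncAllowedDeviceIDs -notcontains $_) -and
                ($mbx.ActiveSyncBlockedDeviceIDs -notcontains $_)
            })

        if ($toAdd.Count -gt 0) {
            if ($PSCmdlet.ShouldProcess($mbx.Identity, "Allow device IDs: $($toAdd -join ', ')")) {
                Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs @{Add = $toAdd}
            }
            # Emit one record per mailbox so the change set can be reviewed or exported.
            New-Object PSObject -Property @{
                Mailbox   = $mbx.Identity
                DeviceIDs = ($toAdd -join ',')
            }
        }
    }
}

# Dry run first: lists what would be allowed without changing any mailbox.
Grant-SyncedDevices -MaxAgeDays 60 -WhatIf
```

Run it with -WhatIf and review the output before switching DefaultAccessLevel to Quarantine; rerun without -WhatIf to apply the changes.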