Email restriction on mobile devices by OU

Greetings,

Hope this finds you well. How can I restrict (via shell or EAC) a particular group in AD to only receive email on iPads? Everything else should be blocked (OWA, iPhones and all other devices). Any advice/help will be highly appreciated.

Thanks

August 31st, 2015 11:58am

I believe that you would create a mobile device policy that restricts things the way you want them restricted.

https://technet.microsoft.com/en-us/library/bb124315(v=exchg.150).aspx

Then you can apply this policy to all the mailboxes in a particular distribution group using a command like this.

Get-DistributionGroupMember -Identity Group_Name | Set-CasMailbox -ActiveSyncMailboxPolicy "Name of policy you created"

You might want to schedule this command to run in a scheduled task to ensure that new mailboxes are added on a timely basis.

September 1st, 2015 10:14pm

Morning Ed,

Thank you very much for your response. My apologies for not being very specific when wording my query.

Basically, the scenario is: we have a specific OU in AD with users who in some cases have more than one mobile device. What we would like to achieve is to restrict users from this OU to only use iPads to access email (via OWA/ActiveSync). In other words, accessing mail on mobile phones and devices of any type/model should be blocked. We currently have policies already set up in EAC, which allow different types/models of devices throughout the organization to connect to Exchange for email.

My concerns with your kindly suggested solution are:

1) With our current setup, some rules might get overridden/confused if we create a rule to block a device type/model for the OU while organization-wide rules are already in place.

2) How will we create rules for users who have more than one device type/model that we want to block?

What I ended up doing just for the interim, and whilst still researching a more efficient way, I ran the below command (found online) which gave me a listing of all the active devices in the OU:

Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "ou=MyOU,dc=MyDC,dc=local" | ForEach {
    $user = $_.SamAccountName
    Get-MobileDeviceStatistics -Mailbox:$_.Identity |
        Select-Object @{label="User"; expression={$user}}, DeviceType, DeviceFriendlyName, DeviceID, DeviceOS, DeviceModel, LastSuccessSync
}

From here, I went into EAC to manually block unwanted devices in the concerned users' mailbox settings. The problem with this is it's manual, and could get cumbersome if dealing with high volumes of users. It equally does not accommodate future users and the devices they may add to the network.

Thanks

September 2nd, 2015 11:54am

You can change my script to do the same thing for mailboxes in that OU and schedule it to run as a scheduled task.
September 2nd, 2015 3:47pm
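
An added example, not code posted by anyone in this thread: one way to automate the manual per-device blocking described above for every mailbox in the OU, so it can run as the scheduled task suggested in the replies. The OU path is the placeholder from the thread, the `-Apply` switch and parameter names are this example's own, and it assumes iPads report a DeviceType of "iPad" (confirm against the device listing from the earlier command).

```powershell
# Added example; run in the Exchange Management Shell.
# Without -Apply the script only reports what it would block.
param(
    [string]$OU = "ou=MyOU,dc=MyDC,dc=local",   # placeholder OU from the thread
    [string]$AllowedDeviceType = "iPad",        # assumption: value reported by iPads
    [switch]$Apply
)

Get-Mailbox -ResultSize Unlimited -OrganizationalUnit $OU | ForEach-Object {
    $mailbox = $_
    $user    = $mailbox.SamAccountName

    # Device IDs that are already on this mailbox's ActiveSync block list
    $alreadyBlocked = @((Get-CASMailbox -Identity $mailbox.Identity).ActiveSyncBlockedDeviceIDs)

    # Every device partnership that is not the allowed type and not yet blocked
    $toBlock = @(Get-MobileDeviceStatistics -Mailbox $mailbox.Identity |
        Where-Object {
            $_.DeviceType -ne $AllowedDeviceType -and
            $alreadyBlocked -notcontains $_.DeviceID
        })

    if ($toBlock.Count -eq 0) { return }   # nothing to do for this mailbox

    # Report the devices, in the same shape as the listing command in the thread
    $toBlock | Select-Object @{label="User"; expression={$user}},
        DeviceType, DeviceFriendlyName, DeviceID, DeviceModel, LastSuccessSync

    if ($Apply) {
        # Append to the per-mailbox block list; existing entries are kept
        $ids = @($toBlock | ForEach-Object { $_.DeviceID })
        Set-CASMailbox -Identity $mailbox.Identity -ActiveSyncBlockedDeviceIDs @{Add = $ids}
    }
}
```

Because this blocks by device ID, a non-iPad device enrolled after a run can sync until the next run, so the scheduled task interval bounds that window. It changes only the per-mailbox ActiveSync block list and leaves OWA settings and the organization-wide device rules untouched.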

Will do - Thank you!
September 3rd, 2015 9:53am

You're welcome.  Please feel free to mark posts as the answer or helpful as appropriate.
September 12th, 2015 2:53am

This topic is archived. No further replies will be accepted.