After configuring the PowerShell on AirWatch server, enable PowerShell integration through MEM on the AirWatch Console to control and manage a remote Exchange instance.

To enable PowerShell integration:

  1. Navigate to Email > Settings in the AirWatch Console and select Configure. The Add Email Configuration wizard form displays.

  2. In the Platform wizard form:

    • Select Direct as the Deployment Model.
    • Select Exchange as the Email Type and Exchange 2010/2013/2016 or Office 365 as the Exchange Version. Select Next.
  3. In the Deployment wizard form:


Setting Description
Friendly name Enter a friendly name for the PowerShell deployment. This name gets displayed on the MEM dashboard screen for devices managed by PowerShell.
PowerShell Settings
PowerShell URL Enter the PowerShell URL which is the PowerShell instance on the email server in relation to the AirWatch Server. Typically, the PowerShell URL is in the form of https://<emailserver>/powershell.
Ignore SSL errors between AirWatch and Exchange server

Select Enable to Ignore SSL Errors to allow devices to ignore Secure Socket Layer (SSL) certificate errors between AirWatch and Exchange server.


AirWatch recommends that a valid SSL trust should always be established between AirWatch and Exchange server using valid certificates.

PowerShell Authentication
Use Service Account Credentials Select Enable to to use the credentials from the Cloud Connector Application Pool as the Service Account for PowerShell connections.
Authentication Type

Select the authentication type based on the Exchange Server settings. The options available are:

  • Basic – AirWatch connects to the remote PowerShell endpoint using the basic authentication type.
  • NTLM (Negotiate) – AirWatch connects to the remote PowerShell endpoint using the negotiate authentication type.
  • Kerberos – The email server uses Kerberos to authenticate a domain account and NTLM for a local computer account.

Admin Username

Enter the username of the PowerShell Service Account if the Use Service Account Credentials option is not enabled.

  • Domain users should specify the username in the form of domain\username.
  • Local users on a server computer should specify the username in the form of servername\username.
Admin Password Enter the password of the PowerShell Service Account if the Use Service Account Credentials option is not enabled.
Sync Settings
One time sync after configuration Select Enable to enable this option to sync with PowerShell soon after configuration.
Limit sync results by

You may restrict the sync action to certain filtered groups by choosing the options:

  • None – This is the default option. This syncs the devices retrieved by the Powershell queries.
  • Organization Unit Configuration – Organization Unit Configuration limits the sync results to devices whose users are in the selected Organization Unit in Active Directory. The Organization Unit Base DN is fetched from the Directory Services configuration and the Group Search Filter is the Organization Unit name.
  • Group – Group configuration limits the sync results to specific groups defined in Office 365. You can define these groups by navigating to Exchange Control Panel > Recipients > Groups.


      The Group sync option is available only for Office 365 implementations.

      The service account must have the privileges to the Get-Group cmdlet.

  • Custom – Custom configuration limits the sync results to devices whose users belong to the specified Custom DN.The Custom DN can be an Organization Unit or specific users' Distinguished Name.

    Custom configuration is useful for piloting PowerShell integration against a small subset of users.

  1. Select Next. The Profiles wizard form displays.
  2. This is an optional step. If you plan to migrate the users from an existing MEM configuration then associate a profile with the MEMconfiguration.



  1. Select Next. The MEM Config Summary form provides a quick overview of the basic configuration you have just created for the PowerShell deployment. Save the settings.
  2. You may select the Add option from the Mobile Email Management Configuration main page to configure more deployments.


  1. Optionally, you can configure the Advanced Settings. To do this, navigate to Email > Settings page and then select the With_SEG_advanced icon.

    Setting Description
    PowerShell Sync Batch Size

    The batch size determines the number of CasMailbox and ActiveSyncDevice/MobileDevice objects returned per PowerShell session when using the Sync Mailboxes or Run Compliance features.


    The batch size depends on whether VMware Enterprise Systems Connector or Enterprise Integration Service (EIS) is being used. For VMware Enterprise Systems Connector and direct connection AirWatch recommends 25000 devices and for EIS 2500 devices. The PowerShell MEM config detects these conditions and sets the batch size accordingly.

    Manage Active Sync for Mailbox

    Select to enable control of Active Sync at the Mailbox Identity level.

    In proper deployments, this is not necessary as a Global Access State of Block or Quarantine is in use.

    Remove ActiveSync Partnership on Unenroll

    Select to remove partnership of the unenrolled device from Exchange.

    This will remove unenrolled devices from Exchange when they are removed from AirWatch.

    Sync with entire forest in AD

    Select to add the viewEntireForest option to the PowerShell session.

    This may be helpful depending on how your company’s Organization Groups are structured.