To control and manage a remote Exchange instance, enable PowerShell integration through MEM on the UEM console after configuring the PowerShell on the Workspace ONE UEM server.


Before using modern authentication, see the Enable Modern Authentication for PowerShell Integrated Deployment section.

Before you begin

  1. Navigate to Email > Email Settings in the UEM console and select Configure. The Add Email Configuration wizard form displays. MEM Configuration wizard
  2. In the Platform wizard form, select Direct as the Deployment Model.
  3. Select Exchange as the Email Type and Exchange 2010/2013/2016/2019 or Office 365 as the Exchange Version. Select Next.
  4. In the Deployment wizard form, complete the required setting.
    Setting Description
    Friendly name Enter a friendly name for the PowerShell deployment. This name gets displayed on the MEM dashboard screen for devices managed by PowerShell.
    PowerShell URL Enter the PowerShell URL which is the PowerShell instance on the email server in relation to the Workspace ONE UEM Server. Typically, the PowerShell URL is in the form of https://<emailserver>/powershell.
    Ignore SSL errors between AirWatch and Exchange server

    To Ignore SSL Errors to allow devices to ignore Secure Socket Layer (SSL) certificate errors between Workspace ONE UEM and Exchange server, select Enable.

    A valid SSL trust must always be established between Workspace ONE UEM and Exchange server using valid certificates.

    Use Service Account Credentials Select Enable to use the credentials from the Cloud Connector Application Pool as the Service Account for PowerShell connections.

    Refer to Microsoft documentation for more information on ExchangeEnvironmentName.

    Default Value: Microsoft 365

    Authentication Type
    Select the authentication type based on the Exchange Server settings. The options available are:
    • Basic – Workspace ONE UEM connects to the remote PowerShell endpoint using the basic authentication type.
    • Kerberos – The email server uses Kerberos to authenticate a domain account and NTLM for a local computer account.
    • Modern – Workspace ONE UEM connects to the remote PowerShell endpoint using the Modern authentication type.
    • Negotiate – Workspace ONE UEM connects to the remote PowerShell endpoint using the negotiate authentication type.
    Admin Username

    Enter the user name of the PowerShell Service Account if the Use Service Account Credentials option is not enabled.

    • Domain users must specify the user name in the form of domain\username.
    • Local users on a server computer must specify the user name in the form of servername\username.
    Admin Password Enter the password of the PowerShell Service Account if the Use Service Account Credentials option is not enabled.
    One time sync after configuration Select Enable to enable this option to sync with PowerShell soon after configuration.
    Filter sync results

    You can restrict the sync action to certain filtered groups by selecting the options:

    • None – Syncs the devices retrieved by the PowerShell queries.
    • Organization Unit – Organization Unit Configuration limits the sync results to devices whose users are in the selected Organization Unit in Active Directory. The Organization Unit Base DN is fetched from the Directory Services configuration and the Group Search Filter is the Organization Unit name.
    • Groups – Group configuration limits the sync results to specific groups defined in Office 365. You can define these groups by navigating to Exchange Control Panel > Recipients > Groups.

      The Group sync option is available only for Office 365 implementations. The service account must have the privileges to the Get-Group cmdlet.

    • Custom – Custom configuration limits the sync results to devices whose users belong to the specified Custom DN. The Custom DN can be an Organization Unit or specific users' Distinguished Name. Custom configuration is useful for piloting PowerShell integration against a small subset of users.
  5. Select Next. The Profiles wizard form displays.
  6. (Optional) If you plan to migrate the users from an existing MEM configuration, then associate a profile with the MEM configuration.
  7. Select Next. Save the settings.
    Note: The MEM Config Summary form provides a quick overview of the basic configuration you have just created for the PowerShell deployment.
  8. Select the Add option from the Mobile Email Management Configuration main page to configure more deployments.
  9. Optionally, you can configure the Advanced Settings. To configure, navigate to Email > Settings page.
    Setting Description
    PowerShell Sync Batch Size

    The batch size determines the number of CasMailbox and ActiveSyncDevice/MobileDevice objects returned per PowerShell session when using the Sync Mailboxes or Run Compliance features.

    The batch size depends on whether AirWatch Cloud Connector or Enterprise Integration Service (EIS) is being used. For AirWatch Cloud Connector and direct connection, the number of devices is 25000 and for EIS 2500 devices. The PowerShell MEM config detects these conditions and sets the batch size accordingly.

    Manage Active Sync for Mailbox

    Select to enable control of Active Sync at the Mailbox Identity level.

    In proper deployments, it is not necessary as a Global Access State of Block or Quarantine is in use.

    Remove ActiveSync Partnership on Unenroll

    Select to remove partnership of the unenrolled device from Exchange.

    This setting removes unenrolled devices from Exchange when they are removed from Workspace ONE UEM.

    Sync with entire forest in AD

    Select to add the viewEntireForest option to the PowerShell session.

    This option might be helpful depending on how your company’s Organization Groups are structured.

Configure Exchange to Block or Quarantine Devices

To manage new devices trying to connect to email for the first time, configure Exchange to either Block or Quarantine devices from an organizational level. Exchange can be configured through either an Exchange PowerShell session or web interface.

For Office 365 and Microsoft Exchange 2010/2013/2016/2019 users, access the web UI through an administrator’s Outlook Web Access (OWA) portal.

Caution: These instructions block or quarantine new devices until they enroll in the UEM console, at which point, Workspace ONE UEM issues relevant PowerShell cmdlets to allow email access for the newly enrolled devices. Use caution while enforcing device block or quarantine at the Global level on the Exchange server. While using this setting in a production environment, ensure that all your devices are enrolled. Typically, this setting is not used during a trial or evaluation. The cmdlet might also temporarily block or quarantine enrolled devices until they check into Workspace ONE UEM. Quarantining or blocking devices from accessing email over ActiveSync allows organizations to ensure that only approved (that is, Workspace ONE UEM managed) devices are allowed for email access. Without this enforcement, there is the possibility that unmanaged devices might gain temporary access to corporate email. The temporary access is until the next PowerShell sync process discovers and blocks them. Define a custom email message for users with blocked devices. Microsoft Exchange can then automatically send users a notification to enroll, when their blocked device attempts to access email. For further information, refer
  1. Configure your organizational settings so that they block or quarantine devices.

    Blocking devices blocks the device outright while quarantining provides you more visibility to unknown devices.

    Quarantining also uses more processing power.

  2. Open the Exchange PowerShell command window from the Exchange Server and enter the required command.

    Choose from:

    • Block devices

      PS C:\Windows\system32> Set-ActiveSyncOrganizationSettings –DefaultAccessLevel Block
    • Quarantine devices

      PS C:\Windows\system32> Set-ActiveSyncOrganizationSettings –DefaultAccessLevel quarantine

Server-Side Session Commands

The server-side session commands to control the Exchange mailbox properties are described in this topic.

Before you begin:

After configuring the Windows PowerShell session on your Workspace ONE UEM console server for issuing remote commands to Exchange 2010/2013/2016/2019 or the cloud-based Office 365 service, connect to the server environment to begin the server-side session.

Note: To check the version of the PowerShell installed, enter $PSVersionTable on the PowerShell command window.

To control the Exchange mailbox properties run the following commands:

  1. Connect to the server-side session and establish a new session.
    $cred = Get-Credential
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri “” -Credential $cred -Authentication Basic -AllowRedirection
  2. Press enter after authentication to run the session command.
  3. Connect to the server and run the Import-PSSession $session command to import the server-side session.

    During device enrollment in the Workspace ONE UEM, devices can be configured for the Exchange through the profile distribution. After configuring, the Workspace ONE UEM console issues commands to enable the Exchange ActiveSync for a user’s mailbox on Exchange.

    The Workspace ONE UEM console also issues a command to allowlist the device IDs being enrolled. Use the Get-CASMailbox command to see a list of devices approved for a mailbox and to select the allowed devices.


    Get-CASMailbox -Identity “” | select {$_.ActiveSyncAllowedDeviceIDs}


    {SEC1CE34C8FCEC35, SEC1BBD5F48A8B3C, CD123C289433F009, boxercfdefaec75acd071b...}

    To query a user’s mailbox to view the blocked device IDs use the following example.


    Get-CASMailbox -Identity "" | select {$_.ActiveSyncBlockedDeviceIDs}


    {Appl87049106A4S, DT095F898778SDF2E1B3453445DG56}

    To close the server-side session, always close the console-server session when troubleshooting is complete. To remove the server-side session, use the following command.

    remove-pssession $session