To control and manage a remote Exchange instance, enable PowerShell integration through MEM on the UEM console after configuring the PowerShell on the Workspace ONE UEM server.

Procedure

  1. Navigate to Email > Email Settings in the UEM console and select Configure.
    The Add Email Configuration wizard form displays.
  2. In the Platform wizard form, select Direct as the Deployment Model.
  3. Select Exchange as the Email Type and Exchange 2010/2013/2016/2019 or Office 365 as the Exchange Version. Select Next.
  4. In the Deployment wizard form, complete the required setting.
    Setting Description
    Friendly name Enter a friendly name for the PowerShell deployment. This name gets displayed on the MEM dashboard screen for devices managed by PowerShell.
    PowerShell URL Enter the PowerShell URL which is the PowerShell instance on the email server in relation to the Workspace ONE UEM Server. Typically, the PowerShell URL is in the form of https://<emailserver>/powershell.
    Ignore SSL errors between AirWatch and Exchange server

    To Ignore SSL Errors to allow devices to ignore Secure Socket Layer (SSL) certificate errors between Workspace ONE UEM and Exchange server, select Enable.

    A valid SSL trust must always be established between Workspace ONE UEM and Exchange server using valid certificates.

    Use Service Account Credentials Select Enable to use the credentials from the Cloud Connector Application Pool as the Service Account for PowerShell connections.
    Authentication Type
    Select the authentication type based on the Exchange Server settings. The options available are:
    • Basic – Workspace ONE UEM connects to the remote PowerShell endpoint using the basic authentication type.
    • Kerberos – The email server uses Kerberos to authenticate a domain account and NTLM for a local computer account.
    • Modern – Workspace ONE UEM connects to the remote PowerShell endpoint using the Modern authentication type.
    • Negotiate – Workspace ONE UEM connects to the remote PowerShell endpoint using the negotiate authentication type.
    Admin Username

    Enter the user name of the PowerShell Service Account if the Use Service Account Credentials option is not enabled.

    • Domain users must specify the user name in the form of domain\username.
    • Local users on a server computer must specify the user name in the form of servername\username.
    Admin Password Enter the password of the PowerShell Service Account if the Use Service Account Credentials option is not enabled.
    One time sync after configuration Select Enable to enable this option to sync with PowerShell soon after configuration.
    Filter sync results

    You can restrict the sync action to certain filtered groups by selecting the options:

    • None – Syncs the devices retrieved by the PowerShell queries.
    • Organization Unit – Organization Unit Configuration limits the sync results to devices whose users are in the selected Organization Unit in Active Directory. The Organization Unit Base DN is fetched from the Directory Services configuration and the Group Search Filter is the Organization Unit name.
    • Groups – Group configuration limits the sync results to specific groups defined in Office 365. You can define these groups by navigating to Exchange Control Panel > Recipients > Groups.

      The Group sync option is available only for Office 365 implementations. The service account must have the privileges to the Get-Group cmdlet.

    • Custom – Custom configuration limits the sync results to devices whose users belong to the specified Custom DN. The Custom DN can be an Organization Unit or specific users' Distinguished Name. Custom configuration is useful for piloting PowerShell integration against a small subset of users.
  5. Select Next.
    The Profiles wizard form displays.
  6. (Optional) If you plan to migrate the users from an existing MEM configuration, then associate a profile with the MEM configuration.
  7. Select Next. Save the settings.
    The MEM Config Summary form provides a quick overview of the basic configuration you have just created for the PowerShell deployment.
  8. Select the Add option from the Mobile Email Management Configuration main page to configure more deployments.
  9. Optionally, you can configure the Advanced Settings. To configure, navigate to Email > Settingspage and then select the icon.
    Setting Description
    PowerShell Sync Batch Size

    The batch size determines the number of CasMailbox and ActiveSyncDevice/MobileDevice objects returned per PowerShell session when using the Sync Mailboxes or Run Compliance features.

    The batch size depends on whether AirWatch Cloud Connector or Enterprise Integration Service (EIS) is being used. For AirWatch Cloud Connector and direct connection, the number of devices is 25000 and for EIS 2500 devices. The PowerShell MEM config detects these conditions and sets the batch size accordingly.

    Manage Active Sync for Mailbox

    Select to enable control of Active Sync at the Mailbox Identity level.

    In proper deployments, it is not necessary as a Global Access State of Block or Quarantine is in use.

    Remove ActiveSync Partnership on Unenroll

    Select to remove partnership of the unenrolled device from Exchange.

    This setting removes unenrolled devices from Exchange when they are removed from AirWatch.

    Sync with entire forest in AD

    Select to add the viewEntireForest option to the PowerShell session.

    This option might be helpful depending on how your company’s Organization Groups are structured.