Configure Microsoft Exchange permissions for gatekeeping
To use Microsoft ActiveSync gatekeeping in BlackBerry Enterprise Service 10, you must configure management roles in Microsoft Exchange Server 2010 with the correct permissions to manage mailboxes and client access for Microsoft ActiveSync. To perform this task, you must be a Microsoft Exchange administrator with the appropriate permissions to create and change management roles.
Before you begin: On the computer that hosts Microsoft Exchange, create an account and mailbox to manage gatekeeping in BlackBerry Enterprise Service 10 (for example, BES10Admin). You must specify the login information for this account when you create a Microsoft ActiveSync configuration in the Universal Device Service console.
- On a computer that hosts the Microsoft Exchange Management Shell, open the Microsoft Exchange Management Shell.
- Type New-ManagementRole -Name "<new_role_mail>" -Parent "Mail Recipients". Press ENTER.
- Type New-ManagementRole -Name "<new_role_ca>" -Parent "Organization Client Access". Press ENTER.
- Type Get-ManagementRoleEntry "<new_role_mail>\*" | Where {$_.Name -ne "Get-ADServerSettings"} | Remove-ManagementRoleEntry. Press ENTER.
- Type Get-ManagementRoleEntry "<new_role_ca>\*" | Where {$_.Name -ne "Get-CasMailbox"} | Remove-ManagementRoleEntry. Press ENTER.
- Type Add-ManagementRoleEntry "<new_role_mail>\Get-ActiveSyncDeviceStatistics" -Parameters Mailbox. Press ENTER.
- Type Add-ManagementRoleEntry "<new_role_mail>\Get-ActiveSyncDevice" -Parameters Identity. Press ENTER.
- Type Add-ManagementRoleEntry "<new_role_ca>\Set-CasMailbox" -Parameters Identity, ActiveSyncBlockedDeviceIDs, ActiveSyncAllowedDeviceIDs. Press ENTER.
- Type New-RoleGroup "<new_group>" -Roles "<new_role_mail>", "<new_role_ca>". Press ENTER.
- Type Add-RoleGroupMember -Identity "<new_group>" -Member "BES10Admin". Press ENTER.
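
The following Exchange Management Shell script is an added example, not part of the original procedure. It checks that the two custom roles hold only the cmdlets and parameters granted in the steps above, and that the role group has no members other than the gatekeeping account. It uses the same placeholder names as the steps, assumes the account's Name is BES10Admin, and ignores PowerShell common parameters on an entry.

```powershell
# Added example. Placeholder names match the steps above; substitute your own.
$roleMail  = '<new_role_mail>'
$roleCa    = '<new_role_ca>'
$roleGroup = '<new_group>'
$member    = 'BES10Admin'   # assumption: the account's Name is BES10Admin
# Cmdlets each role should hold after the procedure. $null = entry kept as
# inherited from the parent role, so its parameter list is not checked.
$expected = @{}
$expected[$roleMail] = @{
    'Get-ADServerSettings'           = $null
    'Get-ActiveSyncDeviceStatistics' = @('Mailbox')
    'Get-ActiveSyncDevice'           = @('Identity')
}
$expected[$roleCa] = @{
    'Get-CasMailbox' = $null
    'Set-CasMailbox' = @('Identity', 'ActiveSyncBlockedDeviceIDs', 'ActiveSyncAllowedDeviceIDs')
}
# PowerShell common parameters are ignored if Exchange lists them on an entry.
$common = 'Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'ErrorVariable',
          'WarningVariable', 'OutVariable', 'OutBuffer'

$findings = @()
foreach ($role in $expected.Keys) {
    $want    = $expected[$role]
    $entries = @(Get-ManagementRoleEntry "$role\*")
    foreach ($entry in $entries) {
        if (-not $want.ContainsKey($entry.Name)) {
            $findings += "$role holds unexpected cmdlet $($entry.Name)"
            continue
        }
        $allowed = $want[$entry.Name]
        if ($null -eq $allowed) { continue }
        foreach ($p in $entry.Parameters) {
            if (($allowed -notcontains $p) -and ($common -notcontains $p)) {
                $findings += "$role\$($entry.Name) exposes extra parameter $p"
            }
        }
    }
    $present = @($entries | ForEach-Object { $_.Name })
    foreach ($name in $want.Keys) { if ($present -notcontains $name) { $findings += "$role is missing $name" } }
}
# Anyone else in the role group inherits the same Set-CasMailbox rights.
foreach ($m in @(Get-RoleGroupMember -Identity $roleGroup)) {
    if ($m.Name -ne $member) { $findings += "$roleGroup has unexpected member $($m.Name)" }
}

if ($findings.Count -eq 0) { 'Gatekeeping roles match the procedure.' } else { $findings }
```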