Blackberry Access
Salam, We have an Exchange 2010 SP1 organization. Users with Blackberry devices usually use their service providers for the Blackberry services, and they access their mailboxes using OWA. Now I need to deny people from adding their mailboxes to their Blackberry using OWA and force them to use BESX. The problem is that it seems I can't stop them from doing it. I have a mailbox which I am testing with, and I have all the mailbox features disabled for it and I have Outlook Anywhere disabled as well. Yet for some reason, if I go to the mobile service provider and add the mailbox using OWA, it authenticates and adds the mailbox normally. Thank you in advance, Kindest regards. Abdullah^2
April 14th, 2011 7:41am

Hi, OWA or OMA? Do you mean that you want to prevent users from accessing email from OWA or from their handhelds (as in ActiveSync)? Sukh
April 14th, 2011 10:14am

Hi, To Sukh: I think he did not mention OMA. He means preventing users from using OWA. Blackberry does not use ActiveSync at all. But you can browse the web with a Blackberry, thus you can also use OWA with a Blackberry. He wants to force the users to retrieve their email via BESx. BESx is a software solution that interacts with Exchange and forwards all email to the Blackberry Mail Service, which then forwards it to the phone provider, who then forwards it to the mobile devices. With Exchange 2003, you would need to disable HTTP and NNTP for the user: http://technet.microsoft.com/en-us/library/aa996482(EXCHG.65).aspx Have you tried it with PowerShell? Like: Set-CASMailbox -Identity john@contoso.com -OWAEnabled $false And have you looked at the event log already?
April 14th, 2011 1:33pm

@Dennis - My bad, I was rushing this post. I was indicating did he want to use BES to sync email as with Windows Mobile/ActiveSync. @Abdullah - This should be possible if you run the command as Dennis has mentioned, or you can set it via EMC on the user mailbox. http://technet.microsoft.com/en-us/library/bb124124(EXCHG.140).aspx If both fail then run Get-Mailbox -Identity user |fl >c:\user.txt and post. Sukh
April 14th, 2011 2:29pm

Yes, it seems Abdullah wants to prevent his users from enrolling their Exchange mailbox over BIS (Blackberry Internet Service). Yes, you can disable OWA to prevent BIS access, but that will block OWA access in general. You can check with RIM to see if they have a separate IP range for BIS than BESX, but I don't think so. I've seen two articles for BIS and BES IP ranges and they are the same, but you can confirm with RIM. If so, you can block at the firewall. Firewall and connection requirements for the BlackBerry Internet Service http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB11036&sliceId=SAL_Public&dialogID=69199896&stateId=0%200%2069201325
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 14th, 2011 4:15pm

Just read the post again. Abdullah says he wants them to use BESX. Doesn't BESX have BES policies as with BES 4.x/5.x? This way you can get the BES devices to use your corporate proxy and restrict access from there (on your proxy). Sukh
April 14th, 2011 4:48pm

Salam, Thank you all for your valuable answers. Currently I have stopped all features on my test mailbox, and I've also blocked all the mentioned RIM IP addresses on my Default website in IIS. It seems that it worked after blocking the RIM IPs, but I am still wondering how it had still worked :/. I mean, I stopped all the mailbox features including MAPI and still I was able to authenticate and add the mailbox through BIS. I tested adding a new Blackberry device and it didn't work, but when I tried to edit an existing Blackberry device it authenticated. It might be because the tunnel is still open or something. I'll give it time and monitor whether the blocking per RIM IPs is 100% successful. Again, thank you very much. If anyone has an explanation why Blackberry devices could still authenticate even when the OWA feature is disabled, the community and I would for sure be very grateful. Kindest regards. Abdullah^2
April 15th, 2011 2:06am

Because BIS appears to be using /EWS to make all requests, Blackberry users can still configure BIS to access their mailbox even though the OWA feature has been disabled. Since EWS can't be removed and blocked, especially as it would break other functions, like Availability Service, OOF, the cleanest method is to set up a rule in ISA so that the access can be blocked via user agent. Securing Exchange Data from Unapproved Mobile Devices (or how to block a phone or service from taking data out of your Exchange Server)
April 19th, 2011 2:25am
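
The reply above attributes the continued access to requests against /EWS rather than /owa. As an added example (not part of the original thread), one way to confirm which clients are succeeding against EWS before writing a user-agent rule is to summarize the IIS W3C logs from the Client Access server; the log excerpt, user names, user-agent strings and addresses below are constructed placeholders, and `approved_agents` is an assumed allowlist of user-agent prefixes.

```python
from collections import Counter

# Constructed IIS W3C log excerpt (not from the thread). User names, user-agent
# strings and the 203.0.113.x / 198.51.100.x addresses are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2011-04-15 02:01:10 POST /EWS/Exchange.asmx CONTOSO\\testuser 203.0.113.10 ExampleMobileService/1.0 200
2011-04-15 02:01:12 POST /EWS/Exchange.asmx CONTOSO\\testuser 203.0.113.10 ExampleMobileService/1.0 200
2011-04-15 02:03:40 GET /owa/ CONTOSO\\testuser 198.51.100.7 Mozilla/5.0+(Windows) 403
2011-04-15 02:05:02 POST /EWS/Exchange.asmx CONTOSO\\alice 198.51.100.7 ExampleDesktopClient/14.0 200
2011-04-15 02:06:30 POST /ews/exchange.asmx - 203.0.113.11 ExampleMobileService/1.0 401
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def ews_clients(text, approved_agents=()):
    """Count successful (HTTP 200) EWS requests per (user, user agent, client IP),
    leaving out user agents that start with an approved prefix."""
    hits = Counter()
    for r in parse_w3c(text):
        if not r.get("cs-uri-stem", "").lower().startswith("/ews/"):
            continue  # only the EWS virtual directory is of interest here
        if r.get("sc-status") != "200":
            continue  # failed or unauthenticated attempts are not counted
        agent = r.get("cs(User-Agent)", "-").replace("+", " ")  # IIS logs spaces as '+'
        if agent.startswith(tuple(approved_agents)):
            continue
        hits[(r.get("cs-username", "-"), agent, r.get("c-ip", "-"))] += 1
    return hits

if __name__ == "__main__":
    report = ews_clients(SAMPLE_LOG, approved_agents=("ExampleDesktopClient",))
    for (user, agent, ip), count in report.items():
        print(f"{user}\t{agent}\t{ip}\t{count} successful EWS requests")
```

Run against the real logs, the user-agent values it reports are the ones to match in the ISA rule, and a mailbox with OWA disabled that still shows status 200 on /EWS reproduces what was seen with the test mailbox.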

Good info!
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 19th, 2011 9:38am

Salam, Thank you all, this post has been rich indeed and very helpful. All the best, Kindest regards. Abdullah^2
April 21st, 2011 1:45am

This topic is archived. No further replies will be accepted.
