Sometimes when users try to connect a new mobile device to Exchange, they receive this error message: “Error with your new mobile phone partnership – You have 11 phone partnerships out of the maximum allowed 10 partnerships.” In this post, you will learn how deal with these Exchange device limits.

Bastian A. Wieczorek

Bastian is a senior IT consultant with more than 20 years of experience in IT administration. He focuses on helping organizations plan and operate enterprise collaboration solutions.

Since the "bring-your-own-device" (BYOD) trend started, many Exchange administrators have had to deal with a growing number of different devices. This caused a problem I will discuss today. Every device connected to Exchange has a so-called device partnership stored in Active Directory. Every time when an Exchange ActiveSync (EAS) device tries to sync with Exchange, such a partnership is established. If the maximum number of allowed partnerships is exceeded, the user will receive an error message.

Microsoft ActiveSync Objects ^

The first time such a connection occurs, Exchange will create a container of the type msExchActiveSyncDevices under the user object in Active Directory. Inside the container, the server will create an msExchActiveSyncDevices object for every device. For more information about the process, please read this Microsoft guide.

msExchActiveSyncDevices objects in Active Directory

msExchActiveSyncDevices objects in Active Directory

Depending on the environment, this can lead to a large number of objects in Active Directory that Exchange never deletes (as long as the user object isn´t deleted). Microsoft discovered this issue and came up with a throttling policy in Exchange 2010 (see here).

Managing maximum number of Exchange ActiveSync partnerships ^

Microsoft disabled most of the throttling policy parameters in Exchange 2010 RTM and most limits were set to infinite; this changed in 2010 SP1. One such parameter is the EASMaxDevices that Microsoft documented:

The EasMaxDevices parameter specifies a limit to the number of Exchange ActiveSync partnerships that a user can have at one time. By default, each user can create that amount of Exchange ActiveSync partnerships with their Exchange account. After users exceed the limit, they must delete one of their existing partnerships before they can create any more new partnerships. An email error message describing the limitation is sent to the user when the limit is exceeded. Additionally, an event is logged in the Application log when a user exceeds the limit.

This parameter therefore controls how many devices a user can add. You can check it with:

In an Exchange 2010 environment that uses the default throttling policy, Exchange would not allow users to use more than 10 device partnerships. If a user tries to connect more devices, Exchange would notify the user in different ways:

Email message:

Subject: Error with your new mobile phone partnership

Importance: High

You have 10 phone partnerships out of the maximum allowed 10 partnerships. After you reach the maximum, you can’t create additional partnerships until you delete existing ones from your account. To do so, sign in to:

Outlook Web App; click Options > Phone > Mobile Phones, and delete any unused partnerships.

Mobile device message:

Error with your new mobile phone partnership. You have 11 phone partnerships out of the maximum allowed 10 partnerships.

The issue is often frustrating for users, as their new devices will not work out of the box. Most users will then get in contact with the IT department. If the company has a helpdesk, the support technicians can explain how to resolve the issue with Outlook Web Access (OWA) (if OWA is enabled for the user).

Managing the throttling policy ^

If this isn’t possible, you have three options to deal with the problem:

1.) Change the default throttling policy.

To do this, change the default throttling policy via Set-ThrottlingPolicy and increase the EASMaxDevices setting from 10 to 20 possible devices with (the example below could change all throttling policies, so be careful):

However, this is often the worst option, because it increases the number of permitted devices for all users and thus the user may return after reaching the new limit.

2.) Create a new throttling policy.

You can create a new throttling policy. This makes sense if you have power users (helpdesk technicians, for instance) who often have to add new devices for troubleshooting.

You can create a new policy via the following steps:

Create a new throttling policy:

Allow a certain number of devices (20, for example):

Assign the policy to the user:

3.) Remove the device partnerships that are no longer needed via the GUI.

Microsoft Exchange control panel Mobile device details

Microsoft Exchange control panel Mobile device details

4.) Remove the device partnerships no longer needed via PowerShell.

Depending on the Exchange version, you can use either Get-MobileDeviceStatistics or Get-ActiveSyncDeviceStatistics to generate a list of configured devices for the user as in the example below:

Generate a list of configured devices Get MobileDeviceStatistics

Generate a list of configured devices Get MobileDeviceStatistics

Based on this, you can then remove the old device partnership based on the GUID, with either the Remove-MobileDevice or the Remove-ActiveSyncDevice command, depending on the Exchange version.

Remove a device partnership with Remove MobileDevice

Remove a device partnership with Remove MobileDevice

Automatically remove device partnerships ^

If you run into this problem, you could write a script that automatically scans the Exchange environment for old device partnerships and then automatically deletes them.

Yet there is a better way. There is a built-in Exchange solution (also used in Exchange Online). However, Exchange administrators often do not know about this solution, as it isn't widely mentioned or documented. Moreover, admins cannot access it via the GUI. The solution here, since Exchange 2013, is again the Throttling Policy. However, this time we will use the EasMaxInactivityForDeviceCleanup parameter in that policy. Microsoft explains it like this:

The EasMaxInactivityForDeviceCleanup parameter specifies the length of time that a user's device partnerships will remain active. By default, there is no limit to the number of days that a user's device partnerships will remain active. Use this value if you want to minimize the amount of inactive device partnerships in your organization. To use this setting, specify a value in days since the user's last sync time to cause the device partnership to be removed.

Let's assume you want to delete all inactive device partnerships automatically that are older than 30 days. You can then change the default policies (the example below might change all throttling polices, so be careful):

Or there's a much better option: Build a policy you can assign on a per-user level with the following steps:

Create a new throttling policy:

Delete inactive EAS devices after 30 days:

Assign it to the user:

The device enrollment process ^

Once you assign the policy to a user, you might discover that nothing happens. The user still has the same amount of device partnerships configured. The reason is that Microsoft decided that the cleanup action should only occur when there is a need for it. So instead of running it regularly, which might waste system resources, the cleanup should happen on demand, which saves system resources. But when and how?

The answer is quite easy: During the enrollment of a new device, the following events occur:

1.) The user starts to pair a new mobile device with Microsoft ActiveSync.

2a.) If the default throttling policy is not changed (meaning that the EasMaxInactivityForDeviceCleanup is set to $Null) and if the user does not have a throttling policy assigned, no device partnership cleanup occurs. That is the default in most Exchange environments.

2b.) If the default throttling policy is changed (meaning that the EasMaxInactivityForDeviceCleanup is set to 30 days) or if the user has a special throttling policy assigned, the Exchange server will check the already existing device partnerships and then remove inactive device partnerships now.

3.) The next check will ensure that the number of remaining partnerships remains under the limit for devices (100 in Exchange 2016/2013; in Exchange 2010 the value was 10). If that is the case, the Microsoft Exchange server will add the new device.

Conclusion ^

Microsoft Exchange administrators can prevent users from getting frustrated when they add a new device by doing some very small changes in the Microsoft Exchange environment. Additionally, it helps them save some time that they can spend on important topics, and on top of that, it helps to keep the system clean.

Win the monthly 4sysops member prize for IT pros

Share
0

Related Posts

0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017

Log in with your credentials

or    

Forgot your details?

Create Account