PowerShell Integration through MEM in Workspace ONE

On the UEM console, enable PowerShell integration through MEM to control and manage a remote Exchange instance after configuring the PowerShell on the Workspace ONE UEM server.

Table of Contents


  1. In the UEM console, go to Email and navigate to Email Settings and select Configure. The Add Email Configuration wizard form pops up.
  2. Click on Direct as the Deployment Model in the Platform wizard form.
  3. Select Office 365 or Exchange as the Email Type and Exchange 2010/2013/2016/2019 as the Exchange Version. Click on Next.
  4. Complete the following required setting in the deployment wizard form:
  • Friendly Name: A friendly name for the PowerShell deployment is entered. On the MEM dashboard screen, this name gets displayed for devices managed by PowerShell.
  • PowerShell URL: Enter the PowerShell instance called the PowerShell URL on the email server in relation to the Workspace ONE UEM server. The form of https://<emailserver>/PowerShell is typically the PowerShell URL.
  • Ignore SSL errors between Exchange server and Airwatch: Allow devices to ignore Secure Socket Layer (SSL) certificate errors to Ignore SSL Errors between Workspace ONE UEM and Exchange server, select Enable. always establish a valid SSL trust

Between Workspace ONE UEM and Exchange server using valid certificates:

  • Use Service Account Credentials: To use the credentials from the Cloud Connector Application Pool, click on enable as the Service Account for PowerShell connections.
  • Authentication Type: Based on the Exchange Server settings, select the authentication type from the available authentication types and options:

Basic: Using the basic authentication type, Workspace ONE UEM connects to the remote PowerShell endpoint.

Kerberos: For a local computer account, to authenticate a domain account and NTLM, the email server uses Kerberos.

Modern: Using the Modern authentication type, Workspace ONE UEM connects to the remote PowerShell endpoint.

Negotiate: using the negotiate authentication type, Workspace ONE UEM connects to the remote PowerShell endpoint.

  • Admin Username: if the Use Service Account Credentials option is not enabled, enter the user name of the PowerShell Service Account.

In the form of domain\username, Domain users must specify the user name.

In the form of servername\username, local users on a server computer must specify the user name.

  • Admin Password: If the Use Service Account Credentials option is not enabled, enter the password of the PowerShell Service Account.
  • One time sync after configuration: To sync with PowerShell soon after configuration, select Enable to enable this option.
  • Filter sync results: By selecting the options, restrict the sync action to certain filtered groups.

None – The devices are synced retrieved by the PowerShell queries.

Organization Unit: Limits the sync results to devices with Organization Unit Configuration whose users are in the selected Organization Unit in Active Directory. From the Directory Services configuration, the Organization Unit Base DN is fetched, and the Group Search Filter is the Organization Unit name.

Groups: To specific groups defined in Office 365, Group configuration limits the sync results. By navigating to Exchange Control Panel, go to Recipients, and click on Groups. Only for Office 365 implementations, the Group sync option is available. Go to the Get-Group cmdlet the service account and must have the privileges.

Custom: Limit the sync results to devices with Custom configuration whose users belong to the specified Custom DN. The Custom DN can be specific users’ Distinguished Name or an Organization Unit. For piloting PowerShell integration, the Custom configuration is useful against a small subset of users.

  1. Click on Next. The Profiles wizard form pops up.
  2. (Optional)Associate a profile with the MEM configuration if the admin plans to migrate the users from an existing MEM configuration
  3. Click on Next. The settings should be saved. For the PowerShell deployment, The MEM Config Summary form provides a quick overview of the basic configuration the admin just created.
  4. The Add option should be selected from the Mobile Email Management Configuration main page to configure more deployments.
  5. Configure the Advanced Settings optionally:

PowerShell Sync Batch Size: the number of CasMailbox and ActiveSyncDevice/MobileDevice objects returned per PowerShell session is determined by the batch size when using the Sync Mailboxes or Run Compliance features. Whether AirWatch Cloud Connector or Enterprise Integration Service (EIS) is being used determines the batch size. The number of devices is 25000 for AirWatch Cloud Connector and direct connection and for EIS 2500 devices. These conditions and sets the batch size are determined by the PowerShell MEM config accordingly.

Manage Active Sync for Mailbox: Control of Active Sync at the Mailbox Identity level by enabling this option in proper deployments. It is not necessary as a Quarantine or the Global Access State of Block in use.

ActiveSync Partnership on Unenroll Removal: From the Exchange, to remove the partnership of the unenrolled device, select this option. When unenrolled devices are removed from AirWatch, this setting removes unenrolled devices from Exchange.

In AD Sync with the entire forest: Add the viewEntireForest option to the PowerShell session by configuring this option. Depending on how the company’s Organization Groups are structured, this option proves to be quite useful.


  • Barry Allen

    A Full Stack Developer with 10+ years of experience in different domain including SAP, Blockchain, AI and Web Development.

    View all posts


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.