When you install Exchange, synchronization access to Exchange is enabled by default for all users in your organization. You can disable synchronization at the organizational level using Exchange System Manager. You can also use the Active Directory Users and Computers snap-in to enable or disable synchronization access for a user or groups of users.

As an added level of security, you can use Microsoft Windows Mobile devices with Exchange ActiveSync with RSA SecurID two-factor authentication.

Note:
No additional device configuration is required to support RSA SecurID. The device presents the appropriate authentication automatically when synchronizing with an Exchange ActiveSync server protected by RSA SecurID.

The steps to use RSA SecurID with Exchange ActiveSync include the following:

1. Set up the RSA SecurID server components.
   
2. Configure IIS to use RSA SecurID.
   
3. Set up user accounts.
   

For detailed steps for configuring RSA SecurID with Exchange ActiveSync, see How to Use RSA SecurID with Exchange ActiveSync.

After you have configured your Exchange environment for synchronization, you must also configure the client devices. You must individually configure each mobile device in your organization. Alternatively you can instruct users how to configure their own devices.

• For detailed steps for configuring a mobile device to use Exchange ActiveSync, see How to Configure a Mobile Device to Use Exchange ActiveSync.
  
• For detailed steps for configuring a mobile device to use AUTD, see How to Specify a Mobile Operator for Up-to-Date Notifications on a Device.
  

The following topics explain how to configure Exchange ActiveSync in your organization.

• For detailed information about how to enable ActiveSync features at the organizational level, see How to Enable and Disable Exchange ActiveSync Features at the Organizational Level.
  
• For information about how to enable Exchange ActiveSync for individual users or groups of users, see How to Enable and Disable Exchange ActiveSync Features at the User Level.
  

Microsoft Windows Mobile-based 5.0 devices use the Microsoft CryptoAPI (CAPI) certificate store to securely store root certificates. Exchange ActiveSync checks the root certificate store on the mobile device to verify that the certificate on the server it is connecting to was issued by a trusted authority.

Root certificates that are included with a Windows Mobile 5.0 device represent the following certificate authorities:

• VeriSign
  
• GTE CyberTrust
  
• Equifax
  
• Entrust
  
• GlobalSign
  
• Thawte
  

For the procedure to add a root certificate to a Windows Mobile-based 5.0 device, see the Installing a Root Certificate in the Windows Mobile Version 5.0 SDK.

For information about how to add root certificates to the Windows Mobile 2003 Smartphone and to Windows Mobile 2002 Smartphone, see the Microsoft Knowledge Base article 841060, "How to add root certificates to Windows Mobile 2003 Smartphone and to Windows Mobile 2002 Smartphone."