Index for the series:
Exchange ActiveSync Building Blocks – Intro
Background reading (not a pre-requisite):
[MS-ASCMD] Common Status Codes
[MS-ASPROV] ActiveSync Provision Protocol Specification
[MSDN] Provisioning, Policies, Remote Wipe, and ABQ in Exchange ActiveSync
I hope you’ve all been following along and gained a deeper understanding of the Exchange ActiveSync protocol, and possibly had time to play with coding something yourself if you are so inclined. We should at this time be able to do the initial FolderSync with Exchange, and handle most errors thrown at us.
There are of course tons of things ActiveSync I haven’t covered yet, and it is a "one step at a time" journey.
If you’re testing against an Exchange Server where you do not have direct access to the admin console, and it is under the control of an Exchange admin who doesn’t permit just about anyone to sync you might have run into issues related to provisioning already, so the next step for us is to cover this very topic.
Provisioning is the mechanism which ensures that ActiveSync clients implement a given set of security policies. If necessary; Exchange Server will block devices that don’t implement the policy set.
Let’s first define a couple of terms:
The "Allow non-provisionable" setting
There is a setting called "Allow non-provisionable devices" in the “Exchange ActiveSync Mailbox Policy” properties that we have toggled on and off a couple of times now. The definition of non-provisionable device is an ActiveSync client which is not able to apply policies to the device.
This comes in two flavors – devices that do not support provisioning at all, and devices that do support policies, but not the specific policies you want to apply. (For instance a commonly unsupported policy is "Encryption".) The device might not serve up an understandable explanation why it will not sync, and Exchange might just say non-provisionable, but the difference can be seen by sniffing the traffic between the device and Exchange.
A provisionable device will request that the server sends down the policy, and will reply with a yes/no to each setting, whereas a non-provisionable device will not request the policies at all.
The corollary to this is that a provisionable device is one that not only accepts policies in general, but also the settings specific to your Exchange Server.
This means that whether you can call a specific device provisionable or not can only be seen in combination with your environment. (If we want to get nitpicklingly technical we could say that Windows Mobile 6.1 and 6.5 are the only "true" provisionable devices as they are the only devices that support all policies.)
If you check the "Allow" switch this means that all devices will be able to sync regardless of whether they support the policies or not. But a device which indicates itself as provisionable will request the policies and implement as many as it can even when it is not forced to do so. If you allow all devices the content of this article will be purely an academical exercise for you, and you’ll be able to sync as shown in previous code samples. You can still tag along if you find it interesting nonetheless of course 
There are differences between Exchange 2007 and Exchange 2010 how the server side details are handled, and I will primarily describe the 2010 way of doing it. (My EAS MD utility handles it for ActiveSync protocol version 12.0 – 14.1 so don’t worry – source code can be provided for your specific scenario.)
Read more
