Found my own answers:
First, the ABQ interface in ECP apparently is not there until you apply
SP1 for Exchange 2010 (we will be doing that shortly).
Second, you can do the ABQ-thing via PowerShell using the
Set-ActiveSyncOrganizationSettings cmdlet: this is a global setting, and
seems to be set to Allow by default - hence why you could have any
number of devices connect once you enabled a user for ActiveSync,
despite what you put in the ActiveSyncAllowedDeviceIDs property.
I set our ActiveSyncOrganizationSettings to Quarantine - the user
trying to sync now gets an email saying the device is temporarily
blocked while permissions are being checked. Once I put their device
ID in the ActiveSyncAllowedDeviceIDs property, they can sync and they
also get a message saying their device has been granted full access.
As a test, after I set the global setting to quarantine, I entered a
bogus Device ID in my ActiveSyncAllowedDeviceIDs. Bingo! My device
could no longer sync. Once I put in the correct device ID, all was
well.
There are several other properties on the
ActiveSyncOrganizationSettings, like AdminEmailRecipients - the email
addresses you specify for this are supposed to get notifications that
a user is trying to sync a device. Unfortunately, that is not working
for me consistently (worked when my own device was quarantined, but not
anyone else's). If anyone has any insight about this little quirk, I'd
love to hear it.
-RAM
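An added example (not from the original post) of the PowerShell sequence described above: set the organisation-wide default to Quarantine, look up the quarantined device's ID, and add it to the mailbox allow list without dropping entries already there. It assumes Exchange 2010 SP1 and the Exchange Management Shell; the alias, recipient address and device ID are placeholders, and the admin-notification parameter is named AdminMailRecipients in the shipping cmdlet.

```powershell
# Added example (not from the original post): enforce the allow-list
# behaviour described above on Exchange 2010 SP1. Assumes the Exchange
# Management Shell with the Organization Management role.
# The alias, address and device ID below are placeholders.

$userAlias = 'jdoe'             # placeholder mailbox alias

# 1. Make quarantine the organisation-wide default so an unknown device
#    cannot sync until an admin approves it. Admin notifications go to
#    the addresses in AdminMailRecipients.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'easadmins@example.com' `
    -UserMailInsert 'Your device is held for approval; contact the helpdesk.'

# 2. Confirm the global setting took effect before touching mailboxes.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, AdminMailRecipients

# 3. Find the DeviceID the user's device presented. DeviceAccessState
#    stays Quarantined until the ID is allowed.
Get-ActiveSyncDeviceStatistics -Mailbox $userAlias |
    Format-Table DeviceID, DeviceType, DeviceAccessState -AutoSize

# 4. Add that ID to the per-mailbox allow list. The @{Add=...} form keeps
#    any IDs already on the list; assigning a plain string would replace
#    them and silently block the user's other approved devices.
$deviceId = 'PLACEHOLDERDEVICEID1234'   # copy from the output of step 3
Set-CASMailbox -Identity $userAlias -ActiveSyncAllowedDeviceIDs @{Add = $deviceId}

# 5. Verify: the allow list now contains the ID, and on the device's next
#    sync its access state changes from Quarantined to Allowed.
Get-CASMailbox -Identity $userAlias | Format-List ActiveSyncAllowedDeviceIDs
Get-ActiveSyncDeviceStatistics -Mailbox $userAlias |
    Where-Object { $_.DeviceID -eq $deviceId } |
    Format-List DeviceID, DeviceAccessState, DeviceAccessStateReason
```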