As with all previous versions of Exchange, the default permission in Exchange 2010 for user accounts is to allow Exchange ActiveSync. I don’t like this option and am surprised that Microsoft still doesn’t provide the ability to reverse this. Policy at my company requires you to sign a waiver acknowledging that we, as IT at the company, have the right to wipe your phone and any personal data that may be on it.
The AD attribute for controlling access to Exchange ActiveSync is still msExchOMAAdminWirelessEnable. This attribute has been around since Exchange 2003, controlling access to Outlook Mobile Access (OMA) and whether Automatic Up-to-Date Notifications (AUTD), the precursor to Direct Push, was enabled. Since then, OMA and AUTD have both been discontinued, and you can’t even disable Direct Push anymore in 2010. (I don’t know why you would do so anyway. I assume it was to control high data charges before everyone started using unlimited data plans.)
So the only value in the attribute that has any effect is 4, which disables Exchange ActiveSync. Any other value, including <not set>, has no impact, thereby allowing the user to sync. I have a reason for wanting to set the attribute directly in AD, but you can accomplish the same thing in the Exchange Management Shell by using Set-CASMailbox user -ActiveSyncEnabled:$false.
Tools like AirWatch can help solve the waiver issue for companies as you won’t need to do a full wipe of the device through Exchange to wipe all corporate data from the device.