Creating ActiveSync Device Access Rules Based on User Agent in Exchange Server 2010

In a recent article I demonstrated how to create ActiveSync device access rules in Exchange Server 2010.

That demonstration mainly focused on device access rules that are based on the device type or model. When you’re creating a device access rule via Exchange Control Panel those are the only two characteristics you can base the rule on.

However, a device access rule can also be based on the user agent characteristic if you create the rule in PowerShell with the New-ActiveSyncDeviceAccessRule cmdlet instead of the Exchange Control Panel.


Getting the ActiveSync Device User Agent

For this example the organization has been configured to quarantine new types of mobile devices. A number of devices have connected, including an iPhone 3GS and an iPhone 4S. We want to allow the iPhone 4S, but not the 3GS (this is just for the sake of demonstration).

The Exchange Control Panel shows the list of quarantined devices but not the user agents.

You can open the details of a device from the list and see the user agent, but this is a fishing exercise if you have a long list of quarantined devices and no knowledge of which users have which specific mobile devices.

A faster method is to use PowerShell to list the user agents.

DeviceUserAgent                           DeviceAccessState DeviceType                    DeviceModel
---------------                           ----------------- ----------                    -----------
...
Apple-iPhone4C1/902.206                         Quarantined iPhone                        iPhone
Apple-iPhone2C1/902.206                         Quarantined iPhone                        iPhone
...

Creating a Device Access Rule Based on the User Agent Characteristic

From the above list the Apple-iPhone4C1/902.206 user agent (which is the iPhone 4S) is the one that we want to allow to connect to Exchange.

New-ActiveSyncDeviceAccessRule -QueryString Apple-iPhone4C1/902.206 -Characteristic UserAgent -AccessLevel Allow

After this rule has been added the iPhone 4S is able to connect to ActiveSync, while the 3GS and other quarantined device types still can’t.

DeviceUserAgent                           DeviceAccessState DeviceType                    DeviceModel
---------------                           ----------------- ----------                    -----------
...
Apple-iPhone4C1/902.206                             Allowed iPhone                        iPhone
Apple-iPhone2C1/902.206                         Quarantined iPhone                        iPhone
...

Bug with ActiveSync Device Access Rules Based on User Agent

While testing this scenario I encountered an error in the Exchange Control Panel. After creating an ActiveSync device access rule that is based on the UserAgent characteristic, the Device Access Rules portion of the Exchange Control Panel breaks.

When refreshing the Device Access Rules list an error occurs:

Sorry! We’re having trouble processing your request right now. Please try again in a few minutes.

This error persists until you use PowerShell to remove any device access rules that are based on UserAgent.

I discussed this with Microsoft and they have opened a bug for it and will hopefully be able to issue an update that corrects the error some time in the future (the problem also exists in the Exchange 2013 Preview). In the meantime they have confirmed that device access rules based on UserAgent are supported.

However the error means that once you start using rules like this you will need to do all of your device access rules management via PowerShell.
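The PowerShell-only workflow described in this article, as an added example that is not from the original post: it reviews quarantined user agents, allows one, audits the resulting rules, and previews removal of UserAgent rules if the Exchange Control Panel list needs to work again. It assumes the Exchange Management Shell and an account permitted to manage ActiveSync device access rules; the `$allowedAgent` variable name is illustrative.

```powershell
# Added example; run in the Exchange Management Shell.

# 1. Review what is in quarantine, grouped by user agent, so a rule is
#    written for a known device population rather than device by device.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Group-Object DeviceUserAgent, DeviceType, DeviceModel |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Allow one reviewed user agent (the iPhone 4S value from this article).
$allowedAgent = 'Apple-iPhone4C1/902.206'
New-ActiveSyncDeviceAccessRule -QueryString $allowedAgent `
    -Characteristic UserAgent -AccessLevel Allow

# 3. Audit every device access rule from the shell, since the Exchange
#    Control Panel list fails once a UserAgent rule exists.
Get-ActiveSyncDeviceAccessRule |
    Sort-Object Characteristic, QueryString |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# 4. Confirm the effect: devices reporting the allowed user agent and
#    their current access state.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceUserAgent -eq $allowedAgent } |
    Format-Table DeviceUserAgent, DeviceAccessState, DeviceType, DeviceModel -AutoSize

# 5. Preview removal of all UserAgent-based rules (the step that clears
#    the Exchange Control Panel error). -WhatIf only reports what would
#    be removed; drop it to actually remove the rules.
Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'UserAgent' } |
    Remove-ActiveSyncDeviceAccessRule -WhatIf
```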

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013.

Comments

  1. Martin Eddy says:

    That’s a pretty big bug. I can’t believe it hasn’t shown up before.

  2. Paul, SP3 seemed to have resolved the issue in the last part of this article. I can not see all my rules in ECP.
