In a recent article I demonstrated how to use ActiveSync organization settings to prevent new mobile devices from connecting to Exchange Server 2010.
Organizations that are considering a default organization setting of “block” or “quarantine” (as the article demonstrated) need to decide what to do about existing mobile users.
In effect, if you were to change your setting to “quarantine” and do nothing else, any existing users with ActiveSync devices set up to connect to Exchange will be quarantined as well. For example here I have four ActiveSync users who were quarantined when the new setting was applied.

Quarantined ActiveSync devices
You can see the same information using the Get-ActiveSyncDevice cmdlet in the management shell:
[PS] C:\>Get-ActiveSyncDevice -Filter {DeviceaccessState -eq "Quarantined"} | ft
RunspaceId FriendlyNam DeviceId DeviceImei DeviceMobil DeviceOS DeviceOSLan DeviceTelep DeviceType DeviceUserA
e eOperator guage honeNumber gent
---------- ----------- -------- ---------- ----------- -------- ----------- ----------- ---------- -----------
79ddab73... androidc... Android ... Android Android/...
79ddab73... androidc... Android ... Android Android/...
79ddab73... Appl8794... iPhone Apple-iP...
79ddab73... ApplDLXH... iPad Apple-iP...
So we have a few options about how to approach this situation.
Manually Approving Quarantined ActiveSync Devices
The simplest approach is to manually approve the quarantined devices. All you need to do is highlight an entry in the quarantined device list and click the Allow button.

Allowing a quarantined ActiveSync device
However, this is not very efficient if all you intend to do is allow every one of them. For one thing, it only approves that device for that specific user. What if you really wanted to approve all similar devices for any user?
Create a Device Access Rule Based on a Quarantined Device
Exchange 2010 allows us to create device access rules straight from the interface where quarantined devices are displayed. Simply highlight a quarantined device and choose Create a rule for similar devices.

Creating an ActiveSync device rule
Create a Device Access Rule using PowerShell
ActiveSync device access rules can also be created using the New-ActiveSyncDeviceAccessRule cmdlet. New-ActiveSyncDeviceAccessRule takes a few parameters; the most important ones for this example are the -QueryString and -Characteristic parameters.
Let’s take a closer look at the iPhones currently known to my Exchange server.
[PS] C:\>Get-ActiveSyncDevice | where {$_.DeviceModel -like "iPhone*"} | fl device*
DeviceId : Appl87941C1N3NS
DeviceType : iPhone
DeviceUserAgent : Apple-iPhone2C1/902.206
DeviceModel : iPhone
DeviceAccessState : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.0
DeviceId : ApplC39GQ8NNDTDL
DeviceType : iPhone
DeviceUserAgent : Apple-iPhone4C1/902.206
DeviceModel : iPhone
DeviceAccessState : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.0
So, to create the ActiveSync device access rule for iPhones we can run:
New-ActiveSyncDeviceAccessRule -AccessLevel Allow -Characteristic DeviceModel -QueryString iPhone
We can verify the intended outcome of this device access rule using Get-ActiveSyncDevice again.
[PS] C:\>Get-ActiveSyncDevice | where {$_.DeviceModel -like "iPhone*"} | fl device*
DeviceId : Appl87941C1N3NS
DeviceType : iPhone
DeviceUserAgent : Apple-iPhone2C1/902.206
DeviceModel : iPhone
DeviceAccessState : Allowed
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : iPhone (DeviceModel)
DeviceActiveSyncVersion : 14.0
DeviceId : ApplC39GQ8NNDTDL
DeviceType : iPhone
DeviceUserAgent : Apple-iPhone4C1/902.206
DeviceModel : iPhone
DeviceAccessState : Allowed
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : iPhone (DeviceModel)
DeviceActiveSyncVersion : 14.0
Any mobile devices of model “iPhone” will now be allowed to connect to Exchange ActiveSync.
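An added example (not from the original article): before switching the organization default to quarantine, this inventories the known devices by model and previews the allow rules that would be needed, using the cmdlets shown above. $ApprovedModels is an assumed allow-list, the iPad model string is assumed to be "iPad", and -WhatIf keeps the rule creation a dry run.

```powershell
# Added example, run in the Exchange Management Shell.
# $ApprovedModels is an assumed allow-list; replace it with your own policy.
$ApprovedModels = @('iPhone', 'iPad')

# 1. Inventory every known device by model and current access state,
#    so you can see who would be affected by a "quarantine" default.
$devices = Get-ActiveSyncDevice -ResultSize Unlimited
$devices |
    Group-Object DeviceModel, DeviceAccessState |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Collect the DeviceModel rules that already exist, to avoid duplicates.
$existingModels = @(Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' } |
    ForEach-Object { $_.QueryString })

# 3. Preview an Allow rule for each approved model that has no rule yet.
#    Remove -WhatIf once the preview matches what you expect.
foreach ($model in $ApprovedModels) {
    if ($existingModels -contains $model) {
        Write-Host "Rule for DeviceModel '$model' already exists, skipping"
        continue
    }
    New-ActiveSyncDeviceAccessRule -AccessLevel Allow `
        -Characteristic DeviceModel -QueryString $model -WhatIf
}

# 4. List devices whose model is NOT on the allow-list. These fall through
#    to the organization default and need an individual decision.
$devices |
    Where-Object { $ApprovedModels -notcontains $_.DeviceModel } |
    Select-Object DeviceId, DeviceModel, DeviceType, DeviceUserAgent,
        DeviceAccessState |
    Sort-Object DeviceModel |
    Format-Table -AutoSize
```

The model, type and user agent values are reported by the device itself, so a rule like this controls which device families may connect rather than identifying one specific handset.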
Further examples:




Hi Paul – appreciate the clear and concise post. I do have a couple of questions. What if you have users who are connected with their iPhones and iPads and we don't have a device access rule? If we create a device access rule for iPhones and iPads, the question is how will those users be affected? Will they receive a notification? A pop-up? Or anything? We want this to be as transparent as possible. Thanks for your time.
See here:
http://exchangeserverpro.com/preventing-new-activesync-device-types-from-connecting-to-exchange-server-2010
Quarantine sends an email to the mailbox + the same email is able to be received on the device.
Block just sends an email to the mailbox but the device can’t download it.
Thanks for the quick response. To clarify, if the device gets quarantined it receives a notification saying hey you have mail waiting but your device needs to be approved. We want to allow only 3 types of devices… Android, iPhones and iPads. And if we choose all models then will we still get that error for the user agent bug? However if we just choose Android then all other devices will become quarantined… and we don’t want that. And if we allow all 3 types then there will be no user intervention unless they have a different type of device that does not fall in these 3 categories.
Thanks again… I apologize for the lengthy comment. I tend to repeat things to get clarity and confirmations from experts like yourself.
Your comment confuses me so I’ll just answer the bit I understand – if you create one or more device access rules based on user agent you will run into that bug in the Exchange Control Panel.
Hi Paul,
Is there any way to allow or block the device based on its IMEI or unique ID? I would like to configure the exact device to access Exchange 2010 via the ActiveSync service.
Hope you could understand my idea. Sorry for my non-native English.
Not via a device access rule. But you can individually approve a device for a user if it has been quarantined.