Dealing with Existing ActiveSync Device Associations when Changing Organization Settings

The default ActiveSync organization setting in Exchange Server 2010 is to allow any mobile device to connect to an Exchange mailbox without requiring approval from an administrator.

Consider a scenario where the business has decided that mobile devices should be blocked or quarantined by default, requiring administrator approval before they are allowed to connect.

In this example the ActiveSync organization setting is changed from Allow to Quarantine.

In this case there are several users already using mobile devices to connect to Exchange. With the new setting applied one of them, Mary Hayes, is no longer able to connect, while another, Vik Kirby, is still able to connect without any issues.

In the view of quarantined devices we can only see Mary Hayes. Vik Kirby’s device has not been quarantined.

If the desired outcome was to quarantine all existing users and have their devices reviewed and approved where appropriate, then we need to work out how to deal with users such as Vik Kirby who were not affected by the change in policy.

In the help information for Set-ActiveSyncOrganizationSettings we can see the following notes for the DefaultAccessLevel parameter.

The DefaultAccessLevel parameter specifies whether new devices or existing devices are allowed, blocked, or quarantined.

Note: If you use the ActiveSyncDeviceAccessRule rule to define an access group of Exchange mobile devices together with their access level for a specific set of devices, those devices are not affected by the DefaultAccessLevel parameter.

While it does refer to mobile devices that are permitted by an ActiveSync device access rule, what it doesn’t say is what to expect for an individual user’s device that has been explicitly granted access (for example during a previous period when the default access level was set to block/quarantine).

If we use Get-CASMailbox to review mailboxes that have ActiveSync device associations we can see the difference between Mary and Vik.

[PS] C:\>Get-CASMailbox | where {$_.HasActiveSyncDevicePartnerShip} | select name,activesyncallowed*,activesyncblocked* | ft -auto

Name        ActiveSyncAllowedDeviceIDs         ActiveSyncBlockedDeviceIDs
----        --------------------------         --------------------------
Alan.Reid   {1249054091, androidc259148960}    {}
Mahera.Bawa {1249054091, Appl87941C1N3NS}      {}
Mary.Hayes  {}                                 {}
Vik.Kirby   {F04016EDD8F2DD3BD6A9DA5137583C5A} {}

Vik has a previously allowed device that is letting him continue to connect despite the change to the organization default access level.

To remove this approved device all we need to do is null the ActiveSyncAllowedDeviceIDs attribute for Vik. Note that this attribute is a multi-valued list, so nulling it clears every individually approved device on that mailbox, not just the one shown above; if a user has more than one approved device and you only want to revoke one of them, set the attribute to the remaining IDs instead.

Set-CASMailbox vik.kirby -ActiveSyncAllowedDeviceIDs $null

This change may take a short time to replicate through your environment. On the next connection attempt we can see that Vik's device becomes quarantined as intended.
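The steps above can be generalized into a single audit script that finds every mailbox in the organization with an individual allow-list entry, not just one user at a time. The script below is an added example and is not code from the original post; it assumes an Exchange 2010 SP1 (or later) Management Shell session, since the DeviceAccessState and DeviceAccessStateReason properties on Get-ActiveSyncDevice used in the final check do not exist in the RTM release. The -Clear switch is this example's own naming.

```powershell
# Added example (not from the original post): audit, and optionally clear,
# per-mailbox ActiveSync allow-list entries that bypass DefaultAccessLevel.
# Assumes an Exchange 2010 SP1+ Management Shell session.
param(
    [switch]$Clear   # without this switch the script only reports
)

# 1. Confirm the organization-wide default is what the business asked for.
$org = Get-ActiveSyncOrganizationSettings
if ($org.DefaultAccessLevel -ne 'Quarantine') {
    Write-Warning ("DefaultAccessLevel is '{0}', not 'Quarantine'. Run " +
        "Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine first." -f $org.DefaultAccessLevel)
}

# 2. Device access rules also override the default, so list them for the
#    reviewer; devices matched by a rule are not affected by this script.
Write-Host "Device access rules in effect:"
Get-ActiveSyncDeviceAccessRule | Format-Table Name, QueryString, Characteristic, AccessLevel -AutoSize

# 3. Find mailboxes with an individual allow entry (the Vik Kirby case).
#    -ResultSize Unlimited matters: Get-CASMailbox returns only 1000
#    mailboxes by default and would silently miss the rest.
$exempt = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.HasActiveSyncDevicePartnership -and
                   $_.ActiveSyncAllowedDeviceIDs.Count -gt 0 }

foreach ($mbx in $exempt) {
    $ids = $mbx.ActiveSyncAllowedDeviceIDs -join ', '
    Write-Host ("{0}: individually allowed device IDs = {1}" -f $mbx.Name, $ids)

    if ($Clear) {
        # Nulling the attribute drops every allowed ID on this mailbox,
        # so the user's devices fall back to the organization default.
        Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs $null
        Write-Host "  cleared; next sync from these devices will be quarantined"
    }
}

# 4. Cross-check from the device side. DeviceAccessStateReason records why
#    a device has its current state: 'Global' is the org default,
#    'Individual' a per-mailbox allow/block entry, 'DeviceRule' an access
#    rule, 'Policy' a mailbox policy. Anything Allowed for a reason other
#    than Global is exempt from the default and should be on the review list.
Write-Host "Devices allowed by something other than the organization default:"
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Allowed' -and
                   $_.DeviceAccessStateReason -ne 'Global' } |
    Format-Table UserDisplayName, DeviceId, DeviceType, DeviceAccessState, DeviceAccessStateReason -AutoSize
```

Run it once without -Clear to get the list of exempt mailboxes and devices for review, then with -Clear after the business has signed off on quarantining them. Devices that are allowed because of a device access rule (DeviceAccessStateReason of DeviceRule) will still show up in step 4 but are deliberately left alone, because removing a rule is an organization-wide decision rather than a per-user cleanup.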


About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. mike dunne says:

    Hi Paul.

    Great article. I was looking for something like this for a while as I have been dealt a similar scenario in my organisation at present. There are many existing users using devices that have the ActiveSync enabled. In fact, we have the default profile applied to every user on the domain which allows them to use ActiveSync.

    I want to make a new access rule so that anyone from now on will have to come to the IT Helpdesk for us to grant them access. If I apply the new rule to all users, the existing connected users will no longer be able to receive their mail on their devices until they come to us. As there are well over 100 people that will be affected like this, what is the best way to leave the default access rule on their exchange account or what do you suggest doing? I will try and roll out the new access rule one by one on the existing users rather than having them all lose access to their mail all at once.

    Sorry about the long-winded mail.

    I hope you can help me.

    Mike
