Dealing with Existing ActiveSync Device Associations when Changing Organization Settings

The default ActiveSync organization setting in Exchange Server 2010 is to allow any mobile device to connect to an Exchange mailbox without requiring approval from an administrator.


Consider a scenario where the business has decided that mobile devices should be blocked or quarantined by default, requiring administrator approval before they are allowed to connect.

In this example, the ActiveSync organization setting is changed to quarantine.

Several users were already connecting to Exchange from their mobile devices before the change. Once the new setting is applied, one of them, Mary Hayes, can no longer connect, while another, Vik Kirby, continues to connect without any issue.

In the view of quarantined devices we can only see Mary Hayes. Vik Kirby’s device has not been quarantined.

If the desired outcome was to quarantine every existing user so that their devices could be reviewed and approved where appropriate, then we need to work out how to deal with users such as Vik Kirby who were not affected by the change in policy.

In the help for Set-ActiveSyncOrganizationSettings we can see the following notes for the DefaultAccessLevel parameter.

The DefaultAccessLevel parameter specifies whether new devices or existing devices are allowed, blocked, or quarantined.

Note: If you use the ActiveSyncDeviceAccessRule rule to define an access group of Exchange mobile devices together with their access level for a specific set of devices, those devices are not affected by the DefaultAccessLevel parameter.

While the note covers mobile devices that are permitted by an ActiveSync device access rule, it does not say what to expect for an individual user’s device that has been explicitly granted access on the mailbox (for example during a previous period when the default access level was set to block or quarantine).

If we use Get-CASMailbox to review mailboxes that have ActiveSync device associations we can see the difference between Mary and Vik.

[PS] C:\>Get-CASMailbox | where {$_.HasActiveSyncDevicePartnerShip} | select name,activesyncallowed*,activesyncblocked* | ft -auto

Name        ActiveSyncAllowedDeviceIDs         ActiveSyncBlockedDeviceIDs
----        --------------------------         --------------------------
Alan.Reid   {1249054091, androidc259148960}    {}
Mahera.Bawa {1249054091, Appl87941C1N3NS}      {}
Mary.Hayes  {}                                 {}
Vik.Kirby   {F04016EDD8F2DD3BD6A9DA5137583C5A} {}

Vik has a previously allowed device that is letting him continue to connect despite the change to the organization default access level.

To remove this approved device all we need to do is clear the ActiveSyncAllowedDeviceIDs attribute on Vik’s mailbox by setting it to $null.

Set-CASMailbox vik.kirby -ActiveSyncAllowedDeviceIDs $null

This change may take a short time to replicate through your environment. On the next connection attempt we can see that Vik’s device becomes quarantined as intended.
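Because a per-mailbox ActiveSyncAllowedDeviceIDs entry silently overrides the organization default, it is worth auditing for such entries before (and after) tightening DefaultAccessLevel. The script below is an added example, not code from the original article; it assumes an Exchange Management Shell session where Get-CASMailbox and Set-CASMailbox are available, and the function names are my own. It lists every mailbox with an ActiveSync partnership and a non-empty allowed-device list (the Vik Kirby cases), then clears those lists using the same Set-CASMailbox call shown above, with -WhatIf support so the change can be previewed first.

```powershell
# Added example (not from the original article). Assumes an Exchange
# Management Shell session (Exchange 2010, as in the article).
# Function names are hypothetical.

function Get-PerUserAllowedActiveSyncDevices {
    # Returns mailboxes that have an ActiveSync partnership AND at least one
    # explicitly allowed device ID. The organization DefaultAccessLevel
    # (Block/Quarantine) does not apply to those devices.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object {
            $_.HasActiveSyncDevicePartnership -and
            $_.ActiveSyncAllowedDeviceIDs.Count -gt 0
        } |
        Select-Object Name, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
}

function Clear-PerUserAllowedActiveSyncDevices {
    # Clears the per-mailbox allowed list so the organization default applies
    # at the device's next sync. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]$Name
    )
    process {
        foreach ($mailbox in $Name) {
            if ($PSCmdlet.ShouldProcess($mailbox, 'Clear ActiveSyncAllowedDeviceIDs')) {
                # Same operation the article applies to vik.kirby
                Set-CASMailbox -Identity $mailbox -ActiveSyncAllowedDeviceIDs $null
            }
        }
    }
}

# 1. Review who would keep bypassing the new organization default
Get-PerUserAllowedActiveSyncDevices | Format-Table -AutoSize

# 2. Preview the clean-up, then run it without -WhatIf once satisfied
Get-PerUserAllowedActiveSyncDevices | Clear-PerUserAllowedActiveSyncDevices -WhatIf
# Get-PerUserAllowedActiveSyncDevices | Clear-PerUserAllowedActiveSyncDevices
```

Run the audit step again after replication has completed and after the organization setting has been changed; any mailbox that reappears in the list has had a device re-approved per user and will again be outside the organization default.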


About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. mike dunne says:

    Hi Paul.

    Great article. I was looking for something like this for a while as I have been dealt a similar scenario in my organisation at present. There are many existing users using devices that have the ActiveSync enabled. In fact, we have the default profile applied to every user on the domain which allows them to use ActiveSync.

    I want to make a new access rule so that anyone from now on will have to come to the IT Helpdesk for us to grant them access. If I apply the new rule to all users, the existing connected users will no longer be able to receive their mail on their devices until they come to us. As there are well over 100 people that will be affected like this, what is the best way to leave the default access rule on their exchange account or what do you suggest doing? I will try and roll out the new access rule one by one on the existing users rather than having them all lose access to their mail all at once.

    Sorry about the long winded mail.

    I hope you can help me.

    Mike

  2. Hi Paul,

    How do you remove a subset of approved ActiveSync devices without removing them all? For example, how do you remove Mahera’s Apple device while leaving the other device approved?

    Thanks!

    Jim
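The article only shows clearing the whole ActiveSyncAllowedDeviceIDs list with $null. The following is an added example, not from the article or any reply, showing how a single entry can be removed while the others are kept. It assumes an Exchange Management Shell session and that Set-CASMailbox accepts the @{Remove=...} hashtable form that Exchange uses for multivalued parameters (Exchange 2010 SP1 and later); the function name is hypothetical, and the mailbox and device IDs are the ones from the Get-CASMailbox output in the article.

```powershell
# Added example (not from the original article or comments). Assumes an
# Exchange Management Shell session and that -ActiveSyncAllowedDeviceIDs
# accepts the @{Remove=...} multivalued-parameter syntax (assumption).
# Function name is hypothetical.

function Remove-AllowedActiveSyncDevice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]$Identity,
        [Parameter(Mandatory = $true)] [string]$DeviceId
    )

    # Read the current list so we only act when the entry really exists
    $before = (Get-CASMailbox -Identity $Identity).ActiveSyncAllowedDeviceIDs
    if ($before -notcontains $DeviceId) {
        Write-Warning "$DeviceId is not in the allowed list for $Identity; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess($Identity, "Remove $DeviceId from ActiveSyncAllowedDeviceIDs")) {
        # Remove only the named entry; every other approved device is left intact
        Set-CASMailbox -Identity $Identity -ActiveSyncAllowedDeviceIDs @{Remove = $DeviceId}

        # Read back and return the remaining list so the result can be verified
        (Get-CASMailbox -Identity $Identity).ActiveSyncAllowedDeviceIDs
    }
}

# Mahera keeps device 1249054091 and loses the Apple device (preview with -WhatIf first)
Remove-AllowedActiveSyncDevice -Identity 'Mahera.Bawa' -DeviceId 'Appl87941C1N3NS' -WhatIf
```

Once the explicit approval is gone, that device falls back to whatever the organization DefaultAccessLevel and any device access rules decide on its next sync, so check the quarantine view afterwards rather than assuming it is blocked.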

  3. I have added devices to the ActiveSyncBlockedDeviceIDs list. I need to remove them so they are allowed. I tried to do Set-CASMailbox -Identity -ActiveSyncAllowedDeviceIDs and it added the device to the allowed list but now it shows up in both allowed and blocked. I can’t seem to find how to remove devices from the blocked ID list at all. Thanks

    Dave

  4. Disregard last post. I figured it out. Just used the $null parameter.

  5. Hi Paul,

    We used to allow only a single ActiveSync configuration per device for an Exchange 2007 SP3 mailbox by using the Set-CASMailbox field “ActiveSyncAllowedDeviceIDs”. But in Exchange 2013 somehow it is not working. Even when an Exchange 2013 user account is bound to one device ID, he is able to configure multiple handsets.
    We have not created any Access or block rule yet and ActiveSyncOrganizationSettings is Allow.

    Let me know how we can achieve a single device configuration per mailbox in Exchange 2013.

    Thanks in advance,
    Manish

    • If there are no access rules blocking the device, and the org setting is set to allow, then they will be able to connect their device. So you will need to look at changing the org setting if you want to block/quarantine everything except those specific devices you wish to allow.

  6. Thanks for your quick response,

    That means I need to set ActiveSyncOrganizationSettings to Quarantine and mention the device IDs which I want to allow to sync in ActiveSyncAllowedDeviceIDs. No need to create an Access or Block Rule, right?

    Regards,
    Manish

  7. Hello,

    Would it do any damage to Exchange 2010 to delete the CN=ExchangeActiveSyncDevices leaf container under a user’s object using, e.g., ADSI, FIM or MIIS?

    We have some users who have left. Although their mailbox was deleted months ago, the ExchangeActiveSyncDevices container still remains under their user object. That’s causing problems deleting the user account for our AD team. However, their user object was moved to a different “disabled” OU before the mailbox was deleted …

    Thanks for any advice,

    - Alan.
