Is Quarantine Smarter than Block for ActiveSync Device Access Rules?

During the recent issues with iOS 6.1 causing excessive transaction logging on Exchange servers many administrators took steps to block iOS 6.1 devices from their servers using ActiveSync device access rules.

But when Apple released iOS 6.1.2 (which may or may not actually fix the problem) they noticed that upgraded devices weren’t being automatically allowed to connect to Exchange again.

To demonstrate this I put an iOS 6.1 block rule on my test server, connected at least once to confirm my device was being blocked, and then updated the device to iOS 6.1.2.

update-ios

After running the update the device still can’t connect to Exchange. A look at the device state still shows that it is blocked by the rule put in place for iOS 6.1, even though I upgraded to 6.1.2.

[PS] C:\>Get-ActiveSyncDeviceStatistics -Mailbox alan.reid | select device*

DeviceType                    : iPhone
DeviceID                      : ApplC39GQ8NNDTDL
DeviceUserAgent               : Apple-iPhone4C1/1002.142
DeviceModel                   : iPhone4C1
DeviceFriendlyName            : Black iPhone 4S
DeviceOS                      : iOS 6.1 10B142
DeviceAccessState             : Blocked
DeviceAccessStateReason       : DeviceRule
DeviceAccessControlRule       : iOS 6.1 10B142 (DeviceOS)
DevicePolicyApplied           : Default
DevicePolicyApplicationStatus : AppliedInFull
DeviceActiveSyncVersion       : 14.1

I don’t want to remove the device access rule because the bug still exists in iOS 6.1 and other devices might still be running that version and try to connect to the server again.

So what can I do to let the updated device gain access to the server again?

One option is to remove the device from Exchange entirely. This causes it to be assessed as a new device the next time it connects, and in this scenario would be allowed to connect.

remove-mobile-device

However at a large scale this may be impractical and cause a lot of administrative effort.

Another option is to use a device access rule that quarantines devices instead of blocking them. For example, here is a device access rule that quarantines the iPad 3 running iOS 6.1.

New-ActiveSyncDeviceAccessRule -QueryString "iOS 6.1 10B141" -Characteristic DeviceOS -AccessLevel Quarantine

When the device attempts to connect it is put in the quarantine state instead of being blocked.

[PS] C:\>Get-ActiveSyncDeviceStatistics -Mailbox mary.hayes | select device*

DeviceType                    : iPad
DeviceID                      : ApplDLXH8DELDVGJ
DeviceUserAgent               : Apple-iPad3C3/1002.141
DeviceModel                   : iPad3C3
DeviceFriendlyName            : Black iPad
DeviceOS                      : iOS 6.1 10B141
DeviceOSLanguage              : en-GB
DeviceAccessState             : Quarantined
DeviceAccessStateReason       : DeviceRule
DeviceAccessControlRule       : iOS 6.1 10B141 (DeviceOS)
DevicePolicyApplied           : Default
DevicePolicyApplicationStatus : AppliedInFull
DeviceActiveSyncVersion       : 14.1

After updating the device to iOS 6.1.2 it is allowed to connect again with no administrative action required.

[PS] C:\>Get-ActiveSyncDeviceStatistics -Mailbox mary.hayes | select device*

DeviceType                    : iPad
DeviceID                      : ApplDLXH8DELDVGJ
DeviceUserAgent               : Apple-iPad3C3/1002.146
DeviceModel                   : iPad3C3
DeviceFriendlyName            : Black iPad
DeviceOS                      : iOS 6.1.2 10B146
DeviceOSLanguage              : en-GB
DeviceAccessState             : Allowed
DeviceAccessStateReason       : Global
DeviceAccessControlRule       :
DevicePolicyApplied           : Default
DevicePolicyApplicationStatus : AppliedInFull
DeviceActiveSyncVersion       : 14.1

So which is the smarter approach?

  • Blocking devices gives the administrator the most control over when the devices are allowed to connect to the server again. In the case of iOS 6.1 multiple updates have since been released that do not solve the very serious problem of excessive transaction logging, therefore the continued blocking of the device is a good thing. However when the bug is fixed the administrators will have to spend more time unblocking devices, which is possibly a costly exercise in very large scale environments.
  • Quarantining devices is the least administrative effort, because an updated device will automatically be allowed to reconnect when it updates to a version that has no block/quarantine rule configured on the server. However the risk exists that an administrator will process a quarantine request and allow a device running one of the bad iOS versions to begin connecting to the server again.

As you can see neither approach is entirely perfect but fortunately administrators have some choice and flexibility in how they deal with this issue.

Learn even more in the Beginner's Guide to Exchange Server 2010 ActiveSync. Grab your copy here.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. joe orsini says:

    Paul/et all is there a way to block unknown versions of IOS via this method (and the ones in your earlier article)?

    IE- to block future versions of IOS until we can test them?

  2. Shane Bryan says:

    Hi Paul, is it possible – if I have the device ID of the users iPad running 6.1, to do a quarantine on that single device rather than just removing or wiping it?

    In the EMC the only 2 options are ‘Remove mobile phone partnership’ & ‘Perform a remote wipe’.

    I only have a small number of users running 6.1, so I’d prefer to ‘suspend’ their syncing until they upgrade, but I need to do it on a user by user basis as I have 1 very important user, away on a fund raising trip and if I blocked his phone, it would NOT go down well :-)

    Cheers Shane.

    • I haven’t tested whether changing a block rule to a quarantine rule means that the blocked devices switch to a state of quarantine. But maybe that is one approach.

      • Shane Bryan says:

        So in Powershell, is there a cmdlet that I can run, with the users device ID then, to block that device rather than delete or wipe it? In effect, just suspend syncing until I can confirm that it’s at 6.1.2?

  3. Quarantining has to be the best way as it keeps management to the minimum, if you block then depending on the size could become very time consuming.

    I assume that it would also allow you to let your bosses device sync? while keeping others quarantined as this can also cause headaches bigger than the initial problem.

  4. At my workplace, the system admins have opted for the first option: blocking devices. While I agree that this provides more control to the admin, the problem is that we have 2 that collaborate on a part-time basis so it is really difficult for them to keep track of all devices (e.g. the ticket system needs to be updated but overworked admins barely have time to finish all tasks…and then go update the ticket system!). The two part-time admins spend so much unlocking devices that this effort becomes too costly. Given the experience at my company, I would ask for people to opt for option 2.

  5. Tony Brock says:

    For me, quarantined devices could still fill up my log drives…

Leave a Comment

*

We are an Authorized DigiCert™ SSL Partner.