Preventing New ActiveSync Device Types from Connecting to Exchange Server 2010

In an Exchange Server 2010 organization where there are policies about which types of mobile devices can connect to the Exchange server using ActiveSync, the administrators may wish to prevent new device types from connecting without their knowledge.

Exchange 2010 lets administrators control how a new device type is treated by Exchange through the ActiveSync organization settings.


The default setting for this (perhaps unfortunately, from a security point of view) is “Allow”. You can see this using the Get-ActiveSyncOrganizationSettings cmdlet in the Exchange Management Shell.

[PS] C:\>Get-ActiveSyncOrganizationSettings | select DefaultAccessLevel | fl

DefaultAccessLevel : Allow

With this default access level any new mobile device type can connect to the server.

Configuring the ActiveSync Organization Settings

The administrator can change this using the Set-ActiveSyncOrganizationSettings cmdlet so that new device types are quarantined instead, requiring administrator approval before they can be used to connect to the Exchange server.

Aside from setting the default access level there are two other useful options that we can make use of:

  • AdminMailRecipients specifies the email addresses of administrators who are notified when a new device type attempts to connect.
  • UserMailInsert specifies an additional text string that is appended to the end user notification email that is sent by Exchange to let them know that their device has been quarantined. This makes it possible to include some friendly instructions for the end user, such as who to contact about the matter.

Here is an example:

[PS] C:\>Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients administrator@exchangeserverpro.net -UserMailInsert "Your mobile device type has not yet been approved for use. Please contact the Help Desk for further assistance."

You can also configure these settings using the Exchange Control Panel, in the Phone & Voice section. I just happen to find the shell a bit faster to use.

Let’s take a look at what happens once these ActiveSync organization settings have been applied. The user Vik Kirby attempts to connect to Exchange ActiveSync with a new Windows Phone 7 device.

Vik receives an email notification that the mobile phone is temporarily blocked. This arrives in the mailbox, accessible via Outlook or OWA, but is also permitted to sync to the mobile device itself (although no other content will sync to the device).

You may notice the custom text string that was specified using the UserMailInsert parameter.

The administrator specified with the AdminMailRecipients parameter also receives a notification email.

Example of Allowing a Quarantined ActiveSync Device

Clicking the link “To perform an action for this device…” opens the Exchange Control Panel to manage the device. This can also be found if you open the Exchange Control Panel and navigate to the Phone & Voice section again.

Choosing Allow and then clicking Save (at the bottom of the window) would permit Vik to use the device. The specific device ID is shown as allowed for Vik’s mailbox, visible using Get-CASMailbox.

[PS] C:\>Get-CASMailbox vik.kirby | select displayname,ActiveSyncAllowedDeviceIDs | fl

DisplayName                : Vik Kirby
ActiveSyncAllowedDeviceIDs : {F04016EDD8F2DD3BD6A9DA5137583C5A}

However, another user with the same type of device will still not be allowed to connect, and will be placed in quarantine, because the allowed device ID applies only to Vik's mailbox.
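The same review-and-approve step can be done from the Exchange Management Shell. The following is an added example, not code from the original article: it lists the devices currently sitting in quarantine and then approves one device ID for one mailbox. It assumes Exchange 2010 SP1 or later (for the Get-ActiveSyncDevice cmdlet); the mailbox name and device ID are the ones shown in the article and should be replaced with your own. Note that Set-CASMailbox replaces the ActiveSyncAllowedDeviceIDs list rather than appending to it, so the function reads the existing list first.

```powershell
# Added example (not from the original article). Assumes the Exchange
# Management Shell is loaded and Exchange 2010 SP1+ for Get-ActiveSyncDevice.

function Get-QuarantinedActiveSyncDevices {
    # DeviceAccessState is maintained by Exchange; 'Quarantined' means the
    # device is waiting for an administrator decision.
    Get-ActiveSyncDevice |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId,
                      DeviceAccessStateReason, FirstSyncTime
}

function Approve-ActiveSyncDeviceForMailbox {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,
        [Parameter(Mandatory = $true)] [string] $DeviceId
    )

    $cas = Get-CASMailbox -Identity $Mailbox

    # ActiveSyncAllowedDeviceIDs is overwritten when set, so build the union
    # of the current list and the new ID. Otherwise approving a second device
    # would silently drop a previously approved one.
    $allowed = @($cas.ActiveSyncAllowedDeviceIDs)
    if ($allowed -contains $DeviceId) {
        Write-Host "$DeviceId is already allowed for $Mailbox"
        return
    }

    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs ($allowed + $DeviceId)

    # Verify the change the same way the article does.
    Get-CASMailbox -Identity $Mailbox |
        Select-Object DisplayName, ActiveSyncAllowedDeviceIDs
}

# Review what is waiting, then approve a single device for a single mailbox.
Get-QuarantinedActiveSyncDevices | Format-Table -AutoSize
Approve-ActiveSyncDeviceForMailbox -Mailbox 'vik.kirby' -DeviceId 'F04016EDD8F2DD3BD6A9DA5137583C5A'
```

Run the first function on its own as a periodic check; a device that has sat in quarantine for a long time with a DeviceAccessStateReason of Global is one that nobody has reviewed yet, which is exactly what the quarantine setting is meant to surface.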

If, after reviewing the first quarantined device, you decide that all matching devices should also be allowed to connect, you can create a device access rule.

In the Exchange Control Panel, again in Phone & Voice, select the quarantined device and choose “Create a rule for similar devices…”.

The Device Family and Model are pre-populated based on the quarantined device you selected.

Save the policy and any subsequent new mobile device matching those criteria will be treated according to the rule you have configured.
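The "Create a rule for similar devices" action in the Exchange Control Panel has a shell equivalent, New-ActiveSyncDeviceAccessRule. The following is an added example, not code from the original article: it reads the device family (DeviceType) and model of a quarantined device and creates a rule that applies the chosen access level to every device with the same model. It assumes Exchange 2010 SP1 or later; the device ID is the article's and the function name is my own.

```powershell
# Added example (not from the original article). Assumes the Exchange
# Management Shell is loaded and Exchange 2010 SP1+ for Get-ActiveSyncDevice
# and New-ActiveSyncDeviceAccessRule.

function New-RuleForSimilarDevices {
    param(
        [Parameter(Mandatory = $true)] [string] $DeviceId,
        # A rule can Allow, Block or Quarantine matching devices.
        [ValidateSet('Allow', 'Block', 'Quarantine')] [string] $AccessLevel = 'Allow',
        # DeviceModel is the narrower match; DeviceType (the "family", e.g. WP
        # for Windows Phone in the article's case) matches a whole platform.
        [ValidateSet('DeviceModel', 'DeviceType')] [string] $Characteristic = 'DeviceModel'
    )

    $device = Get-ActiveSyncDevice | Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $device) {
        throw "No ActiveSync device partnership found with DeviceId $DeviceId"
    }

    # Pre-populate the match string from the selected device, as the ECP does.
    $query = if ($Characteristic -eq 'DeviceModel') { $device.DeviceModel } else { $device.DeviceType }

    # Refuse to create a duplicate rule for the same characteristic and value.
    $existing = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq $Characteristic -and $_.QueryString -eq $query }
    if ($existing) {
        Write-Host "A rule already exists for $Characteristic '$query' (AccessLevel $($existing.AccessLevel))"
        return $existing
    }

    New-ActiveSyncDeviceAccessRule -QueryString $query -Characteristic $Characteristic -AccessLevel $AccessLevel
}

# Allow every device of the same model as the quarantined Windows Phone from
# the article, then list all rules so the change can be reviewed.
New-RuleForSimilarDevices -DeviceId 'F04016EDD8F2DD3BD6A9DA5137583C5A' -AccessLevel Allow
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```

Per-mailbox entries made with Set-CASMailbox (ActiveSyncAllowedDeviceIDs and ActiveSyncBlockedDeviceIDs) take precedence over device access rules, and rules take precedence over the organization's DefaultAccessLevel, so a device that was individually blocked stays blocked even after an Allow rule for its model is created.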

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. Turbomcp says:

    Thanks paul
    always interesting stuff

  2. Stef Bearne says:

    I had implemented this a few months ago at the request of HR. The policy was required so that only an exempt employee should be granted access, rather than by device type. Once the policy was applied, all existing devices were quarantined too. Is there a way to grandfather in existing users (Exch 2003 Mobile Admin tools had an exclusion list)? It wasn’t a big problem as I had communicated the change prior, but it would have been nice to circumvent approving previously connected devices.

  3. Hi Paul,

    In our organization the default access level is Quarantine

    How to achieve the below requirement

    “All devices in the quarantined list for more than a month should be purged from the list”

  4. Carol Ostos says:

    Is it possible to enable quarantine policy for a domain (limited scope) as opposed to enable this at the organization level?

    • No. For that type of granularity I’d say look at third party MDM solutions.

      • Carol Ostos says:

        We are looking at Good for Enterprise but I have been asked to research about implementing quarantine devices for ActiveSync. Seems like you have to be careful if enabling this once ActiveSync is already used in Production. I hope to convince Senior Management that MDM is a more robust solution than ActiveSync. Wish me luck!

  5. Kevin O'Brien says:

    Hi Paul,

    Is it possible to manage a device with ActiveSync policies but block the device from having email access?

    thank you,
    Kevin

    • Nobody has ever asked me that before.

      I’ve looked at what is available in ActiveSync policies and I don’t see anything that would fit that scenario.

      Why do you want to manage the device if it isn’t going to get email?

      • Kevin O'Brien says:

        Hi Paul,

        I have never been asked that before either. This is for a client. Some of their people have company iPads but don’t use email on them. The boss asked him if it was possible so I am not sure what the reasoning is. I am only assuming that they want the ability to remote wipe. Not sure what other reason you would have for this request. I found this article by Paul Robichaux about blocking devices:

        http://windowsitpro.com/exchange-server-2010/managing-exchange-activesync-device-access

        I tested it out by setting up my iPhone for email, and then running these commands to block the device. Email was blocked at the phone and the phone was still associated with my account. I am not about to wipe out my iPhone but it looks like this may work. I sent the info over to the client so they can play with it. Not sure I’ll ever see this kind of request again.

        Thanks!
        Kevin
