Preventing New ActiveSync Device Types from Connecting to Exchange Server 2010

In an Exchange Server 2010 organization where there are policies about which types of mobile devices can connect to the Exchange server using ActiveSync, the administrators may wish to prevent new device types from connecting without their knowledge.

Exchange 2010 provides the capability for administrators to control how a new device type is treated by Exchange thanks to the ActiveSync organization settings.


The default setting for this (perhaps unfortunately, from a security point of view) is “Allow”. You can see this using the Get-ActiveSyncOrganizationSettings cmdlet in the Exchange Management Shell.

[PS] C:\>Get-ActiveSyncOrganizationSettings | select DefaultAccessLevel | fl

DefaultAccessLevel : Allow

With this default access level any new mobile device type can connect to the server.

Configuring the ActiveSync Organization Settings

The administrator can change this using the Set-ActiveSyncOrganizationSettings cmdlet so that new device types are quarantined instead, requiring administrator approval before they can be used to connect to the Exchange server.

Aside from setting the default access level, there are two other useful options:

  • AdminMailRecipients specifies the email addresses of administrators who are notified when a new device type attempts to connect.
  • UserMailInsert specifies an additional text string that is appended to the end user notification email that is sent by Exchange to let them know that their device has been quarantined. This makes it possible to include some friendly instructions for the end user, such as who to contact about the matter.

Here is an example:

[PS] C:\>Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients administrator@exchangeserverpro.net -UserMailInsert "Your mobile device type has not yet been approved for use. Please contact the Help Desk for further assistance."

You can also configure these settings using the Exchange Control Panel, in the Phone & Voice section. I just happen to find the shell a bit faster to use.

Let’s take a look at what happens once these ActiveSync organization settings have been applied. The user Vik Kirby attempts to connect to Exchange ActiveSync with a new Windows Phone 7 device.

Vik receives an email notification that the mobile phone is temporarily blocked. This arrives in the mailbox, accessible via Outlook or OWA, but is also permitted to sync to the mobile device itself (although no other content will sync to the device).

You may notice the custom text string that was specified using the UserMailInsert parameter.

The administrator specified with the AdminMailRecipients parameter also receives a notification email.
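Once the default access level is Quarantine, the notification emails are not the only way to see what is waiting for approval. The following is an added example (not code from the original article) that lists every quarantined device across the organization from the Exchange Management Shell. It assumes an Exchange 2010 EMS session and uses only the Get-CASMailbox and Get-ActiveSyncDeviceStatistics cmdlets; the CSV path at the end is a placeholder.

```powershell
# Added example: report all currently quarantined ActiveSync devices.
# Assumes an Exchange 2010 Management Shell session.

# Only mailboxes that have at least one ActiveSync device partnership are worth querying.
$casMailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }

$quarantined = foreach ($cas in $casMailboxes) {
    # Each mailbox can have several partnerships; keep only the quarantined ones.
    Get-ActiveSyncDeviceStatistics -Mailbox $cas.Identity |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $cas.DisplayName } },
                      DeviceType, DeviceModel, DeviceID,
                      DeviceAccessStateReason, LastSyncAttemptTime
}

# Most recent connection attempts first, so new arrivals are at the top.
$quarantined | Sort-Object LastSyncAttemptTime -Descending | Format-Table -AutoSize

# Optional: keep a record of what was reviewed (placeholder path).
# $quarantined | Export-Csv -Path '.\QuarantinedDevices.csv' -NoTypeInformation
```

DeviceAccessStateReason tells you why each device landed in quarantine (the organization default, a device access rule, or an individual mailbox setting), which is useful when deciding whether to approve a single device or write a rule for its type.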

Example of Allowing a Quarantined ActiveSync Device

Clicking the link “To perform an action for this device…” opens the Exchange Control Panel to manage the device. This can also be found if you open the Exchange Control Panel and navigate to the Phone & Voice section again.

Choosing Allow and then clicking Save (at the bottom of the window) would permit Vik to use the device. The specific device ID is shown as allowed for Vik’s mailbox, visible using Get-CASMailbox.

[PS] C:\>Get-CASMailbox vik.kirby | select displayname,ActiveSyncAllowedDeviceIDs | fl

DisplayName                : Vik Kirby
ActiveSyncAllowedDeviceIDs : {F04016EDD8F2DD3BD6A9DA5137583C5A}

However another user with the same type of device will still not be allowed to connect, and will be placed in Quarantine.

If, after reviewing the first quarantined device of a given type, you decide that all matching devices should also be allowed to connect, you can create a device access rule.

In the Exchange Control Panel, again in Phone & Voice, select the quarantined device and choose “Create a rule for similar devices…”.

The Device Family and Model are pre-populated based on the quarantined device you selected.

Save the policy and any subsequent new mobile device matching those criteria will be treated according to the rule you have configured.
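The same rule can be created from the shell, which is handy when you want to build it from the properties Exchange actually recorded for the quarantined device rather than typing them by hand. This is an added example, not code from the original article; it assumes an Exchange 2010 EMS session and reuses the vik.kirby mailbox from the walkthrough above.

```powershell
# Added example: shell equivalent of "Create a rule for similar devices..." in the ECP.
# Assumes an Exchange 2010 Management Shell session and that vik.kirby has a quarantined device.

$device = Get-ActiveSyncDeviceStatistics -Mailbox vik.kirby |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object -First 1

if (-not $device) { throw "No quarantined device found for vik.kirby" }

# A rule matches on exactly one characteristic: DeviceType (the "family" shown in ECP),
# DeviceModel, DeviceOS or UserAgent. DeviceModel is narrower than DeviceType, so an Allow
# rule on it admits fewer devices than a rule on the whole family.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString $device.DeviceModel `
    -AccessLevel Allow

# Review every rule in force so that a new Allow does not overlap an existing Block or
# Quarantine rule for the same device characteristic.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```

Using the recorded DeviceModel string avoids the common mistake of a rule that never matches because of a small difference between the model name printed on the device and the value the device reports to Exchange.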

Comments

  1. Stef Bearne says

    I had implemented this a few months ago at the request of HR. The policy was required so that only an exempt employee should be granted access, rather than by device type. Once the policy was applied, all existing devices were quarantined too. Is there a way to grandfather in existing users (Exch 2003 Mobile Admin tools had an exclusion list)? It wasn’t a big problem as I had communicated the change prior, but it would have been nice to circumvent approving previously connected devices.

  2. Anil says

    Hi Paul,

    In our organization the default access level is Quarantine

    How to achieve the below requirement

    “All devices in the quarantined list for more than a month should be purged from the list”

  3. Carol Ostos says

    Is it possible to enable quarantine policy for a domain (limited scope) as opposed to enable this at the organization level?

  4. Kevin O'Brien says

    Hi Paul,

    Is it possible to manage a device with ActiveSync policies but block the device from having email access?

    thank you,
    Kevin

    • says

      Nobody has ever asked me that before.

      I’ve looked at what is available in ActiveSync policies and I don’t see anything that would fit that scenario.

      Why do you want to manage the device if it isn’t going to get email?

      • Kevin O'Brien says

        Hi Paul,

        I have never been asked that before either. This is for a client. Some of their people have company iPads but don’t use email on them. The boss asked him if it was possible so I am not sure what the reasoning is. I am only assuming that they want the ability to remote wipe. Not sure what other reason you would have for this request. I found this article by Paul Robichaux about blocking devices:

        http://windowsitpro.com/exchange-server-2010/managing-exchange-activesync-device-access

        I tested it out by setting up my iPhone for email, and then running these commands to block the device. Email was blocked at the phone and the phone was still associated with my account. I am not about to wipe out my iPhone but it looks like this may work. I sent the info over to the client so they can play with it. Not sure I’ll ever see this kind of request again.

        Thanks!
        Kevin

  5. Joerg Renggli says

    Hi Paul,

    Is it possible to create an ActiveSyncDeviceAccessRule that queries the “Device ID” and set it to “Allow”, without a mailbox bound to it?

    We have about 40 “lending” iPads in our company and would like to allow these on a device basis.

    Thank you
    Joerg

  6. Lars says

    Hi Paul,

    many thanks for the great article. Do I need a Standard or an Enterprise CAL?

    Best regards
    Lars

  7. Ken M says

    Paul, is it possible to PRE-Allow existing devices so that when we turn on the Quarantine mode they do not receive a notice?

    • says

      Yes, if you know the device ID you can add it to the allowed device IDs for a mailbox by using Set-CASMailbox. For iPhones the device ID can be found in the OS and I think it is also on the packaging, it is displayed as the serial number but the device ID that it appears as in Exchange has some characters prepended, “Appl”.

      For other devices like Android and WinPho I don’t know exactly where to find the device ID/serial in advance.
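Two commenters above ask how to avoid quarantining devices that are already in use when the default is switched to Quarantine. The following is an added example (not code from the article or its author) that applies the Set-CASMailbox approach in bulk: it collects the device IDs that have synced recently and adds them to each mailbox's allowed list before the default access level is changed. It assumes an Exchange 2010 EMS session; the 30-day threshold and the $commit switch are constructed for the example.

```powershell
# Added example: pre-allow every device that has already synced, per mailbox,
# so that switching the default to Quarantine only affects genuinely new devices.
# Assumes an Exchange 2010 Management Shell session.

$commit = $false                      # $false = report only; set to $true to apply
$cutoff = (Get-Date).AddDays(-30)     # constructed threshold: ignore devices idle for 30+ days

$mailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }

foreach ($cas in $mailboxes) {
    # Device IDs that have completed a successful sync since the cutoff.
    $ids = Get-ActiveSyncDeviceStatistics -Mailbox $cas.Identity |
        Where-Object { $_.LastSuccessSync -gt $cutoff } |
        ForEach-Object { $_.DeviceID }

    # Skip IDs already present on the mailbox's allowed list.
    $new = @($ids | Where-Object { $cas.ActiveSyncAllowedDeviceIDs -notcontains $_ })

    if ($new.Count -gt 0) {
        Write-Host ("{0}: allowing {1} device(s): {2}" -f $cas.DisplayName, $new.Count, ($new -join ', '))
        if ($commit) {
            # Add to the multi-valued property rather than overwriting it.
            Set-CASMailbox -Identity $cas.Identity -ActiveSyncAllowedDeviceIDs @{ Add = $new }
        }
    }
}

# Only after the allowed lists are populated, change the organization default:
# Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
```

Run it once with $commit left at $false and review the output; stale partnerships (old phones that were replaced) fall outside the cutoff and are not grandfathered in, which keeps the allowed lists from accumulating device IDs nobody still uses.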
