In a recent article I demonstrated how to use ActiveSync organization settings to prevent new mobile devices from connecting to Exchange Server 2010.
For organizations that are considering using a default organization setting of “block” or “quarantine” (as the article demonstrated) there is the consideration of what to do about existing mobile users.
In effect, if you were to change your setting to “quarantine” and do nothing else, any existing users with ActiveSync devices set up to connect to Exchange will be quarantined as well. For example here I have four ActiveSync users who were quarantined when the new setting was applied.
You can see the same information using the Get-ActiveSyncDevice cmdlet in the management shell:
[PS] C:\>Get-ActiveSyncDevice -Filter {DeviceaccessState -eq "Quarantined"} | ft

RunspaceId  FriendlyNam DeviceId    DeviceImei  DeviceMobil DeviceOS    DeviceOSLan DeviceTelep DeviceType  DeviceUserA
            e                                   eOperator               guage       honeNumber              gent
----------  ----------- --------    ----------  ----------- --------    ----------- ----------- ----------  -----------
79ddab73...             androidc...                         Android ...                         Android     Android/...
79ddab73...             androidc...                         Android ...                         Android     Android/...
79ddab73...             Appl8794...                                                             iPhone      Apple-iP...
79ddab73...             ApplDLXH...                                                             iPad        Apple-iP...
So we have a few options about how to approach this situation.
Manually Approving Quarantined ActiveSync Devices
The simplest approach is to manually approve the quarantined devices. All you need to do is highlight an entry in the quarantined device list and click the Allow button.
However this is not very efficient if all you intend to do is allow every one of them. For one thing it only approves that device for that specific user. What if you really wanted to approve all similar devices for any user?
Create a Device Access Rule Based on a Quarantined Device
Exchange 2010 allows us to create device access rules straight from the interface where quarantined devices are displayed. Simply highlight a quarantined device and choose Create a rule for similar devices.
Create a Device Access Rule using PowerShell
ActiveSync device access rules can also be created using the New-ActiveSyncDeviceAccessRule cmdlet. It takes a few parameters; the most important ones for this example are -QueryString and -Characteristic.
Let’s take a closer look at the iPhones currently known to my Exchange server.
[PS] C:\>Get-ActiveSyncDevice | where {$_.DeviceModel -like "iPhone*"} | fl device*

DeviceId                : Appl87941C1N3NS
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone2C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.0

DeviceId                : ApplC39GQ8NNDTDL
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone4C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.0
So, to create the ActiveSync device access rule for iPhones we can run:
New-ActiveSyncDeviceAccessRule -AccessLevel Allow -Characteristic DeviceModel -QueryString iPhone
We can verify the intended outcome of this device access rule using Get-ActiveSyncDevice again.
[PS] C:\>Get-ActiveSyncDevice | where {$_.DeviceModel -like "iPhone*"} | fl device*

DeviceId                : Appl87941C1N3NS
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone2C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Allowed
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : iPhone (DeviceModel)
DeviceActiveSyncVersion : 14.0

DeviceId                : ApplC39GQ8NNDTDL
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone4C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Allowed
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : iPhone (DeviceModel)
DeviceActiveSyncVersion : 14.0
Any mobile devices of model “iPhone” will now be allowed to connect to Exchange ActiveSync.
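The same approach can be applied to every model on a reviewed list rather than one rule at a time. The script below is an added example, not part of the original article: it creates DeviceModel allow rules only for approved models that are currently quarantined by the organization default, and reports everything it leaves alone. The variable names $ApprovedModels and $Apply and the sample model list are assumptions; replace the list with the DeviceModel values your own Get-ActiveSyncDevice output reports.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# $ApprovedModels and $Apply are assumed names; the model list is a sample.
$ApprovedModels = 'iPhone', 'iPad'
$Apply = $false   # $false = dry run (-WhatIf); set to $true to create the rules

# Devices quarantined by the organization default, not by an existing rule.
# @() keeps the result an array even when nothing is quarantined.
$quarantined = @(Get-ActiveSyncDevice -ResultSize Unlimited -Filter {DeviceAccessState -eq "Quarantined"} |
    Where-Object { $_.DeviceAccessStateReason -eq 'Global' -and $_.DeviceModel })

# Existing rules, keyed "Characteristic|QueryString", so nothing is created twice.
$existing = @{}
Get-ActiveSyncDeviceAccessRule | ForEach-Object {
    $existing["$($_.Characteristic)|$($_.QueryString)"] = $_.AccessLevel
}

# One rule per distinct model, matching the DeviceModel value exactly.
$quarantined | Group-Object DeviceModel | ForEach-Object {
    $model = $_.Name
    $key   = "DeviceModel|$model"
    if ($ApprovedModels -notcontains $model) {
        Write-Host "LEAVE  '$model' ($($_.Count) device(s)): not on the approved list"
    }
    elseif ($existing.ContainsKey($key)) {
        Write-Host "SKIP   '$model': rule already exists ($($existing[$key]))"
    }
    else {
        Write-Host "ALLOW  '$model' ($($_.Count) device(s))"
        New-ActiveSyncDeviceAccessRule -AccessLevel Allow -Characteristic DeviceModel `
            -QueryString $model -WhatIf:(-not $Apply)
    }
}

# Anything still listed here needs a rule for its model or a per-user decision.
Get-ActiveSyncDevice -Filter {DeviceAccessState -eq "Quarantined"} |
    Format-Table DeviceId, DeviceModel, DeviceType, DeviceAccessStateReason -AutoSize
```

Because a device access rule applies to that model for any user, review the dry-run output before setting $Apply to $true.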
Further examples:
Hi guys! Paul, as always – GREAT post… again!
But I need some help please! We have 4 ActiveSync Policies configured in Exchange 2010. I have no problem creating the access rules etc, but how can I create the access rule to apply ONLY to one specific ActiveSync Policy?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Not possible, unfortunately. You can use the different policies to apply different device requirements like PIN/passcode strength etc, but the device access rules apply to the entire organization regardless of which policy is applied.
If you want to get down to more granular policy stuff like that you’ll need an MDM solution like Intune, MobileIron, Airwatch etc.
Is there any way to link an ActiveSync Device Policy to an ActiveSync Access Rule and make sure the access rule is only applied to one person for testing?
I have a testing device policy setup but I want to be able to test on different devices without affecting other users.
No. Device access rules apply to everyone. Except for when the device ID has been added to a mailbox’s list of allowed device IDs, because that will mean the device is allowed no matter what device access rules exist.
But how to distinguish device ID for same model and same branded mobile?
It will be same for both person if they work in a company with using generic email id and same department.
For Example :
Samsung Galaxy J2 SM-J200G
Hi Paul,
Is there any way to check when the device is allowed and who’s allowed (We have multiple admins)? My default org access level is quarantine. Thanks!
Paul, we use an MDM server that forwards all ActiveSync calls to the CAS. So direct ActiveSync traffic from device to the CAS is forbidden, only the MDM server should be able to. How could we prevent the direct calls? OWA uses the same URL, so no redirect possible. EAS needs to be turned on for the users as well. Is there a way to tell the Exchange to only accept calls from a certain IP? IIS restrictions maybe? Thank you
Most customers I’ve worked with solve this by using an application-aware reverse proxy or load balancer, and excluding the /Microsoft-Server-ActiveSync virtual directory from general access.
Nevermind! I found it in Exchange admin center>Mobile>mobile device accessmobile device mailbox policies. Thank you!
Hi Paul-
I accidentally made a device rule I did not mean to make. I cannot figure out how to delete it. Pls help
Hi Paul,
I ran the commands below for new access rules, and none of them seem to work. A device I have with the application in question is still able to sync and send messages. When I check my device stats, the application is showing in the allowed state.
Am I missing something?
New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic UserAgent -QueryString "Outlook-iOS-Android/1.0"
New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceOS -QueryString "Outlook for iOS and Android 1.0"
New-ActiveSyncDeviceAccessRule -QueryString 'Outlook for iOS and Android' -Characteristic DeviceModel -AccessLevel Block
I would say that the device has been allowed for that specific user, eg was quarantined and then allowed. If a personal “allow” exists for a device it will never get blocked by a device access rule.
More info here:
https://www.practical365.com/exchange-activesync-device-access-state/
Thanks Paul for the quick response. There is no personal allow for my device. Here is the situation explained a little better. I have an android phone. I have Touchdown installed and I’m using that for my corporate email. Then I download the new Outlook for iOS and Android, and set that up as well on the same device.
Now I want to block the Outlook for iOS and Android on the same device. Is that possible, or is the rule only based on device/phone and not “per” application?
Hello Paul – We’ve been running Exchange 2010 SP3 under windows server 2008 r2 for a while now, with only 3 mobile users enjoying email, contacts, calendar, etc. on their devices. Just last week, windows update automatically downloaded the .net 4.5.1 framework and as soon as that happened, no mobile users were able to access exchange server or their mailboxes (trying to connect gets an “unable to open connection to server. security error occurred”). Multiple tech support calls to Microsoft haven’t solved the problem. Could this be a situation where the activesync device rules were blown away? We can’t for the life of us figure this out. Thanks, Dave.
Were they blown away? The only way to tell is look at your device access rules. An empty list may be fine because by default there are no rules. If you created some yourself do you still see them there?
I would recommend you use the ExRCA.com website to test ActiveSync connectivity for your server.
Hi, always enjoy your blog – very informative!
I know this is an old post but relates to some new work I have. We have a need to block certain versions of Android phones and I am wondering if multiple characteristics can be used with a single Device Access Rule. For example, I need to block Androids where
$_.DeviceOS -like "*Android 2.2*"
and
$_.DeviceType -ne "Touchdown"
and
$_.DeviceUserAgent -notlike "*Touchdown*"
We’re trying to block Android phones running any version of 2.2 that are using the native email application. Is that possible? We’re on Exchange 2010. Thanks!
Sadly no, wildcards and partial matches don’t work.
You could consider a default org level of block and then device access rules to allow specific makes/models?
Many thanks for your reply.
So wildcards don’t work – got it.
What if I didn’t have wildcards but I did have multiple criteria? Does that work? Most examples that I have seen online only show a single ‘characteristic’ as the criteria. Can two be used – as in DeviceType -eq Android & DeviceOS -eq Android 2.2?
Again, many thanks!
One rule, one characteristic, one query. Not a big deal IMO as a large set of rules can be efficiently managed with PowerShell.
If you’re looking for greater flexibility in device access management then a third party MDM solution would be worth looking into.
I want to enable Quarantine for all new devices but allow any already connected devices. Is there any way to prevent the already connected users from receiving the Quarantine notification e-mail?
Yes, Steve Goodman covers that very topic here:
http://www.stevieg.org/2013/01/implementing-exchange-activesyncs-quarantine-features/
Hello Paul,
Can I create a rule to quarantine only Android devices? If yes, please let me know the procedure to do it.
Many thanks
David
New-ActiveSyncDeviceAccessRule -QueryString "Android" -Characteristic DeviceType -AccessLevel Quarantine
Hi Paul,
Is there any way to allow or block the device based on its IMEI or unique ID? I would like to config the exact device to access Exchange 2010 via Activesync service.
Hope you could understand my idea. Sorry for my non native english.
Not via a device access rule. But you can individually approve a device for a user if it has been quarantined.
Hi Paul – appreciate the clear and concise post. I do have a couple of questions. What if you have users who are connected with their iPhones and iPads and we don’t have a device access rule. If we create a device access rule for iPhones and iPads, the question is how will those users be affected? Will they receive a notification? A pop up? Or anything. We want this to be as transparent as possible. Thanks for your time.
See here:
https://www.practical365.com/preventing-new-activesync-device-types-from-connecting-to-exchange-server-2010
Quarantine sends an email to the mailbox + the same email is able to be received on the device.
Block just sends an email to the mailbox but the device can’t download it.
Thanks for the quick response. To clarify, if the device gets quarantined it receives a notification saying hey you have mail waiting but your device needs to be approved. We want to allow only 3 types of devices…Android, iphones and ipads. And if we choose all models then will we still get that error for user agent bug? However if we just choose Android then all other devices will become quarantined…and we don’t want that. And if we allow all 3 types then there will be no user intervention unless they have a different type of device that does not fall in these 3 categories.
Thanks again… I apologize for the lengthy comment. I tend to repeat things to get clarity and confirmations from experts like yourself.
Your comment confuses me so I’ll just answer the bit I understand – if you create one or more device access rules based on user agent you will run into that bug in the Exchange Control Panel.