In an Exchange Server 2010 organization where there are policies about which types of mobile devices can connect to the Exchange server using ActiveSync, the administrators may wish to prevent new device types from connecting without their knowledge.
Exchange 2010 provides the capability for administrators to control how a new device type is treated by Exchange thanks to the ActiveSync organization settings.
The default setting for this (perhaps unfortunately, from a security point of view) is “Allow”. You can see this using the Get-ActiveSyncOrganizationSettings cmdlet in the Exchange Management Shell.
[PS] C:\>Get-ActiveSyncOrganizationSettings | select DefaultAccessLevel | fl DefaultAccessLevel : Allow
With this default access level any new mobile device type can connect to the server.
Configuring the ActiveSync Organization Settings
The administrator can change this using the Set-ActiveSyncOrganizationSettings cmdlet so that new device types are quarantined instead, requiring administrator approval before they can be used to connect to the Exchange server.
Aside from setting the default access level there are two other useful options that we can make use of:
- AdminMailRecipients specifies the email addresses of administrators who are notified when a new device type attempts to connect.
- UserMailInsert specifies an additional text string that is appended to the end user notification email that is sent by Exchange to let them know that their device has been quarantined. This makes it possible to include some friendly instructions for the end user, such as who to contact about the matter.
Here is an example:
[PS] C:\>Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients administrator@exchan geserverpro.net -UserMailInsert "Your mobile device type has not yet been approved for use. Please contact the Help Desk for further assistance."
You can also configure these settings using the Exchange Control Panel, in the Phone & Voice section. I just happen to find the shell a bit faster to use.
Let’s take a look at what happens once these ActiveSync organization settings have been applied. The user Vik Kirby attempts to connect to Exchange ActiveSync with a new Windows Phone 7 device.
Vik receives an email notification that the mobile phone is temporarily blocked. This arrives in the mailbox, accessible via Outlook or OWA, but is also permitted to sync to the mobile device itself (although no other content will sync to the device).
You may notice the custom text string that was specified using the UserMailInsert parameter.
The administrator specified with the AdminMailRecipients parameter also receives a notification email.
Example of Allowing a Quarantined ActiveSync Device
Clicking the link “To perform an action for this device…” opens the Exchange Control Panel to manage the device. This can also be found if you open the Exchange Control Panel and navigate to the Phone & Voice section again.
Choosing Allow and then clicking Save (at the bottom of the window) would permit Vik to use the device. The specific device ID is shown as allowed for Vik’s mailbox, visible using Get-CASMailbox.
[PS] C:\>Get-CASMailbox vik.kirby | select displayname,ActiveSyncAllowedDeviceIDs | fl DisplayName : Vik Kirby ActiveSyncAllowedDeviceIDs : {F04016EDD8F2DD3BD6A9DA5137583C5A}
However another user with the same type of device will still not be allowed to connect, and will be placed in Quarantine.
For those mobile devices where upon reviewing the first quarantined device you decide you want to allow all matching devices to also connect, you can create a device access rule.
In the Exchange Control Panel, again in Phone & Voice, select the quarantined device and choose “Create a rule for similar devices…”.
The Device Family and Model are pre-populated based on the quarantined device you selected.
Save the policy and any subsequent new mobile device matching those criteria will be treated according to the rule you have configured.
Is there a way to let an end users allow their own device? (just for themselves)4
(Exchange 2016/2019 onpremise)
We are migrating from exchange 2010 to exchange 2016.
when we had to add a phone we would receive a email with a link :
To perform an action for this device, go to the following page in the Exchange Control Panel:
https://getmymail.trinitas.org/ecp/UsersGroups/EditEASMailbox.aspx?id=cbec20e2-8d68-44
NOW : NO LINK
To perform an action for this device, select the device from among the quarantined devices displayed on the ActiveSync Access tab in the Exchange Control Panel. <== NOLINK
How do we get the link back .. it is very inconvenient to have to open up ecp to allo the users phone… Please help .. I cant find my answer anywhere……….
Dear Paul,
As of now we have default polices for Exchange ActiveSync Access Settings, however if i configure to quarantine devices. Would this impact my existing users as well. I mean users who are already configured mailbox access through mobile.
IF yes , then is there any way out to put exception for those users.
I would like to know the answer to the same question. How do we apply this setting without affecting existing users? I turned it on, but it immediately blocked access to all my devices including mine.
Hi Paul,
I really need some help to save one of my team members.
We got our Exchange admin accusing the Service Desk person of running a script “Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Allow” , but this Service Desk person does not do anything on Powershell and all his tasks are done via the Exchange GUI.
There was a request on that day to give authorize a Mobile Phone to access emails.
Is there any way where we can find out what exactly happened ?
Can working on the GUI cause the script to execute in error ?
Hello Paul, can you tell me why a device would appear as unknown in the status as opposed to Quarantined? we have a small number of devices exhibiting this behavior and do not have the option to Allow/Block.
Thanks
Hi Paul,
It is possible to prevent end users to get that email “Your Mobile Device is temporarily blocked” you mentioned we can edit the text but I was wondering a way to not send this email to end users?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
None that I’m aware of.
I never tried it, but what about an Exchange transport rule to catch and remove those mails?
At our organization, we have about 15 people who can authorize devices (by choosing “Allow” then “Save”).
Days later, we see a device that should NOT have been Allowed. We want to track down which administrator authorized the device. Is there a way to view this info in the ECP (or anywhere else)?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes, admin audit logging should reveal that for you.
I accidentally blocked a user and I need to allow them. How do I unblock them?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Here you go:
https://www.practical365.com/unblock-mobile-device-exchange-server/
This has been helpful Paul. My Server is now fully protected
Is it possible to prevent user from getting the email notification “Your mobile phone is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.” when his/her device is quarantined?
Hi can anybody let me know, How to know who enable or disabled ActiveSync and OWA features to the user in Exchnage 2010.
One more thing I would like to add is in Exchange I have not configured anything for Active Sync and it is all Allowed. From Mobile Iron it is not blocking or quarantine any device. We don’t have the Mobile iron server – we are only using the Core system to install mobile iron on the client device and manage emails of our company. We can only Retire and wipe our users phone via mobile iron but we don’t have any blocking from mobile iron.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I’m not at all familiar with that way of using MobileIron. If you’re not using a MobileIron server, and clients hit Exchange directly for ActiveSync, then yes you’ll need to use the ActiveSync controls in Exchange to manage who can and can’t access it.
Perfect! Thank you so much Paul for your reply and I am very much pleased to see your quick response to my issue. It’s an honor to get some knowledge from you. You are the BEST! I am going to download the Active Sync guide of yours to have some more understanding on this feature. Just wanted to know if you are come up with any guidance about Exchange 2016 in future – please let us know.
Thank you once again for your help and support.
One more thing – in your early comments you said that you can add the existing device ID in allow list which eliminate the impact on that users once we turn on the Quarantine option. Do we have to add one by one through CAS MAILBOX command or can we do it via console?
Hello Paul,
I believe that you are amazing and a very helpful guider for exchange admins. I have a question, we have a MobileIron in place for our mobile devices and we are looking forward to block our Active Sync via exchange – I see the script but in assumptions it says no MDM in place. What can we do to in place exchange active sync with third party MDM and not interrupting existing users when we enable the policy.
Thank you
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
MobileIron relies on ActiveSync, so if you try to block ActiveSync at the Exchange level you’re likely to disrupt MobileIron users.
The short answer is, your ActiveSync service should not be externally accessible. It should only be accessible by the MobileIron servers.
Thank you for your reply Paul. It means that we should configure Active Sync in Mobile iron not in Exchange? If we enable Quarantine in Exchange it will disrupt existing users correct?
Thank you
Dear Paul,
I would like to setup “IF the user associate a new mobile device (provided that the default policy is not quarantine), then send a email to the corresponding user”?
How can I accomplish it? many thanks.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You’d need to write a custom script and have it poll for new mobile device associations and send the email notifications.
Good day Paul,
we have seen that user devices moving from one user to another (e.g. if someone leaves the company)and there has been no cleanup… So if the “new” user has this devices in its block list and the old user has the device in the allowed list, the new user is able to connect.
My question would be: What is the leading Attribute to see if a user (better the device) is allowed to connect?
(Exchange 2013).
best regards,
Andy
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
That doesn’t sound right to me. If the new user has that specific device ID in their blocked list (viewed in Get-CASMailbox) then they shouldn’t be able to connect with it, even if someone else could.
Hi Paul,
that’s the point. I understand it exactly as you do: It should be blocked for the user which has this DeviceID in its blocked list.
But we saw that while testing and a guy from our Exchange Usergroup confirmed it.
best regards,
Andy
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You can send me the full output of Get-CASMailbox for the users, and Get-MobileDevice for the users, and can take a look. Send it to paul at this domain.
Paul we used to get the https link included in the email to approve the device ….it is no longer showing up?
Do you know how to fix this?
Thanks
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
No, have never seen/noticed that.
The Exchange ActiveSync service has quarantined the mobile phone listed below. It won’t be able to synchronize Exchange content until you take action.
To perform an action for this device, go to the following page in the Exchange Control Panel:
>>>> this is the link we used to get in email alerts about quarantined devices<<<>>>https://domainname.com/ecp/UsersGroups/EditEASMailbox.aspx?id=75bd258f-06e6-437f-a48e-bb62b571fda0<<<<<
Information about the device that triggered this notice:
User:
user@domain.com
Device model:
MotoMilestoneX45
Device type:
MotoMilestoneX45
Device ID:
4130303030303243324232363041
Device OS:
Device user agent:
Moto-Milestone X/4.5.1
Device phone number:
Device IMEI:
Exchange ActiveSync version:
12.1
Device policy applied:
Legacy MotoBlur
Device policies status:
PartiallyApplied
Device access state:
Quarantined
Device access state reason:
Global
Device access control rule:
Any Ideas?
hmmm been awaiting moderation since Jan 14? Did I get lost?
Hi..
Can this message be changed from default?
”
The Exchange ActiveSync service has quarantined the mobile phone listed below. It won’t be able to synchronize Exchange content until you take action”
to something that you find more related to your organization?
I know that you can add text, but I would like to change this as well
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
No, you can only add text to it.
Thanks for answer
Hi Paul,
Is there a way you can restrict only “outlook” email client from connecting to the server using activesync ?
So forcing device to only connect via outlook and not any other native client or installed app mail client.
Thanks.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes. Configure the org level to block or quarantine as shown above. Then make a device access rule for the specific app/device you want to allow. Example here:
https://www.practical365.com/creating-activesync-device-access-rules-exchange-server-2010/
Great, thanks a lot for your help.
Hi Paul,
Just came across your article when searching for information, Although it’s an old posting I hope you get the chance to provide some suggestions. Our scenario is similar to some already mentioned here, we’ve implemented ActiveSync with about 350 devices already using it. We need to enable quarantine so we can control new device registration, how do we achieve this without impacting existing users who have similar device types? This is not only for new device types, as existing user might already have them. This would be for any user trying to use any type of ActiveSync capable device, to configure access to email and calendaring. I couldn’t find any info for this specific scenario, I’m hoping you can provide some suggestions. Thank you.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Do you want to pre-approve all current devices for individuals? Or pre-approve certain device types from being quarantined?
The ideal end result would be for us to be able to use the quarantine functionality to approve any new device registrations, regardless of the device type. Right now we can’t implement quarantine on specific devices, without impacting existing users. I suppose pre-approving all current devices for individual might have to be done, in order to implement quarantine; however our concern is to prevent any impact on those existing users, this would need to be transparent to the them including any notification of their device being blocked. Is there a way that you know of that can allow us to achieve this? Thank you.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
So you want to approve all existing device partnerships before you turn on quarantine for new devices. See this article for an explanation and script:
http://blogs.technet.com/b/rmilne/archive/2015/02/25/exchange-activesync-script-to-grandfather-existing-devices.aspx
Hello,
Is it possible to set up a rule/policy where every device/user requires administrator approval before they can be used to connect to the Exchange server.
We have noticed that our users configure their accounts on any device one the they know the configuration settings and we don’t want that to happen.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes, set the default access level to Quarantine. The article above shows how to manage the default access level.
Hi Paul,
With quarantine policy enabled for the whole organization can it be achieved for some users all new devices to automaticaly be aproved/allowed?
I want to restrict EAS for part of the company. The other part should be able to use it on all devices.
Thank you!
Slav.
Hi Paul,
In setting up a new device access rule for Exchange 2010, is this rule set for the entire organization? What I mean is, we have 3 sites – us.company.com, asia.company.com, Europe.company.com. If I launch ECP for US.company.com and create an access rule, does the rule only apply to US or am I setting it for the entire organization, all three sites?
Thank you!
Kevin
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Device access rules apply to the entire Exchange organization.
Thanks for the info Paul!
-Kevin
Really enjoyed this write-up.
Is there anyway to stop the notification emails to the User?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You could probably block the messages with a Transport rule if you configure one that looks for some of the text strings in the notification email.
Is that the only way to stop the notification?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
AFAIK yes
Paul, is it possible to PRE-Allow existing devices so that when we turn on the Quarantine mode they do not receive a notice?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes, if you know the device ID you can add it to the allowed device IDs for a mailbox by using Set-CASMailbox. For iPhones the device ID can be found in the OS and I think it is also on the packaging, it is displayed as the serial number but the device ID that it appears as in Exchange has some characters prepended, “Appl”.
For other devices like Android and WinPho I don’t know exactly where to find the device ID/serial in advance.
Hi Paul,
many thanks for the great article. Do I need a Standard or an Enterprise CAL?
Best regards
Lars
Hi Paul,
Is it possible to create a ActiveSyncDeviceAccessRule that queries the “Device ID” and set it to “Allow”, without a mailbox bound to it?
We have about 40 “lending” ipads in our company and would like to allow these on a Devise base.
Thank you
Joerg
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
No. Device access rules can be created based on one of four characteristics – DeviceType, DeviceModel, DeviceOS, UserAgent.
Hi Paul,
Is it possible to manage a device with ActiveSync policies but block the device from having email access?
thank you,
Kevin
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Nobody has ever asked me that before.
I’ve looked at what is available in ActiveSync policies and I don’t see anything that would fit that scenario.
Why do you want to manage the device if it isn’t going to get email?
Hi Paul,
I have never been asked that before either. This is for a client. Some of their people have company iPad’s but don’t use email on them. The boss asked him if it was possible so I am not sure what the reasoning is. I am only assuming that they want the ability to remote wipe. Not sure what other reason you would have for this request. I found this article by Paul Robichaux about blocking devices:
http://windowsitpro.com/exchange-server-2010/managing-exchange-activesync-device-access
I tested it out by setting up my iPhone for email, and then running these commands to block the device. Email was blocked at the phone and the phone was still associated with my account. I am not about to wipe out my iPhone but it looks like this may work. I sent the info over to the client so they can play with it. Not sure I’ll ever see this kind of request again.
Thanks!
Kevin
Hi Paul, I’ve read your posts with great interest. We have a immediate need to allow Calendar, Contacts and Tasks to sync but not Mail. We want to use the ZixOne app as the only way to access email. However, the ZixOne app’s Calendar, Contacts and Tasks features are not as robust. I’m greatful for any assistance you can provide.
Is it possible to enable quarantine policy for a domain (limited scope) as opposed to enable this at the organization level?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
No. For that type of granularity I’d say look at third party MDM solutions.
We are looking at Good for Enterprise but I have been asked to research about implementing quarantine devices for Activesync. Seems like you have to be careful if enabling this once Avctivesync is already used in Production. I hope to convince Senior Management that MDM is a more robust solution that Activesync. Wish me luck!
We already have Active Sync in production, and users are already using it on the their devices. we want to enable quarantine for new devices , what will happen for the already added devices? are they going to be quarantined ? if yes how can we exclude them from being quarantined?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Abdelaziz, already answered in an earlier comment. Here you go:
https://www.practical365.com/preventing-new-activesync-device-types-from-connecting-to-exchange-server-2010/#comment-13529
Hi Paul,
I have also setup Exchange 2013 to Always quarantine mobile devices, So that I can manage who is allowed to connect.
Since this configuration change , I see
– Mobile Mailbox Settings
– EASProbeDeviceType
also being quarantined.
Can you eplain something more about those 2 ‘devices’
Thank You !
Regards, Steven
Pingback: Removing Old Quarantined ActiveSync Devices from Exchange Server – Guigsy
Pingback: Removing Old Quarantined ActiveSync Devices from Exchange Server
Hi Paul,
In our organization the default access level is Quarantine
How to achieve the below requirement
“All devices in the quarantined list for more than a month should be purged from the list”
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Hi Anil, I thought it would be easier to answer your question by writing a new post. So here you go:
https://www.practical365.com/removing-old-quarantined-activesync-devices-from-exchange-server/
Pingback: Test-ActiveSyncConnectivity Failure Due to ActiveSync Policies
Pingback: How to Block iOS 6.1 ActiveSync Devices from Exchange Server 2010
Pingback: Old Click » Troubleshooting Android ActiveSync problems with Exchange 2010
Pingback: Exchange 2010: Removing Existing ActiveSync Device Associations
Pingback: Exchange 2010: Creating ActiveSync Device Access Rules
I had implemented this a few months ago at the request of HR. The policy was required so that only an exempt employee should be granted access, rather than by device type. Once the policy was applied, all existing devices were quarantined too. Is there a way to grandfather in existing users (Exch 2003 Mobile Admin tools had an exclusion list)? It wasn’t a big problem as I had communicated the change prior, but it would have been nice to circumvent approving previously connected devices.
@Stef Bearne, were you able to find a solution to grandfathering the existing users?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Steve Goodman has written a guide for how to achieve that.
http://www.stevieg.org/2013/01/implementing-exchange-activesyncs-quarantine-features/
Thanks Paul!
I was almost done with a similar script but was missing the piece about putting the Device IDs into an array.
Thanks paul
always interesting stuff