
Practical 365


Creating ActiveSync Device Access Rules Based on User Agent in Exchange Server 2010

August 3, 2012 by Paul Cunningham

In a recent article I demonstrated how to create ActiveSync device access rules in Exchange Server 2010.

That demonstration mainly focused on device access rules that are based on the device type or model. When you’re creating a device access rule via Exchange Control Panel those are the only two characteristics you can base the rule on.

However, the device access rule can also be based on the user agent characteristic if you create the rule using PowerShell and the New-ActiveSyncDeviceAccessRule cmdlet instead of the Exchange Control Panel.

Getting the ActiveSync Device User Agent

For this example the organization has been configured to quarantine new types of mobile devices. A number of devices have connected, including an iPhone 3GS and an iPhone 4S. We want to allow the iPhone 4S, but not the 3GS (this is just for the sake of demonstration).

The Exchange Control Panel shows the list of quarantined devices but not the user agents.


You can open the details of a device from the list and see the user agent, but this is a fishing exercise if you have a long list of quarantined devices and no knowledge of which users have which specific mobile devices.


A faster method is to use PowerShell to list the user agents.

DeviceUserAgent                           DeviceAccessState DeviceType                    DeviceModel
---------------                           ----------------- ----------                    -----------
...
Apple-iPhone4C1/902.206                         Quarantined iPhone                        iPhone
Apple-iPhone2C1/902.206                         Quarantined iPhone                        iPhone
...
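
The command that produced this listing is not shown above. One way to produce it from the Exchange Management Shell, as an added example rather than the author's original command, is below; it also goes a step further and counts quarantined devices per user agent so you can see which strings are worth writing a rule for.

```powershell
# Added example, not from the original article.
# Assumes it is run in the Exchange Management Shell on Exchange Server 2010.

# Collect every ActiveSync device that is currently quarantined.
$quarantined = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' }

# Detailed view: one row per device, with the user agent shown next to the
# device type and model that the Exchange Control Panel list displays.
$quarantined |
    Sort-Object DeviceUserAgent |
    Format-Table DeviceUserAgent, DeviceAccessState, DeviceType, DeviceModel -AutoSize

# Summary view: number of quarantined devices reporting each user agent.
# The Name column holds the exact string to use with -QueryString when
# creating a rule with -Characteristic UserAgent.
$quarantined |
    Group-Object DeviceUserAgent |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```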

Creating a Device Access Rule Based on the User Agent Characteristic

From the above list the Apple-iPhone4C1/902.206 user agent (which is the iPhone 4S) is the one that we want to allow to connect to Exchange.

New-ActiveSyncDeviceAccessRule -QueryString Apple-iPhone4C1/902.206 -Characteristic UserAgent -AccessLevel Allow


After this rule has been added the iPhone 4S is able to connect to ActiveSync, while the 3GS and other quarantined device types still can’t.

DeviceUserAgent                           DeviceAccessState DeviceType                    DeviceModel
---------------                           ----------------- ----------                    -----------
...
Apple-iPhone4C1/902.206                             Allowed iPhone                        iPhone
Apple-iPhone2C1/902.206                         Quarantined iPhone                        iPhone
...

Bug with ActiveSync Device Access Rules Based on User Agent

While testing this scenario I encountered an error in the Exchange Control Panel. After creating an ActiveSync device access rule that is based on the UserAgent characteristic, the Device Access Rules portion of the Exchange Control Panel breaks.

When refreshing the Device Access Rules list an error occurs:


Sorry! We’re having trouble processing your request right now. Please try again in a few minutes.

This error persists until you use PowerShell to remove any device access rules that are based on UserAgent.

I discussed this with Microsoft and they have opened a bug for it and will hopefully be able to issue an update that corrects the error some time in the future (the problem also exists in the Exchange 2013 Preview). In the meantime they have confirmed that device access rules based on UserAgent are supported.

However the error means that once you start using rules like this you will need to do all of your device access rules management via PowerShell.
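
Since the Exchange Control Panel can no longer display the rules, reviewing them and backing out the UserAgent rules both have to happen in the shell. The following is an added example, not part of the original article, and assumes the Exchange Management Shell on Exchange Server 2010.

```powershell
# Added example, not from the original article.

# Review every device access rule, including the UserAgent rules that the
# Exchange Control Panel cannot list while the bug is present.
Get-ActiveSyncDeviceAccessRule |
    Sort-Object Characteristic, QueryString |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# Select only the rules based on the UserAgent characteristic.
$userAgentRules = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'UserAgent' }

# Preview what would be removed without changing anything.
$userAgentRules | Remove-ActiveSyncDeviceAccessRule -WhatIf

# Remove the rules, prompting for each one. Once a rule is gone, the devices
# it matched are subject to the remaining rules and the organization default,
# which in this article's scenario is quarantine.
$userAgentRules | Remove-ActiveSyncDeviceAccessRule -Confirm:$true
```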


Comments

  1. Craig says

    June 14, 2013 at 1:51 am

    Paul, SP3 seemed to have resolved the issue in the last part of this article. I can not see all my rules in ECP.

    • Craig says

      June 14, 2013 at 1:51 am

      I meant I CAN see all my rules. 🙂

    • Paul Cunningham says

      June 14, 2013 at 11:59 am

      Excellent.

  2. Martin Eddy says

    August 9, 2012 at 11:18 am

    That’s a pretty big bug. I can’t believe it hasn’t shown up before.

