In a recent article I demonstrated how to create ActiveSync device access rules in Exchange Server 2010.
That demonstration mainly focused on device access rules that are based on the device type or model. When you’re creating a device access rule via Exchange Control Panel those are the only two characteristics you can base the rule on.
However the device access rule can also be based on the user agent characteristic, if you create the rule using PowerShell and the New-ActiveSyncDeviceRule cmdlet instead of the Exchange Control Panel.
Getting the ActiveSync Device User Agent
For this example the organization has been configured to quarantine new types of mobile devices. A number of devices have connected, including an iPhone 3GS and an iPhone 4S. We want to allow the iPhone 4S, but not the 3GS (this is just for the sake of demonstration).
The Exchange Control Panel shows the list quarantined devices but not the user agents.
You can open the details of a device from the list and see the user agent, but this is a fishing exercise if you have a long list of quarantined devices and no knowledge of which users have which specific mobile devices.
A faster method is to use PowerShell to list the user agents.
DeviceUserAgent DeviceAccessState DeviceType DeviceModel --------------- ----------------- ---------- ----------- ... Apple-iPhone4C1/902.206 Quarantined iPhone iPhone Apple-iPhone2C1/902.206 Quarantined iPhone iPhone ...
Creating a Device Access Rule Based on the User Agent Characteristic
From the above list the Apple-iPhone4C1/902.206 user agent (which is the iPhone 4S) is the one that we want to allow to connect to Exchange.
New-ActiveSyncDeviceAccessRule -QueryString Apple-iPhone4C1/902.206 -Characteristic UserAgent -AccessLevel Allow
After this rule has been added the iPhone 4S is able to connect to ActiveSync, while th 3GS and other quarantined device types still can’t.
DeviceUserAgent DeviceAccessState DeviceType DeviceModel --------------- ----------------- ---------- ----------- ... Apple-iPhone4C1/902.206 Allowed iPhone iPhone Apple-iPhone2C1/902.206 Quarantined iPhone iPhone ...
Bug with ActiveSync Device Access Rules Based on User Agent
While testing this scenario I encountered an error in the Exchange Control Panel. After creating an ActiveSync device access rule that is based on the UserAgent characteristic, the Device Access Rules portion of the Exchange Control Panel breaks.
When refreshing the Device Access Rules list an error occurs:
Sorry! We’re having trouble processing your request right now. Please try again in a few minutes.
This error persists until you use PowerShell to remove any device access rules that are based on UserAgent.
I discussed this with Microsoft and they have opened a bug for it and will hopefully be able to issue an update that corrects the error some time in the future (the problem also exists in the Exchange 2013 Preview). In the mean time they have confirmed that device access rules based on UserAgent are supported.
However the error means that once you start using rules like this you will need to do all of your device access rules management via PowerShell.
Paul, SP3 seemed to have resolved the issue in the last part of this article. I can not see all my rules in ECP.
I meant I CAN see all my rules. 🙂
Pingback: How to Block iOS 6.1 ActiveSync Devices from Exchange Server 2010
That’s a pretty big bug. I can’t believe it hasn’t shown up before.
Pingback: Leitura de fim-de-semana - subject: exchange
Pingback: Exchange 2010: User Agent-based ActiveSync Device Access Rules « JC’s Blog-O-Gibberish
Pingback: Exchange 2010: Creating ActiveSync Device Access Rules