In a recent article I demonstrated how to use ActiveSync organization settings to prevent new mobile devices from connecting to Exchange Server 2010.

For organizations that are considering using a default organization setting of “block” or “quarantine” (as the article demonstrated) there is the consideration of what to do about existing mobile users.

In effect, if you were to change your setting to “quarantine” and do nothing else, any existing users with ActiveSync devices set up to connect to Exchange will be quarantined as well. For example here I have four ActiveSync users who were quarantined when the new setting was applied.

Quarantined ActiveSync devices
Quarantined ActiveSync devices

You can see the same information using the Get-ActiveSyncDevice in the management shell:

[PS] C:\>Get-ActiveSyncDevice -Filter {DeviceaccessState -eq "Quarantined"} | ft

RunspaceId  FriendlyNam DeviceId    DeviceImei  DeviceMobil DeviceOS    DeviceOSLan DeviceTelep DeviceType  DeviceUserA
            e                                   eOperator               guage       honeNumber              gent
----------  ----------- --------    ----------  ----------- --------    ----------- ----------- ----------  -----------
79ddab73...             androidc...                         Android ...                         Android     Android/...
79ddab73...             androidc...                         Android ...                         Android     Android/...
79ddab73...             Appl8794...                                                             iPhone      Apple-iP...
79ddab73...             ApplDLXH...                                                             iPad        Apple-iP...

So we have a few options about how to approach this situation.

Manually Approving Quarantined ActiveSync Devices

The simplest approach is to manually approve the quarantined devices. All you need to do is highly an entry in the quarantined device list and click the Allow button.

Allowing a quarantined ActiveSync device
Allowing a quarantined ActiveSync device

However this is not very efficient if all you intend to do is allow every one of them. For one thing it only approves that device for that specific user. What if you really wanted to approve all similar devices for any user?

Create a Device Access Rule Based on a Quarantined Device

Exchange 2010 allows us to create device access rules straight from the interface where quarantined devices are displayed. Simply highlight a quarantined device and choose Create a rule for similar devices.

Creating an ActiveSync device rule
Creating an ActiveSync device rule

 

Create a Device Access Rule using PowerShell

ActiveSync devices rules can also be created using the New-ActiveSyncDeviceAccessRule cmdlet. New-ActiveSyncDeviceAccessRule takes a few parameters, the most important ones for this example are the -QueryString and -Characteristic parameters.

Let’s take a closer look at the iPhones currently known to my Exchange server.

[PS] C:\>Get-ActiveSyncDevice | where {$_.DeviceModel -like "iPhone*"} | fl device*

DeviceId                : Appl87941C1N3NS
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone2C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.0

DeviceId                : ApplC39GQ8NNDTDL
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone4C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.0

So, to create the ActiveSync device access rule for iPhones we can run:

New-ActiveSyncDeviceAccessRule -AccessLevel Allow -Characteristic DeviceModel -QueryString iPhone

We can verify the intended outcome of this device access rule using Get-ActiveSyncDevice again.

[PS] C:\>Get-ActiveSyncDevice | where {$_.DeviceModel -like "iPhone*"} | fl device*

DeviceId                : Appl87941C1N3NS
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone2C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Allowed
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : iPhone (DeviceModel)
DeviceActiveSyncVersion : 14.0

DeviceId                : ApplC39GQ8NNDTDL
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone4C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Allowed
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : iPhone (DeviceModel)
DeviceActiveSyncVersion : 14.0

Any mobile devices of model “iPhone” will now be allowed to connect to Exchange ActiveSync.

Further examples:

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Sean

    Hi guys! Paul, as always – GREAT post… again!

    But I need some help please! We have 4 ActiveSync Policies configured in Exchange 2010. I have no problem creating the access rules etc, but how can I create the access rule to apply ONLY to one specific Ativesync Poliy?

    1. Paul Cunningham

      Not possible, unfortunately. You can use the different policies to apply different device requirements like PIN/passcode strength etc, but the device access rules apply to the entire organization regardless of which policy is applied.

      If you want to get down to more granular policy stuff like that you’ll need an MDM solution like Intune, MobileIron, Airwatch etc.

  2. Chris Cundy

    Is there any way to link an ActiveSync Device Policy to an ActiveSync Access Rule and make sure the access rule is only applied to one person for testing?

    I have a testing device policy setup but I want to be able to test on different devices without affecting other users.

    1. Paul Cunningham

      No. Device access rules apply to everyone. Except for when the device ID has been added to a mailboxes list of allowed device IDs, because that will mean the device is allowed no matter what device access rules exist.

      1. Manas Dash

        But how to distinguish device ID for same model and same branded mobile ?

        It will be same for both person if they work in a company with using generic email id and same department.

        For Example :
        Samsung Galaxy J2 SM-J200G

  3. Mohamed Ali

    Hi Paul,

    Is there any way to check when the device is allowed and who’s allowed (We have multiple admins)? My default org access level is quarantine. Thanks!

  4. Mike

    Paul, we use an MDM server that forwards all ActiveSync calls to the CAS. So direct ActiveSync traffic from device to the CAS is forbidden, only the MDM server should be able too. How could we prevent the direct calls? OWA uses the same URL, so no redirect possible. EAS needs to be turned on for the users as well. Is there a way to tell the Exchange to only accept calls from a certain IP? IIS restrictions maybe? Thank you

    1. Paul Cunningham

      Most customers I’ve worked with solve this by using an application-aware reverse proxy or load balancer, and excluding the /Microsoft-Server-ActiveSync virtual directory from general access.

  5. Rebecca Ferguson

    Nevermind! I found it in Exchange admin center>Mobile>mobile device accessmobile device mailbox policies. Thank you!

  6. Rebecca Ferguson

    Hi Paul-

    I accidentally made a device rule I did not mean to make. I cannot figure out how to delete it. Pls help

  7. Sahin Boluk

    Hi Paul,

    I ran the commands below for new access rules, and none of them seem to work. A device I have with the application in question is still able to sync and send messages. When I check my device stats, the application is showing in the allowed state.

    Am I missing something?

    New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic UserAgent -QueryString “Outlook-iOS-Android/1.0”

    New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceOS -QueryString “Outlook for iOS and Android 1.0”

    New-ActiveSyncDeviceAccessRule -QueryString ‘Outlook for iOS and Android’ -Characteristic DeviceModel -AccessLevel Block

      1. Sahin Boluk

        Thanks Paul for the quick response. There is no personal allow for my device. Here is the situation a explained a little better. I have an android phone. I have Touchdown installed and I’m using that for my corporate email. Then I download the new Outlook for iOS and Android, and set that up as well on the same device.

        Now I want to block the Outlook for iOS and Android on the same device. Is that possible, or is the rule only based on device/phone and not “per” application?

  8. David Bonito

    Hello Paul – We’ve been running Exchange 2010 SP3 under windows server 2008 r2 for a while now, with only 3 mobile users enjoying email, contacts, calendar, etc. on their devices. Just last week, windows update automatically downloaded the .net 4.5.1 framework and as soon as that happened, no mobile users were able to access exchange server or their mailboxes (trying to connect gets an “unable to open connection to server. security error occurred). Multiple tech support calls to Microsoft haven’t solved the problem. Could this be a situation where the activesync device rules were blown away? We can’t for the life of us figure this out. Thanks, Dave.

    1. Paul Cunningham

      Were they blown away? The only way to tell is look at your device access rules. An empty list may be fine because by default there are no rules. If you created some yourself do you still see them there?

      I would recommend you use the ExRCA.com website to test ActiveSync connectivity for your server.

  9. William

    Hi, always enjoy your blog – very informative!

    I know this is an old post but relates to some new work I have. We have a need to block certain versions of Android phones and I am wondering if multiple characteristics can be used with a single Device Access Rule. For example, I need to block Androids where

    $_.DeviceOS -like “*Android 2.2*”

    and

    $_.DeviceType -ne “Touchdown”

    and

    $_.DeviceUserAgent -notlike “*Touchdown*”

    We’re trying to block Android phones running and version of 2.2 that are using the native email application. Is that possible? We’re on Exchange 2010. Thanks!

    1. Paul Cunningham

      Sadly no, wildcards and partial matches don’t work.

      You could consider a default org level of block and then device access rules to allow specific makes/models?.

      1. William

        Many thanks for your reply.

        So wildcards don’t work – got it.

        What if I didn’t have wildcards but I did have multiple criteria? Does that work? Most examples that I have seen online only show a single ‘characteristic’ as the criteria. Can two be used – as in DeviceType -eq Android & DeviceOS -eq Android 2.2?

        Again, many thanks!

        1. Paul Cunningham

          One rule, one characteristic, one query. Not a big deal IMO as a large set of rules can be efficiently managed with PowerShell.

          If you’re looking for greater flexibility in device access management then a third party MDM solution would be worth looking into.

  10. Larry Wong

    I want to enable Quarantine for all new devices but allow any already connected devices. Is there any way to prevent the already connected users from receiving the Quarantine notification e-mail?

  11. david

    Hello paul,

    can i create a rule to quarantine only Android devices, if yes, please let me know the procedure to do it

    Many thanks
    David

    1. Paul Cunningham

      New-ActiveSyncDeviceAccessRule -QueryString “Android” -Characteristic DeviceType -AccessLevel Quarantine

  12. Tu

    Hi Paul,

    Is there any way to allow or block the device base on its IMEI or unique ID? I would like to config the exact device to access Exchange 2010 via Activesync service.

    Hope you could understand my idea. Sorry for my non native english.

    1. Paul Cunningham

      Not via a device access rule. But you can individually approve a device for a user if it has been quarantined.

  13. jared

    Hi Paul – appreciate the clear and concise post. I do have a couple of questions. What if you have users who are connected with their iPhones and iPads and we dont have a device access rule. If we create a device access rule for iPhones and iPads , the question is how will those users be affected? will they receive a notification? a pop up? or anything. we want this to be as transparent as possible. Thanks for your time.

      1. jared

        thanks for the quick response. To clarify if the device gets quarantined it receives a notification saying hey you have mail waiting but your device needs to be approved. we want to allow only 3 types of devices…Android, iphones and ipads. and if we choose all models then will we still get that error for user agent bug? However if we just choose Android then all other devices will become quarantined…and we don’t that. And if we allow all 3 types then there will be no user intervention unless they have a different type of device that does not fall in these 3 categories.
        Thanks again… I apologize for the lengthy comment. I tend to repeat things to get clarity and confirmations from experts like yourself.

        1. Paul Cunningham

          Your comment confuses me so I’ll just answer the bit I understand – if you create one or more device access rules based on user agent you will run into that bug in the Exchange Control Panel.

Leave a Reply