Practical 365

Creating ActiveSync Device Access Rules in Exchange Server 2010

June 26, 2012 by Paul Cunningham 32 Comments

In a recent article I demonstrated how to use ActiveSync organization settings to prevent new mobile devices from connecting to Exchange Server 2010.

For organizations that are considering using a default organization setting of “block” or “quarantine” (as the article demonstrated) there is the consideration of what to do about existing mobile users.

In effect, if you were to change your setting to “quarantine” and do nothing else, any existing users with ActiveSync devices set up to connect to Exchange will be quarantined as well. For example here I have four ActiveSync users who were quarantined when the new setting was applied.

Quarantined ActiveSync devices

You can see the same information using the Get-ActiveSyncDevice cmdlet in the Exchange Management Shell:

[PS] C:\>Get-ActiveSyncDevice -Filter {DeviceaccessState -eq "Quarantined"} | ft
 
RunspaceId  FriendlyNam DeviceId    DeviceImei  DeviceMobil DeviceOS    DeviceOSLan DeviceTelep DeviceType  DeviceUserA
            e                                   eOperator               guage       honeNumber              gent
----------  ----------- --------    ----------  ----------- --------    ----------- ----------- ----------  -----------
79ddab73...             androidc...                         Android ...                         Android     Android/...
79ddab73...             androidc...                         Android ...                         Android     Android/...
79ddab73...             Appl8794...                                                             iPhone      Apple-iP...
79ddab73...             ApplDLXH...                                                             iPad        Apple-iP...


So we have a few options about how to approach this situation.

Manually Approving Quarantined ActiveSync Devices

The simplest approach is to manually approve the quarantined devices. All you need to do is highlight an entry in the quarantined device list and click the Allow button.

Allowing a quarantined ActiveSync device

However, this is not very efficient if all you intend to do is allow every one of them. For one thing, it only approves that device for that specific user. What if you really wanted to approve all similar devices for any user?
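The Allow button has a shell equivalent, and it is worth seeing in code because it shows exactly why the manual approach is per-user: the allow is stored on the mailbox, not as an organization-wide rule. The following is an added example, not code from the original post; it assumes the Set-CASMailbox -ActiveSyncAllowedDeviceIDs parameter (present in Exchange 2010 SP1 and later) and uses a placeholder mailbox name together with the first DeviceId shown in the output above.

```powershell
# Added example (not from the original post): the PowerShell equivalent of
# clicking "Allow" on one quarantined device. Like the button, it allows
# that DeviceId for that mailbox only, by adding it to the mailbox's
# ActiveSyncAllowedDeviceIDs list; it does not create a device access rule.
# The mailbox identity is a placeholder; the DeviceId is taken from the
# quarantined device listing above.

$mailbox  = "alice.example"       # placeholder mailbox identity
$deviceId = "Appl87941C1N3NS"     # DeviceId as reported by Get-ActiveSyncDevice

# Confirm the device really is quarantined for this mailbox before allowing it,
# so a mistyped ID or a device belonging to another user is not silently allowed.
$device = Get-ActiveSyncDevice -Mailbox $mailbox |
    Where-Object { $_.DeviceId -eq $deviceId -and $_.DeviceAccessState -eq "Quarantined" }

if (-not $device) {
    Write-Warning "No quarantined device with ID $deviceId found for mailbox $mailbox"
    return
}

# Add the device ID to the mailbox's personal allow list. Because this allow
# is evaluated before organization-wide device access rules, the device
# stays allowed even if a Block rule for its model is created later.
Set-CASMailbox -Identity $mailbox -ActiveSyncAllowedDeviceIDs @{Add = $deviceId}

# Re-read the device: DeviceAccessState should now be Allowed, and the reason
# reported is Individual rather than DeviceRule, because no rule was involved.
Get-ActiveSyncDevice -Mailbox $mailbox |
    Where-Object { $_.DeviceId -eq $deviceId } |
    Format-List DeviceId, DeviceModel, DeviceAccessState, DeviceAccessStateReason
```

The re-read at the end is the useful check: a DeviceAccessStateReason of Individual tells a later administrator that this device was approved by hand for one mailbox, which is also the reason a device access rule will not block it afterwards.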

Create a Device Access Rule Based on a Quarantined Device

Exchange 2010 allows us to create device access rules straight from the interface where quarantined devices are displayed. Simply highlight a quarantined device and choose Create a rule for similar devices.

Creating an ActiveSync device rule


Create a Device Access Rule using PowerShell

ActiveSync device access rules can also be created using the New-ActiveSyncDeviceAccessRule cmdlet. New-ActiveSyncDeviceAccessRule takes a few parameters; the most important ones for this example are the -QueryString and -Characteristic parameters.

Let’s take a closer look at the iPhones currently known to my Exchange server.

[PS] C:\>Get-ActiveSyncDevice | where {$_.DeviceModel -like "iPhone*"} | fl device*
 
DeviceId                : Appl87941C1N3NS
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone2C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.0
 
DeviceId                : ApplC39GQ8NNDTDL
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone4C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.0


So, to create the ActiveSync device access rule for iPhones we can run:

New-ActiveSyncDeviceAccessRule -AccessLevel Allow -Characteristic DeviceModel -QueryString iPhone


We can verify the intended outcome of this device access rule using Get-ActiveSyncDevice again.

[PS] C:\>Get-ActiveSyncDevice | where {$_.DeviceModel -like "iPhone*"} | fl device*
 
DeviceId                : Appl87941C1N3NS
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone2C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Allowed
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : iPhone (DeviceModel)
DeviceActiveSyncVersion : 14.0
 
DeviceId                : ApplC39GQ8NNDTDL
DeviceType              : iPhone
DeviceUserAgent         : Apple-iPhone4C1/902.206
DeviceModel             : iPhone
DeviceAccessState       : Allowed
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : iPhone (DeviceModel)
DeviceActiveSyncVersion : 14.0


Any mobile devices of model “iPhone” will now be allowed to connect to Exchange ActiveSync.
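The iPhone rule above is one instance of a general procedure: find the models in quarantine, decide which ones the organization recognizes, create one Allow rule per model, and verify the resulting access state. The script below is an added example, not code from the original post, and generalizes that procedure to every quarantined model. It assumes only the cmdlets already used on this page plus Get-ActiveSyncDeviceAccessRule, and it creates each rule with -WhatIf so that the administrator reviews the list of models and affected users before any rule is actually written.

```powershell
# Added example (not from the original post): turn the single iPhone rule
# into a review-then-allow loop over every quarantined device model.
# Each distinct DeviceModel gets its own rule, because a device access rule
# matches exactly one characteristic against exactly one exact-match query
# (no wildcards, no combined criteria).

# 1. Collect the distinct models currently sitting in quarantine.
#    Devices that report an empty DeviceModel are skipped: a rule with an
#    empty QueryString would be meaningless.
$quarantinedModels = Get-ActiveSyncDevice -Filter { DeviceAccessState -eq "Quarantined" } |
    Where-Object { $_.DeviceModel } |
    Group-Object -Property DeviceModel

# 2. Load the existing rules once so the loop never creates a duplicate
#    or overrides a deliberate Block/Quarantine rule for the same model.
$existingRules = Get-ActiveSyncDeviceAccessRule

foreach ($group in $quarantinedModels) {
    $model = $group.Name
    # @() keeps .Count working when only one user is affected (PowerShell 2.0)
    $users = @($group.Group | Select-Object -ExpandProperty UserDisplayName -Unique)

    $already = $existingRules | Where-Object {
        $_.Characteristic -eq "DeviceModel" -and $_.QueryString -eq $model
    }
    if ($already) {
        Write-Host ("Rule already exists for model '{0}' (AccessLevel {1}): skipping" -f $model, $already.AccessLevel)
        continue
    }

    # Show what the rule would allow: how many devices, and for whom.
    Write-Host ("Model '{0}': {1} quarantined device(s) for {2} user(s): {3}" -f `
        $model, $group.Count, $users.Count, ($users -join ", "))

    # -WhatIf previews the rule; remove it once the model list has been
    # reviewed and only models the organization recognizes remain.
    New-ActiveSyncDeviceAccessRule -AccessLevel Allow -Characteristic DeviceModel -QueryString $model -WhatIf
}

# 3. Verify. Once rules are applied, devices matched by a rule report
#    DeviceAccessStateReason = DeviceRule and name the rule that matched,
#    exactly as in the iPhone output above.
Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessStateReason -eq "DeviceRule" } |
    Format-Table UserDisplayName, DeviceModel, DeviceAccessState, DeviceAccessControlRule -AutoSize
```

The verification step is the same Get-ActiveSyncDevice check used on this page, just filtered to rule-driven decisions; devices that still show a reason of Global after the rules are in place are the ones whose model was skipped, and they remain in quarantine by design.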

Further examples:

  • Creating ActiveSync Device Access Rules Based on User Agent in Exchange Server 2010


Comments

  1. Sean says

    February 15, 2017 at 11:20 pm

    Hi guys! Paul, as always – GREAT post… again!

    But I need some help please! We have 4 ActiveSync Policies configured in Exchange 2010. I have no problem creating the access rules etc, but how can I create the access rule to apply ONLY to one specific ActiveSync Policy?

    Reply
    • Paul Cunningham says

      February 16, 2017 at 10:35 am

      Not possible, unfortunately. You can use the different policies to apply different device requirements like PIN/passcode strength etc, but the device access rules apply to the entire organization regardless of which policy is applied.

      If you want to get down to more granular policy stuff like that you’ll need an MDM solution like Intune, MobileIron, Airwatch etc.

      Reply
  2. Chris Cundy says

    May 24, 2016 at 9:26 pm

    Is there any way to link an ActiveSync Device Policy to an ActiveSync Access Rule and make sure the access rule is only applied to one person for testing?

    I have a testing device policy setup but I want to be able to test on different devices without affecting other users.

    Reply
    • Paul Cunningham says

      May 24, 2016 at 9:44 pm

      No. Device access rules apply to everyone. Except for when the device ID has been added to a mailbox's list of allowed device IDs, because that will mean the device is allowed no matter what device access rules exist.

      Reply
      • Manas Dash says

        April 9, 2020 at 3:35 am

        But how to distinguish the device ID for the same model and same brand of mobile?

        It will be same for both person if they work in a company with using generic email id and same department.

        For Example :
        Samsung Galaxy J2 SM-J200G

        Reply
  3. Mohamed Ali says

    April 8, 2016 at 1:41 am

    Hi Paul,

    Is there any way to check when the device is allowed and who’s allowed (We have multiple admins)? My default org access level is quarantine. Thanks!

    Reply
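The question above (when was a device allowed, and by which administrator) can be answered from the Exchange 2010 admin audit log, which records every configuration cmdlet an administrator runs together with the caller. The script below is an added example, not from the original post or its comments; it assumes admin audit logging is enabled (the default from Exchange 2010 SP1) and uses a placeholder date range and the DeviceId shown earlier on this page. It covers both ways a device can end up allowed: a per-mailbox allow made with Set-CASMailbox, and an organization-wide rule made with New-ActiveSyncDeviceAccessRule or changed with Set-ActiveSyncDeviceAccessRule.

```powershell
# Added example (not from the original post): find out who allowed a device
# and when, from the admin audit log. Both routes to an "Allowed" state
# (a per-mailbox allow and an org-wide device access rule) are cmdlet calls,
# so each leaves an audit entry carrying the caller's identity.
# The date range and DeviceId are placeholders.

$since    = (Get-Date).AddDays(-30)          # placeholder: look back 30 days
$deviceId = "Appl87941C1N3NS"                # DeviceId under investigation

Search-AdminAuditLog -Cmdlets Set-CASMailbox, New-ActiveSyncDeviceAccessRule, Set-ActiveSyncDeviceAccessRule `
                     -StartDate $since -EndDate (Get-Date) |
    Where-Object {
        # Flatten the recorded parameters into one string for matching
        $params = ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join " "

        # Keep only entries that touched ActiveSync access settings, and for
        # Set-CASMailbox only those that named the device of interest
        ($params -match "ActiveSyncAllowedDeviceIDs|ActiveSyncBlockedDeviceIDs|AccessLevel") -and
        ($_.CmdletName -ne "Set-CASMailbox" -or $params -match [regex]::Escape($deviceId))
    } |
    Sort-Object RunDate |
    Format-Table RunDate, Caller, CmdletName, ObjectModified, Succeeded -AutoSize
```

With several administrators, this is also the quickest way to reconcile a device that is unexpectedly Allowed: if the log shows a Set-CASMailbox entry for the mailbox, the allow is individual and will not be affected by any device access rule.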
  4. Mike says

    March 30, 2016 at 1:12 am

    Paul, we use an MDM server that forwards all ActiveSync calls to the CAS. So direct ActiveSync traffic from device to the CAS is forbidden, only the MDM server should be able too. How could we prevent the direct calls? OWA uses the same URL, so no redirect possible. EAS needs to be turned on for the users as well. Is there a way to tell the Exchange to only accept calls from a certain IP? IIS restrictions maybe? Thank you

    Reply
    • Paul Cunningham says

      March 30, 2016 at 11:59 am

      Most customers I’ve worked with solve this by using an application-aware reverse proxy or load balancer, and excluding the /Microsoft-Server-ActiveSync virtual directory from general access.

      Reply
  5. Rebecca Ferguson says

    December 24, 2015 at 4:14 am

    Nevermind! I found it in Exchange admin center>Mobile>mobile device accessmobile device mailbox policies. Thank you!

    Reply
  6. Rebecca Ferguson says

    December 24, 2015 at 4:10 am

    Hi Paul-

    I accidentally made a device rule I did not mean to make. I cannot figure out how to delete it. Pls help

    Reply
  7. Sahin Boluk says

    February 3, 2015 at 6:55 am

    Hi Paul,

    I ran the commands below for new access rules, and none of them seem to work. A device I have with the application in question is still able to sync and send messages. When I check my device stats, the application is showing in the allowed state.

    Am I missing something?

    New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic UserAgent -QueryString "Outlook-iOS-Android/1.0"

    New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceOS -QueryString "Outlook for iOS and Android 1.0"

    New-ActiveSyncDeviceAccessRule -QueryString 'Outlook for iOS and Android' -Characteristic DeviceModel -AccessLevel Block

    Reply
    • Paul Cunningham says

      February 3, 2015 at 9:04 am

      I would say that the device has been allowed for that specific user, eg was quarantined and then allowed. If a personal “allow” exists for a device it will never get blocked by a device access rule.

      More info here:
      https://www.practical365.com/exchange-activesync-device-access-state/

      Reply
      • Sahin Boluk says

        February 4, 2015 at 12:07 am

        Thanks Paul for the quick response. There is no personal allow for my device. Here is the situation as explained a little better. I have an android phone. I have Touchdown installed and I'm using that for my corporate email. Then I download the new Outlook for iOS and Android, and set that up as well on the same device.

        Now I want to block the Outlook for iOS and Android on the same device. Is that possible, or is the rule only based on device/phone and not “per” application?

        Reply
  8. David Bonito says

    March 4, 2014 at 12:00 pm

    Hello Paul – We’ve been running Exchange 2010 SP3 under windows server 2008 r2 for a while now, with only 3 mobile users enjoying email, contacts, calendar, etc. on their devices. Just last week, windows update automatically downloaded the .net 4.5.1 framework and as soon as that happened, no mobile users were able to access exchange server or their mailboxes (trying to connect gets an “unable to open connection to server. security error occurred). Multiple tech support calls to Microsoft haven’t solved the problem. Could this be a situation where the activesync device rules were blown away? We can’t for the life of us figure this out. Thanks, Dave.

    Reply
    • Paul Cunningham says

      March 4, 2014 at 12:28 pm

      Were they blown away? The only way to tell is look at your device access rules. An empty list may be fine because by default there are no rules. If you created some yourself do you still see them there?

      I would recommend you use the ExRCA.com website to test ActiveSync connectivity for your server.

      Reply
  9. William says

    January 21, 2014 at 4:39 am

    Hi, always enjoy your blog – very informative!

    I know this is an old post but relates to some new work I have. We have a need to block certain versions of Android phones and I am wondering if multiple characteristics can be used with a single Device Access Rule. For example, I need to block Androids where

    $_.DeviceOS -like "*Android 2.2*"

    and

    $_.DeviceType -ne "Touchdown"

    and

    $_.DeviceUserAgent -notlike "*Touchdown*"

    We're trying to block Android phones running any version of 2.2 that are using the native email application. Is that possible? We're on Exchange 2010. Thanks!

    Reply
    • Paul Cunningham says

      January 21, 2014 at 1:27 pm

      Sadly no, wildcards and partial matches don’t work.

      You could consider a default org level of block and then device access rules to allow specific makes/models?

      Reply
      • William says

        January 22, 2014 at 1:48 am

        Many thanks for your reply.

        So wildcards don’t work – got it.

        What if I didn’t have wildcards but I did have multiple criteria? Does that work? Most examples that I have seen online only show a single ‘characteristic’ as the criteria. Can two be used – as in DeviceType -eq Android & DeviceOS -eq Android 2.2?

        Again, many thanks!

        Reply
        • Paul Cunningham says

          January 22, 2014 at 10:28 am

          One rule, one characteristic, one query. Not a big deal IMO as a large set of rules can be efficiently managed with PowerShell.

          If you’re looking for greater flexibility in device access management then a third party MDM solution would be worth looking into.

          Reply
  10. Larry Wong says

    January 9, 2014 at 9:53 am

    I want to enable Quarantine for all new devices but allow any already connected devices. Is there any way to prevent the already connected users from receiving the Quarantine notification e-mail?

    Reply
    • Paul Cunningham says

      January 9, 2014 at 10:14 pm

      Yes, Steve Goodman covers that very topic here:
      http://www.stevieg.org/2013/01/implementing-exchange-activesyncs-quarantine-features/

      Reply
  11. david says

    June 27, 2013 at 6:33 pm

    Hello paul,

    Can I create a rule to quarantine only Android devices? If yes, please let me know the procedure to do it.

    Many thanks
    David

    Reply
    • Paul Cunningham says

      June 28, 2013 at 9:53 pm

      New-ActiveSyncDeviceAccessRule -QueryString "Android" -Characteristic DeviceType -AccessLevel Quarantine

      Reply
  12. Tu says

    March 20, 2013 at 6:28 pm

    Hi Paul,

    Is there any way to allow or block the device base on its IMEI or unique ID? I would like to config the exact device to access Exchange 2010 via Activesync service.

    Hope you could understand my idea. Sorry for my non native english.

    Reply
    • Paul Cunningham says

      April 3, 2013 at 9:06 am

      Not via a device access rule. But you can individually approve a device for a user if it has been quarantined.

      Reply
  13. jared says

    March 14, 2013 at 10:57 am

    Hi Paul – appreciate the clear and concise post. I do have a couple of questions. What if you have users who are connected with their iPhones and iPads and we don't have a device access rule. If we create a device access rule for iPhones and iPads, the question is how will those users be affected? Will they receive a notification? A pop up? Or anything. We want this to be as transparent as possible. Thanks for your time.

    Reply
    • Paul Cunningham says

      March 14, 2013 at 11:03 am

      See here:
      https://www.practical365.com/preventing-new-activesync-device-types-from-connecting-to-exchange-server-2010

      Quarantine sends an email to the mailbox + the same email is able to be received on the device.

      Block just sends an email to the mailbox but the device can’t download it.

      Reply
      • jared says

        March 14, 2013 at 11:16 am

        Thanks for the quick response. To clarify, if the device gets quarantined it receives a notification saying hey you have mail waiting but your device needs to be approved. We want to allow only 3 types of devices…Android, iPhones and iPads. And if we choose all models then will we still get that error for the user agent bug? However if we just choose Android then all other devices will become quarantined…and we don't want that. And if we allow all 3 types then there will be no user intervention unless they have a different type of device that does not fall in these 3 categories.
        Thanks again… I apologize for the lengthy comment. I tend to repeat things to get clarity and confirmations from experts like yourself.

        Reply
        • Paul Cunningham says

          March 17, 2013 at 8:41 am

          Your comment confuses me so I’ll just answer the bit I understand – if you create one or more device access rules based on user agent you will run into that bug in the Exchange Control Panel.

          Reply
