Practical 365

Creating ActiveSync Device Access Rules Based on User Agent in Exchange Server 2010

August 3, 2012 by Paul Cunningham 8 Comments

In a recent article I demonstrated how to create ActiveSync device access rules in Exchange Server 2010.

That demonstration mainly focused on device access rules that are based on the device type or model. When you’re creating a device access rule via Exchange Control Panel those are the only two characteristics you can base the rule on.

However, the device access rule can also be based on the user agent characteristic if you create the rule using PowerShell and the New-ActiveSyncDeviceAccessRule cmdlet instead of the Exchange Control Panel.

Getting the ActiveSync Device User Agent

For this example the organization has been configured to quarantine new types of mobile devices. A number of devices have connected, including an iPhone 3GS and an iPhone 4S. We want to allow the iPhone 4S, but not the 3GS (this is just for the sake of demonstration).

The Exchange Control Panel shows the list of quarantined devices but not the user agents.

You can open the details of a device from the list and see the user agent, but this is a fishing exercise if you have a long list of quarantined devices and no knowledge of which users have which specific mobile devices.

A faster method is to use PowerShell to list the user agents.

DeviceUserAgent                           DeviceAccessState DeviceType                    DeviceModel
---------------                           ----------------- ----------                    -----------
...
Apple-iPhone4C1/902.206                         Quarantined iPhone                        iPhone
Apple-iPhone2C1/902.206                         Quarantined iPhone                        iPhone
...
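
As an added example (not the command from the original article), one way to summarize quarantined devices by user agent in the Exchange Management Shell, so each distinct agent appears once with a device count and the users behind it. It assumes the standard Get-ActiveSyncDevice output properties DeviceUserAgent, DeviceAccessState, DeviceType and UserDisplayName.

```powershell
# Added example; run in the Exchange Management Shell (Exchange Server 2010).
# Collect only the devices that are currently held in quarantine.
$quarantined = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' }

# One row per distinct user agent: how many devices report it, what device
# type they claim to be, and which users they belong to.
$quarantined |
    Group-Object -Property DeviceUserAgent |
    Sort-Object -Property Count -Descending |
    Select-Object Count,
        @{ Name = 'DeviceUserAgent'; Expression = { $_.Name } },
        @{ Name = 'DeviceType'; Expression = {
            ($_.Group | Select-Object -First 1).DeviceType } },
        @{ Name = 'Users'; Expression = {
            ($_.Group | ForEach-Object { $_.UserDisplayName } |
                Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

The user agent is a string reported by the device itself, so review the user list for each agent before deciding which ones to allow.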

Creating a Device Access Rule Based on the User Agent Characteristic

From the above list the Apple-iPhone4C1/902.206 user agent (which is the iPhone 4S) is the one that we want to allow to connect to Exchange.

New-ActiveSyncDeviceAccessRule -QueryString Apple-iPhone4C1/902.206 -Characteristic UserAgent -AccessLevel Allow

After this rule has been added the iPhone 4S is able to connect to ActiveSync, while the 3GS and other quarantined device types still can’t.

DeviceUserAgent                           DeviceAccessState DeviceType                    DeviceModel
---------------                           ----------------- ----------                    -----------
...
Apple-iPhone4C1/902.206                             Allowed iPhone                        iPhone
Apple-iPhone2C1/902.206                         Quarantined iPhone                        iPhone
...

Bug with ActiveSync Device Access Rules Based on User Agent

While testing this scenario I encountered an error in the Exchange Control Panel. After creating an ActiveSync device access rule that is based on the UserAgent characteristic, the Device Access Rules portion of the Exchange Control Panel breaks.

When refreshing the Device Access Rules list an error occurs:

Sorry! We’re having trouble processing your request right now. Please try again in a few minutes.

This error persists until you use PowerShell to remove any device access rules that are based on UserAgent.

I discussed this with Microsoft and they have opened a bug for it and will hopefully be able to issue an update that corrects the error some time in the future (the problem also exists in the Exchange 2013 Preview). In the meantime they have confirmed that device access rules based on UserAgent are supported.

However the error means that once you start using rules like this you will need to do all of your device access rules management via PowerShell.
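
Managing the rules from PowerShell, as described above, could look like the following added example (not from the original article). It lists every device access rule, reports how many known devices each UserAgent rule matches exactly, and previews removal of the UserAgent rules with -WhatIf.

```powershell
# Added example; run in the Exchange Management Shell (Exchange Server 2010).

# 1. Every device access rule, including the UserAgent-based ones.
Get-ActiveSyncDeviceAccessRule |
    Sort-Object Characteristic, QueryString |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# 2. For each UserAgent rule, count the devices whose reported user agent
#    is exactly the rule's query string.
$devices = Get-ActiveSyncDevice -ResultSize Unlimited
$uaRules = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'UserAgent' }

foreach ($rule in $uaRules) {
    $hits = @($devices |
        Where-Object { $_.DeviceUserAgent -eq $rule.QueryString })
    New-Object PSObject -Property @{
        Rule            = $rule.Name
        QueryString     = $rule.QueryString
        AccessLevel     = $rule.AccessLevel
        MatchingDevices = $hits.Count
    }
}

# 3. Preview removal of the UserAgent rules. -WhatIf only reports what would
#    be removed; drop it to actually delete the rules.
$uaRules | Remove-ActiveSyncDeviceAccessRule -WhatIf
```

A rule that reports zero matching devices does not cover any device currently known to Exchange and is a candidate for review.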


Comments

  1. Craig says

    June 14, 2013 at 1:51 am

    Paul, SP3 seemed to have resolved the issue in the last part of this article. I can not see all my rules in ECP.

    • Craig says

      June 14, 2013 at 1:51 am

      I meant I CAN see all my rules. 🙂

    • Paul Cunningham says

      June 14, 2013 at 11:59 am

      Excellent.

  2. Martin Eddy says

    August 9, 2012 at 11:18 am

    That’s a pretty big bug. I can’t believe it hasn’t shown up before.

