
How to Block or Quarantine the Outlook for iOS and Android App in Exchange Server and Office 365

January 30, 2015 by Paul Cunningham 77 Comments

Microsoft has released the Outlook for iOS and Android app, which is intended to replace the OWA for Devices mobile client on Apple iOS and Google Android smartphones and tablets.

The Outlook for iOS and Android app is essentially another ActiveSync client for connecting mobile devices to Exchange and Office 365. It also supports other mail services like Outlook.com.

For some organizations, the way the new Outlook for iOS and Android app functions raises a number of security and compliance concerns, and those organizations will want to block or quarantine the app from connecting to their Exchange or Office 365 mailboxes until it can be further evaluated.

You can read more about the new app and some of the technical concerns people have with it here:

  • Outlook for iOS and Android

In the meantime, here’s how to block or quarantine the Outlook for iOS and Android app. First, let’s look at how it appears as a mobile device association in Exchange.

[PS] C:\>Get-MobileDevice -Mailbox alex.heyne | fl FriendlyName,Device*,Client*,Is*
 
FriendlyName            : Outlook for iOS and Android
DeviceId                : 94B42B2A37D109AE
DeviceImei              :
DeviceMobileOperator    :
DeviceOS                : Outlook for iOS and Android 1.0
DeviceOSLanguage        :
DeviceTelephoneNumber   :
DeviceType              : Outlook
DeviceUserAgent         : Outlook-iOS-Android/1.0
DeviceModel             : Outlook for iOS and Android
DeviceAccessState       : Allowed
DeviceAccessStateReason : Global
DeviceAccessControlRule :
ClientVersion           : 14.1
ClientType              : EAS
IsManaged               : False
IsCompliant             : False
IsDisabled              : False

For Exchange Server 2010 use Get-ActiveSyncDevice instead of Get-MobileDevice.

ActiveSync device access rules can be based on a few different device criteria. From the information above it looks like the DeviceModel will be the simplest approach here, as others such as UserAgent may change with later versions of the Outlook for iOS and Android app.

To block the Outlook for iOS and Android app in Office 365, Exchange Server 2010 or 2013 with a device access rule:

[PS] C:\>New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block

To quarantine instead:

[PS] C:\>New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Quarantine

Devices should now appear as blocked or quarantined with the reason of “DeviceRule”.

[PS] C:\>Get-MobileDevice -Mailbox alex.heyne | fl FriendlyName,Device*,Client*,Is*

DeviceId                : 94B42B2A37D109AE
DeviceImei              :
DeviceMobileOperator    :
DeviceOS                : Outlook for iOS and Android 1.0
DeviceOSLanguage        :
DeviceTelephoneNumber   :
DeviceType              : Outlook
DeviceUserAgent         : Outlook-iOS-Android/1.0
DeviceModel             : Outlook for iOS and Android
DeviceAccessState       : Blocked
DeviceAccessStateReason : DeviceRule
DeviceAccessControlRule : Outlook for iOS and Android (DeviceModel)
ClientVersion           : 14.1
ClientType              : EAS
IsManaged               : False
IsCompliant             : False
IsDisabled              : False
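
An added example (not from the original article): a PowerShell function that compares device records with the Block or Quarantine DeviceModel rules and lists devices whose DeviceAccessState does not match, such as a device still allowed by a personal exemption (DeviceAccessStateReason of Individual, which is discussed in the comments on this post). The function name Find-DeviceRuleGap and the sample records are constructed for illustration, and the code assumes a rule's QueryString is compared against the whole DeviceModel value.

```powershell
# Added example, not part of the original article.
function Find-DeviceRuleGap {
    [CmdletBinding()]
    param(
        # A device record as returned by Get-MobileDevice / Get-ActiveSyncDevice
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Device,

        # One or more rules as returned by Get-ActiveSyncDeviceAccessRule
        [Parameter(Mandatory = $true)]
        [psobject[]]$Rule
    )
    begin {
        # Access state a device should show once a rule of that level applies
        $expectedState = @{ Block = 'Blocked'; Quarantine = 'Quarantined' }
    }
    process {
        foreach ($r in $Rule) {
            $level = [string]$r.AccessLevel
            # Only DeviceModel rules are handled here, the characteristic used in the article
            if ([string]$r.Characteristic -ne 'DeviceModel') { continue }
            # Skip rules that are not Block or Quarantine
            if (-not $expectedState.ContainsKey($level)) { continue }
            # Assumption: QueryString is matched against the whole DeviceModel value
            if ([string]$Device.DeviceModel -ne [string]$r.QueryString) { continue }

            $state = [string]$Device.DeviceAccessState
            if ($state -eq $expectedState[$level]) { continue }   # rule is in effect

            switch ([string]$Device.DeviceAccessStateReason) {
                'Individual' { $note = 'Personal exemption on the mailbox (ActiveSyncAllowedDeviceIDs)' }
                'Global'     { $note = 'State still shows the organization default' }
                default      { $note = 'Check this device manually' }
            }

            New-Object psobject -Property @{
                DeviceId = $Device.DeviceId
                State    = $state
                Reason   = [string]$Device.DeviceAccessStateReason
                Expected = $expectedState[$level]
                Note     = $note
            } | Select-Object DeviceId, State, Reason, Expected, Note
        }
    }
}

# Constructed sample data (not real devices), shaped like the cmdlet output above
$sampleRule = New-Object psobject -Property @{
    Characteristic = 'DeviceModel'
    QueryString    = 'Outlook for iOS and Android'
    AccessLevel    = 'Block'
}
$sampleDevices = @(
    (New-Object psobject -Property @{ DeviceId = 'SAMPLE-0001'; DeviceModel = 'Outlook for iOS and Android'
        DeviceAccessState = 'Blocked'; DeviceAccessStateReason = 'DeviceRule' }),
    (New-Object psobject -Property @{ DeviceId = 'SAMPLE-0002'; DeviceModel = 'Outlook for iOS and Android'
        DeviceAccessState = 'Allowed'; DeviceAccessStateReason = 'Individual' }),
    (New-Object psobject -Property @{ DeviceId = 'SAMPLE-0003'; DeviceModel = 'Outlook for iOS and Android'
        DeviceAccessState = 'Allowed'; DeviceAccessStateReason = 'Global' }),
    (New-Object psobject -Property @{ DeviceId = 'SAMPLE-0004'; DeviceModel = 'SM-T800'
        DeviceAccessState = 'Allowed'; DeviceAccessStateReason = 'Global' })
)

# Lists SAMPLE-0002 and SAMPLE-0003; the blocked device and the other model are skipped
$sampleDevices | Find-DeviceRuleGap -Rule $sampleRule | Format-Table -AutoSize

# Against a live organization (Exchange Management Shell or an Exchange Online session):
# Get-MobileDevice -ResultSize Unlimited | Find-DeviceRuleGap -Rule (Get-ActiveSyncDeviceAccessRule)
```

On Exchange Server 2010, feed the function from Get-ActiveSyncDevice instead of Get-MobileDevice.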

Additional info: Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync


Comments

  1. Hassan says

    July 13, 2020 at 1:06 pm

    Hi Paul

    How long does this usually take to take effect? I ran this yesterday around 3:00pm and it’s 7:00 AM now but I can still see Outlook app connecting to Exchange Online.

    Reply
  2. ramkumara says

    March 4, 2019 at 5:20 pm

    Hi Paul,

    how do i check if outlook for ios app is allowed in our exchange environment?
    We are using o365

    I wanna check the access control rules

    Reply
  3. Daniel says

    September 21, 2018 at 1:16 am

    Hi Paul,

    We have the O365 Exchange Admin Center in the “quarantine mode” in place. Since about 3 weeks we do face some issues with the Outlook app. After users are fully enrolled in Intune they do install Outlook and should end up in the quarantine at least the first time; however, it seems that some Outlook installations no longer find their way into quarantine and keep that blocking message forever in Outlook. We have a device access policy also for Outlook in Exchange. Any idea why this happens?

    Thanks
    Daniel

    Reply
  4. Daniel Berger says

    September 21, 2018 at 1:16 am

    Hi Paul,

    We have the O365 Exchange Admin Center in the “quarantine mode” in place. Since about 3 weeks we do face some issues with the Outlook app. After users are fully enrolled in Intune they do install Outlook and should end up in the quarantine at least the first time; however, it seems that some Outlook installations no longer find their way into quarantine and keep that blocking message forever in Outlook. We have a device access policy also for Outlook in Exchange. Any idea why this happens?

    Thanks
    Daniel Berger

    Reply
  5. Kaush says

    August 14, 2018 at 5:58 pm

    Hello Paul,

    I just tested the said commands and it looks like the entire tenant is blocked and are unable to use the Outlook app on their phones!

    Am I getting it all wrong here?

    Also is there a way to block the app only for a specific user?

    Reply
  6. Ben says

    April 11, 2018 at 1:57 am

    You can set exemptions for specific user:

    1. Select Manage My Organization and then click on Users & Groups;
    2. Search the user for whom you want to create the exemption for, and then select Details;
    3. Under Phone & Voice Features, select Exchange ActiveSync and then select Edit;
    4. Under Mobile Devices, select the device that you want to exempt and then click either Allow;
    5. Click Save to create the exemption.

    Reply
  7. Devaud says

    December 12, 2017 at 2:08 am

    Hello,

    I redid the test and it works, Thanks

    Reply
  8. bonesleon says

    May 21, 2017 at 8:45 am

    So if I want to disable OWA for android and iOS mobile devices on say, Exchange 2016, it would essentially be the same process?

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString “Outlook for iOS and Android” -AccessLevel Block

    Reply
    • Paul Cunningham says

      May 21, 2017 at 5:59 pm

      Yes.

      Reply
      • William says

        November 17, 2017 at 7:10 am

        This link suggests that the New-ActiveSyncDeviceaccessRule method won’t work, but suggests a “Set-CASMailbox -OWAforDevicesEnabled” method:

        (removed)

        Reply
        • Paul Cunningham says

          November 17, 2017 at 9:06 am

          That article was from 2013 and refers to a completely different app.

          Reply
          • Devaud says

            December 11, 2017 at 10:19 pm

            Hello Paul,
            The New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString command “Outlook for iOS and Android” -AccessLevel Block no longer works with Office 365.

            Error message :
            New-ActiveSyncDeviceAccessRule: The term “New-ActiveSyncDeviceAccessRule” is not recognized as a cmdlet name,

          • Paul Cunningham says

            December 11, 2017 at 10:27 pm

            That cmdlet works fine for me. Do you have PowerShell connected to Exchange Online?

  9. Brent Braun says

    March 3, 2017 at 4:42 am

    Hi Paul,

    How can you restrict OWA access for a whole domain? We are currently controlling ActiveSync access with Quarantine, but if someone downloads the OWA app, they can get around our quarantine restrictions and automatically access email.

    Reply
    • Brent Braun says

      March 3, 2017 at 4:43 am

      We are using Office 365.

      Reply
    • Paul Cunningham says

      March 3, 2017 at 8:28 am

      You can disable the app per-mailbox. Look at Set-CASMailbox and the OWAforDevicesEnabled property.

      Reply
  10. Lou Gerritse says

    October 20, 2016 at 4:03 am

    Is this still the case for the outlook apps provided for IOS and ANDROID?

    Reply
    • Paul Cunningham says

      October 20, 2016 at 8:55 am

      Which part?

      Reply
      • Naushad Ambar says

        January 1, 2017 at 10:49 pm

        HI Paul,

        how can we restrict IOS and android native email client or only outlook, kindly share the command for Exchange server 2013 and we need to allow only for certain user.

        Reply
  11. Fidel Quintela says

    June 28, 2016 at 1:51 pm

    Paul, nice article. Any experience with blocking Windows 8 and 10 default mail app. It seems to connect via ActiveSync. That is a definite hole if only allowing external access through OWA with TFA and passcode protected ActiveSync devices.

    Reply
    • Paul Cunningham says

      June 28, 2016 at 8:38 pm

      Yes, you can block them.

      Reply
  12. TLN says

    May 25, 2016 at 1:06 pm

    How to customize the email send to user when the block policy is enabled.

    Reply
    • Paul Cunningham says

      May 25, 2016 at 2:04 pm

      You can only customize the quarantine message, not the block message.

      Reply
  13. Megan Sheppard says

    April 21, 2016 at 12:57 am

    Any way to make an exception for 1 or 2 users? I need to let some security people to install it and connect for testing, but I don’t want to open it for everyone to make this happen.

    Reply
  14. Manoj Kumar says

    January 8, 2016 at 9:30 pm

    Hi Paul,

    I got to know this article from one of post in MobileIron community and I read all article related to Blocking Active sync on 2010 and these are very simple and interesting.

    Hope you can help me out this.

    We have Exchange 2010 and integrated with MobileIron MDM. We have following setup:
    1) using Native Client & Email+ app on Android devices to fetch Mail, Contact, Calendar etc.
    2) Using only Native Client on iOS device to fetch Mail, Contact, Calendar etc.

    We want to Allow Only Native Client & Email+ app on Android devices and Native Client on iOS devices and Block else (It can be any apps) since on Play Stores and App Stores there are number of apps that can access exchange data and we can’t find all these app and block them.

    I know there are some other ways to achieve this and we implemented those as well but couldn’t fully block Active sync.

    Any help will be highly appreciated.

    Thanks,
    Manoj

    Reply
    • Paul Cunningham says

      January 10, 2016 at 3:11 pm

      If you’re using MobileIron you should be controlling it all through MobileIron.

      Reply
  15. Marinko says

    September 1, 2015 at 11:03 pm

    Hi Paul,

    Is it possible to create restriction based on device GUID?

    For example: Have a list of company distributed devices (GUID’s) allowed and all other devices quarantined.

    Thanks,
    Marinko

    Reply
  16. Hoa Nguyen says

    August 12, 2015 at 8:41 pm

    Hi Paul,
    On the same mobile device, suppose that we have set up 3 email client apps connecting to Exchange server, such as: Native email app, Outlook-iOS app, Touchdown app
    By using cmdlets as in your post above, is it possible to quarantine and block: Native email app and Outlook-iOS app, but only allow Touchdown app on the device to access exchange server? Could you help me with some quick guidelines for that case?
    Any help will be highly appreciated!

    Many Thanks

    Reply
    • Rosario says

      August 12, 2015 at 8:51 pm

      I think you could have a look at my if-clause in my post here. The filtering is done on a string basis, so, knowing the string with which the eMail-Client-App will connect to the Exchange server should be enough to quarantine or block it. Unless Exchange can only see the mobile device and not the eMail-App’s signature.

      Reply
  17. Rino Mardo says

    July 12, 2015 at 4:54 pm

    how to do the above in ECP? there is no query string to be modified.

    Reply
    • Paul Cunningham says

      July 12, 2015 at 6:59 pm

      Why not just use PowerShell? Fast and easy.

      Reply
  18. Russ says

    April 29, 2015 at 9:25 pm

    What about blocking Gmail app from Android 5.0 and up and new Inbox app?

    Reply
  19. Oscar says

    March 5, 2015 at 1:15 am

    Paul, we only allow a certain group of people to use ActiveSync, Is ActiveSync required in order for Outlook for iOS to work? I want to make sure this is not going to let just anyone connect to Exchange on their phones without approval.

    Thank You.

    Reply
    • Paul Cunningham says

      March 6, 2015 at 1:27 pm

      Yes, Outlook for iOS uses ActiveSync.

      Reply
      • Lim says

        November 27, 2019 at 1:27 pm

        Hi Paul,

        You mentioned that Outlook App for iOS and Android is using ActiveSync. So can I assume that Outlook for iOS and Android are ONLY using ActiveSync?

        Hope to hear from you soon.

        Regards,
        Lim

        Reply
  20. John says

    March 3, 2015 at 7:45 pm

    How to block users from using “mail+ for outlook” app to access their mailbox? since its using OWA, firewall rule will help ?

    Reply
  21. Pari Desai says

    February 18, 2015 at 8:57 am

    Can this be accomplished in Exchange 2007?

    Thanks,
    Pari

    Reply
    • Paul Cunningham says

      February 18, 2015 at 10:48 am

      Exchange 2007 doesn’t have the same capabilities as 2010/2013/O365. You’ll need to look at blocking it with IIS rules or at your reverse proxy.

      Reply
  22. tonydiesel says

    February 17, 2015 at 10:15 am

    do you know if you run the script to block “Outlook for iOS and Android”, will the user be able to still use the native email client to connect? (native being iOS)

    I would test this on my own, but i don’t want to upgrade to iOS8, :(.

    I can tell you running the script to block “Outlook for iOS and Android”. I can still use the native email client. But i want to know if a device gets blocked for attempting to use Outlook APP, can the same device then connect via EAS using the native client?

    you have to have iOS8 to install the Outlook App. Thx

    Reply
    • Paul Cunningham says

      February 17, 2015 at 1:12 pm

      Blocking the Outlook app doesn’t block the native mail app on the same device.

      Reply
  23. John says

    February 12, 2015 at 5:34 am

    How do you setup the opposite policy? How do you allow access to Exchange from the Outlook app only? I don’t want connections from any other mail apps except from the Outlook app. Please do not rail against this question. I just want to know how to do this. Thanks.

    Reply
    • Paul Cunningham says

      February 12, 2015 at 9:55 am

      Set an org level policy to block or quarantine (quarantine is probably going to be better for you) then set either approve devices on a case by case basis or set a device access rule to allow the specific devices/apps you want.

      https://practical365.com/preventing-new-activesync-device-types-from-connecting-to-exchange-server-2010/

      Reply
  24. Chris says

    February 11, 2015 at 8:15 am

    What about using the “Blocked Application” option under the ActiveSync properties using the Exchange GUI?
    Wouldn’t it better to block just the APP instead the device itself. Blocking devices may create issues for IT in case the CEO has decided to test this app in the middle of the night.
    If this option works, what should be the Application name to use?

    Thanks,
    Chris

    Reply
    • Paul Cunningham says

      February 11, 2015 at 3:31 pm

      I’m not sure that option even works actually.

      Reply
  25. Marc says

    February 11, 2015 at 1:30 am

    By default we quarantine all devices and only allow the ones we want, so in a way we are ok on that front.
    We have a very strict password Policy, so having credentials on a 3rd party server is a big issue with us. I can see that a number of users have tried to connect using Outlook for IOS, so my question is, given that they have tried to connect but were quarantined, does it mean that the passwords are still stored in the cloud?
    I may have to force a password change on them.

    Thanks

    Reply
    • Paul Cunningham says

      February 11, 2015 at 3:30 pm

      Possibly. If it is a concern then force a password reset. Frankly that would be what I would do, if my org policies were explicitly against it.

      Reply
      • Joey Peloquin says

        February 14, 2015 at 5:13 am

        In other words, as was just described to me by our messaging architects – this does nothing to solve the problem of _registering_ the app and providing it the creds required to manage mail, it only blocks access once the app tries to sync.

        So, my enterprise users that have unfortunately already installed Outlook and started using it have already exposed their creds to a third party server. Further, absent a fully configured and deployed MAM solution that can prevent mobile application installation, I also cannot prevent additional users from installing and configuring the app.

        It looks like I’d better get that email security bulletin and out the door. How ironic that some of our users will be reading it from the app it warns them not to use!

        Thanks for the timely post and information, Paul.

        Reply
  26. Arjen says

    February 10, 2015 at 6:42 am

    Hy Paul,

    We have a multitenant Exchange 2010 environment (Multitenancy by ABP’s). Can I apply an ActiveSyncDeviceAccessRule to (all users of) only one customer?

    Reply
    • Arjen says

      February 10, 2015 at 6:48 am

      All users of this customer have one common value in a custom attribute (ABP is applied by that value) and are in a common Security and Distribution Group.

      Reply
    • Paul Cunningham says

      February 10, 2015 at 9:05 am

      No.

      Reply
  27. Rosario Carcò says

    February 10, 2015 at 1:49 am

    Thanks a lot Paul, we just blocked it on Exchange 2010.

    We would like to monitor the users using it despite being blocked, so as to be able to inform them that they should delete their account in the cloud and change their password.

    Will your Get-EASDeviceReport.ps1 still be able to track those users or should we only quarantine instead of blocking it, to be able to see who is attempting to use it?

    Rosario

    Reply
    • Paul Cunningham says

      February 10, 2015 at 9:06 am

      Why not try it yourself and see the results first hand? You’ve put the block rule in place, grab a test device and install the app and try to connect.

      Reply
      • Rosario Carcò says

        February 10, 2015 at 8:57 pm

        YES! I scheduled your Script to run every night and I can see new users having made an attempt. SyncAge displays NEVER and LastSyncAttemptTime and LastSuccessSync are empty.

        GREAT, that is what we need.

        I modified the if clause in your script to filter out only the new iOS-Android users/devices and inverted to show SyncAge LESS than the given 30 days to get only users/devices who connected in the last few days, like this:

        if ($EASDevice.DeviceModel -like ‘*Outlook for iOS and Android*’ -and ($syncAge -le $Age -or $syncAge -eq “Never”))

        Of course you could omit the whole syncAge part if you are only interested in tracking the iOS-Android users that started only recently as the app was released.

        Yours, Rosario

        Reply
  28. Ste Mc says

    February 7, 2015 at 9:02 pm

    Hi Paul

    We need to block this on exchange 2007 but the cmdlet above doesn’t seem to work, could you advise?

    The error i get is :

    [PS] C:\Windows\system32>New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString “Outlook for iOS and Android” -AccessLevel Block
    The term ‘New-ActiveSyncDeviceAccessRule’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify th
    the path is correct and try again.
    At line:1 char:31
    + New-ActiveSyncDeviceAccessRule <<<< -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
    + CategoryInfo : ObjectNotFound: (New-ActiveSyncDeviceAccessRule:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Many thanks, great article

    Reply
    • Paul Cunningham says

      February 8, 2015 at 8:18 am

      Exchange 2007 doesn’t have that feature. You’ll need to look at other ways to block it, such as blocking the user agent in IIS or on your reverse proxy.

      Reply
      • Art Alexion says

        February 10, 2015 at 5:15 am

        We have a mixed 2007 & 2013 environment. Will blocking it on the 2013 CAS servers also effectively block it for the 2007 mailboxes. That is, I assume the EAS rule is applied to the CAS piece.

        Reply
        • Paul Cunningham says

          February 10, 2015 at 9:05 am

          Not sure, but I would assume so. Only way to know for sure is to test it.

          Reply
  29. David says

    February 7, 2015 at 3:08 pm

    Hi Paul !

    Great info ! We are on exchange 2007 and outlook for IOS violates our policies – can you advise options for exchange 2007 ?

    We use Isa as a reverse proxy as an option too ?

    Reply
    • Paul Cunningham says

      February 7, 2015 at 3:36 pm

      Look at using ISA to block the user agent or some other identifier such as the source IPs. I couldn’t tell any specifics though, haven’t touched ISA in a long time.

      Reply
  30. David Knudson says

    February 7, 2015 at 1:16 am

    Paul, in your example you had a specific client used in the get-mobile…statement. is there way to see if anyone in the store has enabled this without knowing a specific user? I use 2010 exchange.

    Reply
    • Ian says

      February 7, 2015 at 7:57 am

      David, I don’t have any results to verify but try the following:
      Get-ActiveSyncDevice | where-object {$_.DeviceModel -like ‘*Outlook for iOS and Android*’}
      or
      Get-ActiveSyncDevice | where-object {$_.DeviceAccessStateReason -like ‘*DeviceRule*’}

      Reply
    • Paul Cunningham says

      February 7, 2015 at 8:12 am

      Use Get-EASDeviceReport.ps1

      https://practical365.com/powershell-script-activesync-device-report/

      Reply
      • David Knudson says

        February 12, 2015 at 5:11 am

        Paul,
        i am a little confused about the output of this report when using the -age 30. I was thinking that would setup for seeing all done in the last thirty days. apparently its for any sync’s beyond 30 days??

        In one instance, i see under lastsyncattempttime and lastsuccesssync it shows a return value of april 2014 . i know this person gets their email on the phone currently and has all along.

        In the case of my phone (have three listings for different phones associated with my name)the last one has me way back to 12/8/2013. (that might have been when i got my current phone)

        What does that LSAT and LSS fields really tell us? What are they really recording?? is this recording the last time they interacted with the sync process or the last time they “registered” with the system?? is there a way to see ongoing sync’s so we can see who is communicating currently?

        thanks
        dave

        Reply
        • Paul Cunningham says

          February 12, 2015 at 9:54 am

          The -Age parameter specifies “Devices that have not synced in more than X days”. So it is a way to only report on old/stale devices that haven’t recently synced.

          Reply
  31. Sahin Boluk says

    February 5, 2015 at 8:28 am

    One last question, if I only have the default organization setting, is the indiviual access state coming from Mass360?

    Reply
    • Paul Cunningham says

      February 5, 2015 at 3:19 pm

      Not all MDMs operate the same way and I haven’t worked with Mass360 so I couldn’t say either way.

      Reply
  32. Sahin Boluk says

    February 5, 2015 at 1:08 am

    Thank you Paul! You’ve been a great help.

    Reply
  33. Sahin Boluk says

    February 4, 2015 at 2:51 pm

    Hi Paul, below is the output. At first I used powershell to create the rules, then i deleted those and used to gui to create it. I put the output of that at the end of this comment as well. Also, I just did an IISReset on all of our CAS servers, and it still looks like it didn’t help. Thanks in advance for all your help!

    [PS] C:\SCRIPTS>Get-ActiveSyncDeviceStatistics -Mailbox bolukrsw | fl FriendlName,Device*,Client*,Is*

    DeviceType : Outlook
    DeviceID : C62DDA89E034BB93
    DeviceUserAgent : Outlook-iOS-Android/1.0
    DeviceWipeSentTime :
    DeviceWipeRequestTime :
    DeviceWipeAckTime :
    DeviceModel : Outlook for iOS and Android
    DeviceImei :
    DeviceFriendlyName : Outlook for iOS and Android
    DeviceOS : Outlook for iOS and Android 1.0
    DeviceOSLanguage :
    DevicePhoneNumber :
    DeviceEnableOutboundSMS : False
    DeviceMobileOperator :
    DeviceAccessState : Allowed
    DeviceAccessStateReason : Individual
    DeviceAccessControlRule :
    DevicePolicyApplied : WindowsPhoneNoPassword
    DevicePolicyApplicationStatus : AppliedInFull
    DeviceActiveSyncVersion : 14.1
    IsRemoteWipeSupported : True

    DeviceType : Toggle
    DeviceID : d36a7cc005f99e9d7124337829c55fc5
    DeviceUserAgent : Toggle/3.0
    DeviceWipeSentTime :
    DeviceWipeRequestTime :
    DeviceWipeAckTime :
    DeviceModel : SM-T800
    DeviceImei :
    DeviceFriendlyName : SM-T800
    DeviceOS : Android 4.4.2
    DeviceOSLanguage :
    DevicePhoneNumber :
    DeviceEnableOutboundSMS : False
    DeviceMobileOperator :
    DeviceAccessState : Allowed
    DeviceAccessStateReason : Individual
    DeviceAccessControlRule :
    DevicePolicyApplied : WindowsPhoneNoPassword
    DevicePolicyApplicationStatus : AppliedInFull
    DeviceActiveSyncVersion : 14.1
    IsRemoteWipeSupported : True

    DeviceType : Touchdown
    DeviceID : 3939303030343437363831383835
    DeviceUserAgent : TouchDown(MSRPC)/8.4.00086/
    DeviceWipeSentTime :
    DeviceWipeRequestTime :
    DeviceWipeAckTime :
    DeviceModel : SM-G900P
    DeviceImei : 99000447681885
    DeviceFriendlyName : Android_ynhh_bolukrsw
    DeviceOS : Android 4.4.4
    DeviceOSLanguage : English
    DevicePhoneNumber : ******0820
    DeviceEnableOutboundSMS : False
    DeviceMobileOperator :
    DeviceAccessState : Allowed
    DeviceAccessStateReason : Individual
    DeviceAccessControlRule :
    DevicePolicyApplied : WindowsPhoneNoPassword
    DevicePolicyApplicationStatus : AppliedInFull
    DeviceActiveSyncVersion : 14.1
    IsRemoteWipeSupported : True

    [PS] C:\SCRIPTS>Get-ActiveSyncDeviceAccessRule

    RunspaceId : f30cf520-9f0e-441f-974d-4ac0d6895665
    QueryString : Outlook for iOS and Android
    Characteristic : DeviceModel
    AccessLevel : Block
    Name : Outlook for iOS and Android (DeviceModel)
    AdminDisplayName :
    ExchangeVersion : 0.10 (14.0.100.0)
    DistinguishedName : CN=Outlook for iOS and Android (DeviceModel),CN=Mobile Mailbox Settings,CN=xxxxxxxCN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YNHHSC,DC=ORG
    Identity : Outlook for iOS and Android (DeviceModel)
    Guid : 3bab0fa7-8659-4280-9d35-99c78c126745
    ObjectCategory : xxxxxxx/Configuration/Schema/ms-Exch-Device-Access-Rule
    ObjectClass : {top, msExchDeviceAccessRule}
    WhenChanged : 2/2/2015 4:45:01 PM
    WhenCreated : 2/2/2015 4:44:09 PM
    WhenChangedUTC : 2/2/2015 9:45:01 PM
    WhenCreatedUTC : 2/2/2015 9:44:09 PM
    OrganizationId :
    OriginatingServer : xxxxx
    IsValid : True

    Reply
    • Paul Cunningham says

      February 4, 2015 at 3:11 pm

      DeviceAccessState : Allowed
      DeviceAccessStateReason : Individual

      That means the device has been allowed as a personal exemption for your mailbox.

      Run this:

      Get-CASMailbox yourmailboxname | fl

      You’ll see an ActiveSyncAllowedDeviceIDs attribute. There will be one or more device IDs in there. You need to remove the one for Outlook for iOS and Android.

      Once it is removed as a personal exemption it will be caught by the device access rule instead.

      You can learn more about that here:
      https://practical365.com/existing-activesync-device-associations-when-changing-organization-default-access-level/

      If you want to learn more about how ActiveSync works please consider this ebook:
      https://practical365.com/ebooks/the-beginners-guide-to-exchange-server-2010-activesync/

      Reply
  34. Sahin Boluk says

    February 4, 2015 at 1:35 am

    Hi Paul, I posted a comment on your other article, https://practical365.com/creating-activesync-device-access-rules-exchange-server-2010/#comment-154032 about this same thing, then came across this article as this is what I am looking for.

    I created the rule, but the devices or application is not getting blocked. I do have another mail application, Touchdown, on the same device, not sure if that is the issue. We do use Mass360 as well to enforce policies to devices, maybe that is the issue.

    any thoughts?

    Reply
    • Paul Cunningham says

      February 4, 2015 at 8:44 am

      You’ll need to show me the output of this command:

      Get-MobileDevice -Mailbox yourmailboxname | fl FriendlyName,Device*,Client*,Is*

      And then show me exactly what command you ran to create the device access rule.

      Reply
  35. Tim says

    January 31, 2015 at 1:46 am

    Thanks for getting this out there. I bet a lot of enterprise customers will be scrambling to block due the caching of email and passwords to the cloud. Not particularly happy with how MS handled this acquisition.

    Reply
    • Paul Cunningham says

      January 31, 2015 at 1:08 pm

      Giving customers the choice to allow or block the app (which we have) is the most important thing. Microsoft is already committed to making the app more enterprise-friendly and I expect we’ll see a lot of updates over the next 12 months to get us there.

      Reply
      • Ahmed says

        February 1, 2015 at 4:44 pm

        Dear paul,

        if i want to go back to after blocking “Outlook for iOS and Android App”. should i have to delete these new created rule from EMS, if yes can u please provide me command

        Thz

        Reply
        • Paul Cunningham says

          February 1, 2015 at 4:47 pm

          Use Remove-ActiveSyncDeviceAccessRule or do it via the Exchange Admin Center/Console.

          Reply
        • Ahmed says

          February 1, 2015 at 5:37 pm

          where can i find ActivesyncDeviceRule via EMC, i unable to find the newly created rule.

          I’m using exchange 2010 SP3

          thz

          Reply
        • Ahmed says

          February 1, 2015 at 6:43 pm

          Thz paul i got it

          Reply
