A mobile device that is connecting to Exchange Server 2010 using ActiveSync can be in one of five “access states” at any given time.

  • Device Discovery – when a mobile device connects to the Exchange server for the first time it will spend up to 14 minutes in a quarantined state (not quite the same as the quarantine state mentioned below) as the server works out what to do with it.
  • Allow – a device in the allow state can synchronize email, calendar, tasks and so on, as long as it is compliant with the ActiveSync mailbox policy in effect for that mailbox user.
  • Block– a device can be in the block state for two reasons:
    • A device access rule is preventing the device from connecting. When this happens the user will receive an email message (that is customizable by the administrator) in their inbox letting them know that their device has been blocked.
    • The device is not compliant with the ActiveSync mailbox policy in effect for that mailbox user.
  • Quarantine – similar to the block state, a device will be placed in a quarantine state if a device access rule is configured to quarantine the device type, or if the default access level is set to quarantine new mobile devices. When a device is quarantined the user will receive a customizable email message in their inbox, and will also receive the same message on their mobile device, letting them know that their device has been quarantined.
  • Mailbox Upgrade – this is a temporary state when a mailbox user is moved from an older version of Exchange Server to an Exchange 2010 mailbox server, so that the device can update itself for the new version of ActiveSync and be recognized by the server, after which the device will go into an allow, block, or quarantine state depending on the configuration policies in place.

The device discovery and mailbox upgrade states are both temporary, and are only applicable under certain circumstances. In most cases you will be concerned with the allow/block/quarantine states.

The Exchange server uses a 9-step process for determining the access state of a mobile device.

  1. Is the mobile device authenticated?
  2. Is the user enabled for ActiveSync?
  3. Does the device comply with the ActiveSync mailbox policy in effect for that user?
  4. Does the user have a personal exemption that blocks the mobile device?
  5. Does the user have a personal exemption that allows the mobile device?
  6. Is the device blocked by a matching device access rule?
  7. Is the device quarantined by a matching device access rule?
  8. Is the device allowed by a matching device access rule?
  9. Apply the default access level (allow/block/quarantine) specified in the ActiveSync organization settings.

This decision making process can be illustrated in the following flow chart, which helps to visualize some of the points at which an allow/block/quarantine decision can be made that negates any subsequent steps of the process.

For example, if a user is not ActiveSync enabled then they will not be able to connect regardless of whether their particular type of mobile device is allowed to connect, or whether the device meets the requirements of an ActiveSync mailbox policy.

Or as another example, a user who has a personal exemption that allows their particular mobile device to connect will be able to do so regardless of an organization-wide device access rule that quarantines or blocks that device type, and regardless of the default access level configured for the organization.

Exchange ActiveSync Device Access Flowchart

This sequence is important to understand, because at several points through the process an allow/block/quarantine decision can be made that supersedes all subsequent steps. Administrators need to make sure that they are seeing the process as a whole instead of looking at just one or two configurations that may be misleading because of another condition that is in effect at an earlier stage of the process.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Marco Dal Degan

    Hi Paul and thanks for your always useful insight.
    We have a weird issue that we (and MS, with which we have a long standing ticket) could not solve: when our user get to the office, and their device connects to the corporate wifi, their device gets quarantined. We are going crazy on this one, but unfortunately being on O365 we cannot access the ultimate Exchange logs that might shed some light (why is the bloody device q’tined???). We manage our devices through Intune, and we distribute our corporate WiFi access via a Conf Profile. We have +15 locations worldwide and a few of them (the smaller) are not affected by this issue. Any hint about where we should look at? We’re lost at the moment (network? Firewall? MS? devices?….)
    Thansk for any tip you might give….

  2. Ranjith

    Hi,

    No how do i allow a user by personal excemption

  3. Penny Bristow

    If a device issues a cmd=provision vs just trying to do a folder sync or sync, does that potentially put the device into an allow state automatically?

  4. Marta Nowakowska

    Hello,
    To whom should I apply to have by Iphone access unblocked? Today in the morning I received an email saying: Your mobile device won’t be able to synchronize your data because of an access policy defined on the server.
    Information about your device:
    Device model: Outlook for iOS and Android
    Device type: Outlook
    Device ID: c5411a3d36ddecd08c394d35bb6b6e6c
    Device OS: iOS 10.3.2
    Device user agent: Outlook-iOS/2.0
    Device IMEI:
    Device access state: Blocked
    Device access state reason: Individual

    What can I do to be able to use Outlook again?

    Thank you in advance,
    Marta

  5. osman

    Hi poul,

    We changed Exchange ActiveSync access settings from allowed to quarantine.
    But some mobile devices blocked by policy.
    we use default mobile device mailbox policy as you see below. We didn’t edit this default policy.
    What is the reason of block ? can we find detailed block reason in somewhere? is it possible differences of device model(one of them MI6) can cause block ?

    Default mailbox policy content:
    allow mobile devices that dont’t fully support policies to synchronize

    owa for devices supports all password policies and won’t block any devices
    password :
    optional
    Mobile device settings :
    Device encryption not required

  6. Kenan Akcan

    Hi Poul;
    we have a problem. We have Exchange Server 2013 CU13 and we use Iphone smart phone.
    Mails deleted and re-load again some users in smartphone.
    Have you encountered such a problem?
    could you please help use this issue?
    thanks…

  7. Candee

    Hello,
    So; will the devices show up in the quarantine for 14 minutes?
    I implemented this after adding personal exemptions for the allowed users, but every device that connected wound up in Quarantine, and they were sent the email that their phone was blocked.
    I have an open case with Microsoft, just wondering if you have any ideas.
    Thanks,
    Candee

Leave a Reply