A mobile device that is connecting to Exchange Server 2010 using ActiveSync can be in one of five “access states” at any given time.
- Device Discovery – when a mobile device connects to the Exchange server for the first time it will spend up to 14 minutes in a quarantined state (not quite the same as the quarantine state mentioned below) as the server works out what to do with it.
- Allow – a device in the allow state can synchronize email, calendar, tasks and so on, as long as it is compliant with the ActiveSync mailbox policy in effect for that mailbox user.
- Block– a device can be in the block state for two reasons:
- A device access rule is preventing the device from connecting. When this happens the user will receive an email message (that is customizable by the administrator) in their inbox letting them know that their device has been blocked.
- The device is not compliant with the ActiveSync mailbox policy in effect for that mailbox user.
- Quarantine – similar to the block state, a device will be placed in a quarantine state if a device access rule is configured to quarantine the device type, or if the default access level is set to quarantine new mobile devices. When a device is quarantined the user will receive a customizable email message in their inbox, and will also receive the same message on their mobile device, letting them know that their device has been quarantined.
- Mailbox Upgrade – this is a temporary state when a mailbox user is moved from an older version of Exchange Server to an Exchange 2010 mailbox server, so that the device can update itself for the new version of ActiveSync and be recognized by the server, after which the device will go into an allow, block, or quarantine state depending on the configuration policies in place.
The device discovery and mailbox upgrade states are both temporary, and are only applicable under certain circumstances. In most cases you will be concerned with the allow/block/quarantine states.
The Exchange server uses a 9-step process for determining the access state of a mobile device.
- Is the mobile device authenticated?
- Is the user enabled for ActiveSync?
- Does the device comply with the ActiveSync mailbox policy in effect for that user?
- Does the user have a personal exemption that blocks the mobile device?
- Does the user have a personal exemption that allows the mobile device?
- Is the device blocked by a matching device access rule?
- Is the device quarantined by a matching device access rule?
- Is the device allowed by a matching device access rule?
- Apply the default access level (allow/block/quarantine) specified in the ActiveSync organization settings.
This decision making process can be illustrated in the following flow chart, which helps to visualize some of the points at which an allow/block/quarantine decision can be made that negates any subsequent steps of the process.
For example, if a user is not ActiveSync enabled then they will not be able to connect regardless of whether their particular type of mobile device is allowed to connect, or whether the device meets the requirements of an ActiveSync mailbox policy.
Or as another example, a user who has a personal exemption that allows their particular mobile device to connect will be able to do so regardless of an organization-wide device access rule that quarantines or blocks that device type, and regardless of the default access level configured for the organization.
This sequence is important to understand, because at several points through the process an allow/block/quarantine decision can be made that supersedes all subsequent steps. Administrators need to make sure that they are seeing the process as a whole instead of looking at just one or two configurations that may be misleading because of another condition that is in effect at an earlier stage of the process.