
Preventing New ActiveSync Device Types from Connecting to Exchange Server 2010

In an Exchange Server 2010 organization where there are policies about which types of mobile devices can connect to the Exchange server using ActiveSync, the administrators may wish to prevent new device types from connecting without their knowledge.

Exchange 2010 provides the capability for administrators to control how a new device type is treated by Exchange thanks to the ActiveSync organization settings.

The default setting for this (perhaps unfortunately, from a security point of view) is “Allow”. You can see this using the Get-ActiveSyncOrganizationSettings cmdlet in the Exchange Management Shell.

With this default access level any new mobile device type can connect to the server.

Configuring the ActiveSync Organization Settings

The administrator can change this using the Set-ActiveSyncOrganizationSettings cmdlet so that new device types are quarantined instead, requiring administrator approval before they can be used to connect to the Exchange server.

Aside from setting the default access level, there are two other options worth configuring:

  • AdminMailRecipients specifies the email addresses of administrators who are notified when a new device type attempts to connect.
  • UserMailInsert specifies an additional text string that is appended to the end user notification email that is sent by Exchange to let them know that their device has been quarantined. This makes it possible to include some friendly instructions for the end user, such as who to contact about the matter.

Here is an example:
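The shell commands the example refers to, reconstructed here as an added example rather than the original post's screenshot; the recipient address and the UserMailInsert text are placeholders, and an Exchange 2010 Management Shell session is assumed:

```powershell
# Added example, not the original post's screenshot. The address and the
# UserMailInsert text are placeholders; replace them with your own values.
# Assumes an Exchange 2010 Management Shell session.

# Check the current organization-wide default (Allow unless it has been changed).
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel, AdminMailRecipients, UserMailInsert

# Quarantine new device types, notify the administrators, and add guidance for users.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "exchangeadmins@example.com" `
    -UserMailInsert "Contact the IT Service Desk on ext. 1234 to request approval for this device."

# Confirm the change took effect.
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel, AdminMailRecipients, UserMailInsert
```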

You can also configure these settings using the Exchange Control Panel, in the Phone & Voice section. I just happen to find the shell a bit faster to use.

Let’s take a look at what happens once these ActiveSync organization settings have been applied. The user Vik Kirby attempts to connect to Exchange ActiveSync with a new Windows Phone 7 device.

Vik receives an email notification that the mobile phone is temporarily blocked. This arrives in the mailbox, accessible via Outlook or OWA, but is also permitted to sync to the mobile device itself (although no other content will sync to the device).

You may notice the custom text string that was specified using the UserMailInsert parameter.

The administrator specified with the AdminMailRecipients parameter also receives a notification email.

Example of Allowing a Quarantined ActiveSync Device

Clicking the link “To perform an action for this device…” opens the Exchange Control Panel to manage the device. This can also be found if you open the Exchange Control Panel and navigate to the Phone & Voice section again.

Choosing Allow and then clicking Save (at the bottom of the window) would permit Vik to use the device. The specific device ID is shown as allowed for Vik’s mailbox, visible using Get-CASMailbox.

However, another user with the same type of device will still not be allowed to connect, and will be placed in Quarantine.

If, after reviewing the first quarantined device of a given type, you decide that all matching devices should also be allowed to connect, you can create a device access rule.

In the Exchange Control Panel, again in Phone & Voice, select the quarantined device and choose “Create a rule for similar devices…”.

The Device Family and Model are pre-populated based on the quarantined device you selected.

Save the policy and any subsequent new mobile device matching those criteria will be treated according to the rule you have configured.
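The same review, per-user allow and device access rule steps carried out in the Exchange Management Shell, as an added example that is not part of the original post; "Vik Kirby" is the article's scenario, while the device ID and model strings are constructed placeholders to be replaced with the values reported in the first step:

```powershell
# Added example, not from the original post. "Vik Kirby" is the article's
# scenario; $deviceId and $model are constructed placeholders. Take the real
# values from the output of step 1. Assumes an Exchange 2010 Management Shell.

# 1. List devices currently held in quarantine, with the attributes a device
#    access rule can match on (DeviceType, DeviceModel, DeviceOS, UserAgent).
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Format-Table UserDisplayName, DeviceId, DeviceType, DeviceModel, DeviceOS -AutoSize

# 2. Allow one specific device for one mailbox only (what "Allow" in the ECP does).
$deviceId = "PLACEHOLDERDEVICEID0001"   # placeholder: use the DeviceId shown in step 1
Set-CASMailbox -Identity "Vik Kirby" -ActiveSyncAllowedDeviceIDs @{ Add = $deviceId }
Get-CASMailbox -Identity "Vik Kirby" | Format-List ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# 3. Allow every device of the same model for all users, instead of approving
#    them one by one. A rule matches on a single characteristic; the rule name
#    is generated by Exchange from the characteristic and query string.
$model = "PLACEHOLDER-MODEL"             # placeholder: use the DeviceModel shown in step 1
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString $model -AccessLevel Allow

# Review the rules in place. Per-mailbox allowed/blocked lists take precedence
# over rules, and rules take precedence over the organization default.
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```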

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

71 comments

  1. Stef Bearne says:

    I had implemented this a few months ago at the request of HR. The policy was required so that only an exempt employee should be granted access, rather than by device type. Once the policy was applied, all existing devices were quarantined too. Is there a way to grandfather in existing users (Exch 2003 Mobile Admin tools had an exclusion list)? It wasn’t a big problem as I had communicated the change prior, but it would have been nice to circumvent approving previously connected devices.

  2. Anil says:

    Hi Paul,

    In our organization the default access level is Quarantine

    How to achieve the below requirement

    “All devices in the quarantined list for more than a month should be purged from the list”

  3. Carol Ostos says:

    Is it possible to enable quarantine policy for a domain (limited scope) as opposed to enable this at the organization level?

  4. Kevin O'Brien says:

    Hi Paul,

    Is it possible to manage a device with ActiveSync policies but block the device from having email access?

    thank you,
    Kevin

    • Nobody has ever asked me that before.

      I’ve looked at what is available in ActiveSync policies and I don’t see anything that would fit that scenario.

      Why do you want to manage the device if it isn’t going to get email?

      • Kevin O'Brien says:

        Hi Paul,

        I have never been asked that before either. This is for a client. Some of their people have company iPads but don’t use email on them. The boss asked him if it was possible so I am not sure what the reasoning is. I am only assuming that they want the ability to remote wipe. Not sure what other reason you would have for this request. I found this article by Paul Robichaux about blocking devices:

        http://windowsitpro.com/exchange-server-2010/managing-exchange-activesync-device-access

        I tested it out by setting up my iPhone for email, and then running these commands to block the device. Email was blocked at the phone and the phone was still associated with my account. I am not about to wipe out my iPhone but it looks like this may work. I sent the info over to the client so they can play with it. Not sure I’ll ever see this kind of request again.

        Thanks!
        Kevin

        • Drew McNichol says:

          Hi Paul, I’ve read your posts with great interest. We have an immediate need to allow Calendar, Contacts and Tasks to sync but not Mail. We want to use the ZixOne app as the only way to access email. However, the ZixOne app’s Calendar, Contacts and Tasks features are not as robust. I’m grateful for any assistance you can provide.

  5. Joerg Renggli says:

    Hi Paul,

    Is it possible to create an ActiveSyncDeviceAccessRule that queries the “Device ID” and sets it to “Allow”, without a mailbox bound to it?

    We have about 40 “lending” iPads in our company and would like to allow these on a device basis.

    Thank you
    Joerg

  6. Ken M says:

    Paul, is it possible to PRE-Allow existing devices so that when we turn on the Quarantine mode they do not receive a notice?

    • Yes, if you know the device ID you can add it to the allowed device IDs for a mailbox by using Set-CASMailbox. For iPhones the device ID can be found in the OS and I think it is also on the packaging, it is displayed as the serial number but the device ID that it appears as in Exchange has some characters prepended, “Appl”.

      For other devices like Android and WinPho I don’t know exactly where to find the device ID/serial in advance.
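The pre-allow approach described in the reply above, extended to every mailbox that already has a partnership, as an added example that is not part of the original post or its comments; it assumes an Exchange 2010 Management Shell session and that existing partnerships are the ones you want to keep:

```powershell
# Added example, not from the original post or comments. Records the device IDs
# of every existing ActiveSync partnership in each mailbox's allowed list, so
# that switching DefaultAccessLevel to Quarantine afterwards neither blocks nor
# notifies existing users. Assumes an Exchange 2010 Management Shell session.
# Add -WhatIf to Set-CASMailbox on a first pass to preview the changes.
$report = foreach ($cas in Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true }) {
    # Every device that has synced with this mailbox, de-duplicated by DeviceID.
    $ids = Get-ActiveSyncDeviceStatistics -Mailbox $cas.Identity |
        Select-Object -ExpandProperty DeviceID -Unique
    if ($ids) {
        Set-CASMailbox -Identity $cas.Identity -ActiveSyncAllowedDeviceIDs @{ Add = $ids }
        # PowerShell 2.0 compatible object for the summary (the 2010 shell runs PS 2.0).
        New-Object PSObject -Property @{
            Mailbox          = $cas.Identity
            AllowedDeviceIDs = ($ids -join ", ")
        }
    }
}
$report | Format-Table Mailbox, AllowedDeviceIDs -AutoSize

# Only once the report has been reviewed and every existing device is allowed:
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
```

Devices that synced before but are no longer wanted should be removed from the allowed list again, since this pass grandfathers every partnership it finds.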

  7. Kevin O'Brien says:

    Hi Paul,

    In setting up a new device access rule for Exchange 2010, is this rule set for the entire organization? What I mean is, we have 3 sites – us.company.com, asia.company.com, Europe.company.com. If I launch ECP for US.company.com and create an access rule, does the rule only apply to US or am I setting it for the entire organization, all three sites?

    Thank you!
    Kevin

  8. Svetoslav Nanchev says:

    Hi Paul,

    With quarantine policy enabled for the whole organization, can it be achieved for some users that all new devices are automatically approved/allowed?
    I want to restrict EAS for part of the company. The other part should be able to use it on all devices.

    Thank you!
    Slav.

  9. Dev Pradhan says:

    Hello,

    Is it possible to set up a rule/policy where every device/user requires administrator approval before they can be used to connect to the Exchange server.
    We have noticed that our users configure their accounts on any device once they know the configuration settings and we don’t want that to happen.

  10. Fred Laidman says:

    Hi Paul,

    Just came across your article when searching for information. Although it’s an old posting I hope you get the chance to provide some suggestions. Our scenario is similar to some already mentioned here, we’ve implemented ActiveSync with about 350 devices already using it. We need to enable quarantine so we can control new device registration, how do we achieve this without impacting existing users who have similar device types? This is not only for new device types, as existing users might already have them. This would be for any user trying to use any type of ActiveSync capable device, to configure access to email and calendaring. I couldn’t find any info for this specific scenario, I’m hoping you can provide some suggestions. Thank you.

  11. Z says:

    Hi Paul,
    Is there a way you can restrict only “outlook” email client from connecting to the server using activesync ?
    So forcing device to only connect via outlook and not any other native client or installed app mail client.
    Thanks.

  12. Jorn says:

    Hi..
    Can this message be changed from default?

    “The Exchange ActiveSync service has quarantined the mobile phone listed below. It won’t be able to synchronize Exchange content until you take action”

    to something that you find more related to your organization?
    I know that you can add text, but I would like to change this as well

  13. CB says:

    Paul, we used to get the https link included in the email to approve the device… it is no longer showing up?
    Do you know how to fix this?
    Thanks

  14. Andy says:

    Good day Paul,
    we have seen that user devices move from one user to another (e.g. if someone leaves the company) and there has been no cleanup… So if the “new” user has this device in its block list and the old user has the device in the allowed list, the new user is able to connect.
    My question would be: What is the leading Attribute to see if a user (better the device) is allowed to connect?
    (Exchange 2013).

    best regards,
    Andy

    • That doesn’t sound right to me. If the new user has that specific device ID in their blocked list (viewed in Get-CASMailbox) then they shouldn’t be able to connect with it, even if someone else could.

      • Andy says:

        Hi Paul,
        that’s the point. I understand it exactly as you do: It should be blocked for the user which has this DeviceID in its blocked list.
        But we saw that while testing and a guy from our Exchange Usergroup confirmed it.

        best regards,
        Andy

  15. Chris Cheung says:

    Dear Paul,

    I would like to set up “IF the user associates a new mobile device (provided that the default policy is not quarantine), then send an email to the corresponding user”?

    How can I accomplish it? many thanks.

  16. Adnan Siddiqui says:

    Hello Paul,
    I believe that you are amazing and a very helpful guider for exchange admins. I have a question, we have a MobileIron in place for our mobile devices and we are looking forward to block our Active Sync via exchange – I see the script but in assumptions it says no MDM in place. What can we do to in place exchange active sync with third party MDM and not interrupting existing users when we enable the policy.
    Thank you

    • MobileIron relies on ActiveSync, so if you try to block ActiveSync at the Exchange level you’re likely to disrupt MobileIron users.

      The short answer is, your ActiveSync service should not be externally accessible. It should only be accessible by the MobileIron servers.

      • Adnan Siddiqui says:

        Thank you for your reply Paul. It means that we should configure Active Sync in Mobile iron not in Exchange? If we enable Quarantine in Exchange it will disrupt existing users correct?
        Thank you

  17. Adnan Siddiqui says:

    One more thing I would like to add is in Exchange I have not configured anything for Active Sync and it is all Allowed. From Mobile Iron it is not blocking or quarantining any device. We don’t have the Mobile iron server – we are only using the Core system to install mobile iron on the client device and manage emails of our company. We can only Retire and wipe our users’ phones via mobile iron but we don’t have any blocking from mobile iron.

    • I’m not at all familiar with that way of using MobileIron. If you’re not using a MobileIron server, and clients hit Exchange directly for ActiveSync, then yes you’ll need to use the ActiveSync controls in Exchange to manage who can and can’t access it.

      • Adnan Siddiqui says:

        Perfect! Thank you so much Paul for your reply and I am very much pleased to see your quick response to my issue. It’s an honor to get some knowledge from you. You are the BEST! I am going to download the Active Sync guide of yours to have some more understanding on this feature. Just wanted to know if you come up with any guidance about Exchange 2016 in future – please let us know.

        Thank you once again for your help and support.

        • Adnan Siddiqui says:

          One more thing – in your early comments you said that you can add the existing device ID in allow list which eliminate the impact on that users once we turn on the Quarantine option. Do we have to add one by one through CAS MAILBOX command or can we do it via console?

  18. Tom says:

    Is it possible to prevent a user from getting the email notification “Your mobile phone is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.” when his/her device is quarantined?

  19. Frank says:

    At our organization, we have about 15 people who can authorize devices (by choosing “Allow” then “Save”).

    Days later, we see a device that should NOT have been Allowed. We want to track down which administrator authorized the device. Is there a way to view this info in the ECP (or anywhere else)?
