The default ActiveSync organization setting in Exchange Server 2010 is to allow any mobile device to connect to an Exchange mailbox without requiring approval from an administrator.

Consider a scenario where the business has decided that mobile devices should be blocked or quarantined by default, requiring administrator approval before they are allowed to connect.

As an example, the ActiveSync organization setting is set to quarantine.

Dealing with Existing ActiveSync Device Associations when Changing Organization Settings

In this case there are several users already using their mobile device to connect to Exchange. With the new setting applied one of them, Mary Hayes, is no longer able to connect, while the other person, Vik Kirby, is still able to connect without any issues.

In the view of quarantined devices we can only see Mary Hayes. Vik Kirby’s device has not been quarantined.


If the desired outcome was to quarantine all existing users and have their devices reviewed and approved where appropriate, then we need to work out how to deal with users such as Vik Kirby who were not affected by the change in policy.

In the help information for Set-ActiveSyncOrganizationSettings we can see the following notes for the DefaultAccessLevel parameter.

The DefaultAccessLevel parameter specifies whether new devices or existing devices are allowed, blocked, or quarantined.

Note: If you use the ActiveSyncDeviceAccessRule rule to define an access group of Exchange mobile devices together with their access level for a specific set of devices, those devices are not affected by the DefaultAccessLevel parameter.

While it does refer to mobile devices that are permitted by an ActiveSync device access rule, what it doesn’t say is what to expect for an individual user’s device that has been explicitly granted access (for example during a previous period when the default access level was set to block/quarantine).

If we use Get-CASMailbox to review mailboxes that have ActiveSync device associations we can see the difference between Mary and Vik.

[PS] C:\>Get-CASMailbox | where {$_.HasActiveSyncDevicePartnerShip} | select name,activesyncallowed*,activesyncblocked* | ft -auto

Name        ActiveSyncAllowedDeviceIDs         ActiveSyncBlockedDeviceIDs
----        --------------------------         --------------------------
Alan.Reid   {1249054091, androidc259148960}    {}
Mahera.Bawa {1249054091, Appl87941C1N3NS}      {}
Mary.Hayes  {}                                 {}
Vik.Kirby   {F04016EDD8F2DD3BD6A9DA5137583C5A} {}

Vik has a previously allowed device that is letting him continue to connect despite the change to the organization default access level.

To remove this approved device all we need to do is null the ActiveSyncAllowedDeviceIDs attribute for Vik. Note that this clears every allowed device ID on that mailbox, not just the one shown above.

Set-CASMailbox vik.kirby -ActiveSyncAllowedDeviceIDs $null

This change may take a short time to replicate through your environment. On the next connection attempt we can see that Vik’s device is quarantined as intended.
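The Get-CASMailbox review and the Set-CASMailbox clean-up above are shown for a single mailbox. The following script is an added example (not from the original article) that does the same thing across the organization: it confirms the current default access level, lists every mailbox whose ActiveSyncAllowedDeviceIDs would let a device bypass a Block or Quarantine default, and clears those entries only after a dry run. The function names are my own; it assumes the Exchange Management Shell is loaded.

```powershell
# Added example, not part of the original article. Assumes the Exchange
# Management Shell (Exchange 2010) is loaded. Function names are hypothetical.

function Get-ActiveSyncBypassMailbox {
    # Mailboxes with at least one explicitly allowed device ID. Those devices
    # keep connecting regardless of the organization's DefaultAccessLevel,
    # which is the Vik Kirby case described in the article.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.HasActiveSyncDevicePartnership -and $_.ActiveSyncAllowedDeviceIDs.Count -gt 0 } |
        Select-Object Name, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
}

function Clear-ActiveSyncAllowedDevice {
    # Nulls ActiveSyncAllowedDeviceIDs for each piped mailbox. Supports -WhatIf
    # and -Confirm so the list can be reviewed before anything changes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Mailbox
    )
    process {
        $name = $Mailbox.Name
        $ids  = $Mailbox.ActiveSyncAllowedDeviceIDs -join ', '
        if ($PSCmdlet.ShouldProcess($name, "Clear ActiveSyncAllowedDeviceIDs ($ids)")) {
            # Clearing the attribute sends the device back through the
            # Allow/Block/Quarantine decision on its next connection.
            Set-CASMailbox -Identity $name -ActiveSyncAllowedDeviceIDs $null
        }
    }
}

# 1. Confirm what the organization default currently is (Allow, Block or Quarantine).
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel

# 2. Review the mailboxes that would not be affected by that default.
Get-ActiveSyncBypassMailbox | Format-Table -AutoSize

# 3. Dry run first, then the real change once the list has been reviewed.
Get-ActiveSyncBypassMailbox | Clear-ActiveSyncAllowedDevice -WhatIf
# Get-ActiveSyncBypassMailbox | Clear-ActiveSyncAllowedDevice
```

Keep the output of step 2 before running step 3: after the allowed IDs are cleared, the quarantined-device view is the only place the devices reappear, and the saved list tells you which of them were previously approved and by whom.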


About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. ramkumar nagaraj

    I ran the command for null for my mailbox.
    Will it keep blocking my device every time I connect to it?

    1. Paul Cunningham

      If you’ve removed the allowed device from your mailbox, if the device tries to reconnect it will go through the Allow/Block/Quarantine process again. If you’ve set a device access rule or the organizational setting to block new devices, the device will be blocked.

  2. Alan

    Hello,

    Would it do any damage to Exchange 2010 to delete the CN=ExchangeActiveSyncDevices leaf container under a user’s object using, e.g., ADSI, FIM or MIIS?

    We have some users who have left. Although their mailbox was deleted months ago, the ExchangeActiveSyncDevices container still remains under their user object. That’s causing problems deleting the user account for our AD team. However, their user object was moved to a different “disabled” OU before the mailbox was deleted …

    Thanks for any advice,

    – Alan.

    1. Paul Cunningham

      I assume not, since you intend to delete the user object as well. But that is only my assumption.

  3. Manish

    Thanks for your quick response,

    That means I need to set ActiveSyncOrganizationSettings to Quarantine and mention the device ID which I want to allow to sync in ActiveSyncAllowedDeviceIDs. No need to create an Access or Block Rule, right?

    Regards,
    Manish

  4. Manish

    Hi Paul,

    We used to allow only a single ActiveSync configuration per device for an Exchange 2007 SP3 mailbox by using the Set-CASMailbox field “ActiveSyncAllowedDeviceIDs”. But in Exchange 2013 somehow it is not working. Even when an Exchange 2013 user account is bound to one device ID, he is able to configure multiple handsets.
    We have not created any Access or block rule yet and ActiveSyncOrganizationSettings is Allow.

    Let me know how we can achieve a single device configuration per mailbox in Exchange 2013.

    Thanks in advance,
    Manish

    1. Paul Cunningham

      If there are no access rules blocking the device, and the org setting is set to allow, then they will be able to connect their device. So you will need to look at changing the org setting if you want to block/quarantine everything except those specific devices you wish to allow.

  5. Sahin Boluk

    Hi Paul,

    Occasionally we need to remove some of the users’ partnerships, when they get a new phone or device. Using remove-activesyncdevice -Identity “GUID” removes it from Exchange. When we run a get-casmailbox -identity “user” | fl name, active*, it returns with the removed device ID under ActiveSyncAllowedDeviceIDs. How do I remove only the device ID that we just removed?

  6. David

    Disregard last post. I figured it out. Just used the $null parameter.

  7. David

    I have added devices to the ActiveSyncBlockedID list. I need to remove them so they are allowed. I tried to do set-casmailbox -identity -ActiveSyncAllowedDeviceIDs and it added the device to the allowed list, but now it shows up in both allowed and blocked. I can’t seem to find how to remove devices from the blocked ID list at all. Thanks

    Dave

    1. Sahin Boluk

      This is what I am looking for as well...

  8. Jim

    Hi Paul,

    How do you remove a subset of approved ActiveSync devices without removing them all? For example, how do you remove Mahera’s Apple device while leaving the other device approved?

    Thanks!

    Jim

    1. neal

      Jim or Paul or whoever-

      Did you figure this one out?

      I am looking to add a device to the allowed list, and remove a device from the blocked list, but I do not want to change the rest of the allowed or blocked devices in the lists.

      For example, if the blocked list is {xxx,yyy,zzz}, I’d like to remove yyy from the blocked list and add it to the allowed list. Is there a command or script to handle this case?
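The per-device change that Jim, Sahin Boluk, David and neal ask about in this thread can be done without overwriting the rest of either list. The following is an added example, not a reply from the article's author: it uses the @{Add=...; Remove=...} syntax that Exchange cmdlets accept for multivalued parameters such as ActiveSyncAllowedDeviceIDs and ActiveSyncBlockedDeviceIDs. The function name and the 'yyy' device ID are placeholders; it assumes the Exchange Management Shell is loaded.

```powershell
# Added example, not part of the article or its comments. Moves one device ID
# from a mailbox's blocked list to its allowed list, leaving every other entry
# in both lists untouched. Function name and sample IDs are placeholders.

function Move-ActiveSyncDeviceToAllowed {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)] [string] $DeviceId
    )

    # Sanity check: warn if the ID is not actually on the blocked list, which
    # usually means a typo in the device ID rather than a real state change.
    $cas = Get-CASMailbox -Identity $Identity
    if ($cas.ActiveSyncBlockedDeviceIDs -notcontains $DeviceId) {
        Write-Warning "$DeviceId is not in the blocked list for $Identity"
    }

    if ($PSCmdlet.ShouldProcess($Identity, "Allow device $DeviceId and remove it from the blocked list")) {
        # Add/Remove syntax edits individual entries. Passing a plain list
        # instead would replace the whole attribute, which is why $null clears it.
        Set-CASMailbox -Identity $Identity `
            -ActiveSyncBlockedDeviceIDs @{Remove = $DeviceId} `
            -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}
    }

    # Return both lists so the result can be verified.
    Get-CASMailbox -Identity $Identity |
        Select-Object Name, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
}

# Jim's case: drop only the Apple device from Mahera's allowed list (IDs as
# shown in the article's Get-CASMailbox output), keeping the other entry.
# Set-CASMailbox -Identity Mahera.Bawa -ActiveSyncAllowedDeviceIDs @{Remove = 'Appl87941C1N3NS'}

# David's case: a device listed in both allowed and blocked, remove it from blocked only.
# Set-CASMailbox -Identity 'user.name' -ActiveSyncBlockedDeviceIDs @{Remove = 'yyy'}

# neal's case, dry run first:
# Move-ActiveSyncDeviceToAllowed -Identity 'user.name' -DeviceId 'yyy' -WhatIf
```

The device ID to pass is the DeviceID value shown by Get-ActiveSyncDevice for the mailbox, the same string that appears in the Get-CASMailbox output; a device that is present in both the allowed and blocked lists should be removed from one of them so the result is unambiguous.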

  9. mike dunne

    Hi Paul.

    Great article. I was looking for something like this for a while as I have been dealt a similar scenario in my organisation at present. There are many existing users using devices that have the ActiveSync enabled. In fact, we have the default profile applied to every user on the domain which allows them to use ActiveSync.

    I want to make a new access rule so that anyone from now on will have to come to the IT Helpdesk for us to grant them access. If I apply the new rule to all users, the existing connected users will no longer be able to receive their mail on their devices until they come to us. As there are well over 100 people that will be affected like this, what is the best way to leave the default access rule on their Exchange account, or what do you suggest doing? I will try and roll out the new access rule one by one on the existing users rather than having them all lose access to their mail all at once.

    Sorry about the long winded mail.

    I hope you can help me.

    Mike

      1. Thomas_A

        Hi Paul,

        Does your answer mean that changing the organizational access does not have any effect on existing relationships?

        Thanks

        Thomas
