In an Exchange Server 2010 organization where there are policies about which types of mobile devices can connect to the Exchange server using ActiveSync, the administrators may wish to prevent new device types from connecting without their knowledge.

Exchange 2010 provides the capability for administrators to control how a new device type is treated by Exchange thanks to the ActiveSync organization settings.

The default setting for this (perhaps unfortunately, from a security point of view) is “Allow”. You can see this using the Get-ActiveSyncOrganizationSettings cmdlet in the Exchange Management Shell.

[PS] C:\>Get-ActiveSyncOrganizationSettings | select DefaultAccessLevel | fl

DefaultAccessLevel : Allow

With this default access level any new mobile device type can connect to the server.

Configuring the ActiveSync Organization Settings

The administrator can change this using the Set-ActiveSyncOrganizationSettings cmdlet so that new devices are quarantined instead, requiring administrator approval before they can connect to the Exchange server. One caveat before doing this on a live organization: the default access level applies to every device that is not already covered by a personal exemption (the allowed/blocked device IDs on the mailbox) or a device access rule, so devices that are already syncing today are quarantined too the moment the default becomes Quarantine. Pre-approve existing devices first if you want the change to be invisible to current users.

Aside from setting the default access level there are two other useful parameters on the same cmdlet:

  • AdminMailRecipients specifies the email addresses of administrators who are notified when a new device type attempts to connect.
  • UserMailInsert specifies an additional text string that is appended to the end user notification email that is sent by Exchange to let them know that their device has been quarantined. This makes it possible to include some friendly instructions for the end user, such as who to contact about the matter.

Here is an example:

[PS] C:\>Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients administrator@exchangeserverpro.net -UserMailInsert "Your mobile device type has not yet been approved for use. Please contact the Help Desk for further assistance."

You can also configure these settings using the Exchange Control Panel, in the Phone & Voice section. I just happen to find the shell a bit faster to use.
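Before switching the default to Quarantine in an organization where ActiveSync is already in use, a practitioner normally pre-approves the devices that are already syncing so that nobody is cut off and nobody receives a "temporarily blocked" notification. The script below is an added example, not code from the original article. It assumes an Exchange 2010 SP1 (or later) Management Shell, a hypothetical report path C:\Temp\EAS-PreApproved.csv, and an assumed 30-day window for what counts as an active partnership; change either assumption to suit.

```powershell
# Added example (not from the original article): pre-approve every device that is already
# syncing, so that changing DefaultAccessLevel to Quarantine does not quarantine existing users.
# Assumes an Exchange 2010 SP1 Management Shell. $ReportPath and the 30-day window are assumptions.
$ReportPath = "C:\Temp\EAS-PreApproved.csv"
$ActiveWindowDays = 30
$approved = @()

# Only mailboxes that have ever paired an ActiveSync device need to be touched
$mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true }

foreach ($mbx in $mailboxes) {
    # Every device partnership on this mailbox; keep only those that synced recently,
    # so stale partnerships from devices long gone are not silently allowed
    $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.LastSuccessSync -gt (Get-Date).AddDays(-$ActiveWindowDays) })
    if ($devices.Count -eq 0) { continue }

    # Personal exemptions are per mailbox: compare against this mailbox's current allow list
    $alreadyAllowed = @($mbx.ActiveSyncAllowedDeviceIDs)
    $newIds = @($devices | ForEach-Object { $_.DeviceID } | Where-Object { $alreadyAllowed -notcontains $_ })
    if ($newIds.Count -eq 0) { continue }

    # @{Add=...} appends to the MultiValuedProperty instead of overwriting it
    Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs @{Add = $newIds}

    foreach ($d in $devices) {
        if ($newIds -contains $d.DeviceID) {
            $approved += New-Object PSObject -Property @{
                Mailbox    = $mbx.Identity
                DeviceID   = $d.DeviceID
                DeviceType = $d.DeviceType
                LastSync   = $d.LastSuccessSync
            }
        }
    }
}

# Audit trail of what was pre-approved, to review before flipping the default
$approved | Export-Csv -Path $ReportPath -NoTypeInformation
"Pre-approved $($approved.Count) device(s) across $($mailboxes.Count) mailbox(es); report written to $ReportPath"

# Only after reviewing the report:
# Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
```

Review the CSV before running the Set-ActiveSyncOrganizationSettings command from the article. Because these are personal exemptions scoped to one mailbox, a device that later moves to a different user is not pre-approved for that user and will be quarantined on its first sync under the new owner, which is the behaviour you want.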

Preventing New ActiveSync Device Types from Connecting to Exchange Server 2010

Let’s take a look at what happens once these ActiveSync organization settings have been applied. The user Vik Kirby attempts to connect to Exchange ActiveSync with a new Windows Phone 7 device.

Vik receives an email notification that the mobile phone is temporarily blocked. This arrives in the mailbox, accessible via Outlook or OWA, but is also permitted to sync to the mobile device itself (although no other content will sync to the device).


You may notice the custom text string that was specified using the UserMailInsert parameter.


The administrator specified with the AdminMailRecipients parameter also receives a notification email.


Example of Allowing a Quarantined ActiveSync Device

Clicking the link “To perform an action for this device…” opens the Exchange Control Panel to manage the device. This can also be found if you open the Exchange Control Panel and navigate to the Phone & Voice section again.


Choosing Allow and then clicking Save (at the bottom of the window) would permit Vik to use the device. The specific device ID is shown as allowed for Vik’s mailbox, visible using Get-CASMailbox.

[PS] C:\>Get-CASMailbox vik.kirby | select displayname,ActiveSyncAllowedDeviceIDs | fl

DisplayName                : Vik Kirby
ActiveSyncAllowedDeviceIDs : {F04016EDD8F2DD3BD6A9DA5137583C5A}

However, another user with the same type of device will still not be allowed to connect and will be placed in quarantine, because the allowed device ID is a personal exemption scoped to Vik's mailbox only.

If, on reviewing the first quarantined device of a given type, you decide that all matching devices should be allowed to connect for everyone, you can create a device access rule instead of approving devices one by one.

In the Exchange Control Panel, again in Phone & Voice, select the quarantined device and choose “Create a rule for similar devices…”.


The Device Family and Model are pre-populated based on the quarantined device you selected.


Save the policy and any subsequent new mobile device matching those criteria will be treated according to the rule you have configured.
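The same review, approve, and generalize workflow can be driven from the Exchange Management Shell, which is useful when many devices are waiting or when the approval needs to be scripted. The following is an added example and is not code from the original article. It assumes an Exchange 2010 SP1 Management Shell, uses the article's mailbox vik.kirby, selects the quarantined device by display name, and assumes no device access rule for that device type exists yet.

```powershell
# Added example (not from the original article): shell equivalent of the ECP steps above.
# Assumes an Exchange 2010 SP1 Management Shell; "vik.kirby" is the article's mailbox,
# the display-name match and the absence of an existing rule are assumptions.

# 1. Review everything sitting in quarantine, with the reason each device landed there
#    (DeviceAccessStateReason: Global = default access level, Individual = personal exemption,
#    DeviceRule = a device access rule)
$quarantined = @(Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId, DeviceAccessStateReason)
$quarantined | Format-Table -AutoSize

# 2. Approve one specific device for one mailbox only: a personal exemption, the same thing
#    ECP does when you choose Allow and Save. @{Add=...} appends to the existing allow list.
$device = $quarantined | Where-Object { $_.UserDisplayName -like "*Vik Kirby*" } | Select-Object -First 1
if ($device) {
    Set-CASMailbox -Identity "vik.kirby" -ActiveSyncAllowedDeviceIDs @{Add = $device.DeviceId}
    Get-CASMailbox -Identity "vik.kirby" | Select-Object DisplayName, ActiveSyncAllowedDeviceIDs
}

# 3. Allow every device of the same type for all users: the equivalent of
#    "Create a rule for similar devices...". A rule matches on exactly one characteristic
#    (DeviceType, DeviceModel, DeviceOS or UserAgent), so check for a duplicate first.
if ($device) {
    $existingRule = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq "DeviceType" -and $_.QueryString -eq $device.DeviceType }
    if (-not $existingRule) {
        New-ActiveSyncDeviceAccessRule -QueryString $device.DeviceType -Characteristic DeviceType -AccessLevel Allow
    }
}

# 4. Confirm the outcome. Evaluation order is: personal exemption, then device access rule,
#    then DefaultAccessLevel, so a blocked ID on a mailbox wins over an Allow rule.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceType, DeviceAccessState, DeviceAccessStateReason, DeviceAccessControlRule |
    Format-Table -AutoSize
```

The access state shown in step 4 is recomputed when each device next attempts to sync, so a device approved a moment ago may still report Quarantined until it checks in again. Use -AccessLevel Block rather than Allow in step 3 to turn the same information into an organization-wide block for a device type you have decided against.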

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Wouter

    Is there a way to let an end users allow their own device? (just for themselves)
    (Exchange 2016/2019 onpremise)

  2. bryan changaris

    We are migrating from exchange 2010 to exchange 2016.
    when we had to add a phone we would receive a email with a link :

    To perform an action for this device, go to the following page in the Exchange Control Panel:
    https://getmymail.trinitas.org/ecp/UsersGroups/EditEASMailbox.aspx?id=cbec20e2-8d68-44
    NOW : NO LINK
    To perform an action for this device, select the device from among the quarantined devices displayed on the ActiveSync Access tab in the Exchange Control Panel. <== NOLINK

    How do we get the link back .. it is very inconvenient to have to open up ecp to allow the users phone… Please help .. I cant find my answer anywhere……….

  3. Subhash

    Dear Paul,

    As of now we have default policies for Exchange ActiveSync Access Settings, however if I configure to quarantine devices, would this impact my existing users as well? I mean users who are already configured mailbox access through mobile.

    IF yes , then is there any way out to put exception for those users.

    1. Joe Mallen

      I would like to know the answer to the same question. How do we apply this setting without affecting existing users? I turned it on, but it immediately blocked access to all my devices including mine.

  4. Jackson Philips

    Hi Paul,

    I really need some help to save one of my team members.
    We got our Exchange admin accusing the Service Desk person of running a script “Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Allow” , but this Service Desk person does not do anything on Powershell and all his tasks are done via the Exchange GUI.
    There was a request on that day to authorize a Mobile Phone to access emails.

    Is there any way where we can find out what exactly happened ?
    Can working on the GUI cause the script to execute in error ?

  5. Andy

    Hello Paul, can you tell me why a device would appear as unknown in the status as opposed to Quarantined? we have a small number of devices exhibiting this behavior and do not have the option to Allow/Block.
    Thanks

  6. Javier

    Hi Paul,

    It is possible to prevent end users to get that email “Your Mobile Device is temporarily blocked” you mentioned we can edit the text but I was wondering a way to not send this email to end users?

      1. Joerg Renggli

        I never tried it, but what about an Exchange transport rule to catch and remove those mails?

  7. Frank

    At our organization, we have about 15 people who can authorize devices (by choosing “Allow” then “Save”).

    Days later, we see a device that should NOT have been Allowed. We want to track down which administrator authorized the device. Is there a way to view this info in the ECP (or anywhere else)?

  8. Heidi

    I accidentally blocked a user and I need to allow them. How do I unblock them?

  9. Nankumba Joanna

    This has been helpful Paul. My Server is now fully protected

  10. Tom

    Is it possible to prevent user from getting the email notification “Your mobile phone is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.” when his/her device is quarantined?

  11. Shabber Shaik

    Hi can anybody let me know, How to know who enabled or disabled ActiveSync and OWA features to the user in Exchange 2010.

  12. Adnan Siddiqui

    One more thing I would like to add is in Exchange I have not configured anything for Active Sync and it is all Allowed. From Mobile Iron it is not blocking or quarantine any device. We don’t have the Mobile iron server – we are only using the Core system to install mobile iron on the client device and manage emails of our company. We can only Retire and wipe our users phone via mobile iron but we don’t have any blocking from mobile iron.

    1. Paul Cunningham

      I’m not at all familiar with that way of using MobileIron. If you’re not using a MobileIron server, and clients hit Exchange directly for ActiveSync, then yes you’ll need to use the ActiveSync controls in Exchange to manage who can and can’t access it.

      1. Adnan Siddiqui

        Perfect! Thank you so much Paul for your reply and I am very much pleased to see your quick response to my issue. It’s an honor to get some knowledge from you. You are the BEST! I am going to download the Active Sync guide of yours to have some more understanding on this feature. Just wanted to know if you are come up with any guidance about Exchange 2016 in future – please let us know.

        Thank you once again for your help and support.

        1. Adnan Siddiqui

          One more thing – in your early comments you said that you can add the existing device ID in allow list which eliminate the impact on that users once we turn on the Quarantine option. Do we have to add one by one through CAS MAILBOX command or can we do it via console?

  13. Adnan Siddiqui

    Hello Paul,
    I believe that you are amazing and a very helpful guider for exchange admins. I have a question, we have a MobileIron in place for our mobile devices and we are looking forward to block our Active Sync via exchange – I see the script but in assumptions it says no MDM in place. What can we do to in place exchange active sync with third party MDM and not interrupting existing users when we enable the policy.
    Thank you

    1. Paul Cunningham

      MobileIron relies on ActiveSync, so if you try to block ActiveSync at the Exchange level you’re likely to disrupt MobileIron users.

      The short answer is, your ActiveSync service should not be externally accessible. It should only be accessible by the MobileIron servers.

      1. Adnan Siddiqui

        Thank you for your reply Paul. It means that we should configure Active Sync in Mobile iron not in Exchange? If we enable Quarantine in Exchange it will disrupt existing users correct?
        Thank you

  14. Chris Cheung

    Dear Paul,

    I would like to setup “IF the user associate a new mobile device (provided that the default policy is not quarantine), then send a email to the corresponding user”?

    How can I accomplish it? many thanks.

    1. Paul Cunningham

      You’d need to write a custom script and have it poll for new mobile device associations and send the email notifications.

  15. Andy

    Good day Paul,
    we have seen that user devices moving from one user to another (e.g. if someone leaves the company) and there has been no cleanup… So if the “new” user has this device in its block list and the old user has the device in the allowed list, the new user is able to connect.
    My question would be: What is the leading Attribute to see if a user (better the device) is allowed to connect?
    (Exchange 2013).

    best regards,
    Andy

    1. Paul Cunningham

      That doesn’t sound right to me. If the new user has that specific device ID in their blocked list (viewed in Get-CASMailbox) then they shouldn’t be able to connect with it, even if someone else could.

      1. Andy

        Hi Paul,
        that’s the point. I understand it exactly as you do: It should be blocked for the user which has this DeviceID in its blocked list.
        But we saw that while testing and a guy from our Exchange Usergroup confirmed it.

        best regards,
        Andy

        1. Paul Cunningham

          You can send me the full output of Get-CASMailbox for the users, and Get-MobileDevice for the users, and can take a look. Send it to paul at this domain.

  16. CB

    Paul we used to get the https link included in the email to approve the device ….it is no longer showing up?
    Do you know how to fix this?
    Thanks

      1. CB

        The Exchange ActiveSync service has quarantined the mobile phone listed below. It won’t be able to synchronize Exchange content until you take action.

        To perform an action for this device, go to the following page in the Exchange Control Panel:

        >>>> this is the link we used to get in email alerts about quarantined devices <<<< https://domainname.com/ecp/UsersGroups/EditEASMailbox.aspx?id=75bd258f-06e6-437f-a48e-bb62b571fda0

        Information about the device that triggered this notice:
        User:
        user@domain.com
        Device model:
        MotoMilestoneX45
        Device type:
        MotoMilestoneX45
        Device ID:
        4130303030303243324232363041
        Device OS:

        Device user agent:
        Moto-Milestone X/4.5.1
        Device phone number:

        Device IMEI:

        Exchange ActiveSync version:
        12.1
        Device policy applied:
        Legacy MotoBlur
        Device policies status:
        PartiallyApplied
        Device access state:
        Quarantined
        Device access state reason:
        Global
        Device access control rule:

        Any Ideas?

        1. CB

          hmmm been awaiting moderation since Jan 14? Did I get lost?

  17. Jorn

    Hi..
    Can this message be changed from default?

    The Exchange ActiveSync service has quarantined the mobile phone listed below. It won’t be able to synchronize Exchange content until you take action”

    to something that you find more related to your organization?
    I know that you can add text, but I would like to change this as well

      1. Jorn

        Thanks for answer

  18. Z

    Hi Paul,
    Is there a way you can restrict only “outlook” email client from connecting to the server using activesync ?
    So forcing device to only connect via outlook and not any other native client or installed app mail client.
    Thanks.

  19. Fred Laidman

    Great, thanks a lot for your help.

  20. Fred Laidman

    Hi Paul,

    Just came across your article when searching for information, Although it’s an old posting I hope you get the chance to provide some suggestions. Our scenario is similar to some already mentioned here, we’ve implemented ActiveSync with about 350 devices already using it. We need to enable quarantine so we can control new device registration, how do we achieve this without impacting existing users who have similar device types? This is not only for new device types, as existing user might already have them. This would be for any user trying to use any type of ActiveSync capable device, to configure access to email and calendaring. I couldn’t find any info for this specific scenario, I’m hoping you can provide some suggestions. Thank you.

    1. Paul Cunningham

      Do you want to pre-approve all current devices for individuals? Or pre-approve certain device types from being quarantined?

      1. Fred Laidman

        The ideal end result would be for us to be able to use the quarantine functionality to approve any new device registrations, regardless of the device type. Right now we can’t implement quarantine on specific devices, without impacting existing users. I suppose pre-approving all current devices for individual might have to be done, in order to implement quarantine; however our concern is to prevent any impact on those existing users, this would need to be transparent to the them including any notification of their device being blocked. Is there a way that you know of that can allow us to achieve this? Thank you.

  21. Dev Pradhan

    Hello,

    Is it possible to set up a rule/policy where every device/user requires administrator approval before they can be used to connect to the Exchange server.
    We have noticed that our users configure their accounts on any device one the they know the configuration settings and we don’t want that to happen.

    1. Paul Cunningham

      Yes, set the default access level to Quarantine. The article above shows how to manage the default access level.

  22. Svetoslav Nanchev

    Hi Paul,

    With quarantine policy enabled for the whole organization can it be achieved for some users all new devices to automaticaly be aproved/allowed?
    I want to restrict EAS for part of the company. The other part should be able to use it on all devices.

    Thank you!
    Slav.

  23. Kevin O'Brien

    Hi Paul,

    In setting up a new device access rule for Exchange 2010, is this rule set for the entire organization? What I mean is, we have 3 sites – us.company.com, asia.company.com, Europe.company.com. If I launch ECP for US.company.com and create an access rule, does the rule only apply to US or am I setting it for the entire organization, all three sites?

    Thank you!
    Kevin

      1. Kevin O'Brien

        Thanks for the info Paul!

        -Kevin

  24. Ryan

    Really enjoyed this write-up.

    Is there anyway to stop the notification emails to the User?

    1. Paul Cunningham

      You could probably block the messages with a Transport rule if you configure one that looks for some of the text strings in the notification email.

      1. Spencer E

        Is that the only way to stop the notification?

  25. Ken M

    Paul, is it possible to PRE-Allow existing devices so that when we turn on the Quarantine mode they do not receive a notice?

    1. Paul Cunningham

      Yes, if you know the device ID you can add it to the allowed device IDs for a mailbox by using Set-CASMailbox. For iPhones the device ID can be found in the OS and I think it is also on the packaging, it is displayed as the serial number but the device ID that it appears as in Exchange has some characters prepended, “Appl”.

      For other devices like Android and WinPho I don’t know exactly where to find the device ID/serial in advance.

  26. Lars

    Hi Paul,

    many thanks for the great article. Do I need a Standard or an Enterprise CAL?

    Best regards
    Lars

  27. Joerg Renggli

    Hi Paul,

    Is it possible to create a ActiveSyncDeviceAccessRule that queries the “Device ID” and set it to “Allow”, without a mailbox bound to it?

    We have about 40 “lending” ipads in our company and would like to allow these on a Devise base.

    Thank you
    Joerg

    1. Paul Cunningham

      No. Device access rules can be created based on one of four characteristics – DeviceType, DeviceModel, DeviceOS, UserAgent.

  28. Kevin O'Brien

    Hi Paul,

    Is it possible to manage a device with ActiveSync policies but block the device from having email access?

    thank you,
    Kevin

    1. Paul Cunningham

      Nobody has ever asked me that before.

      I’ve looked at what is available in ActiveSync policies and I don’t see anything that would fit that scenario.

      Why do you want to manage the device if it isn’t going to get email?

      1. Kevin O'Brien

        Hi Paul,

        I have never been asked that before either. This is for a client. Some of their people have company iPad’s but don’t use email on them. The boss asked him if it was possible so I am not sure what the reasoning is. I am only assuming that they want the ability to remote wipe. Not sure what other reason you would have for this request. I found this article by Paul Robichaux about blocking devices:

        http://windowsitpro.com/exchange-server-2010/managing-exchange-activesync-device-access

        I tested it out by setting up my iPhone for email, and then running these commands to block the device. Email was blocked at the phone and the phone was still associated with my account. I am not about to wipe out my iPhone but it looks like this may work. I sent the info over to the client so they can play with it. Not sure I’ll ever see this kind of request again.

        Thanks!
        Kevin

        1. Drew McNichol

          Hi Paul, I’ve read your posts with great interest. We have an immediate need to allow Calendar, Contacts and Tasks to sync but not Mail. We want to use the ZixOne app as the only way to access email. However, the ZixOne app’s Calendar, Contacts and Tasks features are not as robust. I’m grateful for any assistance you can provide.

  29. Carol Ostos

    Is it possible to enable quarantine policy for a domain (limited scope) as opposed to enable this at the organization level?

    1. Paul Cunningham

      No. For that type of granularity I’d say look at third party MDM solutions.

      1. Carol Ostos

        We are looking at Good for Enterprise but I have been asked to research about implementing quarantine devices for ActiveSync. Seems like you have to be careful if enabling this once ActiveSync is already used in Production. I hope to convince Senior Management that MDM is a more robust solution than ActiveSync. Wish me luck!

        1. Abdelaziz

          We already have Active Sync in production, and users are already using it on the their devices. we want to enable quarantine for new devices , what will happen for the already added devices? are they going to be quarantined ? if yes how can we exclude them from being quarantined?

  30. Steven

    Hi Paul,

    I have also setup Exchange 2013 to Always quarantine mobile devices, So that I can manage who is allowed to connect.
    Since this configuration change , I see
    – Mobile Mailbox Settings
    – EASProbeDeviceType
    also being quarantined.
    Can you explain something more about those 2 ‘devices’
    Thank You !
    Regards, Steven

  31. Anil

    Hi Paul,

    In our organization the default access level is Quarantine

    How to achieve the below requirement

    “All devices in the quarantined list for more than a month should be purged from the list”

  32. Stef Bearne

    I had implemented this a few months ago at the request of HR. The policy was required so that only an exempt employee should be granted access, rather than by device type. Once the policy was applied, all existing devices were quarantined too. Is there a way to grandfather in existing users (Exch 2003 Mobile Admin tools had an exclusion list)? It wasn’t a big problem as I had communicated the change prior, but it would have been nice to circumvent approving previously connected devices.

    1. varandian

      @Stef Bearne, were you able to find a solution to grandfathering the existing users?

        1. varandian

          Thanks Paul!

          I was almost done with a similar script but was missing the piece about putting the Device IDs into an array.

  33. Turbomcp

    Thanks paul
    always interesting stuff
