Controlling Exchange Active Sync Device access

October 19th, 2010 | Exchange | 2017-12-01T17:18:13+00:00

Many of my customers use Exchange ActiveSync (EAS) to give users access to their mailboxes while they are on the move; as someone who is field based, I find it invaluable. Alongside this, device policies are generally implemented to enforce a PIN code, encrypt the data on the device and so on.

The main issue with the above is that, generally, any user with an Exchange account can use EAS to connect to their mailbox. This may or may not be a problem depending on your organisation: for example, if you require encryption to be used on the mobile device and a user connects a device that claims to support encryption but does not (no prizes for pointing out which manufacturer fell foul of this), then you potentially have sensitive data on an easily lost mobile device.

We have a number of options to control EAS access. Firstly, if you are using a reverse proxy such as TMG and you are pre-authenticating your users at TMG, you can restrict access based on Windows group membership, only allowing those users who have been issued with corporate mobile devices. That is a good start; however, it does not stop a user who has been granted access from connecting any device they like. To get device-based control you need to break out Exchange PowerShell and use the Set-CASMailbox, Set-ActiveSyncOrganizationSettings and New-ActiveSyncDeviceAccessRule cmdlets.

In this scenario I am going to change the default settings for the organisation to quarantine any new EAS device and notify the administrator, and then create specific rules for users who require EAS access (much as you would configure a firewall: start with no access and then grant it as required).


Firstly, to set the organisation policy to quarantine new devices and notify my two administrators, Bob and Dave:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients bob@risual.com, dave@risual.com

Now when users connect to their mailbox using EAS they will not be permitted to synchronise; they will also receive an email from Exchange with the following subject:

“Your mobile phone is temporarily blocked from synchronizing with the server while permission to access is being verified.”

Our two administrators will also receive an email, with the following subject:

“The mobile phone that belongs to domain\user has been quarantined. Synchronization with the server via Exchange ActiveSync is blocked until you take action.”

The body of this email lists the device ID of the EAS device that is trying to connect. To allow our user to connect with that device, the Set-CASMailbox cmdlet should be used:

Set-CASMailbox -Identity user@domain.com -ActiveSyncAllowedDeviceIDs <deviceid from admin email>

Our user’s device will then be allowed to synchronise with Exchange and all will be well. This is fine, except that if you have thousands of users with devices it quickly becomes very tedious for the administrator. Another solution is to allow access based on the device model and/or device type (your organisation probably issues largely the same devices to all users). This is achieved using the New-ActiveSyncDeviceAccessRule cmdlet to allow your specific devices. There are several ways to find out what your device model and type are: the body of the email sent to a user informing them that their device cannot connect contains this information, and another way is to use Get-ActiveSyncDeviceStatistics:


[PS] C:\Windows\system32>Get-ActiveSyncDeviceStatistics -Mailbox rob

RunspaceId                    : b30b569e-eee9-49a8-ac08-1a4a5ce3cc27
FirstSyncTime                 : 21/04/2010 08:58:08
LastPolicyUpdateTime          : 16/10/2010 18:12:05
LastSyncAttemptTime           : 19/10/2010 06:21:51
LastSuccessSync               : 19/10/2010 06:21:54
DeviceType                    : iPhone
DeviceID                      : Appl80917E29Y7H
DeviceUserAgent               : Apple-iPhone/704.11
DeviceWipeSentTime            :
DeviceWipeRequestTime         :
DeviceWipeAckTime             :
LastPingHeartbeat             : 600
RecoveryPassword              : ********
DeviceModel                   : iPhone
DeviceImei                    :
DeviceFriendlyName            :
DeviceOS                      :
DeviceOSLanguage              :
DevicePhoneNumber             :
MailboxLogReport              :
DeviceEnableOutboundSMS       : False
DeviceMobileOperator          :
Identity                      : robsdesk.com/Users/Rob Broughall/ExchangeActiveSyncDevices/iPhone§Appl80917E29Y7H
Guid                          : 48da4aee-6297-42e4-a0e0-55df40f7782a
IsRemoteWipeSupported         : True
Status                        : DeviceOk
StatusNote                    :
DeviceAccessState             : Allowed
DeviceAccessStateReason       : Global
DeviceAccessControlRule       :
DevicePolicyApplied           : Default
DevicePolicyApplicationStatus : AppliedInFull
LastDeviceWipeRequestor       :
DeviceActiveSyncVersion       : 14.0
NumberOfFoldersSynced         : 8
SyncStateUpgradeTime          :

As you can see, in this example I have an iPhone connected to my lab mailbox. The two fields we are interested in are DeviceModel and DeviceType. You may also have noticed the DeviceID field; this is the same value used in my earlier example with Set-CASMailbox. Another way of viewing the information is to use the Phone tab within ECP, where you can drill down and view some of the information returned by the above cmdlet:


So to allow our device globally we use the New-ActiveSyncDeviceAccessRule cmdlet:


New-ActiveSyncDeviceAccessRule -QueryString iPhone -Characteristic DeviceModel -AccessLevel Allow

This will create a rule allowing any device that reports its DeviceModel as ‘iPhone’ to connect to Exchange using EAS.
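The whole procedure above (inventory, allow rules, quarantine default, review, per-user exception) as one added worked script; this is my example, not code from the original post. It assumes an Exchange 2010 SP1 management shell, and the approved model list and administrator addresses are placeholders.

```powershell
# Added example (not from the original post): "deny by default, allow approved models" for EAS.
# Assumes the Exchange 2010 SP1 management shell; model list and admin addresses are placeholders.

# 1. Inventory what is already syncing, so the allow rules cover the corporate estate before the
#    organisation default changes. DeviceType/DeviceModel are whatever the client reports about itself.
$inventory = Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity -ErrorAction SilentlyContinue } |
    Group-Object DeviceType, DeviceModel |
    Select-Object Count, Name
$inventory | Sort-Object Count -Descending | Format-Table -AutoSize

# 2. Allow only the models the organisation issues. Each rule is one (Characteristic, QueryString)
#    pair; a device matching no rule falls through to the organisation default set in step 3.
$approvedModels = @('iPhone')   # placeholder: the models you actually issue
foreach ($model in $approvedModels) {
    $existing = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $model }
    if (-not $existing) {
        New-ActiveSyncDeviceAccessRule -QueryString $model -Characteristic DeviceModel -AccessLevel Allow
    }
}

# 3. Quarantine everything else and notify the administrators (placeholder addresses).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients bob@example.com, dave@example.com

# 4. Review the quarantine. DeviceAccessStateReason shows whether a rule, the global default or a
#    per-mailbox entry made the decision, which is what to check when a corporate device is stuck.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, DeviceAccessStateReason |
    Format-Table -AutoSize

# 5. Per-user exception by DeviceID (the value from the admin email). @{Add=...} appends to the
#    mailbox's allowed list; passing a bare value would replace any IDs already allowed on it.
function Grant-EasDevice {
    param([string]$Mailbox, [string]$DeviceId)
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}
}
# Grant-EasDevice -Mailbox 'user@domain.com' -DeviceId 'Appl80917E29Y7H'
```

DeviceModel and DeviceType are self-reported by the client, so a model-based allow rule is a policy and inventory control rather than device authentication; keep the group-based pre-authentication and device policies described above in place alongside it.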

Rob