
An overview of the Exchange 2010 ActiveSync Quarantine feature

As the mobile workforce continues to grow, it's important to control which devices connect to Exchange Server via ActiveSync. The Exchange 2010 ActiveSync Quarantine feature helps track new devices, but if implemented, may cause problems for previously allowed connections. Read all the ins and outs of the underused -- yet extremely helpful -- feature in this tip.

It's pretty easy to configure a device to communicate with Exchange via ActiveSync. If Exchange AutoDiscover is working properly, the user only needs his email address and credentials. Even if you don't use Exchange AutoDiscover, most reasonably savvy users can work out the details based on their OWA or Outlook Anywhere configuration.

My point is that as users purchase smart phones and tablets for home use, many find it easy -- maybe too easy -- to hook their devices into your Exchange server and start downloading company information.

In Exchange 2010 and Exchange 2013, you can use the ActiveSync Quarantine feature to control which new devices connect to Exchange.

The ActiveSync Quarantine workflow

Figure 1: An overview of the ActiveSync Quarantine process

Before implementing any Exchange feature, it's important to understand how it impacts end users. To do so, test this feature in a lab environment so you can get some real experience. You also have the option to test the ActiveSync Quarantine feature using an Office 365 trial subscription.

Figure 2: After enabling Exchange 2010 ActiveSync Quarantine, users will receive a message stating they cannot connect.

Let's take a quick look at how Exchange 2010's ActiveSync Quarantine works in a practical sense. Figure 1 illustrates the ActiveSync Quarantine feature's workflow.

Figure 3: Use the Exchange Control Panel to allow or reject a new mobile device connection.

Once ActiveSync Quarantine is enabled, users will receive a message similar to the one seen in Figure 2 if they attempt to connect a device to Exchange ActiveSync.

At this point, the device will also display in your Exchange Control Panel's Quarantined Devices section. You will also receive an email stating that a new device has attempted to connect. Open the Exchange Control Panel (ECP) and you'll see the device. From the ECP, you can choose to approve or reject the device (Figure 3).

If you choose to approve the device, the user will begin synchronizing with Exchange Server. Behind the scenes, the device ID is always recorded against the user as an authorized device.

Figure 4: You can easily show the ActiveSync device ID for an authorized device

Note: If you look at the user's mailbox using the Get-CASMailbox cmdlet, you can see that there is a field to store an array -- or list -- of authorized devices (Figure 4).

Pre-approving existing ActiveSync devices

Many admins already allow numerous Exchange 2010 users to connect, but may want to enable ActiveSync Quarantine. While this is possible, there is a caveat.

Even though the devices are already connected, they will be unapproved by default after you turn ActiveSync Quarantine on. You must then go through the same approval process as new devices. Fortunately, there is a workaround.

Using some PowerShell code, you can pre-approve devices, thus allowing you to effectively draw a line in the sand and only enable the feature for new user devices.

To begin, you must search your environment for existing devices. To collect the list of ActiveSync devices, enter the following set of cmdlets into the Exchange Management Shell (EMS):

Get-CASMailbox -Filter {hasactivesyncdevicepartnership -eq $true -and -not displayname -like "CAS_{*"} -ResultSize Unlimited;

Next, take those results and add the approved devices to each user. For an individual user, the code looks similar to the following:

$DeviceIDs = @()
Get-ActiveSyncDeviceStatistics -Mailbox "Steve Goodman" | %{ $DeviceIDs += $_.DeviceID }
Set-CasMailbox "Steve Goodman" -ActiveSyncAllowedDeviceIDs $DeviceIDs

Using the EMS, you can automate the process into a small script that will find and approve multiple devices. The script below searches for all users with an ActiveSync device, then adds the device to that individual user's approval list:

Note: Test this script before placing it in your production environment.

# Retrieve mailboxes of users who have a connected ActiveSync device
$CASMailboxes = Get-CASMailbox -Filter {hasactivesyncdevicepartnership -eq $true -and -not displayname -like "CAS_{*"} -ResultSize Unlimited;
# Approve each device
foreach ($CASMailbox in $CASMailboxes)
{
    # Array to store devices; start with any IDs already approved on the mailbox so they are not overwritten
    $DeviceIDs = @($CASMailbox.ActiveSyncAllowedDeviceIDs | Where-Object { $_ });
    # Retrieve the ActiveSync device statistics for the associated user mailbox
    [array]$ActiveSyncDeviceStatistics = Get-ActiveSyncDeviceStatistics -Mailbox $CASMailbox.Identity;
    # Add the ID of each ActiveSync device, skipping any that are already in the list
    foreach ($Device in $ActiveSyncDeviceStatistics)
    {
        if ($DeviceIDs -notcontains $Device.DeviceID) { $DeviceIDs += $Device.DeviceID }
    }
    # Only write the list back when there is something to approve; an empty array would clear existing approvals
    if ($DeviceIDs.Count -gt 0)
    {
        Set-CasMailbox $CASMailbox.Identity -ActiveSyncAllowedDeviceIDs $DeviceIDs
    }

    # Display useful output that can be piped to Export-CSV or just shown as the script runs
    $Output = New-Object Object
    $Output | Add-Member NoteProperty DisplayName $CASMailbox.DisplayName
    $Output | Add-Member NoteProperty AllowedDeviceIDs $DeviceIDs
    $Output
}
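Before switching quarantine on, it is worth confirming that the pre-approval actually covered every device that currently syncs. The check below is an added example, not part of the original tip: it reads the same partnership data as the script above and lists any device whose ID is missing from its owner's ActiveSyncAllowedDeviceIDs list, so a non-empty result means those users would be cut off when the feature is enabled.

```powershell
# Added example: list ActiveSync devices that are still NOT on their owner's
# ActiveSyncAllowedDeviceIDs list. Run in the Exchange Management Shell.
$CASMailboxes = Get-CASMailbox -Filter {HasActiveSyncDevicePartnership -eq $true -and -not DisplayName -like "CAS_{*"} -ResultSize Unlimited

$Unapproved = foreach ($CASMailbox in $CASMailboxes) {
    # Allowed IDs already stored on the mailbox (the field shown in Figure 4); may be empty
    $Allowed = @($CASMailbox.ActiveSyncAllowedDeviceIDs | Where-Object { $_ })

    foreach ($Device in @(Get-ActiveSyncDeviceStatistics -Mailbox $CASMailbox.Identity)) {
        if ($Allowed -notcontains $Device.DeviceID) {
            New-Object PSObject -Property @{
                DisplayName     = $CASMailbox.DisplayName
                DeviceID        = $Device.DeviceID
                DeviceType      = $Device.DeviceType
                LastSyncAttempt = $Device.LastSyncAttemptTime
            }
        }
    }
}

if ($Unapproved) {
    "$(@($Unapproved).Count) device(s) would be quarantined once the feature is enabled:"
    $Unapproved | Sort-Object DisplayName |
        Format-Table DisplayName, DeviceType, DeviceID, LastSyncAttempt -AutoSize
} else {
    "All connected ActiveSync devices are already on their owner's allowed list."
}
```

Re-run the pre-approval script for any user listed, then run this check again until it comes back clean.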

Enabling ActiveSync Quarantine features

Figure 5: Editing ActiveSync Quarantine Settings

After approving the devices, the final step is to enable the quarantine features.

Figure 6: Select your ActiveSync Quarantine options.

Log into the ECP and navigate to Phone & Voice -> ActiveSync Access. Click Edit and you'll find the available Quarantine options (Figure 5).

Make sure to examine the options available, which include setting the notification email address, as well as any custom message you would like end users to see when attempting to add a new device (Figure 6).

Click Save to enable the Exchange 2010 ActiveSync Quarantine.

From this point onwards, new ActiveSync devices connecting to Exchange 2010 will be quarantined until they are approved. Existing Exchange ActiveSync devices will continue to access Exchange as normal.
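The same settings can be applied from the EMS, which is handy for scripting a lab and for confirming afterwards what the organization is actually set to. The block below is an added example rather than code from the original tip; the notification address and user message are placeholders, and the final report uses Get-ActiveSyncDevice to show what is waiting for a decision.

```powershell
# Added example: enable quarantine from the EMS (equivalent of Figures 5 and 6)
# and then report what is currently sitting in quarantine. Placeholder values below.
$NotifyAddress = "exchange-admins@example.com"   # placeholder: where new-device alerts go
$UserMessage   = "Your device is awaiting approval by IT. You will be notified when access is granted."

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $NotifyAddress `
    -UserMailInsert $UserMessage

# Confirm the setting took effect before telling users anything
$Settings = Get-ActiveSyncOrganizationSettings
if ($Settings.DefaultAccessLevel -ne "Quarantine") {
    throw "Expected DefaultAccessLevel Quarantine, found $($Settings.DefaultAccessLevel)"
}

# Report devices waiting for a decision: who, what, and when they first tried.
# DeviceAccessStateReason explains why (Global = caught by the default access level).
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceID,
                  DeviceAccessStateReason, FirstSyncTime |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize
```

Scheduling the report part alongside the notification email gives a second, independent record of new device attempts, which is useful when the notification mailbox is shared or filtered.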

About the author
Steve Goodman is an Exchange MVP and works as a technical architect for one of the UK's leading Microsoft Gold partners, Phoenix IT Group. Goodman has worked in the IT industry for 14 years and has worked extensively with Microsoft Exchange since version 5.5.

This was first published in January 2013
