An overview of the Exchange 2010 ActiveSync Quarantine feature

Underused but important, the Exchange 2010 ActiveSync Quarantine feature helps restrict which devices connect to Exchange. Here's what you need to know.

As the mobile workforce continues to grow, it's important to control which devices connect to Exchange Server via ActiveSync. The Exchange 2010 ActiveSync Quarantine feature helps track new devices, but if implemented without preparation, it may interrupt previously allowed connections. Read all the ins and outs of the underused -- yet extremely helpful -- feature in this tip.

It's pretty easy to configure a device to communicate with Exchange via ActiveSync. If Exchange AutoDiscover is working properly, the user only needs their email address and credentials. Even if you don't use Exchange AutoDiscover, most reasonably savvy users can work out the details based on their OWA or Outlook Anywhere configuration.

My point is that as users purchase smart phones and tablets for home use, many find it easy -- maybe too easy -- to hook their devices into your Exchange server and start downloading company information.

In Exchange 2010 and Exchange 2013, you can use the ActiveSync Quarantine feature to control which new devices connect to Exchange.

The ActiveSync Quarantine workflow

Figure 1: An overview of the ActiveSync Quarantine process

Before implementing any Exchange feature, it's important to understand how it impacts end users. To do so, test this feature in a lab environment so you can get some real experience. You also have the option to test the ActiveSync Quarantine feature using an Office 365 trial subscription.

Figure 2: After enabling Exchange 2010 ActiveSync Quarantine, users will receive a message stating they cannot connect.

Let's take a quick look at how Exchange 2010's ActiveSync Quarantine works in a practical sense. Figure 1 illustrates the ActiveSync Quarantine feature's workflow.

Figure 3: Use the Exchange Control Panel to allow or reject a new mobile device connection.

Once ActiveSync Quarantine is enabled, users will receive a message similar to the one seen in Figure 2 if they attempt to connect a device to Exchange ActiveSync.

At this point, the device also appears in the Quarantined Devices section of the Exchange Control Panel (ECP), and the notification address you configure receives an email stating that a new device has attempted to connect. From the ECP, you can choose to approve or reject the device (Figure 3).

If you choose to approve the device, the user will begin synchronizing with Exchange Server. Behind the scenes, approval records the device ID against the user's mailbox as an authorized device. Keep in mind that the device ID is a value the client itself supplies in its ActiveSync requests, so this list governs which enrolments you have accepted; it is not strong proof of a device's identity, and the user's credentials remain the actual authentication.

Figure 4: You can easily show the ActiveSync device ID for an authorized device

Note: If you look at the user's mailbox using the Get-CASMailbox cmdlet, you can see that the ActiveSyncAllowedDeviceIDs property stores an array -- or list -- of authorized device IDs (Figure 4).
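The approval and rejection the ECP performs can also be done from the Exchange Management Shell. The following is an added example, not code from the article: the mailbox name and device ID are placeholders, the quarantine filter is applied client-side with Where-Object so it does not depend on server-side filterability of DeviceAccessState, and the block-list update uses the standard @{Add=...} syntax for multi-valued Exchange properties.

```powershell
# Added example: list quarantined partnerships, then approve or block one by its device ID.
# "Steve Goodman" and the device ID below are placeholders.
$Mailbox  = "Steve Goodman"
$DeviceID = "ApplDN6FL4XXXXXX"   # placeholder; take the real value from Get-ActiveSyncDevice

# Every partnership currently held in quarantine, with the mailbox it belongs to
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel, DeviceAccessStateReason

# The per-mailbox allow and block lists as they stand now
Get-CASMailbox -Identity $Mailbox |
    Select-Object ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# Approve: append the ID to the existing allow list rather than overwriting it
$Allowed = @((Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs)
if ($Allowed -notcontains $DeviceID) { $Allowed += $DeviceID }
Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $Allowed

# Reject instead: @{Add=...} adds the ID without clobbering other block-list entries
# Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{Add=$DeviceID}

# Verify the result from the device's point of view
Get-ActiveSyncDevice -Mailbox $Mailbox |
    Select-Object DeviceId, DeviceAccessState, DeviceAccessStateReason
```

Reading the existing list back before writing it matters: passing a single ID to -ActiveSyncAllowedDeviceIDs replaces the whole list, which would silently de-authorize the user's other devices.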

Pre-approving existing ActiveSync devices

Many admins already allow numerous Exchange 2010 users to connect, but may want to enable ActiveSync Quarantine. While this is possible, there is a caveat.

Even though the devices are already connected, they will be unapproved by default after you turn ActiveSync Quarantine on. You must then go through the same approval process as new devices. Fortunately, there is a workaround.

Using some PowerShell code, you can pre-approve devices, thus allowing you to effectively draw a line in the sand and only enable the feature for new user devices.

To begin, you must search your environment for existing devices. To collect the list of mailboxes with an ActiveSync device partnership (excluding the CAS_{...} test mailboxes), enter the following cmdlet into the Exchange Management Shell (EMS):

Get-CASMailbox -Filter {HasActiveSyncDevicePartnership -eq $true -and (DisplayName -notlike "CAS_{*")} -ResultSize Unlimited

Next, take those results and add the approved devices to each user. For an individual user, the code looks similar to the following (the array must be initialized before device IDs are appended to it):

$DeviceIDs = @()
Get-ActiveSyncDeviceStatistics -Mailbox "Steve Goodman" | ForEach-Object { $DeviceIDs += $_.DeviceID }
Set-CASMailbox -Identity "Steve Goodman" -ActiveSyncAllowedDeviceIDs $DeviceIDs

Using the EMS, you can automate the process into a small script that will find and approve multiple devices. The script below searches for all users with an ActiveSync device, then adds the device to that individual user's approval list:

Note: Test this script before placing it in your production environment.

# Retrieve mailboxes of users who have a connected ActiveSync device,
# skipping the CAS_{...} test mailboxes
$CASMailboxes = Get-CASMailbox -Filter {HasActiveSyncDevicePartnership -eq $true -and (DisplayName -notlike "CAS_{*")} -ResultSize Unlimited

# Approve each device
foreach ($CASMailbox in $CASMailboxes) {
	# Array to store this user's device IDs
	$DeviceIDs = @()
	# Retrieve the ActiveSync device statistics for the associated user mailbox
	[array]$ActiveSyncDeviceStatistics = Get-ActiveSyncDeviceStatistics -Mailbox $CASMailbox.Identity
	# Collect the ID of each partnered device
	foreach ($Device in $ActiveSyncDeviceStatistics) {
		$DeviceIDs += $Device.DeviceID
	}
	# Remove duplicate IDs; a repeated ID in the list makes Set-CASMailbox fail
	$DeviceIDs = @($DeviceIDs | Sort-Object -Unique)
	# Write the list back to the mailbox, passing the identity rather than the whole object
	Set-CASMailbox -Identity $CASMailbox.Identity -ActiveSyncAllowedDeviceIDs $DeviceIDs
	# Emit one record per mailbox so the script's output can be piped to Export-Csv
	$Output = New-Object PSObject
	$Output | Add-Member NoteProperty DisplayName $CASMailbox.DisplayName
	$Output | Add-Member NoteProperty AllowedDeviceIDs ($DeviceIDs -join ";")
	$Output
}
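Before flipping the organization-wide switch, a practitioner wants to know exactly which existing partnerships are still missing from an allow list, because those are the devices that will stop syncing. The following pre-flight check is an added example, not part of the article: it reads each mailbox's allow and block lists, compares them with the device IDs reported by Get-ActiveSyncDevice, and reports anything that is not already allowed. It assumes a block-list entry takes precedence over an allow-list entry, and the CSV path is a placeholder.

```powershell
# Added example: report existing partnerships that are not yet on the mailbox's allow list.
# After the pre-approval script has run, the filtered table below should be empty.
$Report = foreach ($CASMailbox in (Get-CASMailbox -Filter {HasActiveSyncDevicePartnership -eq $true -and (DisplayName -notlike "CAS_{*")} -ResultSize Unlimited)) {
    $Allowed = @($CASMailbox.ActiveSyncAllowedDeviceIDs)
    $Blocked = @($CASMailbox.ActiveSyncBlockedDeviceIDs)
    # @() keeps the loop safe when a mailbox has a partnership record but no device objects
    foreach ($Device in @(Get-ActiveSyncDevice -Mailbox $CASMailbox.Identity)) {
        # Assumption: an explicit block wins over an allow entry
        if ($Blocked -contains $Device.DeviceId)     { $State = "Blocked" }
        elseif ($Allowed -contains $Device.DeviceId) { $State = "Allowed" }
        else                                         { $State = "WillBeQuarantined" }
        New-Object PSObject -Property @{
            DisplayName = $CASMailbox.DisplayName
            DeviceId    = $Device.DeviceId
            DeviceType  = $Device.DeviceType
            DeviceModel = $Device.DeviceModel
            State       = $State
        }
    }
}

# Show only the devices that will be affected once DefaultAccessLevel becomes Quarantine
$Report | Where-Object { $_.State -ne "Allowed" } | Sort-Object DisplayName |
    Format-Table DisplayName, DeviceId, DeviceType, DeviceModel, State -AutoSize

# Keep the complete inventory for the change record (placeholder path)
$Report | Export-Csv -Path .\ActiveSyncPreflight.csv -NoTypeInformation
```

Run the check once before the pre-approval script, to see the size of the change, and once after, to confirm that nothing is left in the WillBeQuarantined state.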

Enabling ActiveSync Quarantine features

Figure 5: Editing ActiveSync Quarantine Settings

After approving the devices, the final step is to enable the quarantine features.

Figure 6: Select your ActiveSync Quarantine options.

Log into the ECP and navigate to Phone & Voice -> ActiveSync Access. Click Edit and you'll find the available Quarantine options (Figure 5).

Make sure to examine the options available, which include setting the notification email address, as well as any custom message you would like end users to see when attempting to add a new device (Figure 6).

Click Save to enable the Exchange 2010 ActiveSync Quarantine.

From this point onwards, new ActiveSync devices connecting to Exchange 2010 will be quarantined until they are approved. Devices you pre-approved (those whose IDs are on the mailbox's ActiveSyncAllowedDeviceIDs list) continue to access Exchange as normal; any existing device you did not pre-approve is treated as new and quarantined.
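The ECP settings shown in Figures 5 and 6 can also be applied from the EMS, which is useful for scripting the change and for rolling it back quickly. This is an added example, not the article's own code; the notification address and the user-facing text are placeholders.

```powershell
# Added example: enable ActiveSync quarantine organization-wide from the EMS.
# The address and message text are placeholders.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admin@example.com" `
    -UserMailInsert "Your device is awaiting approval by IT. Contact the service desk if it is not approved within one business day."

# Confirm the organization-wide default before announcing the change to users
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, AdminMailRecipients, UserMailInsert

# Roll back if the pre-approval step missed devices: unapproved devices connect again
# Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Allow
```

Keep the rollback line at hand for the first few hours after the change; the quarantine email and the ECP's Quarantined Devices list will tell you quickly whether existing devices were missed by the pre-approval script.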

About the author
Steve Goodman is an Exchange MVP and works as a technical architect for one of the UK's leading Microsoft Gold partners, Phoenix IT Group. Goodman has worked in the IT industry for 14 years and has worked extensively with Microsoft Exchange since version 5.5.

This was last published in January 2013


Join the conversation



There is an error in the script in this article. It should be Set-CASMailbox $CASMailbox.Identity instead. Otherwise the script will fail.

There is another error in the script.
$Output | Add-Member NoteProperty DisplayName $Mailbox.DisplayName
should be replaced with:
$Output | Add-Member NoteProperty DisplayName $CASMailbox.DisplayName
It should also be noted that the device ID returned by get-activesyncdevicestatistics can be incorrect if the user was moved into a different OU than the one they were in when they paired their device. The correct device ID is returned from get-activesyncdevice.

There is another error in the script.
If the DeviceIDs array contains multiple IDs, the script will fail; this user's allowed list will not update.
It should be as follows:
$DeviceIDs=$DeviceIDs|Sort-Object|Get-Unique -AsString