(http://www.msexchange.

org)
Tweet 0 4 7
Home Articles & Tutorials Exchange 2010 Articles Management & Administration
by Nuno Mota [Published on 17 Jan. 2012 / Last Updated on 17 Jan. 2012]
In this article we will explore the new Mobile Device Management capabilities of Exchange 2010 and the possibility of creating allow, block and quarantine lists to control which mobile
devices are allowed to connect to Exchange.
If you would like to read the first part in this article series please go to Mobile Device Management (Part 1) (http://www.msexchange.org/articles_tutorials/exchange-server-
2010/management-administration/mobile-device-management-part1.html).
In the first part of this article we explored the basics of the new Mobile Device Management capabilities of Exchange 2010. We saw all the possible access states and how Exchange
determines the state each device should be assigned.
This second and final part will be hands-on as we will see how to configure and manage all aspects of Mobile Device Management.
(http://www.packtpub.com/microsoft-exchange-2013-high-availability/book)
Mobile Device Management (Part 2)
0 Me gusta
I ntr oducti on
Contr ol l i ng Access States
Home Articles & Tutorials KBase Tips Products Reviews Free Tools Blogs Tech Topics Forums White Papers Contact Us

As we saw in the first part of this article, there are 3 ways of controlling the access state for mobile devices. Administrators can configure:
1. Exchange ActiveSync [EAS] organization settings;
2. Organization access rules for mobile device families or specific models;
3. Personal exemptions for users.
Although I will explain each method in this order for simplicity, remember that they are applied in the reverse order as explained in the Determining Access States section.
Before we start, it is better to clarify the difference between a device family and model and how to get this information.
The devices family and model is communicated by the device itself to Exchange as part of the EAS protocol. Basically, the difference is that family is broader like Pocket PC while the
model is more specific like HTC HD2 T8585 or Palm Treo 850. This distinction exists because many device manufacturers release the same device with different names on different
carriers.
There are several methods which administrators can use to obtain information regarding device families and models. As EAS uses HTTP, every request is recorded in the IIS web logs, by
default saved in C:\inetpub\logs\logfiles\W3SVC1\. In there, we can search for ActiveSync entries where we will have entries similar to the one below where we can see the username,
DeviceID and DeviceType among other information:

Figure 2-1: Exchange ActiveSync IIS logs
As normally these logs have thousands of entries, it might not be easy to search them. A more effective method is to use the Exchange Management Shell [EMS] and the Export-
ActiveSyncLog, Get-ActiveSyncDeviceStatistics or Get-ActiveSyncDevice cmdlets. The first reads a single IIS log file and exports the relevant information regarding EAS into 6 different CSV
files. The ones we are interested in are the UserAgents and Users files as they include device models and families.

Figure 2-2: Export-ActiveSyncLog results
The last two cmdlets provide slightly different information, but for the purpose of this article both provide the information we are looking for: DeviceId, DeviceMobileOperator, DeviceOS,
DeviceType, DeviceUserAgent and DeviceModel. We can easily collect the information for every user that has used EAS at least once, export it to a CSV file and then analyze the results:
(Get-CASMailbox ResultSize Unlimited -Filter {HasActiveSyncDevicePartnership -eq $True} | Get-Mailbox) | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox $_} | Export-Csv
E:\Logs\EAS.csv -NoType
We can automatically group the statistics by DeviceModel, for example:

Figure 2-3: Sort Exchange ActiveSync Stats by Device Model
Or simply check the details for a single user:

Figure 2-4: User's ActiveSync Device Statistics
The final method is to use the Exchange Control Panel [ECP] as we will see later in this article.
EAS Or gani zati on Setti ngs
This is the first step into configuring access levels. When Exchange 2010 is first installed, the default access level is set to Allow, which means that any device is able to automatically
connect to Exchange as long as they comply with the EAS policy. This value can be set to Allow, Block or Quarantine by using the EMS or the ECP.
With the EMS, we use the Set-ActiveSyncOrganizationSettings cmdlet with the DefaultAccessLevel parameter.
This cmdlet also allows us to configure two other useful settings using the following parameters:
AdminMailRecipients - specifies the e-mail address(es) of the administrator(s) (can also be a distribution list) that will receive an e-mail when a device is quarantined;
UserMailInsert - specifies the text to be added to the e-mail message sent to users when their mobile device is blocked or quarantined.
Set-ActiveSyncOrganizationSettings DefaultAccessLevel Quarantine -AdminMailRecipients adminmotan@letsexchange.com, (mailto:adminmotan@letsexchange.com,)
messaging.team@letsexchange.com (mailto:messaging.team@letsexchange.com) UserMailInsert Your mobile device is temporarily blocked from synchronizing with the server while
permissions are verified.
To use the ECP, follow these steps:
1. Log in to the ECP;
2. Make sure you are managing My Organization (you will only see this option if you have Exchange Administrator access);
3. Select Phone & Voice -> ActiveSync Access tab;
4. Click on the Edit button and you will be presented with the following screen where we will see all the options we set up using the EMS:

Figure 2-5: The ActiveSync Access page

Figure 2-6: Configuring EAS Organization Settings through the ECP
In this picture we can confirm the settings we configure using the EMS and the text that the user received when the mobile device was quarantined (Figure 1-2).
Note:
The default organization settings will be applied only if a rule specific for a device or user does not match!
Setting the access level to Quarantine at the organizational level, allows administrators to monitor which devices and users are making new connections to Exchange. This means that if
there is no rule for a device or if there is no exemption for the particular user, then any unknown device will be quarantined. This process might be useful in cases where administrators
want to gradually allow only particular devices that are supported and block all other devices.
These rules allow administrators to control the access level of a group of devices based on their family or model. The easiest way to create a new rule is to use to the ECP by clicking in
New... under Device Access Rules on the ActiveSync Access tab where we configured the EAS organization settings previously.

Or gani zati on Access Rul es
Figure 2-7: New Device Access Rule
In here you can click on Browse to see a list of all the device families and models that have already connected to Exchange. If this is a brand new installation of Exchange and no device
has ever connected, these lists will be empty.

Figure 2-8: Device families and models

Figure 2-9: New Device Access Rule for Device Samsung GT-I9100
Once you have selected the family or model (have in mind that when creating rules you can only select the devices family or model, not both!), you can choose to allow, block or quarantine
it. After you select the desired action and click Save, the rule is created:

Figure 2-10: Device Access Rule created
In this case, the rule we just created is redundant as we already set the access level to Quarantine at the EAS organizational level settings.
We can also create these rules from the list of quarantined devices. When a device is quarantined, we can select it from the list of Quarantined Devices and then click in Create a rule for
similar devices.... This will open a window similar to Figure 2-9 where we can choose to Allow or Block similar devices.

Figure 2-11: Quarantined Devices
After we choose to Allow the device, the rule will automatically allow all devices that are in quarantine, as well as identical devices that connect from this moment on, that match the device
family or model (in our case model) covered by the new rule:

Figure 2-12: New Device Access Rule created
It is also possible to create a rule based on a users device that has already connected or tried to connect to Exchange:
1. Select Manage My Organization and then click on Users & Groups;
2. Search the user for whom you want to base your rule on, and then select Details;
3. Under Phone & Voice Features, select Exchange ActiveSync and then select Edit;
4. Under Mobile Devices, select the device that you want to create a rule for, and then select Create a rule for similar devices...;
5. Select whether you want this rule to apply to the selected device family or model;
6. Select whether to allow, block or quarantine the chosen devices;
7. Click Save to create the rule.
The rule will now appear in the main screen as the examples above. However, note that these rules dont apply just for that user, but for everyone with identical devices!
To create these rules using the EMS, you use the New-ActiveSyncDeviceAccessRule cmdlet with the AccessLevel (the state for the device), Characteristic (either DeviceType or
DeviceModel) and QueryString (which device type) parameters:

Figure 2-13: Creating New Device Access Rule through EMS
To check for any created rules, we use the ECP or the Get-ActiveSyncDeviceAccessRule cmdlet which will provide the exact same information as seen in Figure 2-13.
Note:
Remember that if a device tries to connect to Exchange and there is no access rule in place that matches the user or the device, the default organization settings will be applied.
Per sonal Exempti ons for User s
The final method of controlling mobile devices is by creating rules that only apply to specific users. These rules allow administrators to either allow or block (you cannot quarantine)
particular devices (based on the DeviceID) for a user regardless of EAS organizational settings or access rules. If a user tries to connect a different device that does not match an
exemption, that device's access state will be determined by the EAS organizational settings or access rules.
As with all previous methods, this one can be achieved through the ECP and through the EMS with the Set-CASMailbox cmdlet and the ActiveSyncAllowedDeviceIDs and
ActiveSyncBlockedDeviceIDs parameters.
To use the ECP, the method is similar to the last one demonstrated in the Organization Access Rules section. To perform it, you must ask the user to attempt to synchronize the device
with Exchange so that it appears in the users ECP. As an administrator (not as the user), login to the ECP:
1. Select Manage My Organization and then click on Users & Groups;
2. Search the user for whom you want to create the exemption for, and then select Details;
3. Under Phone & Voice Features, select Exchange ActiveSync and then select Edit;
4. Under Mobile Devices, select the device that you want to exempt and then click either Allow or Block;
5. Click Save to create the exemption.

Figure 2-14: Creating Personal Exemption Rule through ECP
To achieve the same result from the EMS, we must know the DeviceID which we get from the e-mail we as an administrator receive when a device is quarantined or by using any of the
methods explained in the beginning of this article. After we know the DeviceID, creating the rule is straightforward:
Set-CASMailbox nuno ActiveSyncAllowedDeviceIDs SAMSUNG1355310041884853
To verify any of these methods, we can again use the ECP by following the previous steps until step 4 and by clicking on Details instead of Allow or Block. A new window with details about
the selected mobile device will open. The Access state and Access set by tell us what the access level is and how it was assigned. As we can see, the device was granted access by an
Individual Assignment (exemption):

Figure 2-15: Mobile Device Details window
To check using the ECP there are 3 cmdlets we can use: Get-ActiveSyncDevice, Get-ActiveSyncDeviceStatistics (identical output for the information we want) or Get-CASMailbox:

Figure 2-16: Check Personal Exemption through EMS
In the picture above, we can see that the Samsung device has been allowed to connect to Exchange because of the exemption we just created while the iPod is also allowed but because
of a device rule instead.
Unfortunately, there is no GUI to check for exemptions. We can use EMS to search for users that have either ActiveSyncAllowedDeviceIDs or ActiveSyncBlockedDeviceIDs set up with the
following cmdlet:

Nuno is an Exchange MVP working
as a Senior Microsoft Messaging
Consultant for a UK IT Services
Provider in London. He specializes in
Exchange, Lync, Active Directory and
PowerShell.
Figure 2-17: Searching for Personal Exemptions
The new Mobile Device Management functionality of Exchange 2010 is a big step forward. However, with so many new MDM solutions out there, Microsoft should improve this even more.
Maybe the next steps will be an easier way to control what applications can be installed on devices or being able to geographically locate a device if a user reports it as stolen.
If you would like to be notified of when Nuno Mota releases the next part in this article series please sign up to our MSExchange.org Real Time Article Update newsletter
(http://www.msexchange.org/pages/newsletter.asp).
If you would like to read the first part in this article series please go to Mobile Device Management (Part 1) (http://www.msexchange.org/articles_tutorials/exchange-server-
2010/management-administration/mobile-device-management-part1.html).
Concl usi on
See Also
Mobile Device Management (Part 1)
(http://www.msexchange.org/articles-tutorials/exchange-
server-2010/management-administration/mobile-device-
management-part1.html)
Using Exchange Control Panel (ECP) to manage an
Exchange Organization (Part 4)
(http://www.msexchange.org/articles-tutorials/exchange-
server-2010/management-administration/using-exchange-
control-panel-ecp-manage-exchange-organization-
part4.html)
Exchange 2003 Mobile Messaging Part 2 - Uncovering the
Device Security Policies
(http://www.msexchange.org/articles-tutorials/exchange-
server-2003/mobility-client-access/Exchange-2003-
Mobile-Messaging-Part2-Uncovering-Device-Security-
Policies.html)
Load Balancing Exchange 2010 Client Access Servers
using an Hardware Load Balancer Solution (Part 1)
(http://www.msexchange.org/articles-tutorials/exchange-
The Author Nuno Mota
Latest Contributions
Exchange 2013 with Rights Management Connector (Part
1) (http://www.msexchange.org/articles-
tutorials/exchange-server-2013/security-message-
hygiene/exchange-2013-rights-management-connector-
part1.html) on 19 June 2014 (2014-06-19 11:48)
Of f ice 365 with Internet Explorer 8
(http://www.msexchange.org/kbase/ExchangeServerTips
/Microsof tOf f ice365/ExchangeOnline/of f ice-365-internet-
explorer-8.html) on 18 June 2014 (2014-06-18 15:49)
Of f ice 365 Multi-Factor Authentication (Part 3)
TechGenix Ltd is an online media
company which sets the standard
for providing free high quality
technical content to IT
professionals.
(http://www.techgenix.com)
Windows Server 2012 / 2008 / 2003 &
Windows 8 / 7 networking resource site
(http://www.windowsnetworking.com/)
Network Security & Information Security
resource for IT administrators
(http://www.windowsecurity.com/)
The essential Virtualization resource site
for administrators
(http://www.virtualizationadmin.com/)
The No.1 Forefront TMG / UAG and ISA
Server resource site
(http://www.isaserver.org/)
Cloud Computing Resource Site for IT
Pros
(http://www.cloudcomputingadmin.com/)
Networking & Server software / hardware
for Windows 2003, 2000, NT & Linux
(http://www.wservernews.com/)
About Us Advertise With Us Contact Us
server-2010/high-availability-recovery/load-balancing-
exchange-2010-client-access-servers-using-hardware-
load-balancer-solution-part1.html)
Designing a Site Resilient Exchange 2010 Solution (Part 1)
(http://www.msexchange.org/articles-tutorials/exchange-
server-2010/high-availability-recovery/designing-site-
resilient-exchange-2010-solution-part1.html)
Designing a Site Resilient Exchange 2010 Solution (Part 2)
(http://www.msexchange.org/articles-tutorials/exchange-
server-2010/high-availability-recovery/designing-site-
resilient-exchange-2010-solution-part2.html)
The Garage Series f or Of f ice 365: Extending Exchange,
Outlook and OWA across platf orms and devices with the
new app model
(http://www.msexchange.org/blogs/patricio/get-
news/garage-series-of f ice-365-extending-exchange-
outlook-and-owa-across-platf orms-and-devices-new-
app-model.html)
Designing a Site Resilient Exchange 2010 Solution (Part 3)
(http://www.msexchange.org/articles-tutorials/exchange-
server-2010/high-availability-recovery/designing-site-
resilient-exchange-2010-solution-part3.html)
System Center Capacity Planner 2006 Overview (Part 2)
(http://www.msexchange.org/articles-tutorials/exchange-
server-2003/planning-architecture/System-Center-
Capacity-Planner-2006-Overview-Part2.html)
Uncovering the new RPC Client Access Service in
Exchange 2010 (Part 4)
(http://www.msexchange.org/articles-tutorials/exchange-
server-2010/high-availability-recovery/uncovering-new-
rpc-client-access-service-exchange-2010-part4.html)
(http://www.msexchange.org/articles-tutorials/of f ice-
365/exchange-online/of f ice-365-multi-f actor-
authentication-part3.html)
on 5 June 2014 (2014-06-05 11:55)
Product Review: Netwrix Auditor
(http://www.msexchange.org/articles-tutorials/product-
reviews/product-review-netwrix-auditor.html)
on 4 June 2014 (2014-06-04 13:44)
Of f ice 365 Multi-Factor Authentication (Part 2)
(http://www.msexchange.org/articles-tutorials/of f ice-
365/exchange-online/of f ice-365-multi-f actor-
authentication-part2.html)
on 22 May 2014 (2014-05-22 11:52)
MSExchange.org is in no way affiliated with Microsoft Corp.
Copyright 2014, TechGenix Ltd (http://www.techgenix.com/). All rights reserved. Please read our Privacy Policy (/pages/privacy.html) and Terms & Conditions (/pages/terms.html).