Wednesday, September 1, 2010

ActiveSync Device Access Rules in Exchange 2010 SP1

Personal smartphones are becoming more and more common in business environments. Companies have always struggled with managing who should be allowed to sync their phones, who should not, and which types of phones are permitted. Exchange 2010 SP1 makes it very easy for the administrator (or any other appointed person) to approve or block specific users or phones from using ActiveSync. This post will not go into the specific feature policies, but will only examine connectivity policies.

By default ActiveSync is enabled for everyone and every type of device.  Let’s start off by configuring all devices that attempt to connect via ActiveSync into a quarantine for administrator approval.

From EMS we can run the following command to set the default access level to Quarantine for all devices and to notify the Administrator when a device tries to connect:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients AdminEmailAddress

[Screenshot: EAS-OrgSetting-Quar]

This can also be achieved through ECP:

[Screenshot: EAP-PolicyECP]

Then selecting the Edit button:

[Screenshot: EAP-PolicyDefault]

When a device tries to connect, the device/user receives a notice that the phone is in Quarantine, and the Administrator gets an email notifying them to take action on the device:

Device/User notification:

[Screenshots: EAP-ClientBlock, EAP-ClientBlock-Email]

Administrator notification:

[Screenshot: EAP-AdminEmail]

Once the administrator clicks the provided link to take action on the device, the ECP will launch and the administrator can decide to Allow or Block the device:

[Screenshot: EAP-AdminECP-markup]
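The same Allow/Block decision can be made from the Exchange Management Shell instead of the ECP link in the notification email. The script below is an added example, not part of the original post: it lists every partnership currently sitting in quarantine and then approves (or blocks) one device for one mailbox using the per-user device ID lists on the CAS mailbox object. The mailbox alias and device ID are made-up placeholders; it assumes an Exchange 2010 SP1 shell session.

```powershell
# Added example (not from the original post): review quarantined ActiveSync
# partnerships from EMS and act on one without going through the ECP.
# Assumes an Exchange 2010 SP1 Management Shell; alias and DeviceId are placeholders.

# 1. Every partnership currently in quarantine, with the reason it landed there
Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, DeviceAccessStateReason |
    Format-Table -AutoSize

# 2. Approve one device for one mailbox only. Per-user allowed/blocked device IDs
#    take precedence over device access rules and over the organization default,
#    so this is the narrowest possible exemption.
$user     = 'jdoe'                 # placeholder mailbox alias
$deviceId = 'ApplABCDEF1234567'    # placeholder DeviceId taken from the listing above

Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs @{Add = $deviceId}

# 3. Or block that device for this user instead (comment out step 2 if you use this)
# Set-CASMailbox -Identity $user -ActiveSyncBlockedDeviceIDs @{Add = $deviceId}

# 4. Confirm the lists on the mailbox and the resulting partnership state
Get-CASMailbox -Identity $user |
    Select-Object ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

Get-ActiveSyncDevice |
    Where-Object { $_.DeviceId -eq $deviceId } |
    Select-Object UserDisplayName, DeviceId, DeviceAccessState, DeviceAccessStateReason
```

The `@{Add = ...}` syntax appends to the multivalued property without replacing the existing entries, which matters when a user already has other approved devices. Removing an exemption later is the same call with `@{Remove = $deviceId}`.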

With the new ActiveSync Access controls, the administrator can also create rules that automatically allow or block specific types of devices. The default organization settings are applied when no specific rule matches. In our example, we will configure any "PocketPC" device to be blocked automatically. The query string can be based on the device type or the device model. From the EMS:

New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceType -QueryString PocketPC

[Screenshot: EAP-DevicePolicyBlock]

This rule can also be created in the ECP:

[Screenshot: EAP-DevicePolicyBlock-ECP]
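Because a device access rule applies to every existing partnership as well as new ones, it is worth seeing who would be cut off before the rule goes in. The script below is an added example, not part of the original post: it dry-runs the proposed rule against current partnerships, creates it with the same values as the post's one-liner, and then lists all rules together with the organization default they fall back to. It assumes an Exchange 2010 SP1 shell session.

```powershell
# Added example (not from the original post): preview, create and review an
# ActiveSync device access rule. Assumes an Exchange 2010 SP1 Management Shell.

$characteristic = 'DeviceType'   # DeviceType or DeviceModel, as in the post
$queryString    = 'PocketPC'
$accessLevel    = 'Block'        # Allow, Block or Quarantine

# 1. Which existing partnerships would this rule hit? Rules match the
#    characteristic value exactly (no wildcards), so compare with -eq.
$affected = @(Get-ActiveSyncDevice | Where-Object { $_.$characteristic -eq $queryString })

"{0} existing partnership(s) match {1} = '{2}':" -f $affected.Count, $characteristic, $queryString
$affected |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessState |
    Format-Table -AutoSize

# 2. Create the rule (identical to the post's command with the values above)
New-ActiveSyncDeviceAccessRule -AccessLevel $accessLevel -Characteristic $characteristic -QueryString $queryString

# 3. Review every rule plus the organization default used when nothing matches
Get-ActiveSyncDeviceAccessRule |
    Select-Object Name, Characteristic, QueryString, AccessLevel |
    Format-Table -AutoSize

Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel, AdminMailRecipients

# 4. Roll back if the preview turned out to be wrong
# Get-ActiveSyncDeviceAccessRule |
#     Where-Object { $_.QueryString -eq $queryString -and $_.Characteristic -eq $characteristic } |
#     Remove-ActiveSyncDeviceAccessRule
```

Wrapping the `Get-ActiveSyncDevice` result in `@(...)` keeps `.Count` correct when zero or one device matches, which the PowerShell 2.0 shell shipped with Exchange 2010 would otherwise report as empty.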

Now when a user tries to connect their device that matches the new ActiveSync Access Rule, the device will not sync and the user receives an email:

[Screenshot: EAP-BlockEmail]

From the partnership status in ECP, they can also see the details:

[Screenshot: EAP-Block-partnershipstatus-markup]

Exchange 2010 SP1 allows much easier and more granular management of ActiveSync device access control!

3 comments:

  1. Hey Tim...I have a question for you that I haven't been able to find yet.

    Is it possible to restrict the TIME that a user can access ActiveSync? I have some users that I need to be able to use ActiveSync, but their boss only wants them to get e-mail from 7am-7pm.

    Is that even possible?
