February 6, 2017

With the widespread usage of devices such as iPhones and Androids in the business world, it pretty much goes without saying that E-Mail access is literally at everyone's fingertips. For an IT Professional, this can turn into a nightmare to manage as everyone with an E-Mail address will want E-Mail onto their mobile device, whether it be a company-provided device or a personal one. By default, Microsoft Exchange makes it trivial for a user with an E-Mail account to configure it onto their mobile device without needing assistance from IT. Even if you are a business that doesn't allow employees to use their own mobile devices for business-related work, you still cannot prevent them from adding corporate E-Mail onto their own device by default in Microsoft Exchange.

Thankfully, Microsoft provides an ActiveSync Quarantine feature that, once enabled, lets you manage all new ActiveSync connections to your Microsoft Exchange server. With it enabled, any new device that is configured for E-Mail access will be quarantined until an administrator approves it. Both the employee who is attempting to add E-Mail to their device and the administrator will receive a notification when this happens.

In order to first verify that you do not currently have this feature enabled, you can run the following PowerShell command from within the Exchange Management Shell.

Get-ActiveSyncOrganizationSettings

If you do not currently have this feature enabled, then you should see the following for DefaultAccessLevel, UserMailInsert, and AdminMailRecipients.


Once you have confirmed that this feature is not already enabled, you will need to run a script that pre-approves every device currently syncing with Microsoft Exchange. If you enabled the Exchange ActiveSync Quarantine without first doing this step, you would quarantine every mobile device that is currently connected to your Exchange server. Chances are this would be fairly chaotic, as you probably have more than a handful of employees with E-Mail on their mobile device. To pre-approve all existing devices, the script determines the DeviceIDs of each device connected to every employee's E-Mail account and then adds those DeviceIDs to the ActiveSyncAllowedDeviceIDs property of the corresponding mailbox.

The script is as follows, and should be run from the Exchange Management Shell:

# Retrieve mailboxes of users who have a connected ActiveSync device
# (the displayname filter excludes the CAS_{...} system mailboxes)
$CASMailboxes = Get-CASMailbox -Filter {hasactivesyncdevicepartnership -eq $true -and -not displayname -like "CAS_{*"} -ResultSize Unlimited;
# Approve each device
foreach ($CASMailbox in $CASMailboxes)
{
    # Array to store the DeviceIDs for this mailbox
    $DeviceIDs = @();
    # Retrieve the ActiveSync device statistics for the associated user mailbox
    [array]$ActiveSyncDeviceStatistics = Get-ActiveSyncDeviceStatistics -Mailbox $CASMailbox.Identity;
    # Collect the DeviceID of each ActiveSync device found above
    foreach ($Device in $ActiveSyncDeviceStatistics)
    {
        $DeviceIDs += $Device.DeviceID
    }
    # Note: this replaces the mailbox's allowed-device list with the IDs collected above
    Set-CasMailbox $CASMailbox.Identity -ActiveSyncAllowedDeviceIDs $DeviceIDs
}

After running this script, you can verify that it was successful by running the following PowerShell command against one of your employee mailboxes.

Get-CASMailbox -Identity mail@domain.com | fl *ActiveSync*

If they had a mobile device connected to Exchange, then its corresponding DeviceID should now be within the ActiveSyncAllowedDeviceIDs object. The images below show the output of this command before running the pre-approval script, and afterwards.

Before ActiveSync DeviceID approval.

After ActiveSync DeviceID approval. This employee has one device approved.
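Before turning the quarantine on, it is worth checking every mailbox rather than just one. The following is an added example, not part of the original post: it walks the same mailboxes as the pre-approval script and reports any synced device whose DeviceID is still missing from ActiveSyncAllowedDeviceIDs, which is exactly the set of devices that would be quarantined. It assumes the Exchange Management Shell cmdlets used above; the function name is my own.

```powershell
# Added example: pre-flight audit before enabling ActiveSync Quarantine.
# Function name is hypothetical; cmdlets are the Exchange Management Shell ones used in the post.
function Get-UnapprovedActiveSyncDevice {
    [CmdletBinding()]
    param()

    # Same mailbox selection as the pre-approval script
    $CASMailboxes = Get-CASMailbox -Filter {hasactivesyncdevicepartnership -eq $true -and -not displayname -like "CAS_{*"} -ResultSize Unlimited

    foreach ($CASMailbox in $CASMailboxes) {
        # Allowed-device list as currently stored on the mailbox (may be empty)
        $Allowed = @($CASMailbox.ActiveSyncAllowedDeviceIDs)

        [array]$Stats = Get-ActiveSyncDeviceStatistics -Mailbox $CASMailbox.Identity

        foreach ($Device in $Stats) {
            if ($Allowed -notcontains $Device.DeviceID) {
                # One object per device that would be quarantined once DefaultAccessLevel is Quarantine
                [pscustomobject]@{
                    Mailbox    = $CASMailbox.Identity
                    DeviceID   = $Device.DeviceID
                    DeviceType = $Device.DeviceType
                    LastSync   = $Device.LastSuccessSync
                }
            }
        }
    }
}

# Run the audit; an empty result means every currently synced device is already allowed
$Missing = @(Get-UnapprovedActiveSyncDevice)
if ($Missing.Count -eq 0) {
    Write-Host "All currently synced devices are in ActiveSyncAllowedDeviceIDs; safe to enable quarantine."
} else {
    Write-Warning "$($Missing.Count) device(s) would be quarantined. Review these before enabling:"
    $Missing | Format-Table -AutoSize
}
```

Re-run the pre-approval script (or add the listed IDs by hand) for any mailbox that appears in the output, then run this audit again until it comes back empty.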

Now that all of the currently connected devices have been added to the ActiveSyncAllowedDeviceIDs property on each mailbox, you can move forward with enabling the ActiveSync Quarantine. To do this, you will need to decide which E-Mail address will be set up to receive the quarantine messages whenever a device has E-Mail configured onto it. It is recommended to use something like a Distribution Group, so that multiple individuals within your IT department receive the E-Mail alerts. You also have the option of adding your own custom text to the E-Mail that employees will see if they attempt to add E-Mail to a device themselves. Once you have determined those two details, run the following command (this example includes the optional custom text).

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients mail@domain.com -UserMailInsert "Your mobile device has not yet been approved for E-Mail use. If you have any questions or concerns, please contact the IT Department of [Business Name] for further assistance."

Once this has run, the ActiveSync Quarantine is enabled within your Exchange server. Any new device that is configured for E-Mail access will now be placed into this quarantine, pending an Administrator's approval.

Stay tuned for Part II, where we go over the quarantine approval process, along with how to delegate access to this feature for your team.