Tuesday, February 21, 2012

Exchange 2010 SP1 ActiveSync device lockdown

The other day I began working on locking down ActiveSync so that only pre-approved devices could sync.  I found that there were a lot of things available that gave portions of the solution or hinted at parts, but none that gave the full solution (excluding one site which I didn't find until later). 

I'm not going to give a full layout of all the options, but below I intend to lay out the method that I'm using.  From this it can easily be modified to add rules for the needs of your organization.

ActiveSync in Exchange 2010 SP1 can control devices by allowing (the default), blocking, or quarantining a device.  The decision is keyed on the DeviceID, which the client sends with every ActiveSync request.  The DeviceID format differs by device type; for example, with Apple's iPad the ID is the serial number with "Appl" prepended, so ApplDFGGYUDVBFJ2 is what one might look like if your serial number was DFGGYUDVBFJ2.  My understanding is that Android's is not generated from the serial number.  Because the DeviceID is supplied by the client, an allow list built on it keeps unapproved personal devices out, but it is not proof of which device is connecting; the user still has to authenticate, and the allow list is a per-mailbox exemption on top of that.

I'm going to cover doing this through PowerShell. It can also be done through the Exchange ECP via this excellent post by the Exchange team (this is the one I found after I was done doing it through PowerShell).

  1. Open the Exchange Management Shell
  2. Get-ActiveSyncOrganizationSettings | fl DefaultAccessLevel
    1. This reports your current default level; most likely it's set to Allow
  3. Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients admin@didyourestart.com
    1. Here we set the default level to Quarantine and specify an email address to be notified when a device is quarantined. You will want this so that you can see the DeviceID of new devices (it makes adding devices to the allow list easier)
  4. You'll now find that if you try to connect your iPad it will be quarantined. Quarantined devices can be found via the Exchange ECP as described in the link above to blogs.technet.com, or via PowerShell
    1. Get-ActiveSyncDevice | where {$_.deviceaccessstate -eq 'Quarantined'} | ft DistinguishedName
    2. This can also be used to find the DeviceID.  On an iPad the result looks similar to the following (the part after § is the DeviceID)
      1. CN=iPad§ApplDFGGYUDVBFJ2,CN=ExchangeActiveSyncDevices,.....
  5. The next step is to allow this device access for the user. The ID must match exactly, so don't leave a stray space inside the quotes
    1. Set-CASMailbox -Identity username -ActiveSyncAllowedDeviceIDs "ApplDFGGYUDVBFJ2"
  6. You can view the list of allowed devices at any time with the following
    1. Get-CASMailbox -Identity aarons | fl ActiveSyncAllowedDeviceIDs
To give a user multiple devices, separate the IDs with commas. Note that this assigns the whole list, so include every device the user should keep:
Set-CASMailbox -Identity aarons -ActiveSyncAllowedDeviceIDs "ApplDFGGYUDVBFJ2","ApplDFGGYUDVBFJ3"

To set a user back to no allowed devices (their devices then fall back to the organization default, i.e. quarantine) use the following:
Set-CASMailbox -Identity aarons -ActiveSyncAllowedDeviceIDs $Null
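The steps above, wrapped into two small Exchange Management Shell functions, as an added example rather than code from the original post. It assumes Exchange 2010 SP1 and the cmdlets the post already uses; the function names (Show-QuarantinedDevices, Approve-UserDevice, Revoke-UserDevice) and the mailbox/device values in the usage lines at the bottom are my own. It reads the DeviceID straight from the DeviceId property instead of parsing it out of the DistinguishedName, refuses to approve an ID that has never tried to sync with that mailbox, and uses the @{Add=...}/@{Remove=...} multivalued-property syntax so that approving one device does not silently drop the user's other approved devices.

```powershell
# Added example for the Exchange 2010 SP1 ABQ (Allow/Block/Quarantine) procedure.
# Assumes an Exchange Management Shell session; function names are my own.

function Show-QuarantinedDevices {
    # One row per quarantined partnership: who it belongs to, what it is,
    # and the DeviceId you would pass to Approve-UserDevice.
    # -ResultSize Unlimited: the default stops at 1000 objects.
    Get-ActiveSyncDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime |
        Sort-Object UserDisplayName
}

function Approve-UserDevice {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,
        [Parameter(Mandatory = $true)] [string] $DeviceId
    )

    # A stray space copied in with the ID produces an entry that never matches,
    # so normalise it before doing anything else.
    $DeviceId = $DeviceId.Trim()

    # Only approve IDs that have actually attempted to sync with this mailbox.
    # Get-ActiveSyncDeviceStatistics -Mailbox lists every partnership the mailbox has.
    $partnership = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $partnership) {
        throw "DeviceID '$DeviceId' has no ActiveSync partnership with mailbox '$Mailbox'; refusing to approve an ID nobody has seen."
    }

    # @{Add=...} appends to the multivalued property. A plain assignment
    # (-ActiveSyncAllowedDeviceIDs "id1","id2") replaces the whole list.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}

    # Show the resulting per-mailbox allow list so the change is visible.
    Get-CASMailbox -Identity $Mailbox | Select-Object Name, ActiveSyncAllowedDeviceIDs
}

function Revoke-UserDevice {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,
        [Parameter(Mandatory = $true)] [string] $DeviceId
    )
    $DeviceId = $DeviceId.Trim()

    # Remove just this ID; the device drops back to the organization default
    # (Quarantine, if you followed the steps above) on its next sync attempt.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Remove = $DeviceId}
    Get-CASMailbox -Identity $Mailbox | Select-Object Name, ActiveSyncAllowedDeviceIDs
}

# Usage (values are constructed for the example, not real devices):
Show-QuarantinedDevices | Format-Table -AutoSize
Approve-UserDevice -Mailbox 'aarons' -DeviceId 'ApplDFGGYUDVBFJ2'
Revoke-UserDevice  -Mailbox 'aarons' -DeviceId 'ApplDFGGYUDVBFJ2'
```

Run Show-QuarantinedDevices when the quarantine notification mail arrives, check the reported user and device model against what the user actually asked for, and only then call Approve-UserDevice. The partnership check is what stops an operator from approving an ID pasted in from the wrong ticket.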

Note: I found that sometimes it could take a while for a device in quarantine to generate an email stating it was in quarantine.  This appeared to be because it didn't actually go to quarantine, but was just straight out denied.  In my tests this occurred when the mailbox was large or contained a large number of messages.

The other part of this controlled setup that we originally implemented was to also disable ActiveSync for all users and then explicitly enable it for individual users at the time of need.  With the default access level set to Quarantine (or Block) this no longer matters: no unapproved device can sync, which stands in as a way to disable ActiveSync for all users without actually disabling ActiveSync.  In case someone still wants to disable ActiveSync for a user:
Get-CASMailbox -Identity username | Set-CASMailbox -ActiveSyncEnabled $False
Leave out -Identity username to make it apply to all users; in that case add -ResultSize Unlimited to Get-CASMailbox, since by default it returns only the first 1000 mailboxes and the rest would keep ActiveSync enabled.