Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-10-03
Microsoft Exchange Server 2010 Service Pack 1 (SP1) and Microsoft Exchange ActiveSync offer many different features for both users and administrators. As an administrator, you can create allow lists, block lists, and quarantine lists specifying which mobile devices are allowed to access your Exchange mailboxes. A quarantine list lets you allow only a user's assigned device to connect to the Exchange server.
|Throughout this topic, the term mobile device refers to mobile devices with and without cellular telephone service. All mobile phones and devices are assumed to have some form of Internet connectivity, either with a cellular data plan or with wireless Internet access.|
Determining a Mobile Device’s Access State
Exchange 2010 SP1 servers follow a simple, logical sequence to determine the access state of each mobile device. Every device can be either allowed, blocked, or quarantined. You can define the access state of each device through an organizational rule or through an exemption. An exemption is a rule that's applied to a single user or single device. This occurs each time an Exchange ActiveSync request is received from a mobile device that's trying to synchronize data from a mailbox stored on an Exchange 2010 server. The sequence of challenges includes the following steps:
- Is the mobile device authenticated? If
not, challenge the mobile device for the correct credentials.
Otherwise, go on to the next step.
- Is Exchange ActiveSync enabled for the current
user? If not, return an "access restricted"
error to the device. Otherwise, go on to the next step.
- Are the mobile policy enforcement criteria met by the
current mobile device? If not, block access.
Otherwise, go on to the next step.
- Is this mobile device blocked by a personal exemption for
the user? If so, block access. Otherwise, go
on to the next step.
- Is this mobile device allowed by a personal exemption for
the user? If so, grant full access. Otherwise,
go on to the next step.
- Is this mobile device blocked by a device access
rule? If so, block access. Otherwise, go on to
the next step.
- Is this mobile device quarantined by a device access
rule? If so, quarantine the device. Otherwise,
go on to the next step.
- Is this mobile device allowed by a device access
rule? If so, grant full access. Otherwise, go
on to the next step.
- Apply the default access state per the Exchange ActiveSync
organizational settings. This grants access,
blocks access, or quarantines the current device, depending on the
Understanding Device Access States
A device access state is the status of a particular device. The access state of a device can be one of the following: allowed, blocked, or quarantined. You can control device access states in several ways. A mobile device will behave differently in each access state.
The Allow Access State
In the allow access state, a mobile device can synchronize through Exchange ActiveSync and connect to the Exchange server to retrieve e-mail and manipulate calendar information, contacts, tasks, and notes. This will continue as long as the device complies with the Exchange ActiveSync mailbox policies that you've configured.
For more information, see View or Configure Exchange ActiveSync Mailbox Policy Properties.
The Block Access State
A mobile device that's blocked because of a device access setting you configured won't be allowed to connect to the Exchange server and will receive HTTP 403 Forbidden errors. The user will receive an e-mail message from the Exchange server telling them that the mobile device was blocked from accessing their mailbox. You can add customized text to this message to provide instructions for users whose devices are blocked.
A mobile device may also be blocked because it fails to apply the Exchange ActiveSync mailbox policies. If this is the case, the user won't receive an e-mail message that tells them that the mobile device was blocked from accessing their mailbox. However, the mobile device information displayed in Outlook Web App will show that it's blocked due to the failure by the device to apply the Exchange ActiveSync mailbox policies.
The Quarantine Access State
When a mobile device is quarantined, the mobile device is allowed to connect to the Exchange server. However, it is given only limited access to data. The user can add content to their own Calendar, Contacts, Tasks, and Notes folders but the server won't allow the device to retrieve any content from the user's mailbox. The user will receive a single e-mail message that tells them that the mobile device is quarantined. This message will be received by the device and will also be available in the user's mailbox. You can add customized text to this message to provide instructions for users whose devices are quarantined.
When you configure the Exchange ActiveSync organizational settings, you can specify one or more administrators who will receive an e-mail message the first time a quarantined device tries to connect to the Exchange server. The administrators can then decide whether to release the mobile device from quarantine by creating a personal exemption, block the device completely, or create a rule that will take action on the mobile device and other similar mobile devices.
Note A default Upgrade Grace Period allows quarantined devices to continue to sync with mailboxes that have been moved from previous versions of Exchange to Exchange Server 2010. The default Upgrade Grace Period is seven (7) days, beginning when the device synchronization state is upgraded. The device access state is upgraded only when a device contacts the Exchange server. Therefore, if the device does not contact a server, its access state is not upgraded.
Also, if a synchronization state is not detected for the device before the upgrade when it is running on the previous version of Exchange, the device does not receive an Upgrade Grace Period.
The Device Discovery Access State
When a mobile device first connects to Exchange ActiveSync, the device is momentarily in the device-discovery access state. In this state, the device is quarantined until it's recognized by the server. This state can last from 1 to 14 minutes. No email message is sent to administrators or to the user when a mobile device is in this state.
The Mailbox Upgrade Access State
When a mobile device is in the mailbox upgrade access state, it's granted full access to the user's mailbox. The mailbox upgrade access state is the same as the allowed state, except that it lasts no more than seven days from the first time the device connects to an Exchange 2010 server after a mailbox move from an earlier version of Microsoft Exchange. This state is necessary to give mobile devices time to correctly upgrade their information and communication protocols to the latest Exchange ActiveSync version and be recognized by the device access management system. As soon as a mobile device is recognized, Exchange applies the appropriate access based on the Exchange 2010 configuration.
Controlling Device Access
You can control device access by configuring the following:
- Personal exemptions for users.
- Organization-wide rules for mobile device families or specific
- A default access state for all devices that don't belong in
Creating Personal Exemptions
You can assign a particular mobile device to a particular user. This assignment allows you to explicitly grant access for a particular device or explicitly block a particular device regardless of the rules and other device access settings. If a mobile device is not explicitly granted or blocked for the particular user, then the device’s access will be determined according to the numbered steps discussed previously.
|Unlike Microsoft Exchange Server 2007, explicitly granting access for a specific device for a user doesn't implicitly deny access for other devices. If a user tries to connect a different device, that device's access state will be determined by the organization's device access settings.|
Personal exemptions can be created by using the Set-CASMailbox cmdlet or the Exchange Control Panel (ECP).
Creating Organization Access Rules
Organizational access rules let you set the type of access available to a particular group of devices based on some properties of the device, such as model. To create these rules, you need to know the device model and family information. This information can be obtained after a mobile device has successfully synchronized with the Exchange server.
Organizational access rules can be created by using the Set-CASMailbox cmdlet or through the ECP, as shown in the following figure.
When you set up a rule for a device, it’s important to understand the difference between the device “family” and the specific device. This information is communicated as part of the EAS protocol, and it’s reported by the device itself. For example, a device rule applies only to a specific device type. A device family represents a range of similar devices, such as a Pocket PC. This distinction is important because many device manufacturers release the same device by using different names on different carriers. When you create a rule, you select the device family or the specific model, but not both.
On the New Device Access Rule page, click Browse, to display a list of all the devices or device families that have recently connected to your Exchange server. Then, select the action to take. You can select any of the following actions:
Quarantine notifications let you specify who receives an email alert when a device is placed in quarantine. You can add one or more administrators, users, or distribution groups to the list. Anyone who is on this list receives an email notification that provides information about the device, the person who tried to connect the device, and the time that the attempt was made.
Setting the Default Organizational Access State
The default organizational access state for Exchange ActiveSync determines the access level that's granted to mobile devices that aren't managed by organizational rules or personal exemptions. The default organizational access state can be set by using the Set-CASMailbox cmdlet or the ECP.
Configuring Common Access Management Strategies
Before you specify the level of access for mobile devices, you might want to get a list of all mobile phones and devices within your organization. You can get this list by using the Get-CASMailbox cmdlet with the Get-ActiveSyncDeviceStatistics cmdlet. For more information, see Get-ActiveSyncDeviceStatistics.
Creating an Allow List
You can use an allow list to grant access to a list of known devices and restrict access for everything else. To do this, you must create rules so that the specific devices you want are allowed to access users' mailboxes. As soon as you create such a rule, you must set the organization’s default access state to block all other devices. To add a new device to the allow list, create a new rule.
Creating a Block List
You can use a block list to grant access to all devices by default, but to block access for a set of devices that you don't want to access your organization. You create a block list by creating block rules for the devices that you don't want to synchronize with the organization’s mailboxes. The organizational settings should be set to allow everything by granting access to all devices that aren't explicitly blocked by the existing rules. To add a new device or set of devices to the block list, create a new rule.
Mixed Allow and Block List Environments
In addition to creating allow and block lists, you can quarantine new mobile devices as they're introduced into the organization while you evaluate them. For example, if you have a block list for mobile devices that aren't allowed within your organization, and an allow list for mobile devices that are allowed within the organization, you can set the default organizational access setting to quarantine. All other devices will automatically be quarantined, which lets you discover new devices as they're introduced to the organization and decide whether to add them to the allow list or the block list. The following figure shows a mobile device that's been quarantined for a specific user.
You can use live auditing to discover all the devices that are currently synchronizing with the Exchange server in your organization. You set up live auditing by setting the default organizational access setting to quarantine.
A list of quarantined devices will be generated within a few minutes of time the default organizational access setting is switched to quarantine. You can use that list to create your allow and block lists. All users will be prevented from synchronizing with the Exchange server until the allow and block lists have been created.