Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list
Published Nov 15 2010 04:38 PM

What is the Allow/Block/Quarantine list?

In Exchange 2010 we added a feature called the Allow/Block/Quarantine list (or ABQ for short). This feature was designed to help IT organizations control which of the growing number of Exchange ActiveSync-enabled devices are allowed to connect to their Exchange Servers. With this feature, organizations can choose which devices (or families of devices) can connect using Exchange ActiveSync (and, conversely, which are blocked or quarantined). Some of you may remember my previous post on this topic, which dealt with organizations that do not have Exchange 2010, so I wanted to show you the far better way you can do this in Exchange 2010 (which is also what you will see in Office 365 and Exchange Online if you are looking at our cloud-based offerings). It is important to understand that the ABQ list is not meant to displace policy controls implemented using Exchange ActiveSync policies. Policy controls allow you to control and manage device features (such as remote wipe, PIN passwords, encryption, camera blocking, etc.), whereas the ABQ list is about controlling which devices are allowed to connect (for example, there may be a lot of devices that support EAS PIN policies, but some IT departments only want to allow certain devices to connect in order to limit support or testing costs). The easy takeaway is that Exchange ActiveSync policies allow you to limit device access by capabilities, while the Allow/Block/Quarantine list allows you to control device access by device type. If you're curious about which device OSes support which policies, the Wikipedia article we blogged about is a good place to look.

Different device access models for different folks

When we designed the ABQ list, we talked to a lot of organizations to find out how all of you use (or wanted to use) this kind of technology. What we realized is that there is a continuum of organizations, from permissive organizations that let employees connect whatever device they have to their Exchange Server, all the way to restrictive organizations that only support specific devices. Since we always want to make our software as flexible for IT as possible (as we know there are a lot of you folks using our software in a lot of different ways), we created this feature so that no matter which type of organization you are (or even if you are one that is in between these two extremes), we could help meet your needs. Below are some descriptions and "how-to"s for using the ABQ list in these different ways.

The restrictive organization

Restrictive organizations follow a more traditional design where only a set of supported devices is allowed to connect to the Exchange server. In this case, the IT department will only choose to allow the particular devices they support and all other devices are blocked.

It's important to note that a restrictive organization is created by specifying a set of allowed devices and blocking the unknown.

The permissive organization:

Permissive organizations allow all (or most) devices to connect to their Exchange Server. In these cases, the ABQ list can help organizations block a particular device or set of devices from connecting. This is useful if there's a security vulnerability or if the device is putting a particularly heavy load on the Exchange server. In these cases, the IT department can identify the misbehaving device and block that device until a fix or update for that device brings it into compliance. All other devices, including the unknown devices, are given access.

The one off case:

Of course, if you are limiting the devices that connect to your organization, there's almost always a need for an exception. Whether it's testing a new device before rolling it out to the organization as a supported device, or an exception made for an executive, we wanted to give you the ability to make an exception without allowing all users with that device to access your organization's email and PIM data.

When to quarantine:

Quarantining devices is useful when an IT department wants to monitor new devices connecting to their organization. Both permissive and restrictive organizations may choose to employ this mechanism. In a permissive organization, quarantine can be used so that IT administrators know what devices, and which users, are making new connections. In restrictive organizations, this can be used to see who is trying to work around policy and also gauge demand from "Bring Your Own Device" (BYOD) users. Now that we've gone through the theory, let's talk about how we would do this in practice.

Accessing the ABQ settings:

  1. Log in to the Exchange Control Panel (ECP) (you can also access the ECP from Outlook Web App (OWA) by selecting Options > See all options)
  2. In the ECP, make sure you are managing My Organization (#1 in the screenshot below). Be aware that most users won't see the "My Organization" option — it's only visible to users with Exchange Administrator access.
  3. Select Phone & Voice (#2 in the screenshot below) > ActiveSync Access tab (#3 in the screenshot below). This is the Allow/Block/Quarantine configuration screen.

Note for all you Exchange Management Shell (EMS) gurus: you can also configure device access using PowerShell cmdlets if you prefer.

Creating a device (or a family of devices) rule:

To create a new rule, select New from the Device Access Rules section of the ABQ page (#5 in the screenshot above). This brings you to the New Device Access Rule page. When setting up a rule for a device, it is important to understand the difference between the "family" of the device and the specific device. This information is communicated as part of the EAS protocol and is reported by the device itself. In general, you can think of the device rule as applying only to the particular device type (like an HTC-ST7377 as shown in the image below), whereas a device family might be something more broad like "Pocket PC". This distinction between the specific (device type) and the general (device family) is important because many device manufacturers actually release the same device with different names on different carriers, and the family grouping means you don't have to make a separate rule for each of those names. For instance, the HTC Touch Pro was available on all four major US carriers as well as some of the regional ones, and that's just the USA, not to mention the other versions around the world. As you can see, making a rule for each of those different devices (which are all in the same family and effectively the same device) could mean a lot of extra work for IT, so we added the family grouping to help you make good decisions about devices in bulk. It's important to note that when making a new rule you select the device family or the model, but not both. The easiest way to set the rule is to select Browse, which will show you a list of all the devices or device families that have recently connected to your Exchange Server. Once you've selected the device or device family (in this example, I'm just going to do a specific device), you can choose what Exchange will do with that device.

This is where you can choose to block the device if you are a permissive organization looking to limit a specific device for a specific reason, or where you can set access rules if you are a restrictive organization. In the restrictive case you would create an allow rule for each supported device and then set the action for all unknown devices to block (we'll talk about how to set the action for unknown devices in the next section). Once you select the action (Allow access, Block access, or Quarantine), click Save and you're done! You can repeat this process for each rule you want to create, and you can have both block and allow rules simultaneously.

Setting up a rule for unknown devices:

To access the rule for unknown devices, select Edit (#4 in Figure 5 above). On the Exchange ActiveSync Settings page, you can configure the action to take when Exchange sees a user trying to connect with a device that it does not recognize. By default, Exchange allows connections from all devices for users that are enabled for EAS. This example configures the Exchange organization to quarantine all unknown devices. This means that if there's no rule for the device (or device family) and no exception for the particular user, then an unknown device will follow this behavior.

Quarantine notifications

We have the ability to specify who gets an email alert when a device is placed in quarantine. You can add one or more administrators (or users) or even a distribution group to this list of notified individuals. Anyone on this list will receive an email like the one shown in the screenshot below. The notification provides you information about who tried to connect the device, the device details, and when the attempt was made.

Custom quarantine message

You can also set a custom message that will be delivered to the user in their Inbox and on their device. Although the device is in quarantine, we send this one message to the device so the user doesn't automatically call the help desk because their device isn't syncing. The custom message is added to the notification email to the user that their device is in quarantine. The user and device will also now appear on the Quarantined Devices list on the ABQ configuration page.

Managing Quarantined Devices

The device will stay in quarantine until an administrator decides to allow or block the device in quarantine. This can be done by selecting the device and then clicking on the Allow or Block buttons in Quarantined Devices. This creates a personal exemption (the "one off case" mentioned earlier). If you wish to create an access rule that is to apply to all devices of the same family or model, you can select Create a rule for similar devices to open a new, prepopulated, rule.
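The ECP steps above (family and model rules, the action for unknown devices with admin notifications and a custom message, reviewing the quarantine, and the one-off exemption) can all be done in the Exchange Management Shell. The following is an added example, not code from the original post; the family/model strings, addresses, mailbox, and device ID are assumed values, and I am assuming that the ECP's "device family" corresponds to the DeviceType characteristic and its "model" to DeviceModel.

```powershell
# Added example (not from the original post): Exchange 2010 EMS commands that
# mirror the ECP walkthrough. Assumed values: the family/model strings, the admin
# address, and the mailbox and device ID used in the exemption step.
# Assumption: ECP "device family" = -Characteristic DeviceType,
#             ECP "model"         = -Characteristic DeviceModel.

# 0. Pre-flight before changing the default: list devices that currently sync
#    only because the organization default is Allow. As I understand the
#    DeviceAccessStateReason values, 'Global' means "no rule or exemption
#    matched", so these are the devices that would be quarantined the moment the
#    default changes. Map them to rules or exemptions first.
Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessStateReason -eq 'Global' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId |
    Sort-Object UserDisplayName

# 1. Restrictive pattern: allow a whole supported family, block one problem model.
New-ActiveSyncDeviceAccessRule -QueryString 'PocketPC' `
    -Characteristic DeviceType -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -QueryString 'HTC-ST7377' `
    -Characteristic DeviceModel -AccessLevel Block

# 2. Unknown devices: quarantine them, alert the admins, and give the user the
#    one message that explains why the device is not syncing.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'easadmins@example.com' `
    -UserMailInsert 'Your device is awaiting IT approval. Contact the help desk and quote the details below.'

# 3. Review the quarantine (the Quarantined Devices list on the ABQ page).
Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime -AutoSize

# 4. One-off exemption: let one user's specific device through without creating
#    a rule that admits everyone with that model (assumed mailbox and device ID).
#    @{Add=...} appends to the multi-valued list instead of replacing it.
$user     = 'jane.doe@example.com'
$deviceId = 'ASSUMEDDEVICEID123'
Set-CASMailbox $user -ActiveSyncAllowedDeviceIDs @{Add = $deviceId}

# 5. Confirm the complete rule set before handing it over to the help desk.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, QueryString, Characteristic, AccessLevel -AutoSize
```

Step 0 is the check that answers the "will quarantine affect phones that are already syncing?" question: run it, resolve every device it lists, and only then run step 2.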

Making changes:

Of course we realize that many organizations are dynamic and have changing requirements and policies. Any of the rules that have been set up can be changed dynamically by accessing the ABQ page in the ECP and editing, deleting, or adding the desired rule.

Adam Glick (@MobileGlick)
Sr. Technical Product Manager

P.S. To read about Microsoft's licensing of Exchange ActiveSync, check out this article on Microsoft NewsCenter. Julia White also put up a more business focused blog in the UC Blog about the importance of EAS to Exchange 2010 customers.

31 Comments
Not applicable
Is the ABQ feature only available in SP1?
Not applicable
This is awesome... I am a fan of EAS and it's just becoming better and better....
I'm sure MS is aware of EAS compatibility issues with Android phones. Do we have any update on that??

Ratish Nair - MVP Exchange
Not applicable
@Ratish: Thanks for the feedback!


Please see previous post on the subject of EAS licensees and implementations:

Why all Exchange ActiveSync experiences aren’t the same… and how to know what you’re getting.



You can use device access rules, as explained in this post, to block or quarantine a particular model or family of devices.

Not applicable
Thank you Adam Glick
Not applicable
Thank you for such a great article !!
That is my project's issue
Not applicable
Can we do something similar with Outlook Anywhere?  We only want corporate domain joined machines to be able to use it from the Internet, not just any users home machine.
Not applicable
Jason, I have written a Whitepaper which will provide that exact solution, and it is currently in final editorial review. We should be publishing it by the end of the year. That's the plan. I'll post on EHLO when it is released.
Not applicable
This is a must-have feature for mobile device management - thanks for adding it in Exchange 2010! You guys sure did a great job of keeping this feature hidden since RTM!! Thanks for an awesome post with great explanation and graphics - makes understanding this functionality super easy.
Not applicable
@Steve D. The user interface shown in this posting is new in Exchange 2010 SP1, the functionality was there in Exchange Server RTM.  So if you are a PowerShell user you can do everything shown here with the RTM release.  The information on how to use PowerShell can be found here: http://technet.microsoft.com/en-us/library/dd876923.aspx
Not applicable
This is functionality that only appears in ECP or EMS. Why is there a constant dumbing-down of the EMC? It's not that I don't like ECP or EMS, but if I can do it in one place, I should be able to do it in the others as well. Discoverability shouldn't just apply to legal and regulatory bodies finding e-mails! ;)

In any case, this is great functionality, and I can certainly understand why someone would want to block/quarantine the iPhone! lol ;)
Not applicable
Hi @GoodThings2Life



The reason you see this showing up in the ECP is that many organizations want to delegate functionality, and the ECP makes that very easy to do without having to install the EMC for every person who may need some of the administrator capabilities. In addition, for users who choose to buy Exchange Server as an online service, having a web-based control panel makes it far easier for them to administer their Exchange Server.

Not applicable
Awesome, nicely explained........Great...

EAS is ever expanding....
Not applicable
Great post!  How do you pull this off using Microsoft Exchange Online?  Does it work in BPOS-S and BPOS-D?
Not applicable
In regards to the Active-Sync, is it possible yet to be able to sync only contacts and calendars? i.e. exclude mail sync?
Not applicable
@Nick: BPOS currently runs on Exchange 2007. The new Office 365 service (beta) includes Exchange 2010. See Office 365 Transition Center for details.


@Keith: The EAS protocol doesn't *require* you to sync email. You can sync only Calendar or Contacts. It depends on the device OS/software.


@GoodThings2Life: Thanks for the feedback. Being web-based, the ECP offers great flexibility. You can also accomplish the same using the Shell.

Not applicable
We have set up a restrictive organization model and are looking to have our helpdesk perform "Allow" for individual users/devices that are blocked by default.  What would be best way to delegate the allow?

From this article (http://technet.microsoft.com/enus/library/dd638131.aspx) it looks as though Organization Management and Server Management are required for "Exchange ActiveSync security settings". We don't, however, want to make a tier 1 or tier 2 helpdesk a member of those role groups. So we would ideally want to add the specific role entries to one of the roles assigned to our tier 2 group, for example.

Any help on identifying those role entries would be much appreciated.

Thank you,
Aaron Luna
Not applicable
Two questions:

1. The blog post linked early in this post for pre-2010 environments is from 2008 and suggests using ISA to filter devices. Any updated guidance since then or is this still the way to go? Still on 2007 here...
2. @Greg Taylor: Will the whitepaper cover 2010 only or 2010, 2007, and maybe even 2003?

Thanks guys.
Not applicable
ABQ is a 2010 feature. If your mailboxes are still on 2007 then using the ISA approach is still the way to go Michael.

The paper will work for all versions of Exchange, there's really nothing Exchange involved, it's just I love Exchange, and it's written from that perspective.
Not applicable
It's really important to control Exchange sync devices because it helps secure data...
Not applicable
I have the same question as Aaron Luna! Which permissions must we set for a helpdesk to manage/allow quarantined unique devices?

If we need to assign Organization/Server Management rights to the helpdesk, then this feature is not designed for bigger companies.

Not applicable
Greg, as far as Outlook Anywhere goes, is there any special configuration needed on the TMG to do this? We are debating one vs. two NICs, domain member or workgroup, and other TMG details at the moment, but want to start building the servers soon.
Not applicable
Jason, ping me offline, grtaylor @ the company that make Exchange and I'll try and help out with some additional details.
Not applicable
Oh! Some improvements on the EAS area, great news!

Question 1:
Is it so that you can restrict only the device by device name on the URL? And not e.g. certain software level?

Question/comment 2:
Still waiting for you to block the DoS hole: currently, everybody is able to knock on all companies' EAS services and start guessing the passwords of the company. E.g. I can take Greg's account, set it up on my emulator and check if I can find his password. This is possible because the first handshake on EAS is the authentication.

I would like to see that we can set up the device ID for a certain user, and if that user is trying to access the EAS service s/he will get nothing unless the user ID and DeviceID are correct. Not even the password request. This is possible because the first URL contains the user ID and device ID.

We can write our own code for better security, but that is not supported by MS, so we have to leave the EAS service unprotected, which is pretty sad.
Not applicable
Will turning on the quarantine block existing phones that are already syncing?
Not applicable
@Stephen - if you change the default to quarantine and don't have allow rules to override for devices, or for users, all devices would enter quarantine. So be careful to have all the existing devices mapped to rules before changing the default behaviour for unknown devices.

@Petri - Agreed on one hand, but on the other, we haven't recommended using account lockout policies for a long time. The approach we recommend is strong password/phrases, monitoring for password DoS or cracking attempts (which would pick up your scenario), and taking action on them, not locking accounts out after a small number of incorrect logon attempts.

Another approach is stop using username/passwords altogether, and move to certificate based authentication.

Not applicable
Great. Thanks for this article.
Not applicable
Greg:
You must remember that everything is not as homogeneous as it could/should be. Believe it or not, there are other companies and policies as well ;D

So the question is more like: don't you have to do everything to protect your users and environments, so why allow anyone to come into your living room to try to open your safe? In my mind, it is not right to close your eyes and offer "change your pwd policy" as the only solution. But perhaps we are such an old-fashioned company, and all the others have changed their policies :-o

Certificate authentication is a great idea (the best in my mind) and we keep our eyes open for it, but certificate management across multiple different device platforms is not an easy task.

(we haven't published OWA, so no need to compare to that)
Not applicable
We have set all devices to be quarantined to make sure no personal devices are attached to ActiveSync. We have noticed that devices seem to be quarantined at different times. Some devices will connect to EAS for a week and then all of a sudden be quarantined while others will be quarantined within minutes. Note, we are migrating users to 2010 so it is upon migration that we see this behavior. I would expect devices to be quarantined on first EAS connection after migration, is that not the case?
Not applicable
Is it possible to get a view of what mobile devices are already syncing to Exchange?
Not applicable
@Dave: You can use the Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics cmdlets to retrieve device information.

See View a List of Devices for a User in the docs and List Exchange ActiveSync users and device information.

Copper Contributor

What's the use? Exchange Online's ABQ does not work!!!

I have raised a Service request.

It has been going for 1 month, and I am still unable to access mails on mobile.

Version history
Last update: Jul 01 2019 03:55 PM