Exchange 2010 ActiveSync Device Access Policies, Quarantine and more!

by Ed Sparks

Exchange ActiveSync (EAS) is Microsoft's excellent protocol that most vendors have adopted as the standard for direct-push email to mobile devices.  Thankfully, the softies have dramatically improved the ability to manage devices and restrict access to the Exchange or Office 365 environment in the latest versions.

This article highlights various common options and settings, with implementation details we've put together for clients.

Device Review and Statistics
Before starting on this project, it is best to audit the existing Exchange environment, as many organizations are simply allowing all devices to connect.

This list can be generated at any time from the Exchange Management Shell by running the following one-line PowerShell command.  Piping Get-ActiveSyncDevice into Get-ActiveSyncDeviceStatistics is the easiest way to retrieve up-to-date information for every device that has ever connected in one step.  The LastSuccessSync field is a good indication of whether the device is still in use: an old timestamp usually indicates an abandoned device that is no longer used but is still approved for access.

Get-ActiveSyncDevice | Get-ActiveSyncDeviceStatistics | select-object identity, deviceid, devicetype, deviceuseragent, deviceactivesyncversion, firstsynctime,lastsuccesssync | Export-CSV devices.csv

Another useful ActiveSync audit tool is the Export-ActiveSyncLog command.  It takes a single IIS log file as its source and aggregates all ActiveSync connection entries into a default set of six exported CSV files.  The generated users.csv file shows the username format each user is connecting with, along with their device IDs and how many times they connected over the period the log file covers (a day or a week, for example).  The command is as follows (substitute the appropriate filenames and paths):

Export-ActiveSyncLog -Filename "C:\inetpub\logs\LogFiles\W3SVC1\u_ex120521.log" -OutputPath "C:\EAS"

The other files generated also provide useful information such as the busiest times of day, etc.

Device Access Approval
New to Exchange 2010 is the ability to more broadly approve and reject devices in various ways, adding to the original functionality of allowing overall ActiveSync access for individual users.  This new functionality is known as the “Allow/Block/Quarantine” or ABQ list.

An overall device access policy can be created for the Exchange organization. This policy can default to approving or quarantining all new devices that access the server for the first time.  If the Quarantine option is chosen, then a list of Administrators can automatically be emailed with the details of the user and device attempting access.  The individual device can then easily be approved by the help desk via the Exchange Management Shell, or through the Exchange Control Panel in Outlook Web App. The administrator email even includes the command the help desk personnel would run to approve the device.  At this time, the end user would also receive a notification on their device that they are temporarily blocked from accessing the server until approved.

If desired, it is also possible to create broad policies that would automatically approve various classes of device, such as all “iPhone 4C1” devices, or all iPhones with a certain iOS version. 

Implement the ABQ list - or "Device Policies" - by following these steps:
1. Review and pre-approve a list of existing devices for users
2. Assign the help desk staff the appropriate Exchange roles to approve devices
3. Plan an outage time, as implementation will temporarily block all existing devices, and users may receive a message that their device is temporarily blocked from syncing
4. Use the EMS Set-CasMailbox command to script approval rules for each existing user and device
5. Set the Default Organizational Access state to Quarantine using Set-CasMailbox, and define the list of help desk or administrators that will receive notifications
6. Monitor the ABQ list in the OWA ECP and approve devices as necessary
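The script below is an added example (not from the original article) that carries out steps 1, 4 and 5 from the Exchange Management Shell on Exchange 2010 SP1 or later. It pre-approves only devices that have synced recently, so abandoned-but-approved devices from the audit are not grandfathered in. The 30-day window, the help desk address and the "iPhone4C1" model string are placeholders; the organization-wide default is held by Set-ActiveSyncOrganizationSettings, while Set-CASMailbox holds each user's own allowed-device list.

```powershell
# Added example: ABQ rollout. Assumes Exchange 2010 SP1+ and the Exchange Management Shell.
# "helpdesk@contoso.com", 30 days and "iPhone4C1" are placeholders to adjust.
$ActiveWithinDays = 30
$Cutoff = (Get-Date).AddDays(-$ActiveWithinDays)

# Steps 1 and 4: pre-approve every device that has synced within the window. Devices
# with an old LastSuccessSync stay unapproved, so if they ever reconnect they land in
# quarantine and get a fresh help desk review instead of silent access.
$Mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true }
foreach ($Mbx in $Mailboxes) {
    $Stats = Get-ActiveSyncDeviceStatistics -Mailbox $Mbx.Identity
    $ActiveIds = @($Stats | Where-Object { $_.LastSuccessSync -gt $Cutoff } |
                  Select-Object -ExpandProperty DeviceID)
    if ($ActiveIds.Count -eq 0) { continue }
    # ActiveSyncAllowedDeviceIDs replaces the whole list, so pass every ID for the
    # mailbox in one call rather than calling Set-CASMailbox once per device.
    Set-CASMailbox -Identity $Mbx.Identity -ActiveSyncAllowedDeviceIDs $ActiveIds
    Write-Host ("{0}: approved {1} device(s)" -f $Mbx.Identity, $ActiveIds.Count)
}

# Step 5: organization-wide default. New, unlisted devices are quarantined, the help
# desk is mailed the approval command, and the user sees the inserted text on the device.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "helpdesk@contoso.com" `
    -UserMailInsert "Your device is awaiting approval by the IT help desk."

# Optional broad rule that auto-allows one device model. Copy the exact DeviceModel
# value from Get-ActiveSyncDevice output; "iPhone4C1" here is only a placeholder.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "iPhone4C1" -AccessLevel Allow

# Step 6: what is sitting in quarantine right now (the same data the ECP shows).
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceId, DeviceAccessStateReason -AutoSize
```

Run the approval loop with -WhatIf added to Set-CASMailbox first to see which mailboxes would be touched, and schedule the Set-ActiveSyncOrganizationSettings call for the planned outage window from step 3.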

Mailbox Policies
Once a particular device is allowed, and a user’s mailbox is enabled for Exchange ActiveSync, mailbox policies then allow for the application of a common set of policy or security settings to a user or group of users.  These policy settings include items like enforcing passcode locks, device encryption, auto-device wipes after password failures, etc. 

Different Exchange ActiveSync mailbox policies can be created with various settings depending on the requirements.

At a minimum, device locking and encryption should be enabled, and this is generally done in the default policy.  In addition, it is common practice to disable access for “non-provisionable” devices.  This blocks devices that are unable to accept these policy settings for any reason.

These policies are easily created through the Exchange Management Console GUI under Organization Configuration/Client Access, and can immediately apply to all users by editing the default policy.  Newly created policies can be assigned to users or groups of users using the Exchange Management Shell.
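The following is an added example (not from the original article) of the shell equivalent: the default policy is hardened so it applies to everyone immediately, then a stricter policy is created and assigned to one organizational unit. The policy name, OU path and the specific thresholds are placeholders to fit the organization's requirements.

```powershell
# Added example: Exchange 2010 ActiveSync mailbox policies from the Exchange Management Shell.
# Policy name "Finance - Strict" and OU "contoso.com/Finance" are placeholders.
# Time spans are PowerShell TimeSpan strings (hh:mm:ss or d.hh:mm:ss).

# Default policy: lock, encrypt, wipe after repeated failures, refuse devices that
# cannot enforce these settings. Applies at once to every mailbox on the default policy.
Set-ActiveSyncMailboxPolicy -Identity "Default" `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# Stricter policy for a sensitive group: alphanumeric passcode, shorter lock timer,
# fewer failed attempts before wipe, password expiry and history.
New-ActiveSyncMailboxPolicy -Name "Finance - Strict" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 5 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the stricter policy to every mailbox in one OU.
Get-Mailbox -OrganizationalUnit "contoso.com/Finance" -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy "Finance - Strict"

# Verify: count of ActiveSync-enabled mailboxes per assigned policy (an empty
# group name means a mailbox with no explicit policy, i.e. on the default).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Group-Object ActiveSyncMailboxPolicy |
    Select-Object Name, Count
```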

Two-Factor Authentication
A final option to dramatically enhance the security of mobile devices is to enable multi-factor authentication – as opposed to just using traditional passwords.  Two-factor authentication improves security by ensuring that whoever and whatever is accessing the Exchange server has something, and knows something (two factors).

This extra security, which is native to Blackberries, is enabled on other devices by using client SSL certificates.  These certificates are generated by a domain-based trusted certificate authority and matched to an individual user.  The certificate is then deployed to each device manually, or via a special website that the end user visits on their device.  Additionally, the ActiveSync servers are configured to demand that the device present a client certificate along with the user's domain password before access is permitted.

This implementation requires significant effort but generally involves the following steps:
1. Implement an AD-based domain Certificate Authority
2. Generate client certificates for each user in AD that requires remote access
3. For Apple devices, use the iPhone Configuration Utility to create iPhone Configuration Profiles containing the client certificate, and deploy the new profiles to the devices
4. Update the ActiveSync IIS settings and TMG to require Client Certificates

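As an added example (not from the original article), this is the server-side part of step 4 on an Exchange 2010 SP1 Client Access server, run from the Exchange Management Shell. It assumes the certificates have already been issued by the AD certificate authority and installed on the devices; "CAS01" is a placeholder server name, and the TMG listener change is not scripted here.

```powershell
# Added example: require client certificates on the ActiveSync virtual directory.
# Assumes Exchange 2010 SP1+, IIS 7.x and an AD-issued client certificate per user.
# "CAS01" is a placeholder for the Client Access server name.
Import-Module ServerManager
Import-Module WebAdministration

# IIS must map the presented certificate to the AD account it was issued to. That is
# the "Client Certificate Mapping Authentication" role service; it is configured at
# the server (applicationHost) level because the section is locked for individual sites.
Add-WindowsFeature Web-Client-Auth
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
    -Name enabled -Value $true

# Require (not merely accept) a client certificate on the ActiveSync virtual directory.
$Vdir = "CAS01\Microsoft-Server-ActiveSync (Default Web Site)"
Set-ActiveSyncVirtualDirectory -Identity $Vdir -ClientCertAuth Required

# Verify from the Exchange side: ClientCertAuth should now read Required.
Get-ActiveSyncVirtualDirectory -Identity $Vdir | Format-List Identity, ClientCertAuth, BasicAuthEnabled

# Verify from the IIS side: sslFlags on the vdir should include SslRequireCert. If it
# does not, set it explicitly so that connections without a certificate are refused.
$VdirPath = 'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync'
$Flags = (Get-WebConfigurationProperty -PSPath $VdirPath `
    -Filter 'system.webServer/security/access' -Name sslFlags).ToString()
if ($Flags -notmatch 'SslRequireCert') {
    Set-WebConfigurationProperty -PSPath $VdirPath `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'
}
```

After the change, a device that presents no certificate is refused at the TLS layer before any password is checked, which is the point of the second factor; a test device enrolled in step 3 should still sync.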
There is a wealth of information available online about these topics, or we'd be happy to help you implement a solution at your site!

Confused?  Let us design a solution for you!  Contact us today.