Exchange Server - Exchange 2010 ABQ questions

Asked By RAM on 22-Apr-11 02:32 PM
We are beginning to issue iPhone 4 devices to users and using
ActiveSync for their company email on the phones. We want to lock
things down so that they can only use this one device. I have been
using the "set-casmailbox <user> -activesyncalloweddeviceids" cmdlet
to do this, but have recently discovered that this DOES NOT WORK; I've
even found 2 postings that confirm others have discovered this as
well. The devices sync, but I can change the value of the
activesyncalloweddeviceids and the devices STILL sync with no problem.

I was going to try using the Allow/Block/Quarantine (ABQ) in Exchange
Control Panel, but I cannot find it; I log into Exchange 2010's OWA as
the admin user, go to Options, select to manage My Organization - and
all I see is "Users and Groups" and "Reporting", I do not see the
"Quarantine List" (http://blogs.technet.com/b/exchange/archive/
2010/11/15/3411539.aspx). Can someone tell me why I am not seeing this?

Also, does the ABQ just set the same properties
(activesyncalloweddeviceids)? If so, then this will not resolve my issue
of locking down ActiveSync to specified devices. Any other
suggestions?

Thanks in advance.
-RAM


RAM replied to RAM on 26-Apr-11 02:57 PM
Found my own answers:

First, the ABQ interface in ECP apparently is not there until you apply
SP1 for Exchange 2010 (we will be doing that shortly).

Second, you can do the ABQ-thing via PowerShell using the
Set-ActiveSyncOrganizationSettings cmdlet: this is a global setting, and
seems to be set to Allow by default - hence why you could have any
number of devices connect once you enabled a user for ActiveSync,
despite what you put in the ActiveSyncAllowedDeviceIDs property.

I set our ActiveSyncOrganizationSettings to Quarantine - the user
trying to sync now gets an email saying the device is temporarily
blocked while permissions are being checked. Once I put their device
ID in the ActiveSyncAllowedDeviceIDs property, they can sync and they
also get a message saying their device has been granted full access.

As a test, after I set the global setting to quarantine, I entered a
bogus Device Id in my ActiveSyncAllowedDeviceIDs. Bingo! My device
could no longer sync. Once I put in the correct device id, all was
well.

There are several other properties on the
ActivesyncOrganizationSettings, like AdminEmailRecipients - the email
addresses you specify for this are supposed to get notifications that
a user is trying to sync a device. Unfortunately, that is not working
for me consistently (worked when my own device was quarantined, but not
anyone else's). If anyone has any insight about this little quirk, I'd
love to hear it.

-RAM
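The quarantine-by-default plus per-mailbox allow-list setup RAM describes, written out as an added example (not code from the thread). It assumes an Exchange 2010 SP1 Management Shell session; the mailbox name, device ID and notification address are placeholders, and the cmdlet's parameter for the notification addresses is -AdminMailRecipients. The audit function at the end goes a step further than the post and lists every partnership that is either not on the mailbox's allow list or not in the Allowed state, which is how you spot a device that slipped through.

```powershell
# Added example, not from the original thread. Placeholders: mailbox, device ID, address.

# 1. Organization-wide default: any device not explicitly allowed lands in quarantine.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com' `
    -UserMailInsert 'Your device is held until IT approves it.'

# 2. Per-mailbox allow list: only the issued phone's device ID may sync.
#    The ID is read from Get-ActiveSyncDeviceStatistics after the first (quarantined) sync.
$user     = 'jdoe'                  # placeholder mailbox
$deviceId = 'APPL0123456789ABC'     # placeholder device ID
Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs $deviceId

# 3. Audit: report partnerships that are off the allow list or not in the Allowed state.
#    New-Object is used instead of [pscustomobject] so it runs on the PowerShell 2 shell
#    that ships with Exchange 2010.
function Get-EasAllowListDrift {
    param([string[]]$Mailboxes)
    foreach ($mbx in $Mailboxes) {
        $allowed = @((Get-CASMailbox -Identity $mbx).ActiveSyncAllowedDeviceIDs)
        Get-ActiveSyncDeviceStatistics -Mailbox $mbx | ForEach-Object {
            $onList = $allowed -contains $_.DeviceID
            if (-not $onList -or $_.DeviceAccessState -ne 'Allowed') {
                New-Object PSObject -Property @{
                    Mailbox     = $mbx
                    DeviceID    = $_.DeviceID
                    DeviceType  = $_.DeviceType
                    AccessState = $_.DeviceAccessState
                    Reason      = $_.DeviceAccessStateReason
                    OnAllowList = $onList
                    LastSync    = $_.LastSuccessSync
                }
            }
        }
    }
}

# Run the audit over every ActiveSync-enabled mailbox.
$easUsers = Get-CASMailbox -Filter { ActiveSyncEnabled -eq $true } |
    Select-Object -ExpandProperty Alias
Get-EasAllowListDrift -Mailboxes $easUsers | Format-Table -AutoSize
```

A device that shows AccessState Allowed but OnAllowList False is being admitted by something other than the per-mailbox list (for example a device access rule or the global default still set to Allow), which is exactly the condition from the original question.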