It has been 5 years since Exchange 2010 was released and there is still a very common item that a lot of deployments have overlooked: the configuration of the ActiveSync Organization settings. These settings set the global options for devices connecting into Exchange 2010 and also Exchange 2013, and they are a core part of the Exchange 2010 and 2013 Allow/Block/Quarantine feature.
Rather than this post turning into a behemoth, it will be split into three parts:
This post, which covers background and my personal recommendations for the ActiveSync global settings.
Exchange ActiveSync Organization Default Settings
The default ActiveSync Organization settings are shown below:
Note that the big red arrow in the screenshot points at DefaultAccessLevel, which is set to Allow by default.
Also note that the UserMailInsert, AdminMailRecipients and OtaNotificationMailInsert fields are all empty by default.
What does DefaultAccessLevel set to Allow mean in the initial Exchange 2010/2013 configuration?
By default any user can connect any device.
This behaviour can be modified with the addition of ActiveSync Device Access Rules, but since there are no rules by default, all devices fall through to the ActiveSync Organization Settings and inherit the DefaultAccessLevel. This is what allows all users to connect any device by default.
It is also worthwhile pointing out that all mailboxes are enabled for ActiveSync by default. You can change this on a per-mailbox basis by running Set-CASMailbox, for example:
Set-CASMailbox sschnoll -ActiveSyncEnabled $False
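The one-liner above turns ActiveSync off for a single mailbox. As an added example (not from the original post), the following Exchange Management Shell snippet generalises it to the common case where ActiveSync should only remain enabled for members of an approved distribution group. The group name "EAS Allowed Users" is an assumption; everything else uses standard Exchange 2010/2013 cmdlets.

```powershell
# Added example, not part of the original post.
# Restrict ActiveSync to members of one distribution group; every other
# mailbox (ActiveSync-enabled by default) gets ActiveSync turned off.
$allowedGroup = 'EAS Allowed Users'   # assumed group name

# Build a lookup of the SMTP addresses that should keep ActiveSync.
$allowed = @{}
Get-DistributionGroupMember -Identity $allowedGroup -ResultSize Unlimited |
    ForEach-Object {
        # Contacts or nested groups may lack an SMTP address; skip those.
        if ($_.PrimarySmtpAddress) {
            $allowed[$_.PrimarySmtpAddress.ToString().ToLower()] = $true
        }
    }

# Only the mailboxes that are currently ActiveSync-enabled need touching.
Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true } |
    ForEach-Object {
        $addr = $_.PrimarySmtpAddress.ToString().ToLower()
        if (-not $allowed.ContainsKey($addr)) {
            # -WhatIf shows what would change; drop it once the list looks right.
            Set-CASMailbox -Identity $_.Identity -ActiveSyncEnabled $false -WhatIf
        }
    }
```

Run it with -WhatIf first and review the output; mailboxes that are not in the group but have a legitimate need for ActiveSync will show up there before anything is changed.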
These ActiveSync Organization settings may not be what you want for your business, so we need to review and possibly change them.
What Can/Should We Change
First up, the answer is the "consultant's answer". It depends….
This will depend upon several factors:
How open is your organisation to allowing users to synchronise different devices?
What support boundaries will you provide? Will you only support certain makes and models?
Will certain device types be whitelisted?
Will certain device types be blacklisted?
Do you want to manually review and approve every device?
Will you have a set of delegated administrators that will review and perform device approval?
You will need to review the following parameters of Set-ActiveSyncOrganizationSettings.
UserMailInsert, AdminMailRecipients and most importantly DefaultAccessLevel.
UserMailInsert allows you to insert custom text into the message sent to users when their device is quarantined. This could refer them to a FAQ which they can consult for more information, or provide the help desk phone number.
AdminMailRecipients allows you to specify which administrators are notified when a user's device is placed in quarantine.
DefaultAccessLevel, as the name implies, sets the default access level. This can be Allow, Block or Quarantine. Unless a device access rule or a per-user device exemption applies, this is the setting that takes effect.
My Personal Approach
Do not read this as prescriptive Microsoft guidance, as it is impossible to state that a single approach is the best one for all customers. Life is never normally that black and white.
What I personally like to do is:
Add custom text into the UserMailInsert. This shows that IT cares and has placed a custom help message into the standard Microsoft text.
Set AdminMailRecipients to be a Distribution Group. Group membership is managed in the Distribution Group and we do not have to change the ActiveSyncOrganizationSettings when people join or leave.
Set DefaultAccessLevel to Quarantine. This means that any unknown device for which there are no rules or exemptions will be caught by this global setting. Users will be notified that the device is in quarantine. Administrators will be notified that the device is in quarantine. Additionally, if a brand new device is released, it is not automatically allowed access. The administrators can review the request and determine how best to proceed.
An example of this configuration is shown below:
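As an added example (this is not the original post's screenshot), the Exchange Management Shell commands below apply the three recommendations above and then check what the new default does to devices that connect afterwards. The help text, the FAQ URL, the IT-EAS-Admins@contoso.com group address, the jdoe mailbox and the device ID are all placeholders; the cmdlets and property names are the real Exchange 2010/2013 ones.

```powershell
# Added example, not part of the original post. Placeholder values are
# marked as such; replace them with your own before running.

# 1. Custom text appended to the standard quarantine notification sent to
#    the user (help text and URL are assumptions).
$helpText = 'Your device has been quarantined pending IT approval. ' +
            'See http://intranet/eas-faq or call the Service Desk on x1234.'

# 2. Notify a distribution group rather than named admins, so joiners and
#    leavers never require another change to the organization settings.
#    Default level becomes Quarantine: unknown devices wait for review.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -UserMailInsert $helpText `
    -AdminMailRecipients 'IT-EAS-Admins@contoso.com'   # assumed group address

# 3. Confirm the settings took effect.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, UserMailInsert, AdminMailRecipients

# 4. Devices that hit the global default now report DeviceAccessState
#    Quarantined with DeviceAccessStateReason Global. Use Get-MobileDevice
#    instead of Get-ActiveSyncDevice on Exchange 2013.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceId,
                 DeviceAccessStateReason -AutoSize

# 5. After review, approve one device for one user (mailbox and DeviceId
#    are placeholders). A per-mailbox allowed device ID is an exemption that
#    takes precedence over the global DefaultAccessLevel.
Set-CASMailbox -Identity 'jdoe' -ActiveSyncAllowedDeviceIDs @{Add = 'ABC123DEF456'}
```

Step 4 is the check worth repeating on a schedule: if the quarantine list keeps filling with the same make and model, that is the signal to create a device access rule for it rather than approving devices one at a time.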
You may very well have a different approach or methodology, and that is perfectly understandable!
When Should This Be Changed
Ideally the default Exchange ActiveSync organization settings should be changed immediately after deploying Exchange and prior to allowing users to access the service via Exchange 2010 or 2013. This ensures that unwanted devices are not allowed to connect into Exchange.
It also means that you are not introducing the issue that we will see in the next blog post.