The default settings in Exchange 2010 and 2013 allow any user to synchronise any device. Depending upon your organisation's viewpoint this default may not be optimal. Ideally this should have been changed when Exchange 2010 or 2013 was first deployed. Doing so would have ensured that the appropriate device rules were created and that unwanted devices would never have been able to connect to Exchange.
Normally that is not how the cookie has crumbled…..
This is the second post in a three part series. The other posts are:
-
Impact of changing ActiveSync DefaultAccesslevel (this post
Default ActiveSync Organization Settings
The default ActiveSync settings which look like the below, are left untouched on many customers that I visit. These customers are not availing themselves of Exchange 2010 & 2013’s Allow/Block/Quarantine features. This is a shame as they are potentially opening themselves up to issues where unwanted devices can connect to the corporate infrastructure.
Note that the big red arrow indicates that the DefaultAccessLevel is set to Allow. This is the default. Also note that the UserMailInsert, AdminMailRecipients and OtaNotificationMailInsert fields are all empty by default.
Life is all good and devices are connecting without issue until at some point there is an issue, or a discussion happens where the organization then wants to change the settings Allow to either Quarantine or Block.
What happens then to devices that were previously connected? Do they continue to work as before? Do you think they will be locked out?
Let’s find out….
Initial Starting Point
Our guinea pig test account user-50@tailspintoys.ca has a Windows Phone 8.1 device that was configured when the default ActiveSyncOrganization settings were at the default value of Allow. This allowed them to successfully connect and synchronise their mobile phone.
User-50@tailspintoys.ca has successfully setup their own device using EAS and the device was configured using Autodiscover. We can see the process in the below screenshots from the device.
If we use Get-ActiveSyncDevice cmdlet the device details are shown below. Note that the IMEI and DeviceID have been edited/redacted.
At this point the device is connected, and the user can send and receive email.
Let’s change the default AccessLevel from Allow to Quarantine, and see what happens.
What will happen if we change it? Will existing devices still continue to work since they were already connected to Exchange?
Changing Default Access level From Allow To Quarantine
As noted above the default access level is Allow. This will allow any user to synchronise any device.
At a later point management decides that only individually approved devices should be connected to the environment, but all existing ones are to be grandfathered in.
The admins made the following changes in Exchange Management Shell to tweak additional EAS settings;
Set-ActiveSyncOrganizationSettings -UserMailInsert "Welcome to Tailspintoys. Your request is being reviewed."
Set-ActiveSyncOrganizationSettings -AdminMailRecipients EASAadmins@Tailspintoys.ca
Set-ActiveSyncOrganizationSettings -OtaNotificationMailInsert "Please update to Windows Phone!!!"
And then they make the change the DefaultAccessLevel. This is the critical aspect of this post:
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
The change is highlighted in the above red box.
To ensure that CAS immediately reloads the configuration, IISRESET was executed.
Now that the DefaultAccessLevel was changed from Allow to Quarantined, what was the Impact?
Impact Of Changing DefaultAccessLevel
Some may think that since the device was previously synchronising, it should continue to do so even after changing the DefaultAccesslevel. However there is currently no rule which allows the device to connect as the DefaultAccessRule no longer allows the device to access Exchange, thus the device is now in a quarantine state. Get-ActiveSyncDevice reflects the change:
And the end user is also informed. Note that the highlighted red text is the custom quarantine message that was configured above. This does not exist by default.
Why did this happen, and why should we expect to behave this way?
Exchange 2010 ActiveSync Access Process
Exchange has a deterministic process which is used to control device access. Every device can be either allowed, blocked, or quarantined (ABQ). Administrators can define the access state of each device through an organizational rule or through an exemption. An exemption is a rule that's applied to a single user or single device.
These checks occur each time an Exchange ActiveSync request is received from a mobile device that's trying to synchronize data. The sequence of challenges includes the following steps:
-
Is the mobile device authenticated? If not, challenge the mobile device for the correct credentials. Otherwise, go on to the next step.
-
Is Exchange ActiveSync enabled for the current user? If not, return an "access restricted" error to the device. Otherwise, go on to the next step.
-
Are the mobile policy enforcement criteria met by the current mobile device? If not, block access. Otherwise, go on to the next step.
-
Is this mobile device blocked by a personal exemption for the user? If so, block access. Otherwise, go on to the next step.
-
Is this mobile device allowed by a personal exemption for the user? If so, grant full access. Otherwise, go on to the next step.
-
Is this mobile device blocked by a device access rule? If so, block access. Otherwise, go on to the next step.
-
Is this mobile device quarantined by a device access rule? If so, quarantine the device. Otherwise, go on to the next step.
-
Is this mobile device allowed by a device access rule? If so, grant full access. Otherwise, go on to the next step.
-
Apply the default access state per the Exchange ActiveSync organizational settings. This grants access, blocks access, or quarantines the current device, depending on the organizational settings.
If there are no device rules or personal exemptions, all device access is controlled by step # 9 in the above list. This is the reason that any user can synchronise any device by default, and also the reason why changing it has impact against all devices that are currently synchronising against Exchange.
Access to Exchange ActiveSync can be controlled by either:
- Personal exemptions for a given user.
- Device rules which apply organization-wide and allow mobile device families or specific models.
- Global default access state for all devices that don't belong in another category.
How do you know which one applied to a given user? Look at the DeviceAccessStateReason, it will provide the necessary details.
One final aspect to mention is that Get-ActiveSyncDevice is being depreciated. The cmdlet is in Exchange 2013, but we should start to transition to Get-MobileDevice now. This post uses the older cmdlet as it is present in both Exchange 2010 and 2013.
In the third instalment of this series we will look at how to change DefaultAccesslevel with minimal impact to users and the devices that they have connected to Exchange.
Cheers,
Rhoderick
Your articles for implementing Mobile Device whitelisting were extremely helpful and would have been easy to follow even an amateur. You have a gift for explaining things well.
Thank you very much for the sharing!