
© Copyright 2012 Paul Cunningham, LockLAN Systems Pty Ltd

The right of Paul Cunningham, LockLAN Systems Pty Ltd to be identified as author and copyright
owner of this work is asserted by Paul Cunningham, LockLAN Systems Pty Ltd in accordance with
Australian copyright laws as determined by the Australian Copyright Council.

Copyright extends to any and all countries in which this publication is purchased and/or viewed
and/or read.

The Beginner’s Guide to Exchange Server 2010 ActiveSync by Paul Cunningham is licensed under a
Creative Commons Attribution-Share Alike 2.5 Australia License.

You may keep a copy of this document for your own personal use. You may share this document
with your friends, family, colleagues, and other personal contacts.

You may share this document WITH ATTRIBUTION and WITHOUT MODIFICATION using email, web
forums, your blog, or website provided you do not charge any fee for this document.

ATTRIBUTION means attributing Paul Cunningham as the author and owner of this document and
providing a link to http://exchangeserverpro.com when sharing this document.

In other words, if you’re going to redistribute this document to other people I would appreciate it if
you link back to my website when doing so.

The purchaser of this publication indemnifies Paul Cunningham and LockLAN Systems Pty Ltd and its
directors, officers, employees and agents from and against all losses, claims, damages and liabilities
which arise out of any use of this publication and/or any application of its content.

About the Author

Paul is a Microsoft Exchange Server MVP and is the publisher of Exchange Server
Pro.

He is also an MCP, MCSA, MCSE, MCTS, and an MCITP for Exchange Server
2007/2010. Connect with Paul on Twitter, LinkedIn and Google+.
Table of Contents
About this Guide ..................................................................................................................................... 1
Introduction to Exchange ActiveSync ..................................................................................................... 2
Direct Push .......................................................................................................................................... 2
Autodiscover ....................................................................................................................................... 2
ActiveSync Mailbox Policies ................................................................................................................ 3
Exchange ActiveSync Compatible Devices .......................................................................................... 3
Where Are You Up to Now? .................................................................................................................... 4
Getting Started with ActiveSync Configuration ...................................................................................... 8
SSL Certificates .................................................................................................................................... 8
Do You Need a New SSL Certificate? .............................................................................................. 9
Creating an SSL Certificate Request .............................................................................................. 10
Obtaining the New SSL Certificate ................................................................................................ 14
Installing the New SSL Certificate ................................................................................................. 15
Importing the SSL Certificate to Additional Client Access Servers................................................ 17
Enabling the SSL Certificate for Exchange Services....................................................................... 18
Autodiscover Requirements for ActiveSync ..................................................................................... 21
DNS Records for Autodiscover ...................................................................................................... 22
Firewall Requirements for Autodiscover ...................................................................................... 23
External URL Configuration for ActiveSync ....................................................................................... 24
Firewall Requirements for ActiveSync .............................................................................................. 26
SSL Requirements for ActiveSync ..................................................................................................... 26
IIS and Authentication Requirements for ActiveSync ....................................................................... 27
Milestone – ActiveSync Passes the ExRCA Test ................................................................................ 27
Administering ActiveSync in Exchange Server 2010 ............................................................................. 28
Exchange Management Console....................................................................................................... 28
Exchange Control Panel .................................................................................................................... 30
Exchange Management Shell ............................................................................................................ 31
Controlling User and Device Access to Exchange ActiveSync ............................................................... 32
Device Access States ......................................................................................................................... 32
How Device Access State is Determined........................................................................................... 33
Configuring Authentication............................................................................................................... 34
Basic Authentication ..................................................................................................................... 34
Certificate Authentication............................................................................................................. 37
Token-Based Authentication......................................................................................................... 37
Enabling/Disabling ActiveSync for Mailbox Users ............................................................................ 38
Enabling/Disabling ActiveSync using the Exchange Management Tools ...................................... 38
Using the Cmdlet Extension Agents to Disable ActiveSync by Default ......................................... 40
Configuring ActiveSync Mailbox Policies .......................................................................................... 41
Managing ActiveSync Mailbox Policies in the Exchange Management Tools .............................. 43
Examples of ActiveSync Mailbox Policies...................................................................................... 45
Configuring Personal Allow/Block Exemptions ................................................................................. 46
Allowing/Blocking a Mobile Device using the Exchange Control Panel ........................................ 47
Allowing/Blocking a Mobile Device using the Exchange Management Shell ............................... 48
Configuring Device Access Rules ....................................................................................................... 50
Managing Device Access Rules in the Exchange Management Tools ........................................... 50
Example of Device Access Rules ................................................................................................... 52
Configuring the Default Access Level ................................................................................................ 53
Dealing With Existing Devices When Changing the Default Access Level .................................... 55
Summary of Device Access ............................................................................................................... 56
Performing a Remote Wipe of a Mobile Device ................................................................................... 58
User-Initiated Remote Wipe ............................................................................................................. 58
Administrator-Initiated Remote Wipe .............................................................................................. 61
Performing a Remote Wipe Using the Exchange Management Console ..................................... 61
Performing a Remote Wipe Using the Exchange Control Panel ................................................... 63
Performing a Remote Wipe Using the Exchange Management Shell........................................... 64
Other Considerations for Remote Wipes ...................................................................................... 65
Exchange ActiveSync Reports ............................................................................................................... 68
Retrieving Individual Device Statistics .............................................................................................. 68
Retrieving Aggregate Usage Data Using the Exchange Management Shell ..................................... 69
Generating Reports with Log Parser Studio ...................................................................................... 70
Summary ............................................................................................................................................... 71
Beginner’s Guide to Exchange Server 2010 ActiveSync

About this Guide


Today’s workforce is not the same as it was 10 years ago. Today many employees of businesses own
better technology and more powerful mobile devices than what a business is able to provide.

It is no surprise then that a “bring your own device” model is so attractive. Many IT departments are
feeling this pressure both from the top of the organization structure and from the bottom.

In particular, more and more staff want to use their personal smartphones and tablet computers for
convenient access to email while they are out of the office.

This trend presents some challenges for IT departments.

• Security – how can we allow personal devices to access the company network safely and
securely?
• Management – how can we manage the devices that are connected to the company
network?
• Costs – how can we make BYOD possible without expensive consulting services or vendor
products?

The good news for those of us who are running Microsoft Exchange Server 2010 is that we already
have a large portion of the solution in place. Therefore we only need to work out how to take an
existing Exchange Server 2010 environment and use it to deliver secure mobile device access.

This guide will show you how.

Because I am assuming that you already have Exchange Server 2010 deployed for your organization I
will not be describing how to install Exchange 2010 in this guide.

If you are planning to introduce Exchange 2010 into your existing Exchange organization I invite you
to check out these migration guides:

• Exchange Server 2003 to 2010 Migration Guide
• Exchange Server 2007 to 2010 Migration Guide


Introduction to Exchange ActiveSync


Exchange ActiveSync is Microsoft’s solution for enabling mobile devices such as smart phones to
securely access their email, calendar, contacts and tasks from remote networks.

Exchange ActiveSync is a feature of Exchange Server 2010 that is installed by default when you install
the Client Access server role. The Client Access server role is mandatory, so all Exchange 2010
environments have at least one running.

This is one of the greatest strengths of Exchange ActiveSync: it is a built-in feature of Exchange
that does not require additional licenses, servers, or software products to be installed in your
network or on the end user devices.

This is especially true for smaller organizations who want the convenience of mobile email access for
their staff without having to incur significant additional costs.

With Exchange ActiveSync businesses get the benefits of:

• Secure mobile access to email, calendar, contacts and tasks
• Policy-based control over devices and data, including features such as remote wipe
• Support for a wide range of consumer smart phones and devices, keeping costs down by
allowing users to utilize their own personal mobile devices

Let’s take a more detailed look at the features of Exchange ActiveSync.

Direct Push
Direct Push is an attractive feature for mobile users because it allows a device to be updated
instantly when new content is ready to be synchronized.

Although the name “Direct Push” suggests that the server initiates a connection when new content
is available, it is the mobile device itself that makes the initial HTTPS request but with a long timeout
period of 15 minutes.

If the mailbox receives a new item the server responds to the pending HTTPS request. If the 15 minute
timeout lapses without new content the device simply opens a new HTTPS request, and the cycle repeats.

Autodiscover
Similar to the way Autodiscover allows an Outlook profile to be automatically configured for a new
mailbox user, it also simplifies the configuration of a new mobile device for connectivity to a user’s
mailbox.

This helps reduce administrative effort and costs by allowing a user to set up their mobile device to
receive email simply by entering their email address and password. However, there are a few tasks
for the Exchange administrator to perform first to make sure that Autodiscover will work correctly.


ActiveSync Mailbox Policies


Exchange ActiveSync mailbox policies allow administrators to define a set of features and security
settings once and apply it consistently to a group of users.

This includes settings such as whether email attachments can be downloaded to devices, whether
devices require a password to unlock them, and how many days’ worth of mailbox content to keep
synchronized on the device.
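As an added example (not from the guide), the three kinds of setting just described expressed as one ActiveSync mailbox policy in the Exchange Management Shell and applied to one group of users. The policy name "Sales Mobile Policy" and the distribution group "Sales Staff" are assumed.

```powershell
# Added example, not from the guide: one ActiveSync mailbox policy covering the
# three kinds of setting described above (attachment download, device password,
# how much mail is kept on the device), applied to one group of users.
# Assumed names: policy "Sales Mobile Policy" and distribution group "Sales Staff".

$policyName = "Sales Mobile Policy"
$groupName  = "Sales Staff"

# Create the policy only if it does not already exist.
$policy = Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue
if ($policy -eq $null) {
    $settings = @{
        Name                            = $policyName
        AttachmentsEnabled              = $false        # attachments are not downloaded to the device
        DevicePasswordEnabled           = $true         # the device must have an unlock password
        MinDevicePasswordLength         = 6
        MaxInactivityTimeDeviceLock     = "00:05:00"    # lock after 5 minutes without user input
        MaxDevicePasswordFailedAttempts = 8             # device wipes itself after 8 failed attempts
        MaxEmailAgeFilter               = "TwoWeeks"    # keep two weeks of mail synchronized
        AllowNonProvisionableDevices    = $false        # refuse devices that cannot enforce the policy
    }
    $policy = New-ActiveSyncMailboxPolicy @settings
}

# Assign the policy to every mailbox in the group. Set-CASMailbox is keyed by
# mailbox identity, so the group members are resolved to mailboxes first.
$members = Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.RecipientType -eq "UserMailbox" }
foreach ($member in $members) {
    Set-CASMailbox -Identity $member.PrimarySmtpAddress.ToString() -ActiveSyncMailboxPolicy $policy.Identity
}

# Verify: each member should now show the policy name and ActiveSyncEnabled = True.
$members | ForEach-Object { Get-CASMailbox -Identity $_.PrimarySmtpAddress.ToString() } |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize
```

Devices that cannot enforce every setting in the policy are refused by AllowNonProvisionableDevices = $false, so test the policy against each device type you intend to support before rolling it out.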

Exchange ActiveSync Compatible Devices


The consumer market for smartphones and tablets has led to a wide variety of devices being
available. Many of these support Exchange ActiveSync to varying degrees.

The big three mobile device operating systems are:

- Apple iOS (for iPhone and iPad)
- Google Android
- Microsoft Windows Phone

Each of these operating systems has multiple versions running in the hands of consumers today.

Although they all support the basic features of ActiveSync (e.g. direct push, Autodiscover, remote
wipe) they begin to vary in their support of other features (e.g. Windows Phone 7.5 supports tasks
sync, but 7.0 does not).

It would be an impossible task to describe all of the differences here, not to mention keep up to date
with the changes. However you can refer to this Wikipedia page if you need to find out more details.

- Comparison of Exchange ActiveSync Clients [1]

To make things a little easier on us Microsoft has developed the Exchange ActiveSync Logo
Program [2].

“The program specifies features and management policies an OEM must include in its Exchange
ActiveSync client to ensure an enterprise-ready experience for end users. These functional
requirements can also help address the concerns of the IT professional, who must deal with an
increasing number of consumer-purchased devices connecting to Exchange.”

Aside from being a current licensee of Exchange ActiveSync, to qualify for the EAS Logo Program the
following feature requirements must be met by the vendor:

- Use Exchange ActiveSync v14 or later
- Direct Push email, contacts & calendar
- Accept, Decline & Tentatively Accept meetings
- Rich formatted email (HTML)
- Reply/Forward state on email

[1] http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients
[2] http://technet.microsoft.com/en-us/exchange/gg187968.aspx

- GAL Lookup
- Autodiscover
- ABQ strings provided: device type and device model
- Remote Wipe
- Password Required
- Minimum Password Length
- Timeout without User Input
- Number of Failed Attempts

Read more about the Exchange ActiveSync logo program here.

Where Are You Up to Now?


Before we go any further let’s take a look at where your Exchange Server 2010 environment is up to
as far as ActiveSync configuration goes.

A quick way to get a feel for where you currently stand is to use the Microsoft Remote Connectivity
Analyzer (also known as the ExRCA), which can be found online at
https://www.testexchangeconnectivity.com/ [3].

To test your current configuration, start the Exchange ActiveSync test.

[3] https://www.testexchangeconnectivity.com/

Fill out the email address, user name, and password details for a mailbox user in your Exchange
environment.

Some people don’t like the idea of entering password details into a website such as this. Be assured it
is genuinely owned and operated by Microsoft and I personally consider it safe to use.

However if it makes you feel more comfortable create a test user first, use it for the testing, and then
you can disable or delete it afterwards. In fact, that is exactly what Microsoft recommends, which
you should see written at the bottom of the ExRCA page.

There is also a CAPTCHA to fill out to prove that you are a human being.

When all the details have been filled out click on Perform Test to begin.


Whoops! Something is wrong with my configuration.

This is where the ExRCA really shines, helping you to diagnose exactly where things went wrong with
the test.

Begin expanding the test results until you are able to drill right down to the reason for the failed
test.

In my case the root cause is this.


Looks like my SSL certificate is not trusted.

A likely cause is that I am using a self-signed certificate, or perhaps one that was issued by my
private certificate authority and is not trusted by clients that aren’t members of my Active Directory
domain (which the ExRCA obviously is not).

In your own tests you might see other errors or warnings, or you might see a completely 100%
successful test.

In fact I can repeat my test, but this time I will tell the tool to ignore SSL trust issues.

Now my test is successful.

The SSL trust issue is one of the more common problems that a default Exchange Server
configuration will show up during the ExRCA test.

Another common issue is Autodiscover failure, which can be caused by a number of different default
or misconfigured settings.


But instead of trying to cover every possible reason you might be seeing ExRCA test failures, let’s use
the ExRCA test as a framework for walking through the configuration of ActiveSync in an Exchange
Server 2010 environment.

Getting Started with ActiveSync Configuration

SSL Certificates
There are a lot of different parts to a working ActiveSync configuration but one of the most
important is the SSL certificate.

Without a valid SSL certificate installed you can expect ActiveSync to fail.

For an SSL certificate to be valid it has to meet the following three criteria:

• Match the name of the server that is being connected to (e.g. mail.exchangeserverpro.net)
• Be issued by a trusted certificate authority
• Be within its validity period (i.e. the time window between date of issue and expiration date)

Exchange Server 2010 makes several services available over HTTPS, and these services can have
different names (or URLs) associated with them.

The names on the SSL certificate installed on the Exchange server need to include all of those
internal and external names that clients and devices will be connecting to over HTTPS.


This includes:

• The fully qualified domain name (FQDN) of the server itself (e.g.
ex2010.exchangeserverpro.net)
• The Autodiscover name for each of the primary SMTP namespaces that are assigned to
mailbox users (e.g. autodiscover.exchangeserverpro.net)
• The names of any external URLs for services such as ActiveSync (e.g.
mail.exchangeserverpro.net)

In the simplest scenario of a single server named “ho-ex2010-mb1”, using the same external URL for
all of the services, and a single primary SMTP namespace of “exchangeserverpro.net”, the SSL
certificate would need to include at a minimum these names:

• mail.exchangeserverpro.net
• ho-ex2010-mb1.exchangeserverpro.net
• autodiscover.exchangeserverpro.net

Do You Need a New SSL Certificate?


If the SSL certificate currently installed on your Exchange server does not meet all of the
requirements then you will need to generate a new SSL certificate request, submit it to a certificate
authority, and install the certificate they issue to you on your Exchange server.

In this example the server HO-EX2010-MB1, which is currently the internet-facing Client Access
server, only has the default self-signed SSL certificate from when Exchange was first installed on the
server.


Opening the properties of the certificate and looking at the “Subject Alternative Name” details we
can see it does not have all of the required names.

So the next step will be to install a valid SSL certificate on the Exchange server.

Creating an SSL Certificate Request


In the Exchange Management Console navigate to Server Configuration, then right-click the server
and start the New Exchange Certificate wizard.


Give the certificate a friendly name and click Next to continue.

Do not choose to configure a wildcard certificate [4], and click Next to continue.

An expandable series of settings are presented for you to enter the names that you want to be
included in the certificate request.

Note that even though we are only discussing ActiveSync in this guide, the SSL certificate also needs
to include any other Client Access server names or names for external URLs of other services if you
are choosing to publish them on different names (e.g. OWA on webmail.exchangeserverpro.net and
ActiveSync on mobile.exchangeserverpro.net).

If you aren’t sure about this then the general rule is to use as few names as possible. Unless you
have identified a specific need to publish different services using different external names then using
the same name should be fine.

[4] http://exchangeserverpro.com/exchange-2010-wildcard-ssl-certificates

When you click Next to continue a consolidated list of names is presented for final review. If you
have a single server the list will be fairly short, but if you have multiple servers then there will be
more names on the list.

In my example below I’ve included all of the Client Access servers in my organization, including an
Exchange 2007 server that still exists.

You can also consider provisioning separate SSL certificates for each individual server, however it is
generally recommended to use as few certificates as possible. This tends to be less effort as well as
a lower cost to your organization.

When you’re happy with the names click Next to continue.

Enter the organization details, and then click Browse. Choose a folder and file name to save the
certificate request file. You’ll need to remember where it is so that you can locate it during one of
the next steps.

Click Next to continue. Then click New to generate the request with all of the details you chose
during the wizard.


You’ll notice that after generating the certificate request the wizard briefly outlines the next steps
that need to be performed. We’ll continue with those next.

Finally, click Finish to close the wizard.


Obtaining the New SSL Certificate


There are two options when it comes to choosing a certificate authority for obtaining your new SSL
certificate.

• Use a commercial certificate authority
• Use a private certificate authority

A lot of organizations run their own PKI infrastructure already and may be tempted to use their
private CA to issue the SSL certificate for their Exchange server.

While this may save some money for the business, it creates a few problems as well.

The main issue is that the private CA is not trusted by the mobile devices that your end users are
using to access their email, so the device will prompt the user with a certificate warning.

You could tell your end users to ignore the warning, but that sets a terrible precedent and trains
them to ignore legitimate security warnings.

You could also import the root certificate from your CA into each device, but that is a lot of effort
and therefore is not very cost effective.

The recommended approach is to purchase a certificate from a commercial certificate authority. You
can shop around for one that suits you, but I generally recommend Digicert [5] for their pricing
structure, licensing terms, as well as flexibility with the process for re-issues of certificates if you
make a mistake.

Choose a CA that suits you and go through their purchasing process, submitting the certificate
request you created on your Exchange server.

[5] http://www.digicert.com/unified-communications-ssl-tls.htm

Installing the New SSL Certificate


Download the certificate that your chosen CA issues to you and copy it to a location where you’ll be
able to access it for the next steps.

Return to the Exchange Management Console and look for the certificate that has a status of “This is
a pending certificate signing request (CSR)”.

Right-click the certificate and choose Complete Pending Request.

Browse to the folder where the certificate is located and select it, then click Complete.


Click Finish to close the wizard.

The certificate status should change to “The certificate is valid for Exchange Server usage”.

If it does not, refer to the following article for one possible cause and solution:

• Exchange Server 2010 “The Certificate is Invalid for Exchange Server Usage” Error [6]

[6] http://exchangeserverpro.com/exchange-server-2010-certificate-invalid-for-exchange-server-usage-error

Importing the SSL Certificate to Additional Client Access Servers

If you chose to include other Client Access server names in the certificate then you can also import
the new certificate to those servers. If you only have a single Client Access server then you can skip
this section.

Right-click the certificate and choose Export Exchange Certificate.

Click Browse and choose a location and filename to export the certificate to. Enter a password, and
then click Export.

When the export has completed click Finish.

Next, right-click one of the other Client Access servers and choose Import Exchange Certificate.


Click Browse and select the exported certificate. Enter the password that you used during the
export, and click Next to continue.

If you want to import the certificate to more than one Client Access server you can click Add and
choose the additional servers as well. When you’ve added all of the desired servers click Next to
continue.

Click Import to continue.

When the import has completed successfully click Finish.

Enabling the SSL Certificate for Exchange Services


With the new certificate installed the final step is to enable it for services on the Exchange Server.
Right-click the certificate and choose Assign Services to Certificate.


Again if you have multiple servers you can click Add to perform the configuration on all of them at
once.

For ActiveSync the only required service to select is Internet Information Services (IIS). You can
choose other services as well if the certificate also includes the names you are using for them. Click
Next to continue.


Click Assign to continue.

Click Finish to close the wizard.

The new SSL certificate has now been assigned to the Exchange services that you specified.
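As an added example (not from the guide), the same request, complete, enable and export/import steps the wizards above perform, done in the Exchange Management Shell, followed by a check that the certificate IIS now uses covers every name from the single-server scenario. The server names HO-EX2010-MB1 and HO-EX2010-CAS2, the organization details and the C:\Certs file paths are assumptions.

```powershell
# Added example, not from the guide: the certificate steps from the wizards
# done in the Exchange Management Shell, plus a final check against the three
# validity criteria (names, trust, validity period) that the guide lists.
# Assumed: servers HO-EX2010-MB1 and HO-EX2010-CAS2, the organization details
# in the subject, and the C:\Certs paths. The names are the guide's example.

$primaryCas    = "HO-EX2010-MB1"
$otherCas      = "HO-EX2010-CAS2"
$requiredNames = @(
    "mail.exchangeserverpro.net",          # external URL used for ActiveSync
    "ho-ex2010-mb1.exchangeserverpro.net", # FQDN of the server itself
    "autodiscover.exchangeserverpro.net"   # Autodiscover name for the primary SMTP namespace
)
$requestFile = "C:\Certs\exchange.req"
$issuedFile  = "C:\Certs\exchange.cer"
$exportFile  = "C:\Certs\exchange.pfx"

# Step 1: generate the request. The first name becomes the subject (CN) and
# every name goes into the Subject Alternative Name extension.
$request = New-ExchangeCertificate -Server $primaryCas -GenerateRequest `
    -FriendlyName "Exchange 2010 ActiveSync" `
    -SubjectName "CN=$($requiredNames[0]),O=Exchange Server Pro,L=Brisbane,S=QLD,C=AU" `
    -DomainName $requiredNames `
    -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path $requestFile -Value $request
# Submit $requestFile to the chosen CA and save the issued certificate as $issuedFile.

# Step 2: complete the pending request with the certificate the CA issued.
$cert = Import-ExchangeCertificate -Server $primaryCas `
    -FileData ([byte[]](Get-Content -Path $issuedFile -Encoding Byte -ReadCount 0))

# Step 3: enable it for IIS, the only service ActiveSync requires.
Enable-ExchangeCertificate -Server $primaryCas -Thumbprint $cert.Thumbprint -Services IIS

# Step 4 (only with more than one Client Access server): export with the private
# key, import on the other server, and enable it there as well.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$pfx = Export-ExchangeCertificate -Server $primaryCas -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPassword
Set-Content -Path $exportFile -Value $pfx.FileData -Encoding Byte
Import-ExchangeCertificate -Server $otherCas -Password $pfxPassword `
    -FileData ([byte[]](Get-Content -Path $exportFile -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Server $otherCas -Services IIS

# Step 5: check the certificate IIS now uses on each server against the three
# criteria: all required names present, status Valid (trusted chain), not close
# to expiry. Any warning here means the ExRCA test is likely to fail.
foreach ($server in @($primaryCas, $otherCas)) {
    $iisCert = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services.ToString() -match "IIS" } | Select-Object -First 1
    if ($iisCert -eq $null) { Write-Warning "$server : no certificate is enabled for IIS"; continue }
    $certNames = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
    $missing   = $requiredNames | Where-Object { $certNames -notcontains $_.ToLower() }
    if ($missing) { Write-Warning ("$server : certificate lacks names: " + ($missing -join ", ")) }
    if ($iisCert.Status -ne "Valid") { Write-Warning "$server : certificate status is $($iisCert.Status)" }
    if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "$server : expires $($iisCert.NotAfter)" }
    Write-Host "$server : IIS certificate $($iisCert.Thumbprint) checked"
}
```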


Autodiscover Requirements for ActiveSync


Mobile devices that are connecting to Exchange ActiveSync are able to use the Autodiscover service
to detect and automatically configure the correct server settings.

The ExRCA website gives us the option to use Autodiscover or to use manual server settings (some
organizations prefer not to publish Autodiscover externally, while others may simply not have gotten
around to publishing it yet).

When Autodiscover is working, on a device such as an iPhone all the end user needs to do is enter
their email address, username and password when adding a new email account to their mobile
device.

Here is an example of the iPhone screen where these settings are entered.

After tapping Next the iPhone connects to Autodiscover to determine which server settings the
account should be configured with. In the screenshot below the iPhone has automatically
determined that “mail.exchangeserverpro.net” is the server name to connect to for this user.


But how does it know where to connect?

DNS Records for Autodiscover


The device simply takes the email address “alan.reid@exchangeserverpro.net” and uses the domain
name from that as the basis for an Autodiscover lookup. We can see this in the output of the ExRCA
test.

As you can see, first the device will check for a DNS A record for the domain name itself, eg
“exchangeserverpro.net”.

If it can’t find one, or if the A record is found but an Autodiscover service can’t be located at that
URL (which is not unusual considering many domain names point to the IP of the server hosting the
organization’s website), then it will next try to find a DNS A record for “autodiscover”, in this case
“autodiscover.exchangeserverpro.net”.

Check your public DNS zone for an “Autodiscover” record. If one doesn’t exist then add an A record of
“autodiscover” in your public DNS zone and point it at the public IP address of your Exchange server.

If mobile devices can’t use Autodiscover then end users will need to manually configure their devices
each time they set up a new email account.

Firewall Requirements for Autodiscover


After the Autodiscover name is resolved in DNS, the next step is connecting on TCP port 443.

So you will also need to make sure in your firewall settings that HTTPS (TCP port 443) is open and
published or NATed to the internet facing Client Access server.

Make sure your firewall is configured so that requests on TCP port 443 on the public IP address used
for “autodiscover” are published to the internet facing Client Access server.

External URL Configuration for ActiveSync


When an Exchange Server 2010 Client Access server is installed the setup wizard offers the option to
configure an external host name for the server. This external host name is then automatically
populated into the External URL for various web services such as OWA and ActiveSync.

However, because it is optional it may not have been entered, and the External URLs would then
need to be manually configured.

It is perfectly acceptable to not enter an external host name during Exchange setup, and to configure
it manually later.

In fact the External URL should be left blank for non-Internet facing Client Access servers.

You can view the External URL in the Exchange Management Console by choosing Server
Configuration → Client Access, and highlighting the internet facing server.

Select the Exchange ActiveSync tab, right-click the Microsoft-Server-ActiveSync virtual directory and
choose Properties.

The External URL setting is in the lower section of the General tab.

If this field is blank then Autodiscover will not know which external host name to provide back to the
mobile device’s query.

So, even if you have Autodiscover itself published correctly to the internet, you also need this
External URL configured for the Autodiscover process to be successful.

When this has been configured correctly the ExRCA will show the URL for ActiveSync that was
returned by Autodiscover, and will then perform a DNS lookup of that name to find the IP address.

Check your public DNS zone for an “A” record matching the name you’re using for your external URL. If
one doesn’t exist then add a new record in your public DNS zone and point it at the public IP address
of your Exchange server.

If mobile devices receive a server name from Autodiscover that they can’t resolve in DNS then they
will fail to connect.
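The same External URL review can be done for every Client Access server at once from the Exchange Management Shell. The following is an added example, not a command from the guide: the external host name is the one used in the guide's screenshots and the internet-facing server name is a placeholder to replace with your own. It reports the current URLs, sets the External URL on the internet-facing server, and clears it on the others, which the guide recommends for servers that are not internet facing.

```powershell
# Added example (not from the guide). Assumptions: the external host name below is on your
# SSL certificate, and $internetFacingServer is the name of your internet-facing CAS server.
$externalHost = "mail.exchangeserverpro.net"   # assumed value from the guide's examples
$internetFacingServer = "HO-EX2010-CAS1"       # placeholder, replace with your server name

# Report the current state. A blank ExternalUrl on the internet-facing server means
# Autodiscover has no ActiveSync host name to hand back to the mobile device.
Get-ActiveSyncVirtualDirectory | Select-Object Server, InternalUrl, ExternalUrl | Format-Table -AutoSize

# Populate the External URL on the internet-facing server only.
# The identity format is "SERVER\Microsoft-Server-ActiveSync (Default Web Site)".
Set-ActiveSyncVirtualDirectory -Identity "$internetFacingServer\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$externalHost/Microsoft-Server-ActiveSync"

# Clear the External URL on every other Client Access server, since they are not
# published to the internet and should not be handed to external clients.
Get-ActiveSyncVirtualDirectory | Where-Object { $_.Server -ne $internetFacingServer } |
    Set-ActiveSyncVirtualDirectory -ExternalUrl $null

# Confirm the result.
Get-ActiveSyncVirtualDirectory | Select-Object Server, ExternalUrl | Format-Table -AutoSize
```

Run this after the SSL certificate has been assigned, since the host name you put in the External URL must match a name on the certificate or the ExRCA SSL check will fail at the next stage.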

Firewall Requirements for ActiveSync


If the ActiveSync URL has been successfully resolved in DNS the ExRCA will attempt a connection on
TCP port 443.

In most cases Autodiscover and the ActiveSync URL will be resolving to the same IP address, so the
same firewall access you’ve configured for Autodiscover will result in a pass for this stage of the
connection attempt as well.

However if for some reason you’ve got the two DNS records pointing to different IP addresses then
you may need to perform further configuration of your firewall to allow the connection to the
ActiveSync URL as well.

SSL Requirements for ActiveSync


Next the ExRCA checks the SSL certificate to make sure it is valid. If you’ve been through the steps in
the earlier section for configuring a valid SSL certificate then this step should also pass.

However, if anything is wrong with your SSL certificate configuration then the ExRCA will tell you
exactly where it encountered a problem, which should lead you to the root cause pretty quickly.
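When the ExRCA is not available (for example when testing from inside a network before the change is published), the DNS, firewall and SSL stages above can be checked from any Windows machine with PowerShell. The script below is an added example and is not part of the guide or of the ExRCA; the host names are the ones used in the guide's examples and the function name is my own. For each name it resolves the A record, attempts a TCP connection on port 443, and completes a TLS handshake so the certificate subject, subject alternative names, expiry and any validation error can be reported, in the same order the ExRCA tests them.

```powershell
# Added example (not from the guide). Host names are assumed values from the guide's
# screenshots; substitute your own SMTP domain and ActiveSync host.
$smtpDomain     = "exchangeserverpro.net"        # assumed
$activeSyncHost = "mail.exchangeserverpro.net"   # assumed, the name Autodiscover returns

function Test-EasEndpoint {
    param([Parameter(Mandatory=$true)][string]$HostName)

    $result = New-Object PSObject -Property @{
        HostName = $HostName; Resolves = $false; Addresses = @(); Port443Open = $false
        CertSubject = $null; CertSans = $null; CertExpires = $null; CertErrors = $null
    }

    # Stage 1: DNS. A name that does not resolve fails before the firewall is reached.
    try {
        $result.Addresses = @([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString })
        $result.Resolves = (@($result.Addresses).Count -gt 0)
    } catch { return $result }

    # Stage 2: TCP 443. A timeout here usually means HTTPS is not published on the firewall.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $tcp.BeginConnect($HostName, 443, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) { return $result }
        $tcp.EndConnect($async)
        $result.Port443Open = $true

        # Stage 3: TLS handshake. The callback records validation errors (name mismatch,
        # expired, untrusted chain) instead of aborting, so the certificate can still be shown.
        $script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:sslErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject = $cert.Subject
        $result.CertExpires = $cert.NotAfter
        # OID 2.5.29.17 is the Subject Alternative Name extension; this is where the
        # ActiveSync and autodiscover names must appear on a multi-name certificate.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if ($san) { $result.CertSans = $san.Format($false) }
        $result.CertErrors = $script:sslErrors.ToString()
        $ssl.Close()
    } catch {
        $result.CertErrors = $_.Exception.Message
    } finally { $tcp.Close() }
    return $result
}

# Autodiscover lookup order from the guide: the bare SMTP domain first, then the
# "autodiscover" host. The ActiveSync host is the name returned in the External URL.
foreach ($name in @($smtpDomain, "autodiscover.$smtpDomain", $activeSyncHost)) {
    Test-EasEndpoint -HostName $name |
        Format-List HostName, Resolves, Addresses, Port443Open, CertSubject, CertSans, CertExpires, CertErrors
}
```

A CertErrors value of None for the autodiscover and ActiveSync names, with both names listed in CertSans, is what a passing ExRCA SSL stage corresponds to. A RemoteCertificateNameMismatch result on the bare domain is normal when that name points at the company website rather than Exchange, which is exactly the case the guide describes above.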

IIS and Authentication Requirements for ActiveSync

The remaining tests include checking for client certificate requirements, HTTP authentication
methods, and finally an ActiveSync session is attempted.

On a default installation of Exchange Server 2010 these should pass with no errors. If you’ve made
any configuration changes that cause an error, again the ExRCA will tell you exactly where it
encountered a problem which should lead you to the root cause quickly.

Milestone – ActiveSync Passes the ExRCA Test


If the ExRCA ActiveSync tests are passing then congratulations! You’ve got a working ActiveSync
configuration.

If you have a mobile device you should now be able to configure an email account on it and have it
successfully connect and download email messages.

Next we’ll dive into some of the other features and configurations available in Exchange Server 2010
ActiveSync, and how you can apply them to meet your business requirements.

Administering ActiveSync in Exchange Server 2010

Exchange Server 2010 provides a number of different ways to perform ActiveSync administration
tasks. Some tasks can be performed using multiple tools, while a few tasks can only be performed in
one particular tool. Therefore it is important to be aware of all of your administration options.

Exchange Management Console


Within the Exchange Management Console there are a few different places where ActiveSync
administration tasks are performed.

At the Organization level there are the ActiveSync Mailbox Policies.

At the Server level there are the SSL certificates, and ActiveSync virtual directory configurations.

And at the Recipient level there are the mobile device management tasks for individual mailboxes.

There is also the ability to enable/disable ActiveSync on a per-mailbox basis.

Exchange Control Panel


The Exchange Control Panel is a web-based administration console that can be accessed via any
Client Access server, for example https://ho-ex2010-mb1.exchangeserverpro.net/ecp

The Exchange Control Panel allows you to manage the organization-wide device access policy,
quarantined devices, device access policies, and ActiveSync mailbox policies.

Exchange Management Shell


Finally there is the Exchange Management Shell that delivers all the benefits of PowerShell and lets
you perform any administrative task for ActiveSync.

[PS] C:\>get-command -noun *ActiveSync*

CommandType Name Definition
----------- ---- ----------
Function Clear-ActiveSyncDevice ...
Function Export-ActiveSyncLog ...
Function Get-ActiveSyncDevice ...
Function Get-ActiveSyncDeviceAccessRule ...
Function Get-ActiveSyncDeviceClass ...
Function Get-ActiveSyncDeviceStatistics ...
Function Get-ActiveSyncMailboxPolicy ...
Function Get-ActiveSyncOrganizationSettings ...
Function Get-ActiveSyncVirtualDirectory ...
Function New-ActiveSyncDeviceAccessRule ...
Function New-ActiveSyncMailboxPolicy ...
Function New-ActiveSyncVirtualDirectory ...
Function Remove-ActiveSyncDevice ...
Function Remove-ActiveSyncDeviceAccessRule ...
Function Remove-ActiveSyncDeviceClass ...
Function Remove-ActiveSyncMailboxPolicy ...
Function Remove-ActiveSyncVirtualDirectory ...
Function Set-ActiveSyncDeviceAccessRule ...
Function Set-ActiveSyncMailboxPolicy ...
Function Set-ActiveSyncOrganizationSettings ...
Function Set-ActiveSyncVirtualDirectory ...
Function Test-ActiveSyncConnectivity ...

We’ll be using all of these administrative tools as we go through the rest of this guide.

One thing you may notice if you skim through a few of the settings in each administrative interface is
a few inconsistencies in the naming of things.

For example, in the Exchange Management Console the ActiveSync Mailbox Policies control such
things as whether devices need passwords, and how much calendar and email content is synced to
the device.

However, in the Exchange Control Panel those same settings are located in a section named
ActiveSync Device Policies.

This won’t cause us any real problems; it is just something to be aware of. As long as you are using
the administrative tool being shown at any stage of this guide then the terminology being used
should be correct.

Controlling User and Device Access to Exchange ActiveSync

Whether or not a user in your Exchange organization is able to access their email using a mobile
device relies on a number of different configurations and policies that can be applied in Exchange
Server.

Device Access States


A mobile device can be in one of five “access states” at any given time.

• Device Discovery – when a mobile device connects to the Exchange server for the first time
it will spend up to 14 minutes in a quarantined state (not quite the same as the quarantine
state below) as the server works out what to do with it.
• Allow – a device in the allow state can synchronize email, calendar, tasks and so on, as long
as it is compliant with the ActiveSync mailbox policy in effect for that mailbox user.
• Block – a device can be in the block state for two reasons:

o A device access rule is preventing the device from connecting. When this happens
the user will receive an email message (that is customizable by the administrator) in
their inbox letting them know that their device has been blocked. We’ll look closer
at device access rules later in this guide.
o The device is not compliant with the ActiveSync mailbox policy in effect for that
mailbox user. We’ll also look closer at mailbox policies later in this guide.

• Quarantine – similar to the block state, a device will be placed in a quarantine state if a
device access rule is configured to quarantine the device type, or if the default access level is
set to quarantine new mobile devices.

When a device is quarantined the user will receive a customizable email message in their
inbox, and will also receive the same message on their mobile device, letting them know
that their device has been quarantined. Again, we’ll take a closer look at device access rules
later in this guide, and also cover the default access level.
• Mailbox Upgrade – this is a temporary state when a mailbox user is moved from an older
version of Exchange Server to an Exchange 2010 mailbox server, so that the device can
update itself for the new version of ActiveSync and be recognized by the server, after which
the device will go into an allow, block, or quarantine state depending on the configuration
policies in place.

The device discovery and mailbox upgrade states are both temporary, and are only applicable under
certain circumstances. Furthermore, they are not states that you directly control through
configurations and policies in Exchange.

So for the remainder of the guide we will only be looking in more detail at the allow, block, and
quarantine access states for mobile devices.

How Device Access State is Determined


Exchange uses a 9-step process for determining the access state of a mobile device.

1. Is the mobile device authenticated?
2. Is the user enabled for ActiveSync?
3. Does the device comply with the ActiveSync mailbox policy in effect for that user?
4. Does the user have a personal exemption that allows the mobile device?
5. Does the user have a personal exemption that blocks the mobile device?
6. Is the device blocked by a matching device access rule?
7. Is the device quarantined by a matching device access rule?
8. Is the device allowed by a matching device access rule?
9. Apply the default access level (allow/block/quarantine) specified in the organization
settings.

This sequence is important to understand, because at several points through the process an
allow/block/quarantine decision can be made that supersedes all subsequent steps.

For example, if a user is not ActiveSync enabled then they will not be able to connect regardless of
whether their particular type of mobile device is allowed to connect.

Or as another example, a user who has a personal exemption that allows their particular mobile
device to connect will be able to do so regardless of an organization-wide device access rule that
quarantines or blocks that device type, and regardless of the default access level configured for the
organization.
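When a device ends up in an unexpected state it helps to see which step of the sequence decided it. The function below is an added example, not part of the guide, that gathers the relevant settings for one mailbox from the Exchange Management Shell and reports, per device, whether the outcome came from the mailbox switch (step 2), a personal exemption (steps 4 and 5), a device access rule (steps 6 to 8) or the organization default (step 9). The mailbox name is from the guide's examples and the function name is my own; it relies on the DeviceAccessStateReason values Global, Individual and DeviceRule that Get-ActiveSyncDeviceStatistics reports.

```powershell
# Added example (not from the guide). Assumes an Exchange Management Shell session and a
# mailbox that already has at least one ActiveSync device partnership.
function Trace-EasAccessState {
    param([Parameter(Mandatory=$true)][string]$Mailbox)

    $cas     = Get-CASMailbox -Identity $Mailbox
    $org     = Get-ActiveSyncOrganizationSettings
    $rules   = Get-ActiveSyncDeviceAccessRule
    $devices = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox

    # Step 2: the per-mailbox switch is evaluated before anything device-specific, so
    # a disabled mailbox refuses every device regardless of rules or exemptions.
    if (-not $cas.ActiveSyncEnabled) {
        Write-Output "$Mailbox : ActiveSync is disabled on the mailbox; all devices are refused at step 2."
        return
    }

    foreach ($d in $devices) {
        $line = "{0} {1} ({2}): {3}" -f $d.DeviceType, $d.DeviceModel, $d.DeviceID, $d.DeviceAccessState

        # Step 3: policy compliance. A device the policy does not allow is refused here,
        # before exemptions and rules are considered.
        $line += "; policy '{0}' status {1}" -f $d.DevicePolicyApplied, $d.DevicePolicyApplicationStatus

        if ($cas.ActiveSyncAllowedDeviceIDs -contains $d.DeviceID) {
            # Step 4: a personal allow wins over every later step.
            $line += "; step 4: personal ALLOW exemption"
        } elseif ($cas.ActiveSyncBlockedDeviceIDs -contains $d.DeviceID) {
            # Step 5: a personal block wins over rules and the default level.
            $line += "; step 5: personal BLOCK exemption"
        } elseif ($d.DeviceAccessStateReason -eq "DeviceRule" -and $d.DeviceAccessControlRule) {
            # Steps 6 to 8: a device access rule matched; show what it matched on and its level.
            $rule = $rules | Where-Object { $_.Name -eq "$($d.DeviceAccessControlRule)" }
            $line += "; steps 6-8: rule '{0}' ({1} = '{2}') -> {3}" -f `
                $rule.Name, $rule.Characteristic, $rule.QueryString, $rule.AccessLevel
        } else {
            # Step 9: nothing more specific applied, so the organization default decided.
            $line += "; step 9: default access level {0} (reason reported: {1})" -f `
                $org.DefaultAccessLevel, $d.DeviceAccessStateReason
        }
        Write-Output $line
    }
}

Trace-EasAccessState -Mailbox "Mary.Hayes"
```

Because step 4 precedes step 5, a device ID that appears in both the allowed and blocked lists of a mailbox is allowed; the function reports it as step 4 for the same reason.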

Let’s step through the stages of determining device access state in a bit more detail, and explore
some of the configuration options that are available to you for controlling each stage of the process.

Configuring Authentication
The first step in determining the device access state is to authenticate the mobile device. There are
three authentication types available for Exchange 2010 ActiveSync:

• Basic Authentication
• Certificate Authentication
• Token-based Authentication

Each has pros and cons associated with it due to the different levels of administrative effort and
financial costs.

Basic Authentication
By default an Exchange 2010 Client Access server is configured to use Basic authentication for
ActiveSync. This means that the user’s login credentials are transmitted in clear text, but as long as
you are using SSL then the credentials are protected by an encrypted communication channel
between the mobile device and the server.

Fortunately SSL is required by default, but some organizations are tempted to disable the
requirement for SSL because they do not want to spend money on a certificate for the server. On top
of that, some mobile devices will allow the user to disable SSL.

This presents a serious risk of the login credentials being compromised when the users are
connecting to Exchange with their mobile devices from an insecure public network, such as a free
wireless connection in a hotel or airport.

My strong recommendation to you is to not disable the SSL requirement for ActiveSync.

You can check your authentication settings in the Exchange Management Console by navigating to
Server Configuration → Client Access, selecting the server you want to configure, and opening the
properties of the ActiveSync virtual directory.

The first thing you should see is the SSL Enabled set to True, and the two URLs using the https://
prefix.

On the Authentication tab you can also confirm that Basic authentication is enabled.

If you see Basic authentication enabled but SSL not required, then user login credentials will be
transmitted in clear text over an unencrypted channel and could be easily compromised on public
networks.

To make your configuration more secure you can re-enable the SSL requirement using the IIS
Manager in Administrative Tools on the server.

Before you proceed with re-enabling the SSL requirement you should verify that your SSL certificate is
the correct type. If you have not already read the chapter of this guide that covers SSL certificates
then I suggest you go back and review it before you proceed with any changes to SSL configurations
in IIS.

Open IIS Manager and navigate to the Microsoft-Server-ActiveSync virtual directory in the Default
Web Site. Look for the SSL Settings icon and double-click to open.

Re-enable the Require SSL checkbox and click Apply.

After this change has been made any clients that were not using SSL will no longer be able to
connect to ActiveSync until they are configured correctly to use SSL. You may receive some support
calls from users who need assistance updating their mobile devices with the correct settings.

This would be a good time to test your ActiveSync configuration again using the ExRCA [7].
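The Basic-authentication-without-SSL condition described above can be checked from the Exchange Management Shell on the Client Access server, which is useful when you have several servers to audit. The script below is an added example, not from the guide: the Exchange side (Basic authentication, URLs) comes from Get-ActiveSyncVirtualDirectory, while the Require SSL setting lives in IIS and is read through the WebAdministration module, assuming the Microsoft-Server-ActiveSync virtual directory is in the Default Web Site as the guide shows. The function name is my own.

```powershell
# Added example (not from the guide). Run on the Client Access server in an Exchange
# Management Shell session; requires the IIS WebAdministration module.
Import-Module WebAdministration

function Get-EasSslState {
    param([string]$Server = $env:COMPUTERNAME)

    $vdir = Get-ActiveSyncVirtualDirectory -Server $Server

    # sslFlags contains "Ssl" when Require SSL is ticked (possibly alongside
    # "SslNegotiateCert" for certificate authentication) and "None" when it is not.
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location 'Default Web Site/Microsoft-Server-ActiveSync' `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    # Some IIS/PowerShell builds return a plain string, others an object with a Value member.
    $sslFlags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    # Match the "Ssl" flag on its own; "SslNegotiateCert" alone does not require SSL.
    $requireSsl = (($sslFlags -split ',') | ForEach-Object { $_.Trim() }) -contains 'Ssl'

    New-Object PSObject -Property @{
        Server      = $Server
        BasicAuth   = $vdir.BasicAuthEnabled
        RequireSsl  = $requireSsl
        ExternalUrl = $vdir.ExternalUrl
        InternalUrl = $vdir.InternalUrl
        # Basic authentication without an SSL requirement is the combination to avoid:
        # credentials would cross the network unencrypted.
        Exposed     = ($vdir.BasicAuthEnabled -and -not $requireSsl)
    }
}

$state = Get-EasSslState
$state | Format-List Server, BasicAuth, RequireSsl, ExternalUrl, InternalUrl, Exposed

if ($state.Exposed) {
    Write-Warning "Basic authentication is enabled without an SSL requirement on $($state.Server)."
    # Equivalent to ticking Require SSL in IIS Manager. As the guide says, confirm the
    # certificate is correct before re-enabling the requirement.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location 'Default Web Site/Microsoft-Server-ActiveSync' `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}
```

Setting sslFlags to Ssl replaces any existing value, so on a server that has certificate authentication configured (see the next section) set the value to "Ssl, SslNegotiateCert" instead, or the client certificate negotiation will be switched off.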

Certificate Authentication
Although many organizations will be satisfied with the security that is provided by using SSL for
ActiveSync connections, some will want a higher level of assurance that only authorized users and
mobile devices will be able to connect to Exchange. This is where certificate authentication comes in.

Rather than cover certificate authentication in depth here, I’m going to recommend that you check
out the article series [8] by Exchange Server MVP Steve Goodman on Configuring Certificate-Based
Authentication for Exchange 2010 ActiveSync.

He includes detailed steps and screenshots to walk you through the complete process.

Token-Based Authentication
Token-based authentication systems can provide two-factor authentication for ActiveSync client
connections as an additional layer of security.

If your organization has an existing token-based authentication system for other external access
(such as OWA or VPN access), you can check the documentation for that system to determine
whether it can also be used with ActiveSync.

Because some token-based systems can’t be used with ActiveSync you may need to make a business
decision about whether to exempt ActiveSync from an existing two-factor authentication security
policy in your organization.

[7] http://www.testexchangeconnectivity.com
[8] http://msexchange.org/articles_tutorials/exchange-server-2010/mobility-client-access/configuring-certificate-based-authentication-exchange-2010-activesync-part1.html

You may choose instead to mitigate the security risks by using certificate authentication (mentioned
in the previous section), limiting ActiveSync to only those devices that support device encryption
features (covered in the later section on mailbox policies), or by limiting ActiveSync access to specific
users (covered in the next section).

Enabling/Disabling ActiveSync for Mailbox Users


After the mobile device has been successfully authenticated, the next item to be assessed is whether
ActiveSync is enabled for the mailbox user.

By default ActiveSync is an enabled feature of all mailboxes in the Exchange organization. However
you may choose to enable or disable it on a per-mailbox basis to meet your security requirements.

Enabling/Disabling ActiveSync using the Exchange Management Tools
Each of the Exchange management tools allows you to enable or disable ActiveSync for a mailbox.

In the Exchange Management Console navigate to Recipient Configuration → Mailbox and open the
properties of the mailbox that you want to configure.

On the Mailbox Features tab you can enable/disable individual mailbox features such as ActiveSync,
by simply highlighting the feature and clicking Disable.

You can also click the Properties button to choose the ActiveSync mailbox policy that applies to the
user. We’ll cover mailbox policies a little later in this guide.

The same management can be performed in the Exchange Control Panel. In the Users & Groups
section search for the mailbox you want to manage, and double-click or highlight and click Details to
open.

This time the setting is not in the Mailbox Features section; rather, it is in the Phone & Voice
Features section. Again you can enable/disable ActiveSync for the mailbox using the available
buttons.

Clicking the Details button will also let you set the ActiveSync mailbox policy (called an “Exchange
ActiveSync device policy” in the Exchange Control Panel), as well as manage the mobile devices
associated with the user. We’ll look further at device management later in this guide.

Finally you can use the Exchange Management Shell and the Set-CASMailbox cmdlet to
enable/disable ActiveSync for a mailbox user.

To disable ActiveSync for a mailbox user:

Set-CASMailbox alan.reid -ActiveSyncEnabled $false

To enable ActiveSync for a mailbox user:

Set-CASMailbox alan.reid -ActiveSyncEnabled $true

Using the Cmdlet Extension Agents to Disable ActiveSync by Default
For those organizations that would like to disable ActiveSync for all users, and then only enable it for
those specific mailboxes that are authorized to use it, it is rather unfortunate that the default setting
on a new mailbox is for ActiveSync to be enabled.

Although this does make sense from the point of view that BYOD is a growing trend, and the easier it
is to deploy technologies such as ActiveSync the lower the cost to businesses, there will always be
those who prefer it the other way around.

Fortunately this need is catered for by a powerful feature of Exchange Server 2010 called the Cmdlet
Extension Agents.

There is a detailed explanation of the Cmdlet Extension Agents on Microsoft TechNet [9], but all you
really need to know is that they are a method for appending additional actions on to existing
Exchange 2010 cmdlets.

A perfect example is appending an action to disable ActiveSync after the New-Mailbox or
Enable-Mailbox cmdlet is run. Effectively this would disable ActiveSync for any new mailbox that is
created in the organization.

[9] http://technet.microsoft.com/en-us/library/dd335067.aspx

This is actually simpler than you might be thinking, and Michel de Rooij has written an article that
demonstrates quickly and easily how to do it.

• Cmdlet Extension Agents Part 2: Postconfiguring Mailboxes [10]

Just pay careful attention to Michel’s example, as he also enables the Single Item Recovery feature
for new mailboxes. If you want to use Michel’s article just for the ActiveSync configuration then you
will need to remove this line from the example XML file that he has published.

Set-Mailbox $alias -SingleItemRecoveryEnabled $true
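For readers who want to see the shape of such a configuration without leaving this guide, the script below is an added example: it is neither the guide's nor Michel de Rooij's file. It writes a minimal Scripting Agent configuration whose only action is to disable ActiveSync after New-Mailbox or Enable-Mailbox completes, then enables the agent. It assumes the $exinstall variable of the Exchange Management Shell, that ScriptingAgentConfig.xml is placed on every Exchange 2010 server before the agent is enabled (the agent is organization-wide and cmdlets fail on a server where the file is missing), and that the new mailbox is readable by Set-CASMailbox on the domain controller the session is using.

```powershell
# Added example (not from the guide). Assumptions: run in the Exchange Management Shell on
# one Exchange 2010 server, then copy the resulting XML file to the same path on every other
# Exchange 2010 server before enabling the agent.
$configPath = Join-Path $exinstall "Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml"

# Single-quoted here-string so $succeeded and $provisioningHandler are written literally;
# they are variables the Scripting Agent supplies when the ApiCall runs.
$config = @'
<?xml version="1.0" encoding="utf-8" ?>
<Configuration version="1.0">
  <Feature Name="DisableActiveSyncByDefault" Cmdlets="New-Mailbox,Enable-Mailbox">
    <ApiCall Name="OnComplete">
      if ($succeeded) {
        # Enable-Mailbox always has -Identity; New-Mailbox always has -Name.
        $id = $provisioningHandler.UserSpecifiedParameters["Identity"]
        if ($id -eq $null) { $id = $provisioningHandler.UserSpecifiedParameters["Name"] }
        if ($id -ne $null) {
          Set-CASMailbox -Identity $id -ActiveSyncEnabled $false
        }
      }
    </ApiCall>
  </Feature>
</Configuration>
'@

Set-Content -Path $configPath -Value $config -Encoding UTF8

# The agent ships disabled; enabling it is an organization-wide change.
Enable-CmdletExtensionAgent "Scripting Agent"
Get-CmdletExtensionAgent "Scripting Agent" | Select-Object Name, Enabled, Priority

# Verification after creating a test mailbox: ActiveSyncEnabled should now read False.
# Get-CASMailbox -Identity "<test mailbox>" | Select-Object Name, ActiveSyncEnabled
```

Authorised users are then switched on individually with Set-CASMailbox -ActiveSyncEnabled $true, exactly as shown in the previous section.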

Configuring ActiveSync Mailbox Policies


As the name suggests, ActiveSync mailbox policies allow you to apply the same settings to multiple
mailbox users. Think of it as being like Group Policy for mobile devices and the users who are
connecting via ActiveSync.

Policy settings can be divided into two groups; those available with the Standard Client Access
License (CAL) for Exchange, and those available with the Enterprise CAL.

There is also a wide variety in the level of support for different policy settings depending on the
mobile device operating system that is being used, and you should refer to the comparison table on
Wikipedia for guidance [11] (however be aware it may not be 100% accurate at all times).

The complete set of mailbox policy items is available on TechNet:

• Understanding Exchange ActiveSync Mailbox Policies [12]

There are two groups of policy items available; those for Standard Client Access Licenses (CALs), and
those for Enterprise CALs. Exchange will not enforce the availability of the standard vs enterprise
CAL features of ActiveSync mailbox policies; the onus is purely on you to ensure you are using the
features in a license-compliant manner.

Standard CAL Policy Items

• Allow non-provisionable devices
• Refresh interval (hours)
• Require password
• Require alphanumeric password
• Enable password recovery
• Require encryption on device
• Require encryption on storage card
• Allow simple password

[10] http://eightwone.com/2012/06/19/postconfiguring-mailboxes-cmdlet-extension-agents-part-2/
[11] http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients
[12] http://technet.microsoft.com/en-us/library/bb123484.aspx

• Number of failed attempts allowed
• Minimum password length
• Time without user input before password must be re-entered (in minutes)
• Password expiration (days)
• Enforce password history
• Include past calendar items
• Include past e-mail items
• Limit e-mail size to (KB)
• Allow Direct Push when roaming
• Allow HTML-formatted e-mail
• Allow attachments to be downloaded to device
• Maximum attachment size (KB)

Enterprise CAL Policy Items:

• Allow removable storage
• Allow camera
• Allow Wi-Fi
• Allow infrared
• Allow Internet sharing from device
• Allow remote desktop from device
• Allow desktop synchronization
• Allow Bluetooth
• Allow browser
• Allow consumer mail
• Allow unsigned applications
• Allow unsigned installation packages
• Allowed Applications
• Blocked Applications

As you consider each available policy item for your own organization make sure that you clearly
understand:

• What the policy item does
• How the policy item is configured in the Default ActiveSync mailbox policy that ships with
Exchange, if you were to make no adjustments to it
• What the default setting of the policy item is if you leave it undefined in an ActiveSync
mailbox policy

One of the most important policy items to pay attention to is whether to allow non-provisionable
devices.

A non-provisionable device is one that does not enforce some policy settings; when the policy allows
non-provisionable devices, such a device will still be allowed to connect to ActiveSync.

Allowing non-provisionable devices can introduce security risks to your environment. For example if
your policy requires a device password, but also allows non-provisionable devices, then a mobile
device may still be able to connect even though it does not have a device password.

Managing ActiveSync Mailbox Policies in the Exchange Management Tools
Each of the Exchange management tools allows you to create and manage ActiveSync mailbox
policies.

In the Exchange Management Console navigate to Organization Configuration → Client Access, and
select the Exchange ActiveSync Mailbox Policies tab.

New policies can be created using the New Exchange ActiveSync Mailbox Policy wizard.

However you will notice that only a subset of the policy items are available in the wizard. The
remaining settings are configurable after the policy has been created.

New policies can also be created in the Exchange Management Shell using the
New-ActiveSyncMailboxPolicy cmdlet.

New-ActiveSyncMailboxPolicy -Name 'International Users EAS Policy' `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MaxInactivityTimeDeviceLock '00:03:00' `
    -MinDevicePasswordLength '4' `
    -PasswordRecoveryEnabled $false `
    -RequireDeviceEncryption $true `
    -AttachmentsEnabled $true `
    -AllowSimpleDevicePassword $true `
    -DevicePasswordExpiration 'unlimited' `
    -DevicePasswordHistory '0'

Policies can also be configured in the Exchange Control Panel, in the Phone & Voice section.
However you will notice that they are called “ActiveSync Device Policies” instead.

Almost all policy items are configurable in the Exchange Control Panel.

Examples of ActiveSync Mailbox Policies


Although some organizations will only ever need a single ActiveSync mailbox policy, and can simply
modify the Default policy to suit their needs, other organizations will find it necessary to configure
multiple policies and assign to them different classes of user.

For example, you may find that three policies are required to meet your various business and
security needs:

Policy: Default
Purpose: Standard mailbox users. Requires provisionable devices and a 4 character password.

Policy: Non-Provisionable Devices
Purpose: Exceptions list for approved users of non-provisionable devices. A written agreement may be
used to require the user to manually configure and maintain their device settings to meet corporate
security requirements.

Policy: High Security Devices
Purpose: Mailbox users who have access to highly sensitive data in their email, for example
executives. Requires provisionable devices, a 6 character password derived from 3 character sets, and
device encryption.

As you can see it is possible to come up with a series of policies to suit your organization’s needs.
Just be aware that policies such as requiring device encryption will impact the variety of devices that
can be used by those users, as not all consumer mobile devices support device encryption.

Also be aware that only one policy can be the default policy assigned to new mailbox users. You may
find it necessary to set the most secure policy as the default and only assign a less secure policy once
the user’s access to sensitive data has been assessed.
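The three policies described above can be built in the Exchange Management Shell in a few commands. The script below is an added example, not from the guide: the policy names and requirements follow the table, the mailbox name comes from the guide's other examples, and the Default policy is modified rather than created because Exchange ships with it. It also shows how the default policy for new mailboxes is switched, which is the "most secure policy as the default" approach the previous paragraph describes.

```powershell
# Added example (not from the guide). Assumes an Exchange Management Shell session.

# Default: provisionable devices only, 4 character password. The Default policy already
# exists, so it is modified rather than created.
Set-ActiveSyncMailboxPolicy -Identity "Default" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 4

# Non-Provisionable Devices: the exceptions list. Only the non-provisionable switch differs
# from Default; devices that do honour policy still get the same password rule.
New-ActiveSyncMailboxPolicy -Name "Non-Provisionable Devices" `
    -AllowNonProvisionableDevices $true `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 4

# High Security Devices: 6 characters drawn from 3 character sets, plus device encryption.
# Devices that cannot encrypt their storage will not be able to comply with this policy.
New-ActiveSyncMailboxPolicy -Name "High Security Devices" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MinDevicePasswordComplexCharacters 3 `
    -RequireDeviceEncryption $true

# Assign the high-security policy to an individual mailbox (an executive, in the table's terms).
Set-CASMailbox -Identity "Alan.Reid" -ActiveSyncMailboxPolicy "High Security Devices"

# Or make it the policy new mailboxes receive; only one policy can be the default, so this
# also clears the flag on the policy that previously held it.
Set-ActiveSyncMailboxPolicy -Identity "High Security Devices" -IsDefaultPolicy $true

# Review which policy is the default and how many mailboxes use each one.
Get-ActiveSyncMailboxPolicy |
    Select-Object Name, IsDefaultPolicy, AllowNonProvisionableDevices, MinDevicePasswordLength, RequireDeviceEncryption
Get-CASMailbox -ResultSize Unlimited | Group-Object ActiveSyncMailboxPolicy | Select-Object Name, Count
```

A mailbox moved to a stricter policy keeps syncing until its device next checks in; the DevicePolicyApplicationStatus value from Get-ActiveSyncDeviceStatistics (shown in the next section) tells you whether the device has accepted the new settings in full.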

Configuring Personal Allow/Block Exemptions


Personal allow/block exemptions are assessed by the process for determining device access state
before any device access rules or the default organization setting are assessed.

However it is often the case that personal allow/block exemptions are only configured when a new
mobile device is blocked or quarantined by either a device access rule, or by the default organization
setting.

In a permissive organization where no such block or quarantine rules exist, personal exemptions are
not required to allow a user to connect their mobile device to the server.

In this example the user Mary Hayes has an iPhone configured to connect to Exchange ActiveSync.
Notice that the device state is “Allowed” and the reason is “Global”, meaning that the default
organization setting of “Allow” is responsible for the current access state.

Get-ActiveSyncDeviceStatistics -Mailbox Mary.Hayes | select device*

DeviceType : iPhone
DeviceID : Appl87941C1N3NS
DeviceUserAgent : Apple-iPhone2C1/1001.403
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
DeviceModel : iPhone2C1
DeviceImei :
DeviceFriendlyName : White iPhone 3GS
DeviceOS : iOS 6.0 10A403
DeviceOSLanguage : en-GB
DevicePhoneNumber :
DeviceEnableOutboundSMS : False
DeviceMobileOperator :
DeviceAccessState : Allowed
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DevicePolicyApplied : Default
DevicePolicyApplicationStatus : AppliedInFull
DeviceActiveSyncVersion : 14.1

As another example, the user Alan Reid has an Android device that has a reason of “Individual”,
meaning a personal exemption has been granted for that device.

Get-ActiveSyncDeviceStatistics -Mailbox Alan.Reid | select device*

DeviceType : Android
DeviceID : androidc259148960
DeviceUserAgent : Android/4.0.4-EAS-1.3
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
DeviceModel : sdk
DeviceImei :
DeviceFriendlyName :
DeviceOS : Android 4.0.4
DeviceOSLanguage :
DevicePhoneNumber :
DeviceEnableOutboundSMS : False
DeviceMobileOperator :
DeviceAccessState : Allowed
DeviceAccessStateReason : Individual
DeviceAccessControlRule :
DevicePolicyApplied : Default
DevicePolicyApplicationStatus : AppliedInFull
DeviceActiveSyncVersion : 14.1

Other possible access state reasons include device access rules, which we’ll take a look at in a later
section of this guide.

Allowing/Blocking a Mobile Device using the Exchange Control Panel
Personal exemptions can be configured in the Exchange Control Panel. In the Users & Groups
section search for the mailbox user that you wish to configure the exemption for.

Double-click the user in the search results and expand the Phone & Voice Features section.

Double-click Exchange ActiveSync.

Choose Allow or Block and then click Save.

Allowing/Blocking a Mobile Device using the Exchange Management Shell
If we wanted to change Mary’s device access reason to a personal exemption we can do that by
using the Set-CASMailbox cmdlet.

First, let’s take a look at Mary’s current settings. You can see that there are no allowed device IDs for
Mary at the moment.

Get-CASMailbox mary.hayes | select activesync*

ActiveSyncAllowedDeviceIDs : {}
ActiveSyncBlockedDeviceIDs : {}
ActiveSyncMailboxPolicy : Default
ActiveSyncMailboxPolicyIsDefaulted : False
ActiveSyncDebugLogging :
ActiveSyncEnabled : True

To explicitly allow her iPhone to access Exchange via ActiveSync we would run:

Set-CASMailbox Mary.Hayes -ActiveSyncAllowedDeviceIDs "Appl87941C1N3NS"

Now we can see the device ID in the list of allowed devices for Mary’s mailbox.

Get-CASMailbox mary.hayes | select activesync*

ActiveSyncAllowedDeviceIDs : {Appl87941C1N3NS}
ActiveSyncBlockedDeviceIDs : {}
ActiveSyncMailboxPolicy : Default
ActiveSyncMailboxPolicyIsDefaulted : False
ActiveSyncDebugLogging :
ActiveSyncEnabled : True

And the access state reason has changed to “Individual” as well.

Get-ActiveSyncDeviceStatistics -Mailbox Mary.Hayes | select device*

DeviceType : iPhone
DeviceID : Appl87941C1N3NS
DeviceUserAgent : Apple-iPhone2C1/1001.403
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
DeviceModel : iPhone2C1
DeviceImei :
DeviceFriendlyName : White iPhone 3GS
DeviceOS : iOS 6.0 10A403
DeviceOSLanguage : en-GB
DevicePhoneNumber :
DeviceEnableOutboundSMS : False
DeviceMobileOperator :
DeviceAccessState : Allowed
DeviceAccessStateReason : Individual
DeviceAccessControlRule :
DevicePolicyApplied : Default
DevicePolicyApplicationStatus : AppliedInFull
DeviceActiveSyncVersion : 14.1

Blocking a device ID for a specific user is achieved in much the same manner.

Set-CASMailbox Mary.Hayes -ActiveSyncBlockedDeviceIDs "Appl87941C1N3NS"

That device ID now appears as a blocked device for Mary.

Get-CASMailbox mary.hayes | select activesync*

ActiveSyncAllowedDeviceIDs : {}
ActiveSyncBlockedDeviceIDs : {Appl87941C1N3NS}
ActiveSyncMailboxPolicy : Default
ActiveSyncMailboxPolicyIsDefaulted : False
ActiveSyncDebugLogging :
ActiveSyncEnabled : True

A personal exemption takes precedence over the other settings: a device that is allowed in this way
can still connect even if a device access rule or the default organization setting would block or
quarantine it, and a device that is blocked in this way stays blocked even if a rule or the default
would allow it.

Configuring Device Access Rules

Device access rules allow an organization to allow, block, or quarantine mobile devices based on
their characteristics such as make, model, and user agent.

This flexibility means they can be deployed to suit the needs of almost any scenario. For example, if
you wanted to block all Android devices that run older versions of the operating system, while still
allowing the latest versions to connect, you can achieve that with device access rules.

Similarly, you could configure a default access level for the organization of block or quarantine, but
then use a device access rule to allow all iPhones. Because the device access rules are assessed first,
an iPhone user will be allowed to connect while any other device will be subject to the default access
level for the organization.

Managing Device Access Rules in the Exchange Management Tools

Device access rules can be managed in the Exchange Control Panel or in the Exchange Management
Shell.

In the Exchange Control Panel navigate to Phone & Voice, and then scroll down to the Device Access
Rules section. By default there are no device access rules.

Click on New to create a new rule. Rules created in the Exchange Control Panel are limited to the
device family or model characteristics, and you can only pick from a list of already discovered values
(i.e., devices that have already connected to Exchange).

You can either configure a rule to block a specific family (i.e. all models under that family), or a
specific model. The rule action can be either allow, block or quarantine.

To configure a device access rule in the Exchange Management Shell you use the
New-ActiveSyncDeviceAccessRule cmdlet.

New-ActiveSyncDeviceAccessRule takes a few parameters; the most important ones for this example
are the -QueryString and -Characteristic parameters.

The characteristic can be either:

• DeviceType (referred to as “device family” in the Exchange Control Panel)
• DeviceModel (referred to as “model” in the ECP)
• DeviceOS (not available in the ECP)
• UserAgent (not available in the ECP)

If you already know the specific characteristic you want to base the rule on then you can configure a
device access rule via the Exchange Management Shell regardless of whether a device matching that
characteristic has connected to the server or not.

You can look at the characteristics of devices that have already connected to the server using the
following command in the Exchange Management Shell.

[PS] C:\>Get-ActiveSyncDevice | select devicetype,devicemodel,deviceos,deviceuseragent | ft

DeviceType DeviceModel DeviceOS DeviceUserAgent
---------- ----------- -------- ---------------
WP HTC Windows Phone7.10.8107
iPhone iPhone2C1 iOS 6.0 10A403 Apple-iPhone2C1/1001.403
iPhone iPhone2C1 iOS 6.0 10A403 Apple-iPhone2C1/1001.403
iPhone iPhone Apple-iPhone4C1/902.206
iPhone iPhone Apple-iPhone4C1/902.206
WP HTC Windows Phone7.10.8107
Android sdk Android 4.0.4 Android/4.0.4-EAS-1.3
Android Android Android/0.3
Android sdk Android 4.0.4 Android/4.0.4-EAS-1.3
iPad iPad Apple-iPad3C3/902.206

Example of Device Access Rules

Here is an example of a device access rule to demonstrate how they are configured. This rule will
quarantine a device that is running iOS 6.0.

New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 6.0 10A403" -AccessLevel Quarantine

The results are as follows. Notice that there are two devices currently known to the Exchange server
that are running iOS 6.0. One of the devices has been quarantined by the device access rule, but the
other is still allowed due to an individual exemption (which is assessed before device access rules).

Get-ActiveSyncDevice | where {$_.deviceos -eq "iOS 6.0 10A403"} | select deviceaccess*

DeviceAccessState DeviceAccessStateReason DeviceAccessControlRule
----------------- ----------------------- -----------------------
Allowed           Individual
Quarantined       DeviceRule              iOS 6.0 10A403 (DeviceOS)
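The “block older Android versions” scenario from the start of this section, as an added example that is not code from the guide: it reads the DeviceOS values Exchange has already recorded, creates one blocking rule per Android release below a placeholder threshold (a rule’s QueryString is an exact match, so each distinct DeviceOS string needs its own rule), and then verifies which partnerships are governed by a rule. The threshold value and the use of -WhatIf are assumptions for illustration.

```powershell
# Added example, not from the guide: block Android devices running releases older than a
# placeholder threshold, using the DeviceOS values Exchange has already recorded.
# A rule's QueryString is an exact match, so one rule is created per distinct DeviceOS string.

$MinimumAndroid = [version]"4.0"    # placeholder threshold for this illustration

# Distinct Android DeviceOS strings seen on the server, for example "Android 4.0.4"
$androidOs = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq "Android" -and $_.DeviceOS } |
    Select-Object -ExpandProperty DeviceOS -Unique

# Rules already present, so that re-running the script does not create duplicates
$existing = @(Get-ActiveSyncDeviceAccessRule | Where-Object { $_.Characteristic -eq "DeviceOS" })

foreach ($os in $androidOs) {
    # Extract the numeric release from the string; skip anything that does not parse
    if ($os -notmatch '(\d+\.\d+(\.\d+)?)') {
        Write-Warning "Cannot parse a version from '$os', skipping"
        continue
    }
    $release = [version]$matches[1]
    if ($release -ge $MinimumAndroid) { continue }    # current enough; leave to other rules/default

    if ($existing | Where-Object { $_.QueryString -eq $os }) {
        Write-Host "A DeviceOS rule for '$os' already exists"
        continue
    }

    # -WhatIf shows what would be created; remove it to actually create the rule
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString $os `
        -AccessLevel Block -WhatIf
}

# Partnerships now governed by a rule rather than by the organization default
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessStateReason -eq "DeviceRule" } |
    Select-Object DeviceType, DeviceOS, DeviceAccessState, DeviceAccessControlRule |
    Format-Table -AutoSize
```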

Configuring the Default Access Level

Exchange 2010 provides the capability for administrators to control how a new device type is treated
by Exchange thanks to the ActiveSync organization setting called the “default access level”.

The default setting for this (perhaps unfortunately, from a security point of view) is “Allow”.

There are two ways you can view this setting. The first is using the Exchange Control Panel. In the
Phone & Voice section click the Edit button in the ActiveSync Access area.

The first settings control how the Exchange servers will treat mobile devices.

The three options are self-explanatory; either allow the device user to access their email, block
them, or quarantine the device for further attention.

You can choose to block or quarantine such devices, so that only those that you have approved for a
specific user, or created an organization-wide device access rule for, will be able to connect.

If a device is blocked the user receives an email to their mailbox, but not to their mobile device,
advising that the block has occurred. The email can include custom text if you wish to add some
additional instructions.

When devices are quarantined the user receives the email message to their own mailbox and to the
mobile device itself, and you can also notify administrators by adding their mailboxes or a
distribution group.

These settings take effect even for end users’ mobile devices that are currently accessing
mailboxes. If you change the default to block/quarantine and there is neither a personal exemption
for that user’s device nor a device access rule for the organization that allows it, then the device
will be blocked/quarantined.

Even the ExRCA tool is blocked from accessing mailbox data if the block/quarantine setting is
enabled (though it can still record a “pass” for the test in general).

Therefore this is a very powerful setting that can be used to rein in a previous “anything goes”
ActiveSync configuration. If you do plan to begin blocking or quarantining devices you should make
sure that the change is clearly communicated to those end users that will be impacted.

Dealing With Existing Devices When Changing the Default Access Level

When the default access level is changed from allow to block/quarantine you may discover that
some existing ActiveSync users are still successfully connecting to Exchange with their mobile
devices.

This can happen if one of two conditions exist:

• A device access rule exists for their mobile device type
• The device ID is configured as an allowed device for that specific user, possibly from a
previous block/quarantine approval that was granted

Device Access Rules

ActiveSync device access rules can be viewed in the Exchange Control Panel.

In the example above anybody with an iPhone will be able to connect, or continue connecting, to
Exchange despite a block/quarantine default access level because the device access rule allows that
type of device.

If there are any device access rules interfering with the intended outcome of your change in settings
then you can remove them in the Exchange Control Panel.

Allowed Device ID for Specific User

Users with allowed device IDs can be identified using PowerShell.

Get-CASMailbox | where {$_.HasActiveSyncDevicePartnerShip} | select name,activesyncallowed*,activesyncblocked* | ft -auto

Name        ActiveSyncAllowedDeviceIDs         ActiveSyncBlockedDeviceIDs
----        --------------------------         --------------------------
Alan.Reid   {1249054091, androidc259148960}    {}
Mahera.Bawa {1249054091, Appl87941C1N3NS}      {}
Mary.Hayes  {}                                 {}
Vik.Kirby   {F04016EDD8F2DD3BD6A9DA5137583C5A} {}

In the above example several users have allowed device IDs. These can be removed individually by
nulling the ActiveSyncAllowedDeviceIDs attribute.

Set-CASMailbox vik.kirby -ActiveSyncAllowedDeviceIDs $null
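Before changing the default access level, an administrator will want the checks described in this section in one place. The following script is an added example, not code from the guide: it lists the device access rules and personal exemptions that will keep connecting, exports the partnerships whose state depends only on the default, and previews the change with Set-ActiveSyncOrganizationSettings. The notification address and report path are placeholders.

```powershell
# Added example, not from the guide: audit which partnerships and exemptions will keep
# connecting after the default access level is changed, then preview the change itself.
# The notification address and output path are placeholders for this illustration.

$AdminRecipients = "eas-admins@example.com"           # placeholder
$ReportPath      = "C:\admin\eas-default-change.csv"  # placeholder

# 1. Current default and the device access rules that are evaluated ahead of it
$org = Get-ActiveSyncOrganizationSettings
Write-Host "Current default access level: $($org.DefaultAccessLevel)"
Write-Host "`nDevice access rules:"
Get-ActiveSyncDeviceAccessRule |
    Select-Object Name, Characteristic, QueryString, AccessLevel | Format-Table -AutoSize

# 2. Personal exemptions, which override both the rules and the default
Write-Host "Mailboxes with allowed or blocked device IDs:"
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.HasActiveSyncDevicePartnership -and
                   ($_.ActiveSyncAllowedDeviceIDs.Count -gt 0 -or
                    $_.ActiveSyncBlockedDeviceIDs.Count -gt 0) } |
    Select-Object Name, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs |
    Format-Table -AutoSize

# 3. Devices whose state comes only from the default ("Global"); these are the ones the
#    change will affect. Export them so the affected users can be notified beforehand.
$affected = @(Get-ActiveSyncDevice -ResultSize Unlimited |
    Get-ActiveSyncDeviceStatistics |
    Where-Object { $_.DeviceAccessStateReason -eq "Global" } |
    Select-Object Identity, DeviceID, DeviceType, DeviceOS, DeviceUserAgent, LastSuccessSync)
Write-Host "Devices relying on the default access level: $($affected.Count)"
$affected | Format-Table DeviceID, DeviceType, DeviceOS, LastSuccessSync -AutoSize
$affected | Export-Csv -Path $ReportPath -NoTypeInformation

# 4. Preview the switch to Quarantine; drop -WhatIf to apply it. Quarantined users get the
#    inserted text in their notification and the admin recipients are notified as well.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $AdminRecipients `
    -UserMailInsert "Your device has been quarantined. Contact the service desk to request approval." `
    -WhatIf
```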

Summary of Device Access

Let’s recap the process for determining whether a mobile device will be allowed to access the
Exchange server using ActiveSync.

1. Is the mobile device authenticated?
2. Is the user enabled for ActiveSync?
3. Does the device comply with the ActiveSync mailbox policy in effect for that user?
4. Does the user have a personal exemption that allows the mobile device?
5. Does the user have a personal exemption that blocks the mobile device?
6. Is the device blocked by a matching device access rule?
7. Is the device quarantined by a matching device access rule?
8. Is the device allowed by a matching device access rule?
9. Apply the default access level (allow/block/quarantine) specified in the organization
settings.

Remember that the steps are followed in order, and if at any stage a decision is made to allow, block
or quarantine a device, then the remaining steps of the process are not performed.

So when you are planning your configuration you need to take into consideration:

• The process above
• Whether you want to be a permissive or restrictive organization
• How much administrative effort will be required for maintaining configurations for each step
of the process

For example, a permissive organization that wishes to keep administrative effort to a minimum may
configure:

• A default access level of Allow
• Device access rules to block/quarantine only under exceptional circumstances, for example a
known security vulnerability with a new version of a mobile operating system
• A single ActiveSync mailbox policy to enforce a few security settings such as device
passwords

A restrictive organization that wishes to keep administrative effort to a moderate level may
configure:

• A default access level of Quarantine
• Device access rules to allow known safe makes/models/operating systems of mobile device
• Some personal exemptions for users with devices outside of that known safe list

While a highly restrictive organization that is willing to live with an administrative burden may
configure:

• A default access level of Block
• Cmdlet extension agents to disable ActiveSync on all new user accounts
• A process for enabling ActiveSync and configuring personal exemptions for specific devices
on a case by case basis
• A variety of ActiveSync mailbox policies to apply different security requirements depending
on the level of access to confidential data that the user may have

Performing a Remote Wipe of a Mobile Device

When you allow end users to access email from their own personal mobile device it opens up the
issue of what happens to their device if it becomes lost or the person leaves the company.

When a user in the organization has a mobile device configured for ActiveSync, Exchange Server
2010 provides the capability to perform a remote device wipe. This is useful in scenarios such as a
lost or stolen mobile phone.

However, it will wipe out not only the email data but also all of the person’s personal data on the
device.

That is something they might not be very happy about, so it is important to get their agreement
upfront about remote wipe scenarios and the loss of personal data in the process.

There are a few caveats as well.

The mobile device also needs to make a connection to the Exchange server for the remote wipe to
occur. There are a number of ways that a lost or stolen device may never contact the server again,
such as:

• the device isn’t configured for push email, so doesn’t automatically connect to the server
• the thief disables 3G/wireless to prevent connections being made
• the mobile carrier disables the SIM card
• the user changes their password in Active Directory
• the device is blocked by a device access rule

So with all of that in mind, let’s take a look at the process for a user-initiated remote wipe.

User-Initiated Remote Wipe

The owner of the mobile device can often perform the remote wipe themselves faster than if they
had to contact their IT support.

However, they need to be aware that the capability exists, and either be trained or be able to access
help documentation for the process.

This means your user education needs to be performed in advance, or alternatively your help
documentation needs to already exist and be available somewhere that you can direct the user if
they contact you for support.

Exchange makes this functionality available to the end user via the Exchange Control Panel.

Users can access the Exchange Control Panel by first logging in to Outlook Web App, clicking Options
in the upper-right corner, and then choosing See All Options.

Clicking on Phone on the left-hand side displays the list of mobile devices associated with the user.

Select the device you wish to wipe and click on Wipe Device.

A warning box appears to confirm that the user wishes to wipe their device. Click Yes to confirm.

The device status changes to Wipe Pending. The user has the opportunity to cancel the device wipe
before it completes, otherwise they can continue to monitor the status here.

The next time the device connects to Exchange (if it ever does), the remote wipe is initiated.

To the person in possession of the device there are no warnings or other messages before the
remote wipe begins. In the case of the iPhone I’m using to demonstrate this, the device reverts to
factory defaults and goes through the initial configuration steps when it starts up again.

The user receives a confirmation email letting them know that the remote device wipe has
completed.

They can also check the status of the wipe request in the Exchange Control Panel.

Finally, they can remove the device from their list of associated mobile devices by highlighting it and
clicking the Delete button.

Administrator-Initiated Remote Wipe

An administrator can also perform the remote wipe for a mobile device using the Exchange
management tools.

Performing a Remote Wipe Using the Exchange Management Console

In the Exchange Management Console navigate to Recipient Configuration -> Mailbox. Right-click
the user’s mailbox and choose Manage Mobile Phone.

If there are multiple mobile devices associated with the user select the correct device first, then
select “Perform a remote wipe…” and then click on Clear.

Confirm that you wish to proceed with the wipe request by clicking Yes.

You can go back to the Manage Mobile Phone wizard for the user and view the status of the remote
wipe request, as well as cancel it if you need to (if the mobile device has not already connected and
initiated the wipe).

If the wipe request has been acknowledged by the mobile device you will see the timestamp.

Performing a Remote Wipe Using the Exchange Control Panel

The remote wipe can also be initiated from the Exchange Control Panel. In the Users & Groups
section search for the mailbox user that you wish to wipe the device for.

Double-click the user in the search results and expand the Phone & Voice Features section.

Double-click Exchange ActiveSync.

Click on Wipe Device and then click Save.

If you double-click Exchange ActiveSync again you can return to the same page and cancel the
device wipe if necessary.

Performing a Remote Wipe Using the Exchange Management Shell

To issue the remote wipe from the Exchange Management Shell, first get the device ID for the user’s
mobile device.

$deviceid = (Get-ActiveSyncDeviceStatistics -mailbox:mary.hayes).Identity

Then issue the remote wipe command.

Clear-ActiveSyncDevice $deviceid

Confirm
Are you sure you want to perform this action?
Clearing mobile phone "exchangeserverpro.net/Company/Head
Office/Users/Mary.Hayes/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS". All the data on
the phone will be permanently deleted.

[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y

You can check the status of the remote wipe in the Exchange Management Shell as well.

Get-ActiveSyncDevice | Get-ActiveSyncDeviceStatistics | where {$_.status -match "Wipe"} | select deviceid,status

DeviceID Status
-------- ------
Appl87941C1N3NS DeviceWipePending

When the wipe has completed the status will change to report the result.

Get-ActiveSyncDevice | Get-ActiveSyncDeviceStatistics | where {$_.status -match "Wipe"} | select deviceid,status

DeviceID Status
-------- ------
Appl87941C1N3NS DeviceWipeSucceeded

Other Considerations for Remote Wipes

After you have successfully remote wiped a mobile device, if the same user reconnects the same
mobile device to the server it will immediately begin the remote wipe process again, and will
continue doing so until the device is removed from Exchange entirely.

It also puts the device in a “Blocked” state.

Get-ActiveSyncDeviceStatistics -Mailbox "mary.hayes" | select *state*,statusnote | fl

DeviceAccessState : Blocked
DeviceAccessStateReason : Policy
SyncStateUpgradeTime :
StatusNote : To sync with the server, you need to remove your device from the
list after the wipe completes successfully. For security reasons,
your device will continue clearing data if you try to synchronize
again.

However it does not change whether the device is allowed or blocked as a personal exemption.

Get-CasMailbox mary.hayes | select *active*

ActiveSyncAllowedDeviceIDs : {Appl87941C1N3NS}
ActiveSyncBlockedDeviceIDs : {}
ActiveSyncMailboxPolicy : Default
ActiveSyncMailboxPolicyIsDefaulted : False
ActiveSyncDebugLogging :
ActiveSyncEnabled : True
HasActiveSyncDevicePartnership : True

So after the wiped device has been removed from Exchange, if the user retains their personal
exemption then they will be able to reconnect the device regardless of any other device access rules
or default access level configurations that exist.

If you want to be absolutely sure that the device is not reconnected then leave the wiped device in
Exchange. You may also consider disabling ActiveSync entirely for the user if you want them to be
unable to connect any devices to Exchange.

You can remove the device in the Exchange Management Console by going back in to the Manage
Mobile Phone wizard for the mailbox user, selecting the device, and choosing “Remove a mobile
phone partnership”. Then click the Remove button to process the request.

If you want to use the Exchange Control Panel go back into the Exchange ActiveSync properties for
the mailbox user, highlight the device and then click the Delete button.

Or, in the Exchange Management Shell use the Remove-ActiveSyncDevice cmdlet.

$deviceid = (Get-ActiveSyncDeviceStatistics -Mailbox "Mary.Hayes").Identity

Remove-ActiveSyncDevice $deviceid

Confirm
Are you sure you want to perform this action?
Removing mobile phone "exchangeserverpro.net/Company/Head
Office/Users/Mary.Hayes/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS". All data about
the phone will be removed.
The phone must be re-synchronized.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
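The wipe, status check and clean-up steps above, combined into one script as an added example that is not code from the guide. It targets a single device by its DeviceID (the .Identity shortcut used earlier returns several identities when the user has more than one partnership), waits for the acknowledgement, removes the personal exemption for that device ID and only then removes the partnership. The mailbox, device ID and notification address are placeholders.

```powershell
# Added example, not from the guide: wipe one specific device for a mailbox, wait for the
# acknowledgement, then remove the partnership and the personal exemption so the device
# cannot reconnect through the exemption. Mailbox, device ID and notification address are
# placeholders. Selecting by DeviceID matters when the user has several partnerships, where
# (Get-ActiveSyncDeviceStatistics -Mailbox ...).Identity would return more than one identity.

$Mailbox  = "mary.hayes"                # placeholder
$DeviceID = "Appl87941C1N3NS"           # placeholder: from Get-ActiveSyncDeviceStatistics
$NotifyTo = "it-security@example.com"   # placeholder: receives the wipe confirmation email

$device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Where-Object { $_.DeviceID -eq $DeviceID }
if (-not $device) { throw "No ActiveSync partnership with DeviceID $DeviceID for $Mailbox" }

# 1. Issue the wipe. Without -Confirm:$false the shell asks for confirmation, as shown above.
Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses $NotifyTo -Confirm:$false

# 2. Poll until the device acknowledges, or give up after a deadline. A device that never
#    reconnects (SIM cancelled, radio off, password changed) stays at DeviceWipePending.
$deadline = (Get-Date).AddHours(24)
do {
    Start-Sleep -Seconds 300
    $status = (Get-ActiveSyncDeviceStatistics -Identity $device.Identity).Status
    Write-Host "$(Get-Date -Format s)  $DeviceID  $status"
} while ($status -eq "DeviceWipePending" -and (Get-Date) -lt $deadline)

if ($status -ne "DeviceWipeSucceeded") {
    # Leaving the partnership in place keeps the device blocked and re-wipes it if it ever syncs
    Write-Warning "Wipe not confirmed for $DeviceID; partnership left in place"
    return
}

# 3. Drop the personal exemption for this device ID, if one exists, so that device access
#    rules and the organization default apply to any future reconnection attempt.
$cas = Get-CASMailbox $Mailbox
if ($cas.ActiveSyncAllowedDeviceIDs -contains $DeviceID) {
    Set-CASMailbox $Mailbox -ActiveSyncAllowedDeviceIDs @{Remove = $DeviceID}
}

# 4. Now remove the wiped partnership. For a departing user, disabling ActiveSync for the
#    mailbox is the stronger option: Set-CASMailbox $Mailbox -ActiveSyncEnabled $false
Remove-ActiveSyncDevice -Identity $device.Identity -Confirm:$false
```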

Exchange ActiveSync Reports

A number of reports are available for Exchange ActiveSync, made up of a mix of PowerShell output
and text log parsing.

Retrieving Individual Device Statistics

For individual mailbox users you can run the Get-ActiveSyncDeviceStatistics cmdlet to see the current
stats for their mobile device. These represent a view of the “current state” for that particular device.

[PS] C:\>Get-ActiveSyncDeviceStatistics -Mailbox "Mahera.Bawa"

RunspaceId : 18c518c4-7bb2-4315-84eb-3c4384acae28
FirstSyncTime : 10/1/2012 11:33:28 AM
LastPolicyUpdateTime : 11/9/2012 12:29:28 PM
LastSyncAttemptTime : 11/9/2012 12:35:52 PM
LastSuccessSync : 11/9/2012 12:35:52 PM
DeviceType : iPhone
DeviceID : Appl87941C1N3NS
DeviceUserAgent : Apple-iPhone2C1/1001.403
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
LastPingHeartbeat : 900
RecoveryPassword : ********
DeviceModel : iPhone2C1
DeviceImei :
DeviceFriendlyName : White iPhone 3GS
DeviceOS : iOS 6.0 10A403
DeviceOSLanguage : en-GB
DevicePhoneNumber :
MailboxLogReport :
DeviceEnableOutboundSMS : False
DeviceMobileOperator :
Identity : exchangeserverpro.net/Company/Branch Office/Users/Mahera.Bawa/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS
Guid : fbd1e684-388a-4767-b575-3a21cc8b7b20
IsRemoteWipeSupported : True
Status : DeviceOk
StatusNote :
DeviceAccessState : Blocked
DeviceAccessStateReason : Policy
DeviceAccessControlRule :
DevicePolicyApplied : Default
DevicePolicyApplicationStatus : AppliedInFull
LastDeviceWipeRequestor :
DeviceActiveSyncVersion : 14.1
NumberOfFoldersSynced : 5
SyncStateUpgradeTime :

Retrieving Aggregate Usage Data Using the Exchange Management Shell

You can also use the Export-ActiveSyncLog cmdlet to parse the IIS log files and produce multiple CSV
files containing aggregate usage data for ActiveSync.

Get-ChildItem C:\inetpub\logs\LogFiles\W3SVC1\*.log | Export-ActiveSyncLog -OutputPath C:\admin

Mode  LastWriteTime      Length Name
----  -------------      ------ ----
darhs 1/1/1601 10:00 AM         Users.csv
darhs 1/1/1601 10:00 AM         Servers.csv
darhs 1/1/1601 10:00 AM         Hourly.csv
darhs 1/1/1601 10:00 AM         StatusCodes.csv
darhs 1/1/1601 10:00 AM         PolicyCompliance.csv
darhs 1/1/1601 10:00 AM         UserAgents.csv

For example, you can view the policy compliance stats for the connecting mobile devices.

You can see which user agents are generating the most hits on the server.

And you can view the devices associated with each user and the amount of load they are each
putting on the server.

Generating Reports with Log Parser Studio

Microsoft has also released Log Parser Studio [13], a tool that ships with a large number of
preconfigured reports for ActiveSync and other Exchange workloads.

[13] http://blogs.technet.com/b/exchange/archive/2012/03/07/introducing-log-parser-studio.aspx
Some of the Log Parser Studio reports can also be produced as graphs if you need to provide easy to
read reports to management.

Summary
At this point you may be wondering what to do next. Here are my suggestions.

1. If you provide no mobile access to your users at the moment, consider whether ActiveSync is
the right solution for your organization, and then plan your requirements and policies and
begin the deployment.
2. If you have users connecting to ActiveSync right now, but no control or visibility over the
devices that are connecting and the policies in place, then begin analysing your current
configuration and decide if and where improvements can be made.
3. If you have ActiveSync in use and you’re satisfied with the way it is all configured, explore
some of the reporting that is available so that you can regularly validate that all is well.

If you have further questions or run into problems with your ActiveSync then feel free to post in the
Exchange Server Pro Forums for assistance from the community.
