How to Quarantine unauthorized smartphones with Exchange or Office 365

Some organizations have a mobile device policy that only permits company-owned phones to connect to their email server. They want to prevent employee-owned or rogue devices from establishing an ActiveSync connection.

Exchange 2010 and Office 365 provide the ability to quarantine phones that attempt to enroll in an ActiveSync partnership. This permits an administrator to review the device before approving it.

The process works very well because the user receives an email letting them know that their device is pending administrator approval. The administrator receives an email letting them know a new device requires approval.

Configuring it is also very simple. Just sign into the Exchange Control Panel (ECP) and click a few boxes.

Note: this setting will apply to all existing phones, so you will need to be prepared to perform a one-time mass approval for the phones that are already connected. An email will be generated telling users that their phone is in quarantine, which might be unsettling to some of them, so I recommend sending an email in advance to inform them that they can ignore it. Perhaps there is a way to prevent this behavior from occurring for existing devices and only allow it to occur for new devices, but I have not found that option yet.
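The same switch can be thrown from the Exchange Management Shell (or an Office 365 remote PowerShell session), which also makes the one-time mass approval scriptable. The following is an added example, not a script from the original post: it records the partnerships that exist today, sets the organization default to Quarantine, and then adds each recorded device ID to its mailbox's personal allow list, which takes precedence over the organization default. It assumes Exchange 2010-era cmdlet names (Get-ActiveSyncDevice, Get-ActiveSyncDeviceStatistics), and the notification address and CSV path are placeholders.

```powershell
# Added example (not from the original post). Run as a full Exchange administrator.
$AdminMailbox = 'mobile-admins@example.com'                       # placeholder recipient for quarantine notices
$Backup       = 'C:\Temp\activesync-devices-before-quarantine.csv' # placeholder path for the inventory

# 1. Inventory every mailbox that already has an ActiveSync partnership, with its device IDs,
#    BEFORE changing the organization default. This is the list you will approve in step 3.
$mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true }
$inventory = foreach ($m in $mailboxes) {
    Get-ActiveSyncDeviceStatistics -Mailbox $m.Identity |
        Select-Object @{ Name = 'Mailbox'; Expression = { $m.Identity.ToString() } },
                      DeviceID, DeviceType, DeviceModel, LastSuccessSync
}
$inventory | Export-Csv -Path $Backup -NoTypeInformation
"$(@($inventory).Count) existing partnerships recorded in $Backup"

# 2. Change the organization default so that any device not already allowed is quarantined,
#    and tell Exchange who to notify. UserMailInsert is appended to the email the user receives.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $AdminMailbox `
    -UserMailInsert 'Your phone is waiting for approval by the mobile device administrators.'

# 3. One-time mass approval of the devices recorded in step 1. A personal exemption
#    (the mailbox's ActiveSyncAllowedDeviceIDs list) wins over the organization default,
#    so only these specific device IDs are released; anything that connects later is still quarantined.
foreach ($group in ($inventory | Group-Object -Property Mailbox)) {
    $ids = @($group.Group | Select-Object -ExpandProperty DeviceID)
    Set-CASMailbox -Identity $group.Name -ActiveSyncAllowedDeviceIDs @{ Add = $ids }
}

# 4. Check: anything still quarantined now is a device that was not in the inventory.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceId, DeviceAccessStateReason -AutoSize
```

Keep the CSV from step 1: it is the evidence of which devices were approved in bulk, and it lets you revert a mailbox's allow list if a device on it turns out not to be company-owned.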

After this has been configured, you may want to delegate fine-grained RBAC rights to your mobile phone administrators so that they can approve these devices without having too many additional privileges within Exchange.

# Create two custom roles derived from the built-in parent roles
New-ManagementRole "ActiveSync User Options" -Parent 'User Options'

New-ManagementRole "ActiveSync Client Access" -Parent 'Organization Client Access'

# Strip every cmdlet whose name is not ActiveSync-related from both custom roles
Get-ManagementRoleEntry -Identity 'ActiveSync User Options\*' | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False

Get-ManagementRoleEntry -Identity 'ActiveSync Client Access\*' | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False

# Also remove the organization-wide settings and device access rule cmdlets, so the
# delegated admins can act on individual devices but cannot change the policy itself
Remove-ManagementRoleEntry 'ActiveSync Client Access\Set-ActiveSyncOrganizationSettings'
Remove-ManagementRoleEntry 'ActiveSync Client Access\Set-ActiveSyncDeviceAccessRule'
Remove-ManagementRoleEntry 'ActiveSync Client Access\Remove-ActiveSyncDeviceAccessRule'
Remove-ManagementRoleEntry 'ActiveSync Client Access\New-ActiveSyncDeviceAccessRule'

# Put both roles in a role group and add the mobile phone administrators to it
New-RoleGroup 'ActiveSync Access Admins' -Roles 'ActiveSync User Options', 'ActiveSync Client Access'

Add-RoleGroupMember "ActiveSync Access Admins" -Member [email protected]

The delegated administrator should then see quarantined devices in the Exchange Control Panel.
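Before handing the role group over, it is worth confirming that the trimming above left exactly what you intended. The following audit script is an added example, not part of the original post: it lists the cmdlets that remain in the two custom roles, fails loudly if any of the policy-changing cmdlets survived, and shows the role assignments and members of the group. The role and group names are the ones created above; everything else is standard Exchange RBAC cmdlets.

```powershell
# Added example (not from the original post). Run as a full Exchange administrator.
$Roles     = 'ActiveSync User Options', 'ActiveSync Client Access'
$RoleGroup = 'ActiveSync Access Admins'

# Cmdlets that must NOT be available to the delegated admins, because they change
# the organization-wide policy rather than approving one device.
$Forbidden = 'Set-ActiveSyncOrganizationSettings',
             'New-ActiveSyncDeviceAccessRule',
             'Set-ActiveSyncDeviceAccessRule',
             'Remove-ActiveSyncDeviceAccessRule'

# 1. What is left in each custom role after the Remove-ManagementRoleEntry calls?
foreach ($role in $Roles) {
    "=== Role entries remaining in '$role' ==="
    Get-ManagementRoleEntry -Identity "$role\*" |
        Sort-Object Name |
        Format-Table Name, Parameters -AutoSize
}

# 2. Fail if any forbidden cmdlet is still granted by either role.
$leaks = foreach ($role in $Roles) {
    Get-ManagementRoleEntry -Identity "$role\*" |
        Where-Object { $Forbidden -contains $_.Name } |
        ForEach-Object { "$role\$($_.Name)" }
}
if ($leaks) {
    throw "Policy-changing cmdlets still present in the delegated roles: $($leaks -join ', ')"
}
"OK: none of the policy-changing cmdlets are granted by the delegated roles."

# 3. Confirm the role group is assigned only the two custom roles, and list who is in it.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Format-Table Role, RoleAssigneeType, RecipientWriteScope -AutoSize
Get-RoleGroupMember -Identity $RoleGroup | Format-Table Name, RecipientType -AutoSize
```

Re-run this check after any Exchange cumulative update or role change: the custom roles were derived from built-in parents, and a later edit to a custom role can quietly reintroduce entries you removed.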

The link to my original blog post with pictures is available here:

http://blogs.catapultsystems.com/IT/archive/2012/11/30/how-to-quarantine-unauthorized-smartphones-with-exchange-2010-or-office-365.aspx
