Active Sync Device Rule not working (Network Steve Forum)

Active Sync Device Rule not working

Hello, wer are running Exchagne 2010 SP3 RU8v2 in our enviornment. In light of some security issues with the new Outlook for iOS and Android, we decided to block any device trying to sync with this application.

I created an Active Sync rule, based on the UserAgent first, and seemed to not work, so i created on based on DeviceOS (see blow) and that doesn't seem to work either. It's been about 2 hours since I created these, so not sure if it's a timing thing either.

as you can see from the below output, I'm expecitng the device to be blocked but it is still in the allowed state.

Am I missing something? Anyone have any insight?

DeviceId                : C62DDA89E034BB93
DeviceImei              :
DeviceMobileOperator    :
DeviceOS                : Outlook for iOS and Android 1.0
DeviceOSLanguage        :
DeviceTelephoneNumber   :
DeviceType              : Outlook
DeviceUserAgent         : Outlook-iOS-Android/1.0
DeviceModel             : Outlook for iOS and Android
DeviceAccessState       : Allowed
DeviceAccessStateReason : Individual
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.1

February 2nd, 2015 11:45am

Not sure what command you ran to create the device access rule, but try this one...

New-ActiveSyncDeviceAccessRule -QueryString 'Outlook for iOS and Android' -Characteristic DeviceModel -AccessLevel Block

Free Windows Admin Tool Kit Click here and download it now

February 2nd, 2015 1:36pm

Hi Hinte, I ran the commands below. I will try yours as well, but seems the same to me.

New-ActiveSycDeviceAccessRule -AccessLevel Block -Characteristic UserAgent -QueryString "Outlook-iOS-Android/1.0"

New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceOS -QueryString "Outlook for iOS and Android 1.0"

February 2nd, 2015 1:50pm

still no luck, is there a refresh interval or something? I would think it would have blocked my device with that application by now.

Free Windows Admin Tool Kit Click here and download it now

February 2nd, 2015 2:46pm

Can you do Get-ActiveSyncDeviceRule and post the output?

February 3rd, 2015 9:02am

Hi Hinte, here it is. I created a new rule yesterday using the GUI this time:

[PS] C:\SCRIPTS>Get-ActiveSyncDeviceAccessRule

RunspaceId        : 2e7f62e9-b7f3-405c-b9a1-7a014b5ccd23
QueryString       : Outlook for iOS and Android
Characteristic    : DeviceModel
AccessLevel       : Block
Name              : Outlook for iOS and Android (DeviceModel)
AdminDisplayName :
ExchangeVersion   : 0.10 (14.0.100.0)
DistinguishedName : CN=Outlook for iOS and Android (DeviceModel),CN=Mobile Mailbox Settings,CN=xxxx,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=xxxx,DC=xxxx
Identity          : Outlook for iOS and Android (DeviceModel)
Guid              : 3bab0fa7-8659-4280-9d35-99c78c126745
ObjectCategory    : xxxxxx/Configuration/Schema/ms-Exch-Device-Access-Rule
ObjectClass       : {top, msExchDeviceAccessRule}
WhenChanged       : 2/2/2015 4:44:09 PM
WhenCreated       : 2/2/2015 4:44:09 PM
WhenChangedUTC    : 2/2/2015 9:44:09 PM
WhenCreatedUTC    : 2/2/2015 9:44:09 PM
OrganizationId    :
OriginatingServer : xxxxxxxx
IsValid           : True

Free Windows Admin Tool Kit Click here and download it now

February 3rd, 2015 9:13am

Can you give an IIS reset a shot?

That should force an update for EAS.

February 3rd, 2015 10:11am

IISReset did not help.

Free Windows Admin Tool Kit Click here and download it now

February 3rd, 2015 11:56pm

This topic is archived. No further replies will be accepted.