Personal smartphones are becoming more and more common in business environments.  Companies have always struggled with managing who should have the ability to sync their phones and who can’t and what types of phones are allowed.  Exchange 2010 SP1 has made it very easy for the administrator (or any other appointed person) to approve or block specific users or phones from utilizing ActiveSync.  This post will not go into the specific feature policies, but will only examine connectivity policies.

By default ActiveSync is enabled for everyone and every type of device.  Let’s start off by configuring all devices that attempt to connect via ActiveSync into a quarantine for administrator approval.

From EMS we can run the following command to set the default access level to Quarantine for all devices and to notify the Administrator when a device tries to connect:

Set-ActiveSyncOrganizationSettings –DefaultAccessLevel Quarantine –AdminMailRecipients AdminEmailAddress


This can also be achieved through ECP:


Then selecting the Edit button:


When a device tries to connect, both the device/user receives a notice that their phone is in Quarantine and the Administrator get an email notifying them to take action on the device:

Device/User notification:


Administrator notification:


Once the administrator clicks the provided link to take action on the device, the ECP will launch and the administrator can decide to Allow or Block the device:


With the new ActiveSync Access controls, the administrator can also make rules to automatically allow or block specific types of devices.  The default organization settings will be applied if a specific rule does not match.  In our example, we will configure any “PocketPC” device to automatically get blocked.  The query string can be based off of the device type or device model.  From the EMC:

New-ActiveSyncDeviceAccessRule –AccessLevel Block –Characteristic DeviceType –QueryString PocketPC


This rule can also be created in the ECP:


Now when a user tries to connect their device that matches the new ActiveSync Access Rule, the device will not sync and the user receives an email:


From the partnership status in ECP, they can also see the details:


Exchange 2010 SP1 has allowed for much easier and granular management of ActiveSync device access control!