Exchange 2010 has this feature in active sync where the admin can setup rules to allow certain devices to connect via ActiveSync Access Rules. Device Access Rules can be setup so that only certain devices can connect and all other devices will be quarantined until an admin can act on it.
This works well for companies that only issue certain devices (i.e. blackberries) and want to block all android/iPhones from using Active sync. However, there are always exceptions. Especially when the CEO wants to use his iPhone. So the Admin can explicitly allow the CEO’s iPhone to connect. However, the GUI interface does not report on what devices are allowed, which met policy, which are given individual exemptions.
Here’s how I discovered how to get that info using Exchange PowerShell:
This command will list all active ActiveSync devices that have been issued an individual examption.
Get-ActiveSyncDevice -filter {DeviceAccessStateReason -eq 'Individual'}
The DeviceAccessStateReason can also include:
DeviceAccessStateReason
The reason for the device’s access state. Available values include:
- Global Caused by to the global access setting
- DeviceRule Caused by a device access rule
- Individual Caused by an individual exemption.
- Policy Caused by Exchange ActiveSync security policies
- Upgrade Caused by the upgrade of the user’s mailbox. This is a temporary state that is designed to give the device a chance to upgrade prior to being controlled by the rules and access settings.
The same Cmdlet can be used to filter on any of the attributes of the Active Sync Item:
| Attribute | Description |
|---|---|
| FriendlyName | The name that the user called their mobile device |
| DeviceId | A unique identifier used by Exchange ActiveSync to identify each device’s partnership |
| DeviceImei | The International Mobile Equipment Identity (IMEI) number of the mobile device |
| DeviceMobileOperator | The mobile operator to which the mobile device was last connected |
| DeviceOS | The name and version number of the operating system that is running on the mobile device |
| DeviceOSLanguage | The language used by the operating system |
| DeviceTelephoneNumber | The last four digits of the phone number |
| DeviceType | The device family. If you want to control access for all device models in a device family, you can create a device access rule for that device family. See Create a New Device Access Rule. |
| DeviceUserAgent | The device’s network protocol name, which characterizes the client to the server |
| DeviceModel | The device model. If you want to control access for a specific device model, you can create a device access rule for that device model only. See Create a New Device Access Rule. |
| FirstSyncTime | The date and time the device first requested to connect with Exchange ActiveSync. This field provides an idea of how old the device partnership is. If you want to get more information about the latest device connections, you can view the mobile device information from the user’s mailbox or user settings, or use the Get-ActiveSyncDeviceStatistics cmdlet. For more information, see Get-ActiveSyncDeviceStatistics. |
| UserDisplayName | The name of the person who is using the device |
| DeviceAccessState | The access state of the device: Allowed, Blocked, Quarantined, or DeviceDiscovery. The last value indicated the device is temporarily quarantined while it is being identified by Exchange ActiveSync. |
| DeviceAccessStateReason | The reason for the device’s access state. Available values include:
|
| DeviceAccessControlRule | The name of the rule that is affecting the device’s current access state, if any |
| DeviceActiveSyncVersion | The version of the Exchange ActiveSync protocol used by the given device |
For a Summary of the Active Sync Devices, try the following command:
Get-ActiveSyncDevice | Group-Object -property DeviceType
To view a count of devices of each device model, run the following command:
Get-ActiveSyncDevice | Group-Object -property DeviceModel
All these values are stored in AD and could also be queried via an LDAP search or a well-formed dsquery|dsget command.
AD attribute for MSAccessState
Please provide a way to filter by user.
This generate information for all the phone connected to active sync