Prevent an active sync user from using a diffirent mobile device to access exchange 2016 using outlook?

Ragman99 21 Reputation points
2021-02-22T13:04:59.557+00:00

I found that when a user (Android or iOS) uses the outlook app to access active sync. The user can use another device to access active sync bypassing quarantine as the mobile device registers either as an “Outlook” or “Outlook for iOS and Android device” under model and family. Thus, if a new user is quarantined and allowed email access via active sync by the admin, the user or any other user for that matter using the same credentials will be able to use another mobile device and be automatically allowed to access email bypassing quarantine.

How can I prevent this?

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,429 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 143.6K Reputation points MVP
    2021-02-23T13:06:17.907+00:00

    See if this works for you, not sure if you have tried this already :

    https://www.usmanghani.co/restrict-exchange-active-sync-devices-in-exchange/

    2 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Andy David - MVP 143.6K Reputation points MVP
    2021-02-22T13:16:11.993+00:00

    What's the goal? Do you want users to have only one device?

    If so, you can set a global throttling policy:
    https://learn.microsoft.com/en-us/answers/questions/181962/error-with-your-new-mobile-phone-partnership-in-ex.html
    https://learn.microsoft.com/en-us/powershell/module/exchange/new-throttlingpolicy?view=exchange-ps

    Set-ThrottlingPolicy <policy_name> –EASMaxDevices 1  
    

    You could also just add that ActiveSync Allowed ID once the user is allowed access and not allow the others

    https://learn.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps

    TheActiveSyncAllowedDeviceIDs parameter specifies one or more Exchange ActiveSync device IDs that are allowed to synchronize with the mailbox. A device ID is a text string that uniquely identifies the device. Use the Get-MobileDevice cmdlet to see the devices that have Exchange ActiveSync partnerships with the mailbox.

    You can get that unique ID for Outlook Mobile:
    Upon initial account login, Outlook for iOS and Android establishes a connection to the Microsoft 365- or Office 365-based architecture. A unique device ID is generated, and this device ID is what appears in Active Directory device records (which can be retrieved with cmdlets such as Get-MobileDevice in Exchange Online Powershell) and which appears in HTTP request headers.

    https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-faq#q-does-each-users-instance-of-outlook-for-ios-and-android-have-a-unique-device-id-in-the-microsoft-365--or-office-365-based-architecture-how-is-the-device-id-generated-and-is-this-same-device-id-used-in-intune

    1 person found this answer helpful.