Thursday, January 19, 2012

Mobile Device Management

As we all know, Exchange 2010 brought many, many welcomed new features.

With the latest version of Exchange ActiveSync [EAS], 14.1, released with Exchange 2010 SP1, came a few more, such as GAL photos and Information Rights Management over EAS. A major one was the addition of device and user information to the Provision command of mobile devices. This allows administrators to create Allow, Block and Quarantine lists (known as ABQ lists) in order to control which mobile devices are allowed to access Exchange mailboxes.

Although this functionality was already present in the RTM version of Exchange 2010 with version 14 of EAS, SP1 adds a user interface in the Exchange Control Panel [ECP] for easier management of ABQ lists.

We can, for example, quarantine all devices, or just specific ones based on their model:

In this case, we created a Device Access Rule to block all Samsung Galaxy S II devices. When I then tried to connect my phone to Exchange, I got the following message:

Because this is a new device, Exchange sent the following e-mail to the administrator so he was aware of it:
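For anyone who prefers the Exchange Management Shell over ECP, here is the same scenario scripted end to end: set the organisation default to quarantine with an admin notification, find the model string a device really reports, block that model with a Device Access Rule, and exempt a single user's device. This is an added example and not part of the original post; the admin address, the user alias and the exact Galaxy S II model string are placeholders that you replace with your own values.

```powershell
# Added example (not from the original post). Exchange 2010 SP1 Management Shell.
# Placeholders: admin@contoso.example, the alias "anthony" and the model string.

# 1. Organisation-wide default: quarantine every device not covered by a rule or
#    a per-user exemption, and e-mail the administrator when that happens
#    (this is the notification shown in the post).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "admin@contoso.example" `
    -UserMailInsert "Your device is waiting for approval by IT."

# 2. Rules match the DeviceType / DeviceModel / DeviceOS / UserAgent strings that
#    the client itself sends, so read the real value from a device that has
#    already tried to sync before writing a rule against it.
Get-ActiveSyncDevice |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS,
                  DeviceAccessState, DeviceAccessStateReason

# 3. Block the whole model. The string below is a placeholder: paste the
#    DeviceModel value returned by step 2.
$galaxyModel = "<DeviceModel reported by the Galaxy S II>"
New-ActiveSyncDeviceAccessRule -QueryString $galaxyModel `
    -Characteristic DeviceModel -AccessLevel Block

# 4. Review the rules in effect.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# 5. Per-user exemption. A device ID on the mailbox's allowed list wins over
#    device access rules, which in turn win over the organisation default.
$user = "anthony"   # placeholder alias
$deviceId = (Get-ActiveSyncDeviceStatistics -Mailbox $user |
    Select-Object -First 1).DeviceID
Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs @{Add = $deviceId}

# 6. Everything currently sitting in quarantine and why.
Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceModel, DeviceId, DeviceAccessStateReason -AutoSize
```

One thing worth keeping in mind when relying on this: the model, OS and user-agent values that the rules match on are reported by the client, not verified by the server, so ABQ lists are an inventory and hygiene control rather than an authentication mechanism. The per-user allowed device IDs in step 5 are the tighter control, and the quarantine e-mail plus the report in step 6 are what tell you that an unexpected device is knocking.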

To read more about this new functionality, explore it in-depth and see a few examples on how to configure everything, please check the following posts on

Hope you find it interesting!


  1. Hi Nuno,

    I have a quick question regarding applying mobile device access policies. It mentions that this should be done by selecting the entire organisation. Can mobile device policies be set at an OU level?
    If not, how does it cater for large organisations that have multiple regions?


    Anthony Collins

  2. Hi Anthony,

    Unfortunately there’s nothing you can do... Currently the MDM functionality in Exchange is global, meaning you can’t have different rules for different OUs, not even for different domains!... They either apply to a specific device model for a particular user or to everyone.

    Although SP2 didn’t introduce any change regarding MDM, hopefully Microsoft will provide that functionality in the future!
    For large organizations with multiple regions, and if you need that flexibility, you will have to deploy another MDM solution that provides that capability...
    Sorry I couldn’t help...