Recommendations For Exchange ActiveSync Organisation Settings


It has been 5 years since Exchange 2010 was released and there is still a very common item that a lot of deployments have overlooked.  This is the configuration of the ActiveSync Organization settings.  These settings set the global options for devices connecting into Exchange 2010 and also Exchange 2013.  They are a core part of Exchange 2010 & 2013’s Allow/Block/Quarantine feature.

Rather than this post turning into a behemoth, it will be split into three parts

  1. This post which covers background and my personal recommendations for ActiveSync global settings.

 

Exchange ActiveSync Organization Default Settings

The default ActiveSync Organization settings are shown below:

Exchange ActiveSync Organization Settings

Note that the big red arrow indicates that by default the DefaultAccessLevel is set to Allow.

Also note that the UserMailInsert, AdminMailRecipients and OtaNotificationMailInsert fields are all empty by default.

What does DefaultAccessLevel set to Allow mean in the initial Exchange 2010/2013 configuration?

By default any user can connect any device…..

This behaviour can be modified with the addition of ActiveSync Device Access Rules, but since there are no rules by default, all devices will hit the ActiveSync Organization Settings and inherit the DefaultAccessLevel.  This is what allows all users to connect any device by default.

It is also worthwhile pointing out that all mailboxes are enabled for ActiveSync by default.  You can change this on a per-mailbox basis by running Set-CASMailbox:

Set-CASMailbox sschnoll -ActiveSyncEnabled $False
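The single-mailbox command above generalises to an audit-then-change pattern. The following is an added example, not code from the original post; it assumes an Exchange Management Shell session and a distribution group named "No Mobile Sync" (a placeholder name) whose members should not be allowed to synchronise.

```powershell
# Added example (not from the original post). Assumes an Exchange Management
# Shell session; "No Mobile Sync" is a placeholder distribution group name.

# Audit: on a default install every mailbox is ActiveSync-enabled, so this
# count should match the total mailbox count until exceptions are applied.
$enabled = Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true }
"$($enabled.Count) mailbox(es) currently have ActiveSync enabled"

# Targeted change: disable ActiveSync only for members of the exception group,
# skipping group members that are not mailboxes (contacts, nested groups).
Get-DistributionGroupMember -Identity "No Mobile Sync" -ResultSize Unlimited |
    Where-Object { $_.RecipientType -like '*Mailbox*' } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress.ToString() -ActiveSyncEnabled $false
        "Disabled ActiveSync for $($_.PrimarySmtpAddress)"
    }

# Verify: the same audit filter should now exclude the group's mailboxes.
Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $false } |
    Select-Object Name, PrimarySmtpAddress, ActiveSyncEnabled
```

Driving the exception list from a distribution group keeps the per-mailbox change repeatable: re-running the script after membership changes brings the mailbox flags back in line with the group.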

 

These ActiveSync Organization settings may not be what you want for your business, so we need to review and possibly change them.

 

What Can/Should We Change

First up, the answer is the “consultant’s answer”.   It depends….

This will depend upon several factors:

  • How open is your organisation to allowing users to synchronise different devices?
  • What support boundaries will you provide?  Will you only support certain makes and models?
  • Will certain device types be whitelisted?
  • Will certain device types be blacklisted?
  • Do you want to manually review and approve every device?
  • Will you have a set of delegated administrators that will review and perform device approval?

 

You will need to review the following parameters of Set-ActiveSyncOrganizationSettings.

UserMailInsert, AdminMailRecipients and most importantly DefaultAccessLevel.

UserMailInsert allows you to insert custom text into the message sent to users when their device is quarantined.  This could refer them to a FAQ which they can consult for more information, or provide the help desk phone number.

AdminMailRecipients allows you to specify which administrators are notified that there are users who have devices in a quarantine state.

DefaultAccessLevel, as the name implies, sets the default access level.  This can be Allow, Block or Quarantine.  Unless there is another rule or exemption, this is the setting that will take effect.

 

My Personal Approach

Do not read this as prescriptive Microsoft guidance, as it is impossible to state that a single approach is the best one for all customers.  Life is never normally that black and white.

What I personally like to do is:

Add custom text into the UserMailInsert.  This shows that the IT cares and has placed a custom help message into the standard Microsoft text.

Set AdminMailRecipients to be a Distribution Group.  Group membership is managed in the Distribution Group and we do not have to change the ActiveSyncOrganizationSettings when people join/leave.

Set DefaultAccessLevel to Quarantine.  This means that any unknown devices where there are no rules or exemptions will be caught by this global setting.  Users will be notified that the device is in quarantine.  Administrators will be notified that the device is in quarantine.  Additionally, if a brand new device is released, it is not automatically allowed access.  The administrators can review the request and determine how best to proceed.

An example of this configuration is shown below:

My Configuration Of Exchange ActiveSync Organisation Settings
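The same three settings expressed as Exchange Management Shell commands, so the configuration can be scripted and verified rather than clicked through. This is an added example, not code from the original post; the group name "EAS Device Approvers", the help-desk wording and the extension number are all placeholders.

```powershell
# Added example (not from the original post). Applies the three settings
# described above: UserMailInsert, AdminMailRecipients and DefaultAccessLevel.
# "EAS Device Approvers" is an assumed distribution group; the help text is constructed.

# 1. Resolve the notification group first. Exchange will reject an
#    AdminMailRecipients value that does not resolve to a recipient.
$approverGroup = Get-DistributionGroup -Identity "EAS Device Approvers" -ErrorAction Stop

# 2. Constructed text that Exchange appends to its standard quarantine mail.
$userInsert = "Your device has been placed in quarantine pending approval. " +
              "See the mobile device FAQ on the intranet or call the help desk on ext. 1234."

# 3. Apply all three organisation-wide settings in one call.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $approverGroup.PrimarySmtpAddress.ToString() `
    -UserMailInsert $userInsert

# 4. Read the settings back; this is what new, unmatched devices will inherit.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, AdminMailRecipients, UserMailInsert

# 5. List devices already in quarantine for the approver group to review
#    (Get-ActiveSyncDevice is the Exchange 2010 cmdlet; Exchange 2013 also
#    offers Get-MobileDevice with the same properties).
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime |
    Sort-Object FirstSyncTime
```

Pointing AdminMailRecipients at a group rather than individual mailboxes is what lets the approver roster change without touching the organisation settings again; step 4 is worth running after any change because the default of Allow is silent when it is left in place.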

 

You may very well have a different approach/methodology and that is perfectly understandable!

 

When Should This Be Changed

Ideally the default Exchange ActiveSync organization settings should be changed immediately after deploying Exchange and prior to allowing users to access the service via Exchange 2010 or 2013.  This ensures that unwanted devices are not allowed to connect into Exchange.

It also means that you are not introducing the issue that we will see in the next blog post…..

Cheers,

Rhoderick

Comments (5)

  1. anonymouscommenter says:

    Thanks
    always interesting
    I liked the “consultant’s answer”. It depends…. 🙂

  2. Hopefully the follow up post is how this impacts existing users/devices?

  3. Yes it is – that is the second bullet in the list of three posts at the start of this post.

    Cheers,
    Rhoderick

  4. anonymouscommenter says:

    As mentioned in the previous posts in this series, the configuration of Exchange ActiveSync was something
