To manage new devices trying to connect to email for the first time, configure Exchange to either block or quarantine devices at the organizational level. Exchange can be configured through either an Exchange PowerShell session or the web interface. For Office 365 and Microsoft Exchange 2010/2013/2016 users, access the web UI through an administrator’s Outlook Web Access (OWA) portal.

To configure Exchange through PowerShell:

  1. Configure your organizational settings so that they block or quarantine devices. Blocking denies the device access outright, while quarantining gives you more visibility into unknown devices. AirWatch recommends quarantining; however, it also uses more processing power.
  2. Open the Exchange PowerShell command window from the Exchange Server and enter the following command to:
    1. Quarantine devices

      PS C:\Windows\system32>  Set-ActiveSyncOrganizationSettings -DefaultAccessLevel quarantine
    2. Block devices

      PS C:\Windows\system32>  Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

The above instructions block or quarantine new devices until they enroll in the AirWatch Console, at which point AirWatch issues the relevant PowerShell cmdlets to allow email access for the newly enrolled devices.

Use caution when enforcing device block or quarantine at the Global level on the Exchange server. When using this setting in a production environment, ensure that all your devices are enrolled. Typically, this setting is not used during a trial or evaluation. The cmdlet might also temporarily block or quarantine enrolled devices until they check into AirWatch.

Quarantining or blocking devices from accessing email over ActiveSync allows organizations to ensure that only approved (i.e. AirWatch managed) devices are allowed email access. Without this enforcement, unmanaged devices may gain temporary access to corporate email until the next PowerShell sync process discovers and blocks them.

AirWatch recommends defining a custom email message for users with blocked devices. Microsoft Exchange can then automatically send users a notification to enroll when their blocked device attempts to access email.
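The following is an added example, not part of the AirWatch documentation: it inventories which known devices depend on the organization default before the change, then sets quarantine together with a custom user notification. The message text, the administrator address, and the CSV file name are constructed placeholders.

```powershell
# Run in an Exchange Management Shell or Exchange Online PowerShell session.
# Exchange 2010 uses Get-ActiveSyncDevice in place of Get-MobileDevice.

# Constructed placeholder values; replace with your own.
$userMessage  = 'This device is not enrolled. Enroll it with your device management agent to receive email.'
$adminAddress = 'mobile-admins@example.com'

# 1. Record the current organization default so it can be restored if needed.
$before = Get-ActiveSyncOrganizationSettings
"Current default access level: $($before.DefaultAccessLevel)"

# 2. Summarize known devices by access state and the reason for that state.
$devices = Get-MobileDevice -ResultSize Unlimited
$devices |
    Group-Object DeviceAccessState, DeviceAccessStateReason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Devices whose state reason is 'Global' inherit the organization default,
#    so they are the ones that follow the new setting. Save the list for review.
$affected = $devices | Where-Object { $_.DeviceAccessStateReason -eq 'Global' }
"Devices governed by the organization default: $(@($affected).Count)"
$affected |
    Select-Object UserDisplayName, DeviceType, DeviceId, DeviceAccessState |
    Export-Csv -Path .\activesync-global-devices.csv -NoTypeInformation

# 4. Set the default to quarantine and define the message Exchange sends to
#    users of quarantined or blocked devices. Append -WhatIf to preview first.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -UserMailInsert $userMessage `
    -AdminMailRecipients $adminAddress

# 5. Confirm the resulting organization settings.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, UserMailInsert, AdminMailRecipients
```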

