To manage new devices trying to connect to email for the first time, configure Exchange to either Block or Quarantine devices from an organizational level. Exchange can be configured through either an Exchange PowerShell session or web interface. For Office 365 and Microsoft Exchange 2010/2013/2016 users, access the web UI through an administrator’s Outlook Web Access (OWA) portal.

To configure Exchange through PowerShell:

  1. Configure your organizational settings so that they block or quarantine devices. Blocking devices blocks the device outright while quarantining provides you more visibility to unknown devices. However, quarantining also uses more processing power.
  2. Open the Exchange PowerShell command window from the Exchange Server and enter the following command to:
    1. Quarantine devices

      PS C:\Windows\system32> Set-ActiveSyncOrganizationSettings –DefaultAccessLevel quarantine
    2. Block devices
      PS C:\Windows\system32> Set-ActiveSyncOrganizationSettings –DefaultAccessLevel Block
Caution:

The preceding instructions block or quarantine new devices until they enroll in the UEM console, at which point, Workspace ONE UEM issues relevant PowerShell cmdlets to allow email access for the newly enrolled devices. Use caution while enforcing device block or quarantine at the Global level on the Exchange server. While using this setting in a production environment, ensure that all your devices are enrolled. Typically, this setting is not used during a trial or evaluation. The cmdlet might also temporarily block or quarantine enrolled devices until they check into AirWatch. Quarantining or blocking devices from accessing email over ActiveSync allows organizations to ensure that only approved (that is, Workspace ONE UEM managed) devices are allowed for email access. Without this enforcement, there is the possibility that unmanaged devices might gain temporary access to corporate email. The temporary access is until the next PowerShell sync process discovers and blocks them. Define a custom email message for users with blocked devices. Microsoft Exchange can then automatically send users a notification to enroll, when their blocked device attempts to access email.

For further information, refer http://blogs.technet.com/b/exchange/archive/2010/11/15/3411539.aspx.