Blocking iOS 7.0 in Exchange Server and Office365 Exchange Online

by Arman Obosyan 27. September 2013 08:46

Now that iOS 7.0.2 is available, it might be a good idea to block the previous iOS 7.0 version. You have probably seen a lot of news right after the iOS 7 release about bugs that allowed access to a locked iPhone/iPad. Now that Apple has fixed these two iOS 7 bugs, you might be interested to know how to block iOS 7.0 devices from accessing your corporate email.

You cannot block a specific device OS via the Exchange Control Panel or the Exchange Admin Center, because these management tools can only select models that are already present, so we will use PowerShell. Please also note that this method only works when devices already have a relationship with Exchange.

Let's find out which device OS versions are currently registered on our Exchange. For Exchange 2013 and Office 365 Exchange Online you'll have to use this PowerShell command (About how to connect to Office 365 you can read here):

Get-MobileDevice | ft FriendlyName, DeviceOS, DeviceModel -A

We can see a few DeviceOS values, but we need only iOS 7.0, so let's filter the output:

Get-MobileDevice | Where-Object {$_.DeviceOS -like "iOS 7*"} | ft FriendlyName, DeviceOS, DeviceModel -A

Note: There may be more versions: iOS 7.0 11A465, iOS 7.0 11A4449d, iOS 7.0 11A4400f, iOS 7.0 11A4414e, etc.

Note: The cmdlet Get-MobileDevice is specific to Exchange 2013/Office 365; for Exchange 2010 use the cmdlet Get-ActiveSyncDevice.

Now that we have the DeviceOS values, we can block or quarantine these devices using the cmdlet New-ActiveSyncDeviceAccessRule (works on Exchange 2010, 2013, Office 365). This will also work when these particular DeviceOS values aren't present already.

In the example below we quarantine a specific iOS 7 DeviceOS:

New-ActiveSyncDeviceAccessRule -QueryString "iOS 7.0 11A465" -Characteristic DeviceOS -AccessLevel Quarantine

Immediately after the ActiveSync device access rule is created, users will not be able to sync an iPad/iPhone running iOS 7.0; they will get an email saying that the mobile device was quarantined:

Your mobile device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.
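
The note above lists several iOS 7.0 build strings, while the rule shown quarantines one exact DeviceOS value. The following is an added example, not the author's code: it collects every distinct "iOS 7.0 <build>" string and previews one quarantine rule per build. The function name, the sample rows, and the assumption that updated devices report "iOS 7.0.2 <build>" are assumptions of this example.

```powershell
# Added example: quarantine every iOS 7.0 build, not only one DeviceOS string.
function Get-UnpatchedIos70Build {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Devices
    )
    # 'iOS 7.0 *' (note the space) matches "iOS 7.0 <build>" only. The wider
    # 'iOS 7*' filter would also match updated devices, assumed here to
    # report "iOS 7.0.2 <build>".
    $Devices |
        Where-Object { $_.DeviceOS -like 'iOS 7.0 *' } |
        Select-Object -ExpandProperty DeviceOS |
        Sort-Object -Unique
}

# Constructed sample rows (not real inventory) to check the filter offline.
$sample = @(
    [pscustomobject]@{ FriendlyName = 'Sample A'; DeviceOS = 'iOS 7.0 11A465' }
    [pscustomobject]@{ FriendlyName = 'Sample B'; DeviceOS = 'iOS 7.0 11A465' }
    [pscustomobject]@{ FriendlyName = 'Sample C'; DeviceOS = 'iOS 7.0 11A4449d' }
    [pscustomobject]@{ FriendlyName = 'Sample D'; DeviceOS = 'iOS 7.0.2 SAMPLEBUILD' }
    [pscustomobject]@{ FriendlyName = 'Sample E'; DeviceOS = 'iOS 6.1 SAMPLEBUILD' }
)
Get-UnpatchedIos70Build -Devices $sample   # lists the strings that would get a rule

# Live part: runs only inside an Exchange 2013 / Exchange Online session.
if (Get-Command Get-MobileDevice -ErrorAction SilentlyContinue) {
    # DeviceOS rules that already exist, so reruns do not try to recreate them.
    $existing = @(Get-ActiveSyncDeviceAccessRule |
        Where-Object { "$($_.Characteristic)" -eq 'DeviceOS' } |
        Select-Object -ExpandProperty QueryString)

    $devices = @(Get-MobileDevice -ResultSize Unlimited)
    foreach ($os in (Get-UnpatchedIos70Build -Devices $devices)) {
        if ($existing -contains $os) { continue }
        # -WhatIf previews the rule; remove it to create the rule for real.
        New-ActiveSyncDeviceAccessRule -QueryString $os -Characteristic DeviceOS `
            -AccessLevel Quarantine -WhatIf
    }
}
```

Because the rules are built from registered devices, a build that has never synced gets no rule until it appears in the inventory, so the script is worth rerunning.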

Only after users update their devices to the latest version, iOS 7.0.2 (currently available for download), will they be able to sync again. After the update you can see the updated DeviceOS in the list:

Get-MobileDevice | Where-Object {$_.DeviceOS -like "iOS 7*"} | ft FriendlyName, DeviceOS, DeviceModel -A

That's it for now. Keep safe, block and quarantine, and do not let anyone unpatched use your corporate data ;)


Some additional links to read

Forbes: iOS 7 Bug Lets Anyone Bypass iPhone's Lockscreen To Hijack Photos, Email, Or Twitter
Forbes: Another iOS 7 Bug Lets Anyone Make Calls From Locked iPhones--And This One Has No Quick Fix
Apple: About the security content of iOS 7.0.2

© 2008-2012, Arman Obosyan, Postmaster.GE
About the author

Arman Obosyan has 20+ years of work experience in the information technology sector.

For the last few years he has been working as a Technology Strategist at Microsoft Corporation. In the past, Arman was Head of IT Infrastructure at the governmental central bank of Georgia (National Bank of Georgia).

Nowadays Arman supports C-level executives and enables business as a visionary with a passion for technology and trends.

Certified since 2003, he has passed the following certifications: MCP, MCSA, MCSE, MCTS, MCITP, Exin ITIL and VMware Certified Professional (VCP).

Founder / Lead of the Microsoft Certified Professionals (MCP) Club Tbilisi and the Community GE project.

In 2010 he was awarded Microsoft Most Valuable Professional (MVP).

2017 MVP Reconnect


The opinions expressed herein are my own personal opinions and do not represent anyone else's view in any way, including those of my employer.
