Blocking iOS 7.0 in Exchange Server and Office365 Exchange Online

by Arman Obosyan 27. September 2013 08:46

Now that iOS 7.0.2 is available, it might be a good idea to block the previous iOS 7.0 version. You have probably seen plenty of news right after the iOS 7 release about bugs that allowed access to a locked iPhone/iPad. Now that Apple has fixed these two iOS 7 bugs, you might be interested to know how to block iOS 7.0 devices from accessing your corporate email.

You cannot block a specific device OS via the Exchange Control Panel or the Exchange Admin Center, as these management tools can only select models that are already present, so we will use PowerShell. Please also note that this method only works when devices already have a relationship with Exchange.

Let's find out which device OS versions are currently registered on our Exchange. For Exchange 2013 and Office 365 Exchange Online you'll have to use this PowerShell command (about how to connect to Office 365 you can read here):

Get-MobileDevice| ft FriendlyName, DeviceOS, DeviceModel -A

We can see a few DeviceOS values, but we need only iOS 7.0, so let's filter the output:

Get-MobileDevice | Where-Object {$_.DeviceOS -like "iOS 7*"} | ft FriendlyName, DeviceOS, DeviceModel -A

Note: There may be more versions: iOS 7.0 11A465, iOS 7.0 11A4449d, iOS 7.0 11A4400f, iOS 7.0 11A4414e, etc.

Note: The cmdlet Get-MobileDevice is specific to Exchange 2013/Office 365; for Exchange 2010 use the cmdlet Get-ActiveSyncDevice.

Now that we have the DeviceOS, we can block or quarantine these devices using the cmdlet New-ActiveSyncDeviceAccessRule (works on Exchange 2010, 2013, Office 365). This will also work when these particular DeviceOS values aren't already present.

In the example below we quarantine a specific iOS 7 DeviceOS:

New-ActiveSyncDeviceAccessRule -QueryString "iOS 7.0 11A465" -Characteristic DeviceOS -AccessLevel Quarantine
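Because several iOS 7.0 builds can be registered at once, the sketch below (an added example, not part of the original post) lists every distinct "iOS 7.0 <build>" DeviceOS, skips builds that already have a DeviceOS rule, and previews a quarantine rule for the rest. The function name Get-UncoveredDeviceOS and the offline sample strings are assumptions made for illustration.

```powershell
# Added example: find iOS 7.0 builds that have no DeviceOS access rule yet.
function Get-UncoveredDeviceOS {
    param(
        [string[]]$DeviceOS,            # DeviceOS strings reported by devices
        [string[]]$ExistingQuery,       # QueryString values of existing DeviceOS rules
        [string]$Pattern = 'iOS 7.0 *'  # "iOS 7.0 <build>"; does not match "iOS 7.0.2 ..."
    )
    $DeviceOS |
        Where-Object { $_ -like $Pattern } |
        Sort-Object -Unique |
        Where-Object { $ExistingQuery -notcontains $_ }
}

if (Get-Command Get-MobileDevice -ErrorAction SilentlyContinue) {
    # Live Exchange 2013 / Office 365 session
    $os    = Get-MobileDevice -ResultSize Unlimited |
             Select-Object -ExpandProperty DeviceOS
    $rules = Get-ActiveSyncDeviceAccessRule |
             Where-Object { $_.Characteristic -eq 'DeviceOS' } |
             Select-Object -ExpandProperty QueryString
} else {
    # Constructed sample data so the filter can be checked without Exchange.
    # The 7.0.2 and 6.x build suffixes are placeholders, not real build numbers.
    $os    = 'iOS 7.0 11A465', 'iOS 7.0 11A465', 'iOS 7.0 11A4449d',
             'iOS 7.0.2 BUILD-X', 'iOS 6.1 BUILD-Y'
    $rules = @('iOS 7.0 11A465')
}

foreach ($q in Get-UncoveredDeviceOS -DeviceOS $os -ExistingQuery $rules) {
    if (Get-Command New-ActiveSyncDeviceAccessRule -ErrorAction SilentlyContinue) {
        # -WhatIf only previews the rule; remove it to create the rule.
        New-ActiveSyncDeviceAccessRule -QueryString $q -Characteristic DeviceOS `
            -AccessLevel Quarantine -WhatIf
    } else {
        "Would quarantine DeviceOS: $q"
    }
}
```

On Exchange 2010, replace Get-MobileDevice with Get-ActiveSyncDevice, as the note above says.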

Immediately after the ActiveSync Device Access Rule is created, users will not be able to sync an iPad/iPhone running iOS 7.0; they will get an email saying that the mobile device was quarantined:

Your mobile device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.

Only after users update their devices to the latest version, iOS 7.0.2 (currently available for download), will they be able to sync again. After the update you can see the updated DeviceOS in the list:

Get-MobileDevice | Where-Object {$_.DeviceOS -like "iOS 7*"} | ft FriendlyName, DeviceOS, DeviceModel -A

That's it for now. Keep safe, block and quarantine, and do not allow anyone unpatched to use your corporate data ;)

----

Some additional links to read

Forbes: iOS 7 Bug Lets Anyone Bypass iPhone's Lockscreen To Hijack Photos, Email, Or Twitter
Forbes: Another iOS 7 Bug Lets Anyone Make Calls From Locked iPhones--And This One Has No Quick Fix
Apple: About the security content of iOS 7.0.2

© 2008-2012, Arman Obosyan, Postmaster.GE
About the author

Arman Obosyan is an experienced IT Pro with over 15 years of work experience in the Information Technologies sector.

Certified since 2003; passed the following certifications: MCP, MCSA, MCSE, MCTS, MCITP, Exin ITIL and VMware Certified Professional (VCP).

In 2010 was awarded Microsoft Most Valuable Professional (MVP).

--------

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent anyone else's view in any way, including those of my employer.
