Mobile devices are not quarantined as expected after they're removed in Exchange Online
Original KB number: 4090814
In Microsoft Exchange Online, some mobile devices are not quarantined as expected.
For example, consider the following scenario:
In the Office 365 tenant, Exchange ActiveSync access settings are configured to Quarantine - Let me decide to block or allow later. A quarantined device is then Allowed. When the device is allowed, the Get-CASMailbox cmdlet shows Allowed and Blocked devices in the ActiveSyncAllowedDeviceIDs and ActiveSyncBlockedDeviceIDs parameters.
Later, you want to remove the device. You can do this by using either of the following methods:
- Locate Exchange Admin Center > recipients > mailboxes.
- On the right side under Mobile Devices, select View details, and then remove the device from the list of all mobile devices.
After the device is removed, the user tries to add or configure the same device.
In this scenario, the device is not quarantined and is allowed to connect. In the Office 365 Exchange admin center, mobile device details for the user show a status of Access granted, and the Get-MobileDevice cmdlet shows that the DeviceAccessState parameter value is Allowed. This is not the expected result. Instead, you expect the device to be quarantined.
When the device is removed (either from the Office 365 Exchange Admin Center or through PowerShell by using the Remove-MobileDevice cmdlet), the ActiveSyncAllowedDeviceIDs and ActiveSyncBlockedDeviceIDs parameters are not cleared. Therefore, when the user tries to connect by using the device that was previously removed, the device ID is still populated in the ActiveSyncAllowedDeviceIDs parameter, so the device is not quarantined and is allowed to connect.
To prevent the device from connecting, set the ActiveSyncAllowedDeviceIDs and ActiveSyncBlockedDeviceIDs parameters to $null after you remove the device. For example, run the following cmdlet:
Set-CASMailbox email@example.com -ActiveSyncAllowedDeviceIDs $null
When these parameters are set to $null, the device is quarantined when it tries to connect.
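The following added example (not part of the original KB article or Microsoft's own code) audits for the leftover entries described above: device IDs that remain in ActiveSyncAllowedDeviceIDs or ActiveSyncBlockedDeviceIDs although the mailbox no longer has that device. It assumes a connected Exchange Online PowerShell session; the function name and the -Fix switch are hypothetical, and with -Fix it removes only the stale IDs instead of setting the whole list to $null.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session
# (Connect-ExchangeOnline). Function name and -Fix switch are hypothetical.
function Find-StaleActiveSyncDeviceId {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Mailbox,  # omit to audit every mailbox
        [switch]$Fix         # also remove the stale IDs that are found
    )

    if ($Mailbox) {
        $targets = $Mailbox | ForEach-Object { Get-CASMailbox -Identity $_ }
    } else {
        $targets = Get-CASMailbox -ResultSize Unlimited
    }

    foreach ($cas in $targets) {
        $id = "$($cas.PrimarySmtpAddress)"

        # Device IDs that still have a partnership with this mailbox.
        $present = @(Get-MobileDevice -Mailbox $id | ForEach-Object { $_.DeviceId })

        foreach ($list in 'ActiveSyncAllowedDeviceIDs', 'ActiveSyncBlockedDeviceIDs') {
            # Entries left behind after the device itself was removed.
            $stale = @($cas.$list | Where-Object { $_ -and $_ -notin $present })
            if (-not $stale) { continue }

            [pscustomobject]@{
                Mailbox       = $id
                List          = $list
                StaleDeviceId = $stale -join ','
            }

            if ($Fix -and $PSCmdlet.ShouldProcess($id, "Remove $($stale -join ',') from $list")) {
                # Remove only the stale IDs; other entries in the list are kept.
                $params = @{ Identity = $id; $list = @{ Remove = $stale } }
                Set-CASMailbox @params
            }
        }
    }
}

# Report only:       Find-StaleActiveSyncDeviceId -Mailbox email@example.com
# Preview a cleanup: Find-StaleActiveSyncDeviceId -Mailbox email@example.com -Fix -WhatIf
```

A stale entry in ActiveSyncAllowedDeviceIDs is the case that lets a removed device reconnect without being quarantined, so those rows deserve review first.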