How to Block iOS 6.1 ActiveSync Devices from Exchange Server 2010

It seems there’s a new bug with Apple iOS 6.1 devices (iPhones and iPads) that causes excessive transaction log growth on the Exchange server.

As reported in Windows IT Pro:

Some forums have started to register problems with excessive growth of transaction logs for databases hosting the mailboxes of iOS devices that have been upgraded to iOS 6.1. For example, this note describes a situation where upgraded devices seemed to go into a loop and ended up by generating some 50 GB of transaction logs.

Another interesting report indicating that some form of synchronization loop can happen was posted to the forum used by folks who support the F5 load balancers that are often used to front-end large Microsoft Exchange Server deployments.

If past experience is anything to go by, there won’t be a rapid fix available, so Exchange admins should explore their options for blocking iOS 6.1 devices from connecting to their Exchange servers.

Update: reports are that removing the device association and letting it re-establish itself on next connection resolves the issue for that user. More details on the cmdlets you can use to perform this for all iOS 6.1 device users here at Tony Redmond’s blog. Microsoft has included that suggested workaround in their KB 2814847 as well.

Update 2: Apple has released a support article that some are saying is this issue. Given the specific nature of the problem description, the simplistic solution, and the feedback I’m hearing from others that this simple solution doesn’t fix the issue in most cases, it would seem this is not the end of the matter.

Exchange Server 2010 (and Exchange 2013) customers can use ActiveSync device access rules to block specific device types from connecting to Exchange. In this scenario we have two options available using the New-ActiveSyncDeviceAccessRule cmdlet.

Before we proceed you should be aware that blocking devices that were previously able to connect may not go down very well with your user base. Please consider how best to communicate the change to your key customers and other support staff. Also consider whether a block or quarantine action is more suitable for your environment. For more information on the difference between the two read this.

When a device that was previously connected is suddenly blocked by a device access rule it will present a prompt to the user that the credentials may not be correct, which is possibly going to confuse them.


However, they will also receive an email to their inbox advising of the block.


Identifying iOS 6.1 Devices

In my own test environment I have a limited subset of the possible iOS 6.1 device types available to me. So the examples I’m about to give below are specifically for iPhone 4S and the 3rd generation iPad.

In your own environment you can check which ActiveSync devices running iOS 6.1 have connected to your Exchange servers with the following command.

[PS] C:\>Get-ActiveSyncDevice | where {$_.deviceos -match "iOS 6.1"} | select devicetype,deviceos,deviceuseragent

DeviceType DeviceOS DeviceUserAgent
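The following is an added example, not code from the original post: it feeds the DeviceOS strings found by the command above into New-ActiveSyncDeviceAccessRule, one rule per distinct string. It assumes the rule's QueryString must equal the full DeviceOS value a device reports, and the `$AccessLevel` variable is a name chosen here for illustration.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010/2013).
# $AccessLevel is a hypothetical variable: set it to Block or Quarantine
# depending on which action suits your environment.
$AccessLevel = 'Quarantine'

# Collect each distinct DeviceOS string reported by iOS 6.1 devices.
# The dot is escaped so the pattern matches a literal "6.1" only.
$osStrings = Get-ActiveSyncDevice |
    Where-Object { $_.DeviceOS -match 'iOS 6\.1' } |
    Select-Object -ExpandProperty DeviceOS -Unique

# DeviceOS rules that already exist, so the script can be re-run safely.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceOS' } |
    Select-Object -ExpandProperty QueryString

foreach ($os in $osStrings) {
    if ($existing -contains $os) {
        Write-Host "Rule already present for '$os', skipping"
        continue
    }
    # -WhatIf only previews the change; remove it to create the rule.
    New-ActiveSyncDeviceAccessRule -QueryString $os `
        -Characteristic DeviceOS -AccessLevel $AccessLevel -WhatIf
}

# Review the rules now in place.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```

Because the rules are built from what has already connected, a device reporting a DeviceOS string not yet seen is not covered until the script is run again.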
