Blocking iOS 7 in Exchange 2010 & 2013 (updated)
Now that iOS 7 available, it might be interesting to know how to block this version. In the past there were some issues with the Exchange ActiveSync implementation in specific iOS DeviceOS versions (read this and this). Please note that I did not encountered or heard of any ActiveSync issues with iOS 7, but it might be prudent to be prepared.
But first we have to find out which DeviceOS versions are already present, or how they are presented to Exchange. For Exchange 2013 you'll have to use this powershell one-liner:
Get-MobileDevice | Where-Object {$_.DeviceOS -like "iOS 7*"} | ft FriendlyName, DeviceOS, DeviceModel -A
The cmdlet Get-MobileDevice is specific for Exchange 2013 (and Office 365 v15), for 2010 (and Office 365 v14) use the cmdlet Get-ActivesyncDevice. This will give you an output like this:
FriendlyName DeviceOS DeviceModel
———— ——– ———–
Zwart iPhone 4S iOS 7.0 11A465 iPhone4C1
Zwart iPad iOS 7.0 11A465 iPad3C1
iPhone 5 iOS 7.0 11A465 iPhone5C2
Zwart iPad mini iOS 7.0 11A4449d iPad2C5
Wit iPhone 4 iOS 7.0 11A4400f iPhone3C1
Wit iPhone 4 iOS 7.0 11A4414e iPhone3C1
Wit iPhone 4S iOS 7.0 11A465 iPhone4C1
Wit iPhone 4 iOS 7.0 11A4449d iPhone3C1
Zwart iPhone 4S iOS 7.0 11A4449d iPhone4C1
Wit iPhone 4 iOS 7.0 11A4400f iPhone3C1
Wit iPhone 4 iOS 7.0 11A4414e iPhone3C1
The DeviceOS column already shows several different versions, even within the same DeviceModel. I found these DeviceOS values for iOS7:
- iOS 7.0 11A465
- iOS 7.0 11A4449d
- iOS 7.0 11A4400f
- iOS 7.0 11A4414e
- iOS 7.0
For iOS 7.0.2, I found (iPad, iPhone alike):
- iOS 7.0.2 11A501
Please note that there are possibly more versions, but these where the versions I could found on a live Exchange 2013 environment. This method only works when devices already have an relationship with Exchange, it could very well be that this information will not show up in your environment. It also means you cannot block these devices via the Exchange Control Panel or the Exchange Admin Center as this management tools can only select already present models etc. (well, you can't select DeviceOS at the moment, so the shell has to be used anyway).
You can block or quarantine these via the ABQ using the cmdlet New-ActiveSyncDeviceAccessRule (for Exchange 2010, 2013 and Office 365 via Remote PowerShell). This will also work when these particular DeviceOS aren't present already. In the example below I quarantine a specific iOS 7 DeviceOS:
New-ActiveSyncDeviceAccessRule -QueryString "iOS 7.0 11A465" -Characteristic DeviceOS -AccessLevel Quarantine
Please read more about the Allow/Block/Quarantine option in Exchange 2010/2013 before implementing this. And again: I haven't encountered or heard of any ActiveSync issues with any iOS7 version, but I already wanted to provide some DeviceOS numbers and a short tutorial on how to find them yourselves and consequently block or quarantine them.
Office 365 users are lucky, they can use the OWA app for iPad/iPhone which doesn't have the "classic" ActiveSync issues. You can still block (specific) iOS versions but it doesn't affect this app as it doesn't work via ActiveSync.
Also it seems that Office 365 Federated users can use the OWA App for iPad/iPhone on an on-prem Exchange 2013 CU2 mailbox. There is no hybrid config required, just (as it seems) federation towards O365. I've only could test it in one situation, so I do no know the specific requirements. It might be necessary for the tenant to be v15, this link shows you how to check. A note of caution: at the moment only Office 365 users are supported, but on-prem support has been announced.
If you find any new DeviceOS numbers, you are welcome to leave those behind in the comments.
Update 27 September 2013: Added DeviceOS for iOS 7.0.2. Please note that there might be an issue with this specific version, as Exchange MVP Paul Robichaux suspects. Also added remark about the OWA App can already be used on-prem in certain cases.
Also check out The UC Architects fellows Paul Cunningham's post and Michel de Rooij's post on this EAS/iOS7 subject.