Hi. Task: Add new mobile devices to quarantine. What is the reason why this may not work ? I have changed the global parameter and also created a rule in the ecp. I added a third app. It is quarantined. How does it work ? What could be the cache? I removed the devices via Remove-MobileDevice. IIS restarted. I even rebooted the servers.

Likely it's whitelisted on some user, check the DeviceAccessStateReason value. Or filter against the DeviceID to confirm: Get-CASMailbox -Filter {ActiveSyncAllowedDeviceIDs -eq '111111111'}

Hi @ Андрей Михалевский , I noticed your comment that you said this is a new user, here are some things you can check: Make sure the new account has sufficient permissions to add devices and perform related operations. Check if the account is correctly assigned the required roles and permissions. Some third-party applications may interfere with the device's isolation process. Confirm whether these applications are compatible with the current system or whether there is an updated version that can resolve the compatibility issue. Check the overall configuration of the system to ensure that no necessary settings are missed. For example, confirm that all required services and features are enabled.

Can't add new devices to the quarantine

Андрей Михалевский 3,356

Hi.

Task: Add new mobile devices to quarantine.

What is the reason why this may not work ? I have changed the global parameter and also created a rule in the ecp.

Карантин-01

I added a third app. It is quarantined. How does it work ? What could be the cache? I removed the devices via Remove-MobileDevice. IIS restarted. I even rebooted the servers.

Карантин-2

2 answers

Vasil Michev 108.9K Reputation points MVP

2024-10-29T17:05:52.09+00:00
Likely it's whitelisted on some user, check the DeviceAccessStateReason value. Or filter against the DeviceID to confirm:

Get-CASMailbox -Filter {ActiveSyncAllowedDeviceIDs -eq '111111111'}
Please sign in to rate this answer.
Андрей Михалевский 3,356 Reputation points

2024-10-30T07:26:30.2366667+00:00

It's a new account. There are no rules
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Jake Zhang-MSFT 7,155 Reputation points Microsoft Vendor

2024-10-30T10:11:55.5866667+00:00
Hi @Андрей Михалевский,

I noticed your comment that you said this is a new user, here are some things you can check:

Make sure the new account has sufficient permissions to add devices and perform related operations. Check if the account is correctly assigned the required roles and permissions.

Some third-party applications may interfere with the device's isolation process. Confirm whether these applications are compatible with the current system or whether there is an updated version that can resolve the compatibility issue.

Check the overall configuration of the system to ensure that no necessary settings are missed. For example, confirm that all required services and features are enabled.
Please sign in to rate this answer.
Андрей Михалевский 3,356 Reputation points

2024-10-30T12:43:18.45+00:00

It's an old user. I was referring to the new application, i.e. the mail client.

Jake Zhang-MSFT 7,155 Reputation points Microsoft Vendor

2024-11-01T09:55:05.0766667+00:00

Hi @Андрей Михалевский,

Then you should first make sure that the device meets the requirements of the quarantine area. Some devices may not support the quarantine function.

Андрей Михалевский 3,356 Reputation points

2024-11-01T09:56:49.3466667+00:00

What are these requirements?

Jake Zhang-MSFT 7,155 Reputation points Microsoft Vendor

2024-11-05T09:30:30.36+00:00

Quarantine conditions refer to the specific requirements and rules that you set for device access that determine whether the device is allowed to access the corporate network or specific resources. When devices don't meet these criteria, they're quarantined. Common quarantine conditions include the following:

For example, only allow certain brands or models of devices to access the network.

For example, the device is required to be running a specific version of the operating system (e.g., iOS, Android, Windows, etc.) or above.

Whether the device is jailbroken or rooted. Some policies may not allow access to jailbroken or rooted devices.

For example, whether the device has passcode lock enabled, whether encryption is enabled, etc.

Whether the device complies with the company's predefined compliance policies, such as installing the latest security patches or antivirus software.

Whether the device is properly enrolled and authenticated in the corporate management system.

Jake Zhang-MSFT 7,155 Reputation points Microsoft Vendor

2024-11-12T05:23:40.3666667+00:00

Is there any update on this thread? If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.

Андрей Михалевский 3,356 Reputation points

2024-11-12T13:39:01.5366667+00:00

@Jake Zhang-MSFT Hi. This does not work if the devices are added to ActiveSyncAllowedDeviceIDs. It is prioritized.

Jake Zhang-MSFT 7,155 Reputation points Microsoft Vendor

2024-11-14T09:32:45.99+00:00

You are correct. If devices are added to the ActiveSyncAllowedDeviceIDs list, they will take precedence and be allowed to connect, thus bypassing the quarantine rule. This list essentially whitelists specific devices, giving them precedence over other policies.

To fix this, you need to remove them from the allow list. You can do this with a command of the following format:

Set-CASMailbox -Identity <UserIdentity> -ActiveSyncAllowedDeviceIDs @{Remove="<DeviceID>"}
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Can't add new devices to the quarantine

2 answers

Your answer