Blocking the Windows 8 Mail app in Exchange 2010 & 2013

I think I might start a new tradition: every time a major/important OS or update is released, I try to find out how to block it from Exchange :)

Now, I know the Mail app has been around for some time now. If you recollect, I did some research on how Exchange ActiveSync (EAS) within the Mail app works in general and how it implements security settings in Windows 8. But especially since Windows 8.1 RT was released yesterday with Outlook 2013 RT in it (woohoo!), there could be valid reasons why admins want to prevent users from configuring and using the Windows 8 Mail app. So, what are our options?

The process is basically the same as with my previous post Blocking iOS 7 in Exchange 2010 & 2013, although it will be a bit more tricky when there is a need to differentiate between “normal” Windows 8 and Windows RT. But let’s just see what we can see.

First I listed all mobile device partnerships with Get-MobileDevice (for Exchange 2013; Get-ActiveSyncDevice for 2010) and looked at the important values. An example of one partnership is shown below; some irrelevant values have been stripped and I’ve highlighted interesting ones. The interesting ones are the values we can base our device access rules on (DeviceType, DeviceModel, DeviceOS and UserAgent).

FriendlyName            : GHORRT
DeviceId                : 7C35CB29F19565EDXCXDXXXXXDBXXBDX
DeviceOS                : WINDOWS
DeviceOSLanguage        : English
DeviceType              : WindowsMail
DeviceUserAgent         : WindowsMail/17.4.9600.16384
DeviceModel             : Microsoft Surface with Windows RT Surface_RT_1_IDP
FirstSyncTime           : 17-Oct-13 19:18:02
UserDisplayName         : dmstork
DeviceAccessState       : Allowed
DeviceAccessStateReason : Global
DeviceAccessControlRule :
ClientVersion           : 14.1
ClientType              : EAS

This is my Surface RT, in this instance already upgraded to Windows RT 8.1. The DeviceOS parameter has the value “WINDOWS”; unfortunately there is no difference between any versions of Windows 8. You could block all of Windows 8/RT if that is sufficient, but I wonder what would happen with Windows vNext (i.e. Windows 9). Another thought is whether a specific (non-Microsoft) app that uses ActiveSync would also be blocked (or quarantined). Something to consider.

The DeviceType parameter has the value “WindowsMail”, so it stands to reason that this is the Windows 8 Mail app. I did not see any variations.

As with iOS, it’s theoretically possible that certain updates of the Mail app can have issues. If you wanted to block certain versions, the DeviceUserAgent parameter seems to be the one to choose. Do note that I’ve seen at least 8 different version numbers, from “WindowsMail/16.4.4206.0722” to “WindowsMail/17.5.9600.20279”.

And last but not least, the DeviceModel parameter. With these values I would suspect you could differentiate between the Surface Pro and the Surface RT for instance. And indeed there are distinct values: “Microsoft Surface with Windows RT Surface_RT_1_IDP” for the Surface RT and “Microsoft Corporation Surface with Windows 8 Pro Surface_PRO_1” for the Surface Pro. I haven’t seen any variations, but the upcoming Surface 2 and Surface Pro 2 will probably/hopefully have different values.

If you want a nice overview with the relevant values of all Windows 8/RT clients within your Exchange organization, use this one-liner:

Get-MobileDevice | Where-Object {$_.DeviceUserAgent -like "Windows*"} | Format-Table DeviceOS, DeviceType, DeviceUserAgent, DeviceModel -AutoSize

As said, you can block or quarantine these via the Allow/Block/Quarantine (ABQ) list using the cmdlet New-ActiveSyncDeviceAccessRule (for Exchange 2010, 2013 and Office 365 via Remote PowerShell). This will also work when these particular parameters aren’t present already. In the example below I quarantine all Surface RTs:

New-ActiveSyncDeviceAccessRule -QueryString "Microsoft Surface with Windows RT Surface_RT_1_IDP" -Characteristic DeviceModel -AccessLevel Quarantine

This also works in Office 365/Exchange Online, if you were wondering.
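
One way to preview which existing partnerships a rule would hit before creating it, which addresses the concern above about other ActiveSync clients being caught. This is an added example, not code from the original post; Get-AbqRuleImpact is a hypothetical helper name, and the exact, case-insensitive string comparison used for the preview is an assumption.

```powershell
# Added example: preview the impact of a device access rule before creating it.
# Run in the Exchange Management Shell (Exchange 2013 / Exchange Online);
# on Exchange 2010 replace Get-MobileDevice with Get-ActiveSyncDevice.
# Get-AbqRuleImpact is a hypothetical helper, not an Exchange cmdlet.
function Get-AbqRuleImpact {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('DeviceModel', 'DeviceType', 'DeviceOS', 'UserAgent')]
        [string]$Characteristic,

        [Parameter(Mandatory = $true)]
        [string]$QueryString
    )

    # The rule characteristic "UserAgent" is stored on the partnership as DeviceUserAgent.
    $property = if ($Characteristic -eq 'UserAgent') { 'DeviceUserAgent' } else { $Characteristic }

    # Assumption: the preview compares the whole string, case-insensitively.
    Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.$property -eq $QueryString } |
        Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceUserAgent, DeviceModel, DeviceAccessState
}

$model  = 'Microsoft Surface with Windows RT Surface_RT_1_IDP'
$impact = @(Get-AbqRuleImpact -Characteristic DeviceModel -QueryString $model)

# Who is affected, and with which client versions?
$impact | Sort-Object UserDisplayName | Format-Table -AutoSize
$impact | Group-Object DeviceType, DeviceUserAgent | Format-Table Count, Name -AutoSize

# Any DeviceType other than WindowsMail means the rule reaches beyond the Mail app.
$other = @($impact | Where-Object { $_.DeviceType -ne 'WindowsMail' })
if ($other.Count -gt 0) {
    Write-Warning "$($other.Count) matching partnership(s) are not the Windows 8 Mail app."
}

# Dry run first; remove -WhatIf to actually create the rule.
New-ActiveSyncDeviceAccessRule -QueryString $model -Characteristic DeviceModel `
    -AccessLevel Quarantine -WhatIf

# List existing rules to check for overlap with the new one.
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```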

Conclusion

Yes, you can block (or quarantine) the Windows 8 Mail app. However, you cannot distinguish between the different versions of Windows 8, RT included. You could differentiate between versions of the Mail app, but that is quite cumbersome due to the great variation of versions (and the new auto-updating of apps in 8.1), and the version strings seem to be independent of the Windows version. You could choose to block the Surface RT in order to force the use of Outlook 2013 RT, but that does not block other tablets with Windows RT (albeit they are becoming more rare). Basically, it’s all or nothing for the Mail app.

19 October 2013 Update: The Microsoft Exchange Team published a blog post yesterday about Windows 8.1 Mail app: Supporting Windows Mail 8.1 in your organization

One comment

    Hi Dave
    Nice post, yesterday my customer asks me how to block Kiosk users who have the Mail app on Win 8 😉
    Thanks
