Thursday, 14 June 2012

EAS Lock Down - Part 1


     You have an Exchange 2010 environment and users are using ActiveSync devices. Now your organization decides to lock down EAS and allow access only for those users who have signed some sort of consent form.

Below is the method to achieve this through ECP.

The first thing you need to do is edit "Exchange ActiveSync Settings", which you can do through the ECP.
1) Log in to the ECP.
2) Select "Manage My Organization".
3) Go to the "Phone & Voice" tab.
4) Under "ActiveSync Access" you will have an "Edit" option to edit "Exchange ActiveSync Settings".
5) You will then get a pop-up to edit the settings.
       You will have the three self-explanatory options below (but I'll still add some detail to them):
              a) "Connection settings
              When a device that isn't managed by a rule or personal exemption connects to Exchange" :
                     Select the option "Quarantine - Let me decide to block or allow later", which will quarantine all the ActiveSync devices.

              b) "Quarantine notification e-mails Select administrators to receive e-mail when a device is quarantined." :
                    Add the administrators' details so that the administrators receive an email once a device gets quarantined. Personally I would recommend that you add the administrators' details here; I will explain why it's recommended.


             c) "Enter text to include in e-mails sent to users who have a device in quarantine, blocked, or in the process of being identified" :
                      Here you can enter any custom message that you want to include in the email received by users whose ActiveSync device is quarantined or blocked.

             d) Click Save to accept the settings.


Refer to the figures below for more details:

Figure 1: Managing EAS Settings



Figure 2: Exchange ActiveSync Settings



Once the above setting is applied, all users who are using ActiveSync on their device will receive an email message saying that their device has been quarantined.

The administrator will also receive an email containing the user's ActiveSync device details and a direct ECP link for managing the user's device.
The administrator can then click the link given in the email to either block or allow the device from syncing email, depending on whether that user has signed the consent form.

     Besides the email, you will also get the list of quarantined devices under "Quarantined Devices" (6) to manage the users' ActiveSync devices. You can then select the desired user and allow or block ActiveSync access (6a) accordingly.
If your organization has more than 500 users, you will get a random 500 ActiveSync devices in the quarantined devices list, so the list may or may not include the user who has signed the consent form and whose ActiveSync access you want to allow.

If you want to allow access only for users who have signed the consent form, and only for a particular kind of device (like iOS devices), then you should also check "Device Type" and "Model" while allowing or blocking ActiveSync access.
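
The same lock-down can be scripted in the Exchange Management Shell, which avoids the capped quarantine list by querying each consented mailbox directly and applies the device type check before allowing anything. This is an added example that goes beyond the ECP method described in this post and is not the author's own code; the addresses, the notification text and the approved device types are constructed placeholders, and Exchange 2010 SP1 or later is assumed.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010 SP1 or later assumed).
# Constructed sample input: mailboxes whose owners have signed the consent form.
$consented    = @('alice@example.com', 'bob@example.com')
# Assumption: only these device types are approved (DeviceType as reported by the device).
$allowedTypes = @('iPhone', 'iPad')

# Same three settings as the ECP dialog: quarantine by default, notify admins, custom user text.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com' `
    -UserMailInsert 'Your device is quarantined until your consent form is processed.'

foreach ($user in $consented) {
    # Query per mailbox instead of relying on the capped ECP list.
    $devices = @(Get-ActiveSyncDevice -Mailbox $user -ErrorAction SilentlyContinue |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' })

    # Approve only quarantined devices of an approved type; leave the rest for manual review.
    $approve = @($devices | Where-Object { $allowedTypes -contains $_.DeviceType })
    $devices | Where-Object { $allowedTypes -notcontains $_.DeviceType } | ForEach-Object {
        Write-Warning "$user : left in quarantine: $($_.DeviceType) / $($_.DeviceModel) / $($_.DeviceId)"
    }
    if ($approve.Count -eq 0) { continue }

    # Set-CASMailbox replaces the list, so merge with device IDs that are already allowed.
    $existing = @((Get-CASMailbox -Identity $user).ActiveSyncAllowedDeviceIDs)
    $merged   = @($existing + ($approve | ForEach-Object { $_.DeviceId }) |
        Where-Object { $_ } | Sort-Object -Unique)

    # -WhatIf shows the change without applying it; remove it after reviewing the output.
    Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs $merged -WhatIf
}
```

Devices that are not of an approved type stay quarantined and are only reported, so a signed consent form alone never allows an unapproved device.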

1 comment:

Unknown said...

This is going to be a handful of information for a lot of people; however, we really need to figure out how to do it in bulk using PowerShell!
