Quarantine email

You use the ActiveSync Device Quarantining option to enable automatic quarantining of user accounts for iOS and Android devices when a device is not enrolled. While the device is quarantined, its user has limited access to the Exchange server account's email, calendar, contacts, and Notes folders. When a device is enrolled, its user has full access to the folders.

CyberArk Identity uses the standard Quarantine and Allow List Exchange ActiveSync access states to block access except for users who enroll their devices. When a device is enrolled, the connector adds it to the Allow List; when the device is unenrolled, the connector removes it from this list. If you are unfamiliar with the quarantine and allow access states, go to technet.microsoft.com for an introduction.

Important: For enrolled devices, access is limited to the native OS mail client. For example, only the iOS native mail client is accessible on enrolled iOS devices; the MS Outlook iOS mobile application is still blocked.

If you have multiple Exchange servers, you enable automatic quarantining on a server-by-server basis. As soon as you enable this feature on a server, account access from all of the mobile devices that use that Exchange server is blocked until users enroll their devices.

Requirement: You must have an Exchange profile defined for device quarantining to work (Admin Portal > Core Services > Endpoint Policies > Endpoint Policies > configure Exchange profiles for the relevant device type). See Exchange profiles for more information.

To specify an Exchange or Office365 server for quarantining:

  1. Log in to the Admin Portal.
  2. Click Settings > Endpoints > ActiveSync Device Quarantining > Add.
  3. Select either Exchange 2010 or higher or Office365 as your server type.
  4. Enter the host name (the URL for the Exchange Web Services endpoint for your server) for the connection endpoint.

    For Exchange servers the connection endpoint has this form:


    For Office 365 the connection endpoint has this form:


  5. Select the authentication type.

    Select Basic if you enabled Basic Authentication rather than Windows Authentication. (Office 365 always uses Basic Authentication.)

  6. Enter the user name and password for an account that has permission to modify the Exchange or Office 365 server settings.

  7. Click OK.

To manually remove a quarantine from an account:

  1. Log in to the computer on which you installed the CyberArk Identity Connector.
  2. Find the device ID of the quarantined device.

    The device ID is generated by the mail client (for example, iOS Mail or Touchdown). You unblock a device by adding its device ID to a list of devices that are not quarantined.

    The following PowerShell command retrieves the device ID:

    Get-ActiveSyncDeviceStatistics -mailbox <username> | where {$_.DeviceAccessState -eq 'Quarantined'} | select DeviceID

  3. Add the device ID to the list of devices that are allowed access.

    When you enable blocking, the Admin Portal quarantines all devices except those listed in the mailbox's -ActiveSyncAllowedDeviceIDs parameter. Use the following PowerShell command to update the list:

    Set-CasMailBox -identity <username> -ActiveSyncAllowedDeviceIDs <device IDs>

    To specify multiple devices, separate each device ID with a comma.

    To re-enable blocking for a device, run the command again with a list that omits that device ID.

    This procedure is required for Exchange Servers only if you want to use the account quarantining feature. Quarantining blocks user access to the email account when the device is not enrolled in CyberArk Identity. Skip this procedure if you do not plan to enable quarantining.
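The following PowerShell script is added here as a worked example of the manual unquarantine procedure above; it is not part of the CyberArk documentation. It lists the quarantined device IDs for a mailbox, merges a device ID into the existing allow list instead of overwriting it, and removes it again to re-enable blocking. The mailbox identity and device ID are placeholders, and the script assumes a session connected to the Exchange server (Exchange Management Shell or remote PowerShell).

```powershell
# Added example, not from the CyberArk documentation. Run in the Exchange
# Management Shell or a remote PowerShell session to the Exchange server.

# Step 2 of the procedure: list the mailbox's devices that are Quarantined.
function Get-QuarantinedDeviceId {
    param([Parameter(Mandatory)][string]$Identity)
    Get-ActiveSyncDeviceStatistics -Mailbox $Identity |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object -ExpandProperty DeviceID
}

# Current allow list as plain strings (nothing is emitted if none is set).
function Get-AllowedDeviceId {
    param([Parameter(Mandatory)][string]$Identity)
    (Get-CASMailbox -Identity $Identity).ActiveSyncAllowedDeviceIDs |
        ForEach-Object { [string]$_ }
}

# Step 3: add device IDs to the allow list. -ActiveSyncAllowedDeviceIDs
# replaces the whole list, so merge with the existing entries first;
# otherwise previously unblocked devices fall back into quarantine.
function Add-AllowedDeviceId {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$DeviceId
    )
    $merged = @(@(Get-AllowedDeviceId -Identity $Identity) + $DeviceId |
        Sort-Object -Unique)
    Set-CASMailbox -Identity $Identity -ActiveSyncAllowedDeviceIDs $merged
}

# Re-enable blocking for specific devices: write the list back without them.
# An empty list is written as $null, which clears the parameter.
function Remove-AllowedDeviceId {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$DeviceId
    )
    $remaining = @(Get-AllowedDeviceId -Identity $Identity |
        Where-Object { $DeviceId -notcontains $_ })
    if ($remaining.Count -eq 0) { $remaining = $null }
    Set-CASMailbox -Identity $Identity -ActiveSyncAllowedDeviceIDs $remaining
}

# Usage: review the quarantined IDs, unblock one, then confirm the list.
$Mailbox = 'user@example.com'                 # placeholder mailbox identity
Get-QuarantinedDeviceId -Identity $Mailbox
Add-AllowedDeviceId -Identity $Mailbox -DeviceId 'DEVICEID-PLACEHOLDER'
Get-AllowedDeviceId -Identity $Mailbox
```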

Blocking is available for Exchange 2010 or higher and Office 365 servers. It is not available for Exchange 2007 servers. Exchange 2010 servers must have SP1 installed.

You must enable Remote PowerShell on the Exchange or Office 365 server. After you enable Remote PowerShell, the Exchange server creates an Internet Information Services (IIS) application named PowerShell. You need to enable an authentication method for this application. (By default no authentication method is selected.) Use the following procedure to enable an authentication method for the PowerShell application.

To enable the authentication method for the PowerShell application:

  1. Start IIS Manager.
  2. On the left pane, select Site > Default Web Site > PowerShell.
  3. On the right pane, select IIS > Authentication, right-click and select Open Feature.
  4. Select either Windows Authentication or Basic Authentication, right-click, and select Enable.

    If you select Basic Authentication, be sure to select the check box when you enable the Exchange server in the Admin Portal settings.

  5. Back up your original settings. In this case, you would use a PowerShell script to extract the original settings.