With the meeting and log flooding issues caused by certain iOS 6.x versions still fresh in memory, you may prefer a more conservative strategy when it comes to new iOS releases interacting with your Exchange infrastructure – or any mobile OS for that matter.
After Apple released iOS 7.0 this week, some shops are considering blocking or quarantining this version until it has been approved after proper testing, and monitoring online communities for potential issues during a small waiting period.
In an earlier article, I mentioned how to (temporarily) block iOS 6.x on Exchange 2010 or TMG; here’s how to achieve this for iOS 7.0 on current platforms:
To distinguish iOS 7.0 from earlier versions, you need to check the DeviceOS field as returned by Get-ActiveSyncDevice (Exchange 2010) or Get-MobileDevice (Exchange 2013). For example, here’s how to return current partnered EAS devices running iOS 7.0:
#Exchange 2010:
Get-ActiveSyncDevice | Where {$_.DeviceOS -like "IOS 7.0*"}
#Exchange 2013:
Get-MobileDevice | Where {$_.DeviceOS -like "IOS 7.0*"}
To block or quarantine iOS 7.0 devices you can utilize Exchange’s Allow/Block/Quarantine (ABQ) mechanism using the New-ActiveSyncDeviceAccessRule cmdlet in conjunction with the DeviceOS, DeviceModel or UserAgent string. When using DeviceOS, it requires specifying the full device OS string, which can vary per device or iOS version.
For example, when the DeviceOS is iOS 7.0 11A465 (meaning build 11A465) or 7.0.1 11A470a, the cmdlets for setting up the quarantine rules would be (for blocking, replace Quarantine with Block):
New-ActiveSyncDeviceAccessRule -QueryString "iOS 7.0 11A465" -Characteristic DeviceOS -AccessLevel Quarantine
New-ActiveSyncDeviceAccessRule -QueryString "iOS 7.0.1 11A470a" -Characteristic DeviceOS -AccessLevel Quarantine
For the exact strings consult Get-ActiveSyncDevice/Get-MobileDevice output.
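Because each rule needs the exact DeviceOS string, the rules can be derived from the device list itself. The script below is an added example, not part of the original article: it collects the distinct iOS 7.0.x strings below 7.0.2 and creates one quarantine rule per string. The function name Get-UnpatchedIos7DeviceOS is hypothetical, and the sample records are constructed so the script also runs outside the Exchange Management Shell, where it only prints the commands.

```powershell
# Added example: one quarantine rule per exact DeviceOS string found on partnered devices.
$PatchedVersion = [version]'7.0.2'   # first build with the lock screen fix (26 Sep update)

function Get-UnpatchedIos7DeviceOS {   # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)] $Device)
    begin { $seen = @{} }
    process {
        # DeviceOS has the form "iOS <version> <build>", e.g. "iOS 7.0.1 11A470a"
        if ($Device.DeviceOS -match '^iOS (\d+(\.\d+){1,2}) \S+$') {
            $v = [version]$Matches[1]
            if ($v.Major -eq 7 -and $v.Minor -eq 0 -and $v -lt $PatchedVersion) {
                $seen[$Device.DeviceOS] = $true   # keep each distinct string once
            }
        }
    }
    end { $seen.Keys | Sort-Object }
}

if (Get-Command Get-MobileDevice -ErrorAction SilentlyContinue) {
    $devices = Get-MobileDevice -ResultSize Unlimited        # Exchange 2013
} elseif (Get-Command Get-ActiveSyncDevice -ErrorAction SilentlyContinue) {
    $devices = Get-ActiveSyncDevice -ResultSize Unlimited    # Exchange 2010
} else {
    # Constructed sample records for a dry run without Exchange
    $devices = 'iOS 7.0 11A465', 'iOS 7.0 11A466', 'iOS 7.0.1 11A470a',
               'iOS 7.0.2 11A501', 'iOS 6.1.3 10B000' |
        ForEach-Object { New-Object PSObject -Property @{ DeviceOS = $_ } }
}

$live = [bool](Get-Command New-ActiveSyncDeviceAccessRule -ErrorAction SilentlyContinue)
$existing = @()
if ($live) {
    # Skip strings that already have a DeviceOS rule
    $existing = @(Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq 'DeviceOS' } |
        ForEach-Object { $_.QueryString })
}

foreach ($os in @($devices | Get-UnpatchedIos7DeviceOS)) {
    if ($existing -contains $os) { Write-Output "Rule already present: $os"; continue }
    if ($live) {
        New-ActiveSyncDeviceAccessRule -QueryString $os -Characteristic DeviceOS -AccessLevel Quarantine -WhatIf
    } else {
        Write-Output "New-ActiveSyncDeviceAccessRule -QueryString `"$os`" -Characteristic DeviceOS -AccessLevel Quarantine"
    }
}
```

Remove -WhatIf once the listed strings look right. Devices that first connect later with a build not yet seen need the script run again.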
For examples of alternative blocking methods using TMG or F5, check this article. More information on ABQ here. Note that users utilizing the OWA for iPhone or iPad apps won’t be blocked after implementing this measure.
Be advised there are already reports of issues with iOS 7.0 such as substantial reduction of battery life and slow devices. What’s far worse is that you can also bypass the lock screen, similar to the lock screen glitch in iOS 6.1.3. History repeats itself.
Update (21Sep): According to reports, iOS 7 allows you to make calls despite the lock. How’s that for a potential corporate smartphone?
Update (26Sep): Apple has released security update iOS 7.0.2 (build 11A501, all devices) which fixes the lock screen glitch. Another good reason to block earlier iOS 7.0 / 7.0.1 versions, only allowing iOS 7.0.2 devices to retrieve company data.
Keep an eye out for “iOS 7.0 11A466” and “iOS 7.0.1 11A470a” too.
The 5c ships with 466 and has an update to 7.0.1 available.
http://ios.e-lite.org/
Hm, that http://phobos.apple.com/version is nice, thanks. Though, don’t see 11A466 in there ..
Looks like 466 is the build shipping on the 5c and 5s by default … with an available update to 7.0.1 immediately available
Dear,
I have a big problem.
iOS 7 devices with certificate authentication stop 1 or 2 times a day with the following error “cannot authenticate to the server.com because the certificate is not valide”. If the users disable and enable the email, the devices start working again. Please HELP!