ABQ Management

Basic Terminology

Basic means of ABQ management:

  • Device access rules (ABQ Rules)
  • Device information (Characteristics) sent by a client via the Provision or Settings commands
  • Standard ABQ Rule is a triplet that consists of characteristic, its value and ABQ access state.
  • Characteristic is one of the following: Device Type, Device Model, Operating System
  • Value is a case insensitive string.
  • ABQ access state is one of the following: Allow, Block, Quarantine.
  • Standard ABQ rule can have a description, rules can be disabled.

Types of ABQ Rules

  • One mandatory simple ABQ rule without characteristic and its value (Global ABQ Rule)
  • Optional standard ABQ rules will be supported on server level only (Server ABQ Rules)
  • One optional simple (without characteristic and its value) ABQ rule for all domains and all users (Domain ABQ Rules and User ABQ Rules)

Determining Access State of NEW Devices

Requirements:

  • Current device is authenticated
  • ActiveSync is enabled for the current user
  • Policy enforcement criteria are met by the current mobile device
  • Is there an explicit rule to allow, block or quarantine the device on the user level (User ABQ Rule)? If so, grant full access or block access or quarantine the device. Else, go to the next step.
  • Is there an explicit rule to allow, block or quarantine the device on the domain level (Domain ABQ Rule)? If so, grant full access or block access or quarantine the device. Else, go to the next step.
  • Is this mobile device allowed, blocked or quarantined on the server level (Server ABQ Rule) by an Operating System characteristic rule? If so, grant full access or block access or quarantine the device. Else, go to the next step.
  • Is this mobile device allowed, blocked or quarantined on the server level (Server ABQ Rule) by a Device Model characteristic rule? If so, grant full access or block access or quarantine the device. Else, go to the next step.
  • Is this mobile device allowed, blocked or quarantined on the server level (Server ABQ Rule) by a Device Type characteristic rule? If so, grant full access or block access or quarantine the device. Else, go to the next step.
  • Is this mobile device allowed, blocked or quarantined on the server level by a global rule (Global ABQ Rule)? If so, grant full access or block access or quarantine the device.
  • How to match characteristic sent by a device with a Server Rule query value:
  • Comparison is case insensitive
  • If a query value is e.g. 'Android', then the characteristic sent by a device is compared step-by-step with the following: 'android', 'androi', 'andro', 'andr', 'and', 'an' and 'a'.

ABQ Access States

Allow:

  • All EAS features are enabled
  • Allowed devices can be blocked by administrator
  • Block:
  • Returns an "access forbidden" error to the device
  • Blocked devices are not displayed in WebClient
  • Blocked devices can be allowed by administrator
  • Do not confuse with the Blocked status when either Hard Wipe (Soft Wipe respectively) is set.
  • Quarantine:
  • Only default folders are synchronized
  • Only one-way sync (client to server) is enabled
  • User gets information mail about this state
  • Quarantined devices are not displayed in WebClient
  • Quarantined devices can be allowed or blocked by administrator