Compliance rules do allow for blocking devices that are in a "Not Enrolled" state. This can be leveraged in lieu of auto quarantine, the downside here being that since it's via our systems and not a rule on the mail server side, there would be a brief period where users will have access to the mailbox before it is blocked.
I would also leverage our admin roles to make sure that only people with a certain access level can see the "approve" option.
------------------------------
Matt Shaver
System Architect
IBM
mshaver@us.ibm.com
------------------------------
Original Message:
Sent: Thu March 12, 2020 01:10 PM
From: JAMES DALY
Subject: AD Enrollment
Hi Guys,
Got any ideas?
Have any of you ever had this experience?
How can you prevent ActiveSync approvals for non-enrolled devices without using the auto-quarantine function? For example, is there a check box in the admin settings that lets us disable the Exchange ActiveSync 'Approve' button when the device status is not 'Enrolled'?
Many thanks,
Jim
------------------------------
JAMES DALY
------------------------------