Wednesday, February 13, 2013

Assigning a Throttling Policy to all iOS 6.1 Devices in Exchange 2010

UPDATE 14-Feb-2013: After being linked to from Ars Technica, I felt the need to improve the script. My original version of the script tried to use the UserDisplayName field that is returned from Get-ActiveSyncDevice.  However, that field had a maximum number of characters, and a number of longer user DNs got cut off, which would make the script fail for that user. I figured out a way around it, and the script has been updated.

If you're an Exchange administrator, you have probably heard about the issues caused by Apple's iOS 6.1 on Exchange servers.  It seems that screwy calendar code in iOS 6.1 ends up generating tons of transaction logs in Exchange, and can bring CAS servers to its knees.

As an aside, its rather timely that this has come up just after the new Blackberry 10 came out.  Coincidence??????  Heh.

The temporary workarounds that MS recommends were to either apply a throttling policy to affected users, or block iOS 6.1 devices completely.  Since an all-out block is generally a Bad Thing, throttling policy is the way to go.  However, determining who is using iOS 6.1 and applying a throttling policy to them was not provided.

A company I do work for experienced the exact issue.  Exchange transaction logs were being generated at a prodigious rate.  So, rather than blocking them, we went the throttling route.  First, I created a throttling policy called iOS61 and set the ActiveSync throttling to the lowest recommended values:
New-ThrottlingPolicy -Name iOS61 -EASPercentTimeInCAS 10 -EASPercentTimeInAD 10 -EASPercentTimeInMailboxRPC 10
Then, I created a short Powershell script to apply the policy to any user with a device using iOS 6.1:
$DeviceList = Get-ActiveSyncDevice -ResultSize Unlimited | Where {$_.DeviceOS -match "iOS 6.1"}
foreach ($Device in $DeviceList)
$DeviceDN = $Device.DistinguishedName
Set-Mailbox $MBName -ThrottlingPolicy iOS61
The script will likely throw up some warnings about completing the command but not making any changes.  This happens because users may have more than one device, and the script tries to update the mailbox for every device it finds.  Nothing to be alarmed about.

Quick and dirty, but gets the job done.

Once Apple comes up with a solution, you can remove the throttling policy like this (assumes the users didn't have a throttling policy before this whole debacle):
Get-Mailbox -ResultSize Unlimited | Where {$_.ThrottlingPolicy -eq 'iOS61'} | Set-Mailbox -ThrottlingPolicy $NULL