Exchange Online and Exchange 2010-2016 can block a device from accessing ActiveSync using a policy. To do so, first grab a list of all operating systems you’d like to block. To do so, first check which ones are out there using the Get-ActiveSyncDevice command, and looking at devicetype, deviceos, and deviceuseragent. This can be found using the following command:
Get-ActiveSyncDevice | select devicetype,deviceos,deviceuseragent
The command will show each of the operating systems that have accessed the server, including the user agent. You can block access based on each of these. In the following command, we’ll block one that our server found that’s now out of date:
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 8.1 12A369" -AccessLevel Block
To see all blocked devices, use
Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq 'Block'}
If you mistakenly block a device, remove the block by copying it into your clipboard and then pasting into a Remove-ActiveSyncDeviceAccessRule commandlet:
Remove-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 8.1 12A369" -AccessLevel Block
Or to remove all the policies:
Get-ActiveSyncDeviceAccessRule | Remove-ActiveSyncDeviceAccessRule