We want to restrict the types of devices that are able to connect via the ActiveSync proxy. We were told this could be done via User Realms | Authentication Policy | Browser Check but so far we have had no luck setting this up.
Can anyone confirm if this is possible? Any examples of strings that work.
Strings we are using:
*Windows Phone OS* | Allow
*Linux; Android 4.2* | Allow
*iPhone; CPU iPhone OS 6* | Allow
*iPad; CPU OS 6* | Allow
*Windows Phone 8.0* | Allow
The goal is to restrict which mobile devices can connect. We do have "allow only ActiveSync traffic" selected already. The problem is twofold: Android (sucks) does not properly identify itself, and the SSL VPN does not provide a way to collect / display user agents for ActiveSync. It's a very manual and time consuming process that could be much easier.
So digging deeper (added useragent to logs) - we are seeing the following:
MSFT-WP/7.10.8773
MSFT-WP/7.10.8860
Apple-iPhone5C1/1001.405
Apple-iPhone5C1/1002.329
Apple-iPhone5C1/1002.350
motorola-DROIDRAZRHD/1.0
Which looks nothing like the user agent we get when using sites like http://whatsmyuseragent.com
I've done it before and it works with a few caveats. The filtering is configured under: User Roles, <role name>, General, Restrictions, Browser.
Your example user-agent strings don't look correct. EAS user-agents strings are different from device type or browser user-agents. For iPhone, the EAS user-agent will be something like "Apple-iPhone/703.144". If you wanted to allow all iPhones regardless of iOS version allowing "Apple-iPhone*" would work. Apple is pretty straightforward. Android EAS lacks standardization and will be a lot more work. Using TouchDown will make your life much easier for filtering.
Microsoft updated the EAS spec in Exchange 2010 and it allows devices to stop sending the user-agent in the HTTP header after the initial connection setup. Even though this goes against HTTP RFC recommendations, Microsoft chose to make this change to reduce bandwidth consumption. To accommodate Windows devices that use this new EAS spec, I changed my user-agent filtering from a whitelist to a greylist where I denied some strings and allowed others.
The final caveat is that user-agent can be changed on some devices. I believe there are Android apps/hacks that allow the user to change user-agent.
We did browser restrictions for Junos Pulse. If you turn on web requests you can see them. Turn them off afterwards because they are big.
JunosPulse(Version-* | Allow
JunosPulseAndroidMozilla/5.0 (Li* | Allow
Mozilla/5.0 (iPad* | Allow
JunosPulseAndroid* | Allow
JunosPulseiPhone* | Allow
JunosPulseiPad* | Allow
Mozilla/5.0 (iPhone* | Allow
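To make the point of the replies above concrete, here is an added example (not from any poster, and not the Juniper/Pulse product's own matching code) that evaluates glob-style Allow/Deny rules against user-agent strings. It takes the original poster's patterns, the EAS-style patterns suggested in the answer ("Apple-iPhone*" and a greylist with a Deny entry), and the Junos Pulse rules from the last post, and runs them over the ActiveSync user-agents quoted from the logs. The matching semantics are an assumption made for the example: rules are checked in order, the first match wins, and a request matching nothing is denied; the `missing_ua_action` parameter models the greylist decision for Windows devices that drop the header after the initial connection.

```python
"""Glob-style user-agent rule evaluation (constructed example).

Assumed semantics, not a description of the VPN appliance: rules are
evaluated in order, the first matching pattern decides, and a user-agent
matching no rule is denied. A missing User-Agent header is decided by
``missing_ua_action`` so a greylist can tolerate EAS clients that stop
sending the header after the initial connection.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]  # (glob pattern, "Allow" | "Deny")

# The original poster's browser-style patterns, as listed in the thread.
POSTER_RULES: List[Rule] = [
    ("*Windows Phone OS*", "Allow"),
    ("*Linux; Android 4.2*", "Allow"),
    ("*iPhone; CPU iPhone OS 6*", "Allow"),
    ("*iPad; CPU OS 6*", "Allow"),
    ("*Windows Phone 8.0*", "Allow"),
]

# EAS-style greylist built from the answer's advice: deny a specific
# device family first (constructed entry), then allow the rest.
EAS_GREYLIST: List[Rule] = [
    ("motorola-*", "Deny"),
    ("Apple-iPhone*", "Allow"),
    ("MSFT-WP/*", "Allow"),
]

# Junos Pulse rules exactly as given in the last post.
JUNOS_PULSE_RULES: List[Rule] = [
    ("JunosPulse(Version-*", "Allow"),
    ("JunosPulseAndroidMozilla/5.0 (Li*", "Allow"),
    ("Mozilla/5.0 (iPad*", "Allow"),
    ("JunosPulseAndroid*", "Allow"),
    ("JunosPulseiPhone*", "Allow"),
    ("JunosPulseiPad*", "Allow"),
    ("Mozilla/5.0 (iPhone*", "Allow"),
]

# EAS user-agents quoted from the thread's logs, plus the answer's
# "Apple-iPhone/703.144" example.
LOGGED_EAS_AGENTS: List[str] = [
    "MSFT-WP/7.10.8773",
    "MSFT-WP/7.10.8860",
    "Apple-iPhone5C1/1001.405",
    "motorola-DROIDRAZRHD/1.0",
    "Apple-iPhone/703.144",
]


def evaluate(user_agent: Optional[str], rules: List[Rule],
             missing_ua_action: str = "Deny") -> str:
    """Return "Allow" or "Deny" for one request's User-Agent value."""
    if user_agent is None:
        # Header absent: only a greylist that explicitly tolerates this
        # (missing_ua_action="Allow") lets the request through.
        return missing_ua_action
    for pattern, action in rules:
        # fnmatchcase is case-sensitive and treats '*' and '?' as globs;
        # '(' and '/' in the Pulse patterns are matched literally.
        if fnmatchcase(user_agent, pattern):
            return action
    return "Deny"


def summarise(agents: List[str], rules: List[Rule]) -> Dict[str, str]:
    """Map each user-agent to the decision a rule set produces for it."""
    return {ua: evaluate(ua, rules) for ua in agents}


if __name__ == "__main__":
    # Browser-style patterns never match the EAS agents in the log...
    print("poster rules:", summarise(LOGGED_EAS_AGENTS, POSTER_RULES))
    # ...while the EAS-style greylist admits the intended device families.
    print("EAS greylist:", summarise(LOGGED_EAS_AGENTS, EAS_GREYLIST))
```

Running the block shows every logged EAS agent denied by the poster's browser-style patterns and the Apple and Windows Phone agents allowed by the EAS greylist, which is the mismatch the answer describes. Because the first matching rule wins, Deny entries belong before the broad Allow patterns they are meant to carve out of.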