Comments on: Restricting Exchange ActiveSync Access http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/ place of the mobility way Fri, 11 May 2012 10:49:18 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Andreas http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-18104 Andreas Fri, 19 Aug 2011 22:26:24 +0000 http://mobilitydojo.net/?p=856#comment-18104 withanHdammit, Thanks for the BIS tip! Yes, the Get/Set-ActiveSyncOrganizationSettings are new to Exchange 2010 - if you're running 2007 you're out of luck there. Pre-existing ActiveSync relationships will be blocked, but you may possible avoid that by manually adding the device id as allowed before you activate a policy. (Don't remember testing this however.) withanHdammit,

Thanks for the BIS tip!

Yes, the Get/Set-ActiveSyncOrganizationSettings are new to Exchange 2010 – if you’re running 2007 you’re out of luck there.

Pre-existing ActiveSync relationships will be blocked, but you may possible avoid that by manually adding the device id as allowed before you activate a policy. (Don’t remember testing this however.)

]]> By: withanHdammit http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-18103 withanHdammit Fri, 19 Aug 2011 19:26:43 +0000 http://mobilitydojo.net/?p=856#comment-18103 Oh shoot, is this for 2010 only? I don't have the cmdlets Get-ActiveSyncOrganizationSettings or Set-ActiveSyncOrganizationSettings. Bummer! Oh shoot, is this for 2010 only? I don’t have the cmdlets Get-ActiveSyncOrganizationSettings or Set-ActiveSyncOrganizationSettings.

Bummer!

]]> By: withanHdammit http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-18102 withanHdammit Fri, 19 Aug 2011 19:21:47 +0000 http://mobilitydojo.net/?p=856#comment-18102 @Andreas, What happens if there are pre-existing ActiveSync relationships? Will they get the message that their connection won't work until it gets approved, or will they be OK because they already exist? We have 6 or so execs with iPhones and we are planning on rolling out iPhones/Androids in the next 6 to 8 weeks. Right now I have ActiveSync only turned on for people who need it, but I'd like to be able to control what devices can connect. Thanks! h @Andreas,

What happens if there are pre-existing ActiveSync relationships? Will they get the message that their connection won’t work until it gets approved, or will they be OK because they already exist?

We have 6 or so execs with iPhones and we are planning on rolling out iPhones/Androids in the next 6 to 8 weeks. Right now I have ActiveSync only turned on for people who need it, but I’d like to be able to control what devices can connect.

Thanks!

h

]]> By: withanHdammit http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-18101 withanHdammit Fri, 19 Aug 2011 18:42:56 +0000 http://mobilitydojo.net/?p=856#comment-18101 @kris you can block the BIS access (which comes through via OWA) by blocking the RIM IP addresses from connecting over port 80 & 443 on the inbound side. Outbound access is fine, it's because all BIS traffic goes through RIM's datacenter then goes to your mail server. By blocking inbound traffic from RIM then BIS cannot connect. BTW I have this set on my firewall and have had zero issues. The current RIM IP range can be found here http://bit.ly/oIqtxJ @kris you can block the BIS access (which comes through via OWA) by blocking the RIM IP addresses from connecting over port 80 & 443 on the inbound side. Outbound access is fine, it’s because all BIS traffic goes through RIM’s datacenter then goes to your mail server. By blocking inbound traffic from RIM then BIS cannot connect. BTW I have this set on my firewall and have had zero issues.

The current RIM IP range can be found here http://bit.ly/oIqtxJ

]]> By: Andreas http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-17887 Andreas Wed, 08 Jun 2011 11:46:50 +0000 http://mobilitydojo.net/?p=856#comment-17887 Yes, as far as I can tell you can specify an external address. Not sure if this could be overriden by other policies in your Exchange configuration, but this specific cmdlet will let you specify external addresses without any errors, and an outbound mail is created when I attempt to set up a new device (using quarantine as the Access Level). Yes, as far as I can tell you can specify an external address. Not sure if this could be overriden by other policies in your Exchange configuration, but this specific cmdlet will let you specify external addresses without any errors, and an outbound mail is created when I attempt to set up a new device (using quarantine as the Access Level).

]]> By: Thin http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-17884 Thin Wed, 08 Jun 2011 07:41:51 +0000 http://mobilitydojo.net/?p=856#comment-17884 When is set up "–AdminMailRecipients admin@contoso.com", can be specified an external email address? When is set up “–AdminMailRecipients admin@contoso.com“, can be specified an external email address?

]]> By: Andreas http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-17574 Andreas Wed, 16 Feb 2011 19:23:47 +0000 http://mobilitydojo.net/?p=856#comment-17574 I'm not a BlackBerry expert (have tried out a couple devices - didn't like them), but as I remember it BIS access Exchange through POP/IMAP or OWA (not sure if they have implemented Exchange Web Services with 2010). POP/IMAP are easy to disable if you don't need it, but then you can't control any other parameters than username/password. OWA can also be disabled of course, but if you want your users to have access to webmail you usually don't want this :) I do not know if BIS connections identify themselves in a manner that would let you block them (I'm thinking something like blocking based on the user agent), but I'd try and run a connection with a device if you have one available and run WireShark on Exchange at the same time to try and see if you catch some parameter that is unique to the BB devices. I’m not a BlackBerry expert (have tried out a couple devices – didn’t like them), but as I remember it BIS access Exchange through POP/IMAP or OWA (not sure if they have implemented Exchange Web Services with 2010). POP/IMAP are easy to disable if you don’t need it, but then you can’t control any other parameters than username/password.

OWA can also be disabled of course, but if you want your users to have access to webmail you usually don’t want this :) I do not know if BIS connections identify themselves in a manner that would let you block them (I’m thinking something like blocking based on the user agent), but I’d try and run a connection with a device if you have one available and run WireShark on Exchange at the same time to try and see if you catch some parameter that is unique to the BB devices.

]]> By: kris http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-17573 kris Tue, 15 Feb 2011 22:19:18 +0000 http://mobilitydojo.net/?p=856#comment-17573 Is it possible to block Blackberry BIS accounts from accessing Exchange 2010.....please? Thanx! Is it possible to block Blackberry BIS accounts from accessing Exchange 2010…..please?

Thanx!

]]> By: Andreas http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-15636 Andreas Sun, 18 Jul 2010 09:45:35 +0000 http://mobilitydojo.net/?p=856#comment-15636 This setting only controls what is synced down by default when a new mail arrives. For instance the default is 3kb which means only 3kb will be downloaded if you receive a 10kb mail. But you can open the mail and select that you want to download the rest as well. The theory behind the setting behind that if you receive a large html-formatted mail you will not bother to download it all, and thus save on the data traffic. So while you can save on the data download for your users you still can't prevent them from reading emails in general. This setting only controls what is synced down by default when a new mail arrives. For instance the default is 3kb which means only 3kb will be downloaded if you receive a 10kb mail. But you can open the mail and select that you want to download the rest as well. The theory behind the setting behind that if you receive a large html-formatted mail you will not bother to download it all, and thus save on the data traffic. So while you can save on the data download for your users you still can’t prevent them from reading emails in general.

]]> By: V detta http://mobilitydojo.net/2009/09/28/restricting-exchange-activesync-access/comment-page-1/#comment-15378 V detta Wed, 14 Jul 2010 14:32:03 +0000 http://mobilitydojo.net/?p=856#comment-15378 Hi there, great post! To answer Swift question about limiting to calendar and contacts only during allowed device active sync, I was wondering (since I didn't test it) as a workaround, to set the value of this Exchange 2010 ActiveSync policy "Maximum e-mail body truncation size" to 0 (it is in kb). It would allow you to sync emails but maybe only subjects which is closer to what we want there. So, Andreas, if you have tested this, can you please share the results? thanks!! V Hi there,

great post!

To answer Swift question about limiting to calendar and contacts only during allowed device active sync, I was wondering (since I didn’t test it) as a workaround, to set the value of this Exchange 2010 ActiveSync policy “Maximum e-mail body truncation size” to 0 (it is in kb). It would allow you to sync emails but maybe only subjects which is closer to what we want there.

So, Andreas, if you have tested this, can you please share the results?

thanks!!

V

]]>