Comments on: Restricting Exchange ActiveSync Access

By: Andreas

Andreas — Sun, 18 Jul 2010 09:45:35 +0000

This setting only controls what is synced down by default when a new mail arrives. For instance the default is 3kb which means only 3kb will be downloaded if you receive a 10kb mail. But you can open the mail and select that you want to download the rest as well. The theory behind the setting behind that if you receive a large html-formatted mail you will not bother to download it all, and thus save on the data traffic. So while you can save on the data download for your users you still can’t prevent them from reading emails in general.

By: V detta

V detta — Wed, 14 Jul 2010 14:32:03 +0000

Hi there,

great post!

To answer Swift question about limiting to calendar and contacts only during allowed device active sync, I was wondering (since I didn’t test it) as a workaround, to set the value of this Exchange 2010 ActiveSync policy “Maximum e-mail body truncation size” to 0 (it is in kb). It would allow you to sync emails but maybe only subjects which is closer to what we want there.

So, Andreas, if you have tested this, can you please share the results?

thanks!!

By: Jonas

Jonas — Wed, 30 Jun 2010 21:31:48 +0000

I still come back to this article now and then to refresh my memory. I upgraded my iPhone to 4.0 and wanted to try if anything happened to ActiveSync policies supported. So I went through them all and tested what worked and not. Here’s the post: http://www.sysadminlab.net/activesync/iphone-os-4-and-exchange-activesync-policies-what-really-works

By: Andreas

Andreas — Thu, 22 Apr 2010 16:32:47 +0000

I don’t know what I was thinking when I wrote that. Because I just tested the cmdlet, and it will only accept DeviceModel and DeviceType as characteristics. Maybe I had something else in mind while typing it all down.

So it seems TechNet is correct

Thanks for letting me know! I will correct the article.

By: Hans

Hans — Thu, 22 Apr 2010 11:46:21 +0000

Hi,

Great post. Are you sure though the access rules support all four named categories (Device Model, Device Type, Device OS, Device User Agent) to set restrictions?

As per Technet apparently they only do Device Model and Device Type: http://technet.microsoft.com/en-us/library/dd876923.aspx

By: Andreas

Andreas — Sat, 26 Dec 2009 12:47:11 +0000

I just tested with an HTC HD2 and it synced fine with the non-provisionable setting checked and unchecked.

I have however seen the same issue on an HTC Touch Pro running WM 6.1. It wasn’t with my user account, and I do not know if it is reproducible on the same device with another user account. I have however seen other strange effects regarding the EAS policies, (encryption being enforced even though it’s not checked for instance), so I believe there might be a bug or two. If the bugs are server side or client side I do not know.

By: Ratish

Ratish — Wed, 23 Dec 2009 10:30:19 +0000

Hi,

This is indeed a great post.
Are you aware of the compatibility issues with Win mobile 6.5 and the setting “Allow non-provisionable devices” ??

If we check that box – Allow non-provisionable devices, Mobile will sync fine… wont if we dont…

By: Andreas

Andreas — Tue, 03 Nov 2009 19:34:57 +0000

There isn’t really an Exchange feature to control which mailbox elements will be synced. You can make some workarounds device side if you provision the settings by other means than the user typing them in. I don’t know if you are familiar with xml provisioning, but building on this xml example:
http://msdn.microsoft.com/en-us/library/bb737364.aspx
By removing the “mail” characteristic it is not an option to synchronize mail. Keep in mind though that this will only work on Windows Mobile devices so unless you block other devices by some means there’s nothing preventing a user from picking up an iPhone and sync their mail.

If you’ve got a tech savvy user they might be able to work around this limitation as well, so it’s not “hackproof”.

The only “easy” solution I can think of is implementing a third-party middleware solution for syncing (will work on more than Windows Mobile devices too), or getting out your Visual Studio and coding. Well, actually, a variation of third-party software is to use middleware for Mobile Device Management – you can then enforce policies on the devices, and implement mechanisms that will not let devices sync if they are not compliant. Either way it involves some work.

By: Swift

Swift — Tue, 03 Nov 2009 16:34:18 +0000

Hi there,

our corporate policy doesnt allow unauthorized phones from syncing email per activesync.

Is there a method to enable only Calendar and
contacts?

Thanx for your help.

By: Andreas

Andreas — Tue, 06 Oct 2009 21:48:07 +0000

I never could quite figure out why ISA server could only provide blacklisting as an option. It is sort of a hassle to maintain a blacklist.

The RC of ForeFront TMG will be out soon, so I’ll have to research that option closer, as well as some other ideas I have on the block. I hope to make some progress on the next article – I sort of want it to be practical advice and not just a lot of theory on how it could be done.