Friday, July 6, 2012

Controlling which ActiveSync devices are allowed to connect using ActiveSync approval delegation

As more and more people use their mobiles to access their Exchange mailboxes, the need to control which devices are allowed to connect arises.

In this post I will explain how to set up ActiveSync approval delegation for your helpdesk team, so that whenever a user tries to connect to his or her mailbox using ActiveSync, an approval is required before any mailbox data is synced.

First of all, create a new mail-enabled security group that will receive the ActiveSync device requests. This can be done either from the Exchange Management Console [EMC] or from the Exchange Management Shell [EMS], as follows:

New-DistributionGroup -Name "ActiveSync Approvers" -Type "Security" -OrganizationalUnit "itguydiaries.net/Security_Groups/" -SamAccountName "Exchange ActiveSync Approvers" -Alias "ExASapprovers"

Now, enable Exchange ActiveSync quarantine and configure the notification recipients. With the default access level set to Quarantine, any device that is not already covered by a device access rule or by a mailbox's explicit allowed/blocked device ID lists is held until an administrator decides on it:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients ExASapprovers@itguydiaries.net

Let's now create a child copy of the management role that contains the Set-CASMailbox cmdlet, since its -ActiveSyncAllowedDeviceIDs parameter is what the approvers need:

New-ManagementRole -Parent "Organization Client Access" -Name "ExActiveSync Approval"

Then remove every role entry other than Set-CASMailbox from the newly created management role "ExActiveSync Approval", so that the approvers get no other cmdlet from "Organization Client Access":

Get-ManagementRoleEntry "ExActiveSync Approval\*" | Where {$_.Name -NotLike "Set-CASMailbox*"} | Remove-ManagementRoleEntry

Finally, create a role group, assign it the custom role together with the built-in "User Options" role, and add the previously created security group [ActiveSync Approvers] as its member:

New-RoleGroup -Name "ActiveSync Device Management" -Roles "ExActiveSync Approval", "User Options" -Members "Exchange ActiveSync Approvers" -Description "Members of this management role group have the rights to approve and deny ActiveSync devices"
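The whole procedure, collected into one idempotent Exchange Management Shell script. This is an added example written for this page and is not the original post's code. It reuses the domain, OU and names from the post and adds two things a security engineer would want: a Set-ManagementRoleEntry call that narrows Set-CASMailbox to the device-list parameters (the custom role otherwise keeps every parameter of Set-CASMailbox, so approvers could also switch OWA, POP, IMAP or ActiveSync on and off for any mailbox), and a verification step that fails loudly if the role contains anything unexpected. Keeping Identity in the parameter list and the exact set of parameters the ECP approve/block page needs are assumptions; test the ECP workflow with a quarantined device before rolling this out to the helpdesk.

```powershell
# Added example, not from the original post. Run from the Exchange Management
# Shell as a member of Organization Management.
# Assumed values: the itguydiaries.net domain and Security_Groups OU from the post.

$Domain     = "itguydiaries.net"
$GroupName  = "ActiveSync Approvers"
$GroupSam   = "Exchange ActiveSync Approvers"
$GroupAlias = "ExASapprovers"
$RoleName   = "ExActiveSync Approval"
$RoleGroup  = "ActiveSync Device Management"

# 1. Mail-enabled universal security group that receives the quarantine notices.
if (-not (Get-DistributionGroup -Identity $GroupAlias -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Security `
        -OrganizationalUnit "$Domain/Security_Groups" `
        -SamAccountName $GroupSam -Alias $GroupAlias | Out-Null
}

# 2. Quarantine every device not already covered by a device access rule or a
#    per-mailbox allowed/blocked list, and send approval requests to the group.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "$GroupAlias@$Domain"

# 3. Derive a custom role from "Organization Client Access" and strip it down
#    to Set-CASMailbox only. -Confirm:$false avoids one prompt per removed entry.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent "Organization Client Access" -Name $RoleName | Out-Null
}
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Name -ne "Set-CASMailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Hardening beyond the post: keep only the parameters an approver needs.
#    -Parameters replaces the entry's whole parameter list; Identity is kept
#    so the cmdlet can still target a mailbox (assumption: ECP needs no more).
Set-ManagementRoleEntry "$RoleName\Set-CASMailbox" `
    -Parameters Identity, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# 5. Verify: exactly one entry, and only the expected parameters.
#    @() forces an array so .Count works on a single object under PowerShell 2.0.
$entries = @(Get-ManagementRoleEntry "$RoleName\*")
if ($entries.Count -ne 1 -or $entries[0].Name -ne "Set-CASMailbox") {
    throw "Role '$RoleName' has unexpected entries: $($entries | ForEach-Object { $_.Name })"
}
$extra = $entries[0].Parameters |
    Where-Object { $_ -notin @("Identity", "ActiveSyncAllowedDeviceIDs", "ActiveSyncBlockedDeviceIDs") }
if ($extra) { throw "Set-CASMailbox still exposes: $($extra -join ', ')" }

# 6. Role group: custom role plus the built-in "User Options" role (device
#    listing and wipe), assigned to the security group rather than to people.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles $RoleName, "User Options" `
        -Members $GroupSam `
        -Description "Members can approve and block quarantined ActiveSync devices." | Out-Null
}

# 7. Show the effective assignments so the result can be eyeballed or audited.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Format-Table Name, Role, RoleAssigneeName -AutoSize
```

Note that `-notin` requires PowerShell 3 or later; on an Exchange 2010 server running PowerShell 2.0 replace that filter with `Where-Object { @("Identity", "ActiveSyncAllowedDeviceIDs", "ActiveSyncBlockedDeviceIDs") -notcontains $_ }`. If step 4 turns out to break the ECP approve/block page in your environment, remove it and fall back to the post's approach, accepting that approvers then hold every Set-CASMailbox parameter.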

Now, let's test what we have configured. For this I have created a user named User1 whose mailbox is enabled for ActiveSync, and a user named IT Guy who is a member of the ActiveSync Approvers group.

As soon as User1 tries to connect to his mailbox using ActiveSync, he receives a notification email telling him that his device is temporarily blocked from syncing until access is granted by an administrator.



At the same time an approval request is sent to the ActiveSync Approvers group, including the user's device details and a link to the Exchange Control Panel [ECP].


When an approver clicks the ECP link, ECP opens the user's mobile device list and lets the approver allow, block or even wipe the device; clicking Save applies the decision.


Once the device has been allowed, the user is able to sync it successfully.
