As more and more people use their mobiles to access their Exchange mailboxes, the need to control which devices are allowed to connect arises.
In this post I will explain how you can set up ActiveSync approval delegation for your helpdesk team, so that whenever a user tries to connect to his/her mailbox using ActiveSync, an approval is required before the device is allowed to sync mailbox data.
First of all, create a new mail-enabled security group that will be responsible for receiving ActiveSync device requests. This can be done either using the Exchange Management Console [EMC] or the Exchange Management Shell [EMS], as follows:
New-DistributionGroup -Name "ActiveSync Approvers" -Type "Security" -OrganizationalUnit "itguydiaries.net/Security_Groups/" -SamAccountName "Exchange ActiveSync Approvers" -Alias "ExASapprovers"
Now, enable Exchange ActiveSync quarantine and configure the notification email:
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients ExASapprovers@itguydiaries.net
Let's now copy the management role that contains the Set-CASMailbox cmdlet and its -ActiveSyncAllowedDeviceIDs parameter:
New-ManagementRole -Parent "Organization Client Access" -Name "ExActiveSync Approval"
Then remove all other management role entries from the newly created management role "ExActiveSync Approval":
Get-ManagementRoleEntry "ExActiveSync Approval\*" | Where {$_.Name -NotLike "Set-CASMailbox*"} | Remove-ManagementRoleEntry
Finally, create a role group and add the previously created security group [ActiveSync Approvers] to it:
New-RoleGroup -Name "ActiveSync Device Management" -Roles 'ExActiveSync Approval','User Options' -Members "Exchange ActiveSync Approvers" -Description "Members of this management role group have the rights to approve and deny ActiveSync devices"
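The following helpers are an added example, not part of the original post, for checking the delegation just built and for performing the same approval from the shell. They assume an Exchange Management Shell session; the role, group and address names are the ones used above, while "User1" and the device ID are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes an Exchange Management Shell session.

# 1. Confirm the organization really quarantines unknown devices, notifies the approvers
#    group, and that the custom role carries nothing beyond Set-CASMailbox.
function Test-ActiveSyncQuarantineConfig {
    $org = Get-ActiveSyncOrganizationSettings
    if ($org.DefaultAccessLevel -ne 'Quarantine') {
        Write-Warning "DefaultAccessLevel is '$($org.DefaultAccessLevel)', expected 'Quarantine'"
    }
    if (-not ($org.AdminMailRecipients -contains 'ExASapprovers@itguydiaries.net')) {
        Write-Warning "Approvers address is missing from AdminMailRecipients"
    }
    # Any entry other than Set-CASMailbox means the role was over-delegated.
    $extra = Get-ManagementRoleEntry "ExActiveSync Approval\*" |
        Where-Object { $_.Name -ne 'Set-CASMailbox' }
    if ($extra) { Write-Warning "Unexpected role entries: $($extra.Name -join ', ')" }
    $org
}

# 2. Optional least-privilege tightening: keep only the device-list parameters on the
#    delegated cmdlet so approvers cannot change other CAS settings of a mailbox.
#    (Assumption: these parameters are enough for ECP's allow/block actions.)
function Set-ActiveSyncApprovalRoleParameters {
    Set-ManagementRoleEntry "ExActiveSync Approval\Set-CASMailbox" `
        -Parameters Identity,ActiveSyncAllowedDeviceIDs,ActiveSyncBlockedDeviceIDs
}

# 3. List devices waiting for a decision, with the user and device IDs an approver needs.
function Get-QuarantinedActiveSyncDevice {
    Get-ActiveSyncDevice -Filter "DeviceAccessState -eq 'Quarantined'" |
        Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel, FirstSyncTime
}

# 4. Shell equivalent of clicking "Allow" in ECP: the only write the role group permits.
function Approve-ActiveSyncDevice {
    param([string]$Mailbox, [string]$DeviceId)
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}
}

Test-ActiveSyncQuarantineConfig
Get-QuarantinedActiveSyncDevice
# Constructed values for illustration:
# Approve-ActiveSyncDevice -Mailbox 'User1' -DeviceId 'ApplABC123XYZ'
```

Run the check as an Organization Management member after the steps above; the warnings point at whichever step was skipped or mistyped.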
Now, let's test what we have configured. For this I have created a user named User1 with an ActiveSync-enabled mailbox, and a user named IT Guy who is a member of the ActiveSync Approvers group.
As soon as User1 tries to connect to his mailbox using ActiveSync, he receives a mail similar to the one below, indicating that his device sync is temporarily blocked until access is granted by an admin.
An approval request is sent to the ActiveSync Approvers group, including the user's device data and a link to the Exchange Control Panel [ECP].
When an approver clicks the ECP link, ECP opens and allows the approver to allow, block or even wipe the device, and then click Save.
Once one of these actions has been performed, the user will be able to sync his device successfully.