Wednesday, 5 May 2010

The Client Access Server Role Pt3

Exchange 2010 and Mobile Devices

Mobile devices like PDAs and mobile phones can connect to Exchange 2010 to send/read email messages and other items such as calendar, contacts and tasks. The technology behind this is ActiveSync. ActiveSync is based on HTTP/HTTPS and is designed to connect mobile devices across the Internet.
Enabling/Disabling ActiveSync

ActiveSync is on by default, but you can turn it off by configuring IIS on the CAS. To do this, do the following:

   1. Open IIS Manager from Administrative Tools
   2. In the console tree, open the Application Pools node
   3. Locate MSExchangeSyncApplicationPool
   4. Select Stop from the Actions menu

This will disable ActiveSync. Conversely, choosing 'Start' will enable ActiveSync.

Enabling/Disabling ActiveSync per User

ActiveSync can be enabled or disabled on a per-user basis with the following commands:

[PS] Set-CASMailbox "Andrew Stevens" -ActiveSyncEnabled $True
[PS] Set-CASMailbox "Andrew Stevens" -ActiveSyncEnabled $False

Restrict Mobile Devices

By default users can synchronize any ActiveSync-capable device with Exchange. You can prevent users from connecting with specific devices by using a device's 'Device ID'. However, you should understand that you can only determine this value once an ActiveSync device has connected and synchronized with Exchange.

The device ID can be determined with the Get-ActiveSyncDeviceStatistics cmdlet:

[PS] Get-ActiveSyncDeviceStatistics -Mailbox [alias] | ft DeviceModel, DeviceID, DevicePhoneNumber

The DeviceID is based on the International Mobile Equipment Identity (IMEI). As mentioned, this can be obtained once synchronization has occurred. You can get the number by typing *#06# on the mobile device.
You can add the device to a block list by typing the following:

[PS] Set-CASMailbox [alias] -ActiveSyncBlockDeviceIDs 356059038180488

You can block every device except the device you want to use with the following command:

[PS] Set-CASMailbox [alias] -ActiveSyncAllowedDeviceIDs 356059038180488

With the above command every device is blocked except this one.
To clear the device ID from the block list or the allowed list, type the above commands but use $null instead of the IMEI number:

[PS] Set-CASMailbox [alias] -ActiveSyncBlockDeviceIDs $Null
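The allowed-list approach above is only safe if you build the list from the devices the user is already known to use, and it has a trap: the parameter replaces the whole list rather than appending to it. This added example (not from the original post) enumerates the mailbox's synced devices and writes them all into the allowed list; the alias "andrew" is an assumption.

```powershell
# Added example, not from the original post: restrict a mailbox to the devices that
# have already synchronized with it. Assumes the alias "andrew" exists and that the
# devices currently listed are the ones the user should keep using.
$alias = "andrew"

# Enumerate every device partnership that has synced with this mailbox
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $alias)

# Show what is about to be allowed so it can be sanity-checked first
$devices | Format-Table DeviceModel, DeviceID, LastSuccessSync -AutoSize

# -ActiveSyncAllowedDeviceIDs REPLACES the list, so start from the current
# allowed list; otherwise adding one device silently drops the ones already there
$allowed = @((Get-CASMailbox -Identity $alias).ActiveSyncAllowedDeviceIDs | Where-Object { $_ })
foreach ($d in $devices) {
    if ($allowed -notcontains $d.DeviceID) {
        $allowed += $d.DeviceID
    }
}

# An EMPTY allowed list means "allow everything", so refuse to write one;
# this is the state you are in if no device has synchronized yet
if ($allowed.Count -eq 0) {
    Write-Warning "No device has synchronized with $alias yet; nothing to allow-list."
    return
}

Set-CASMailbox -Identity $alias -ActiveSyncAllowedDeviceIDs $allowed

# Verify: any DeviceID not in this list is now refused by the CAS
(Get-CASMailbox -Identity $alias).ActiveSyncAllowedDeviceIDs

# To lift the restriction later, clear the list again:
# Set-CASMailbox -Identity $alias -ActiveSyncAllowedDeviceIDs $null
```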

Mobile Device Policies

Different devices used by your users have different features and settings. You can define which features and settings are provided for your users by establishing Mobile Device Policies. By default, a single policy is built and is visible:

   1. In the EMC, browse to Organization Configuration, Client Access node
   2. Select Exchange ActiveSync Mailbox Policies
   3. You should see a policy called Default

This policy is applied to all your users.

Create A New Mobile Device Policy

You can create a new policy in the EMS by typing the following:

[PS] New-ActiveSyncMailboxPolicy "Managers"

This creates a new policy with default settings; in this scenario the policy will be used for company managers.

Assign the New Policy to Users and Groups

You can define which groups/users should use the new policy with the following:

[PS] Get-Mailbox andrew | Set-CASMailbox -ActiveSyncMailboxPolicy Managers

Disable/Enable Mobile Device Features

Once users and groups have been assigned you can control which features you want to be enabled/disabled.

These include the following features:
• Removable storage
• Camera
• Wireless network adapter
• Infrared port
• Internet sharing
• Remote desktop
• Synchronization with a PC
• Bluetooth functionality

These features can be turned off using the EMS. For example,

[PS] Set-ActiveSyncMailboxPolicy "Managers" -AllowCamera $false

This will turn off the use of the camera on the mobile device. However, this depends on the device model and only really applies to Windows Mobile devices.

Manage Synchronization Settings

You can also control synchronization settings. These include the following items:
• How old emails and calendar items have to be before they are no longer synchronized
• Maximum size of email attachments
• Direct Push, which pushes email to devices and does not require manual or scheduled synchronization at the device end
• Formatting of messages as HTML or text

This can all be done using the EMS. For example,

[PS] Set-ActiveSyncMailboxPolicy "Managers" -MaxEmailBodyTruncationSize 75 -AttachmentsEnabled $false

This sets the maximum email body size to 75KB and disables attachments.

Protection of Mobile Devices

Protection of devices is essential. A first step is ensuring password protection on the device. The password requirements can be quite granular:

As you can see the password setup can be quite involved. You can see from the above diagram that the number of failed attempts is set to 8. Any more than this and the device is wiped clean, destroying all data stored on the device! So I suggest you select Enable Password Recovery. If you do this a secondary password is generated and maintained on Exchange. An administrator can obtain this password, as can the user via OWA.

If the administrator requires access to the recovery password, simply select the user's mailbox in the EMC and in the action pane click the Manage Mobile Phone option. The recovery password is displayed and can then be given to the user.

A user who has forgotten her password can determine the recovery password by going through the control panel in OWA.

The recovery password can also be obtained using the EMS. You will need to specify the ShowRecoveryPassword switch in order for the password to be displayed. Try the following:

[PS] Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" -ShowRecoveryPassword | fl DevicePhoneNumber, RecoveryPassword
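The feature, synchronization and password settings from the last three sections all live on the same policy object, so a practical way to apply them is one splatted Set-ActiveSyncMailboxPolicy call. This added example (not from the original post) creates the "Managers" policy with those settings and assigns it to every mailbox in a distribution group; the group name "Managers-DL" and the specific values chosen are assumptions.

```powershell
# Added example, not from the original post. Assumes a distribution group named
# "Managers-DL" exists; the values below are illustrative choices, not defaults.
$policyName = "Managers"

# Create the policy only if it does not already exist
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName | Out-Null
}

$settings = @{
    # Devices that cannot enforce the policy are refused instead of syncing unmanaged
    AllowNonProvisionableDevices = $false
    # Hardware features (honoured by Windows Mobile devices, as noted above)
    AllowCamera          = $false
    AllowStorageCard     = $false
    AllowWiFi            = $false
    AllowIrDA            = $false
    AllowInternetSharing = $false
    AllowRemoteDesktop   = $false
    AllowDesktopSync     = $false
    AllowBluetooth       = "HandsfreeOnly"
    # Synchronization limits
    MaxEmailAgeFilter          = "TwoWeeks"
    MaxCalendarAgeFilter       = "OneMonth"
    MaxEmailBodyTruncationSize = 75        # KB
    AttachmentsEnabled         = $false
    # Password protection; recovery is enabled so that 8 failed attempts
    # (a wipe) is not the only way out of a forgotten password
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false
    MinDevicePasswordLength            = 8
    MaxDevicePasswordFailedAttempts    = 8
    MaxInactivityTimeDeviceLock        = "00:15:00"
    PasswordRecoveryEnabled            = $true
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
}
Set-ActiveSyncMailboxPolicy -Identity $policyName @settings

# Assign the policy to every mailbox-type member of the group
Get-DistributionGroupMember -Identity "Managers-DL" |
    Where-Object { $_.RecipientType -like "*Mailbox" } |
    Get-Mailbox |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policyName

# Verify who actually received the policy
Get-DistributionGroupMember -Identity "Managers-DL" | Get-CASMailbox |
    Format-Table Name, ActiveSyncMailboxPolicy -AutoSize
```

Devices that have already partnered pick up the new policy the next time they synchronize, so check the assignment rather than assuming it is immediate.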

Remote Wipe

You can perform a remote wipe of a lost or stolen device. When I say wipe I really mean WIPE! Data on the device and any storage cards will be erased. The process can be performed using both the console and the shell. To perform a wipe using the shell, perform the following 2 steps:

1. Get a list of devices for the unfortunate user

[PS] Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" | fl Identity

2. Wipe the device using the returned device identity

[PS] Clear-ActiveSyncDevice -Identity [DeviceIdentity]

You can also perform the same thing and send a notification email to inform the person of the wipe (just to keep them happy!):

[PS] Clear-ActiveSyncDevice -Identity [DeviceIdentity] -NotificationEmailAddresses ""
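A wipe is only queued on the CAS and executes the next time the device connects, so the useful follow-up is to select exactly one device and then watch for the acknowledgement. This added example (not from the original post) wipes a single lost device identified by its DeviceID, notifies the user, and shows the wipe timestamps; the alias, the DeviceID and the notification address are constructed values.

```powershell
# Added example, not from the original post. The alias, DeviceID and address
# below are constructed placeholders for a realistic incident.
$alias  = "andrew"
$lostId = "356059038180488"        # DeviceID reported by Get-ActiveSyncDeviceStatistics
$notify = "andrew@example.com"     # address that receives the wipe notification

# Select only the partnership for that DeviceID; never wipe a user's devices wholesale
$device = Get-ActiveSyncDeviceStatistics -Mailbox $alias |
    Where-Object { $_.DeviceID -eq $lostId }

if (-not $device) {
    throw "No ActiveSync partnership with DeviceID $lostId found for $alias"
}

# Queue the wipe. Nothing happens on the device until it next contacts the CAS.
Clear-ActiveSyncDevice -Identity $device.Identity `
    -NotificationEmailAddresses $notify -Confirm:$false

# Track it: DeviceWipeRequestTime is set immediately, DeviceWipeSentTime when the
# device checks in, and DeviceWipeAckTime once the device confirms the wipe ran.
Get-ActiveSyncDeviceStatistics -Mailbox $alias |
    Where-Object { $_.DeviceID -eq $lostId } |
    Format-List DeviceModel, DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# Leave the partnership in place until DeviceWipeAckTime is populated; the pending
# wipe is tracked on it. Only then clean up the stale partnership:
# Remove-ActiveSyncDevice -Identity $device.Identity
```

A device that never reconnects never acknowledges, so an empty DeviceWipeAckTime after a long period means the data on it was only ever protected by the device password and encryption settings in the policy.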
