Blocking Mac Mail
-
Thursday, March 01, 2012 1:37 PM
Hi,
I have a user who keeps using his personal Mac using the built in Mail client (not Entourage or Outlook).
This breaks our policies, so I want to block him from doing this.
It appears that the Mail client connects using OWA (EWS) rather than ActiveSync, and in the IIS logs I see that the user's UserAgent is:
Mac+OS+X/10.6.8+(10K549);+ExchangeWebServices/1.3+(61);+Mail/4.5+(1084)
I have entered this into the user's CASmailbox and I see the following:
EwsApplicationAccessPolicy : EnforceBlockList
EwsAllowList :
EwsBlockList : {Mac+OS+X/10.6.8+(10K549);+ExchangeWebServices/1.3+(61);+Mail/4.5+(1084)}
However I can still see connections from that client in the IIS logs.
What have I done wrong?
Many thanks,
Adfrad
All Replies
-
Friday, March 02, 2012 5:27 AM
Not always easy to understand the rationality of corporate policies. But I don't think you can do this with Exchange 2010 alone. Mac mail uses EWS, so does Entourage 2008 EWS and Outlook 2011.
You would need to block by signatures. For instance, TMG 2010 can handle this.
How to configure HTTS Inspection in Forefront TMG 2010
http://araihan.wordpress.com/2010/04/14/how-to-configure-htts-inspection-in-forefront-tmg-2010/
How to block traffic with a HTTP Signature
http://blogs.technet.com/b/isablog/archive/2006/07/03/439980.aspx
Common Application Signatures
http://technet.microsoft.com/library/cc302520.aspx
MCTS: Messaging | MCSE: S+M
- Edited by Jon-Alfred Smith Friday, March 02, 2012 5:28 AM
-
Friday, March 02, 2012 3:13 PM
Might be worth trying some of the other options here:
http://thoughtsofanidlemind.wordpress.com/2010/08/12/controlling-ews-access-in-exchange-2010-sp1/
unless you already tried them? If so, how about the
Set-CASMailbox -Identity 'Joe Soap' -EWSEnabled $False
option?
Mobile OWA For Smartphone
www.leederbyshire.com
email a@t leederbyshire d.0.t c.0.m
- Proposed As Answer by Jon-Alfred Smith Friday, March 02, 2012 9:23 PM
- Marked As Answer by wendy_liu (Microsoft Contingent Staff, Moderator) Friday, March 09, 2012 10:36 AM
-
Friday, March 02, 2012 9:23 PM
Highly interesting! The Propose As Answer goes for the link to the not-so-idle Idle Mind, not to the disabling of EWS for 'Joe Soap'.
Just paraphrasing Tony Redmond: This would set organization access up so that EWS is only enabled for Outlook (Windows), Entourage 2008 EWS, Outlook 2011 for Mac and a user agent that presents the string “OurGreatApp”. This should meet the asker's policy requirements:
Set-OrganizationConfig -EWSEnabled $True -EWSAllowOutlook $True -EWSAllowEntourage $True -EWSAllowMacOutlook $True -EWSApplicationAccessPolicy EnforceAllowList -EWSAllowList {"OurGreatApp*"}
I have not tested it yet, but will do so. With the wisdom of hindsight: it really makes sense to enable/disable EWS access at a fine-granular level, as this has become the preferred API for third-party applications.
MCTS: Messaging | MCSE: S+M
- Edited by Jon-Alfred Smith Friday, March 02, 2012 9:30 PM
- Proposed As Answer by wendy_liu (Microsoft Contingent Staff, Moderator) Friday, March 09, 2012 10:35 AM
-
Saturday, March 03, 2012 8:30 PM
Thanks Lee, Jon-Alfred
At the moment I have the user's EWS disabled, but I agree that it is best practice to lock out the access at the lowest level as it'll only come back to bite me when we install some new function that uses EWS a few years down the line.
I had already found Tony's website and tried a few options, but didn't notice the –EWSAllowList: {“OurGreatApp*”} bit. This implies that you can use wildcards in EWSAllowList (and by inference EWSBlockList). I have found other pages saying that it can't accept wildcards, so I guess I'll just have to give it a go and see what happens when they log on on Monday...
set-CASMailbox -id username -ewsblocklist "*+Mail*"
I'll let you know if it works.
Adfrad
-
Tuesday, July 24, 2012 10:27 AM
Hi Adfrad
Did you get Mac client to be blocked successfully via EWS? I have tried the above command but the Mac can still successfully connect to Exch 2010 server!
~Abdul Aziz
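
One way to check from the IIS logs whether a change to the EWS access policy had any effect, as an added example that is not part of the thread: the function below (hypothetical name Get-EwsClientSummary) reads W3C log lines, keeps requests under /EWS/, turns the `+` that IIS writes in place of spaces in cs(User-Agent) back into spaces, and counts requests per day, user, status code and client. The sample log lines, the EXAMPLE\ user names and the Outlook user agent are constructed for illustration; only the Mac Mail user agent is the one quoted in the question.

```powershell
# Constructed sample of an IIS W3C log (not taken from the thread's server).
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username cs(User-Agent) sc-status
2012-03-05 08:01:12 POST /EWS/Exchange.asmx EXAMPLE\jsoap Mac+OS+X/10.6.8+(10K549);+ExchangeWebServices/1.3+(61);+Mail/4.5+(1084) 200
2012-03-05 08:01:40 POST /EWS/Exchange.asmx EXAMPLE\jsoap Mac+OS+X/10.6.8+(10K549);+ExchangeWebServices/1.3+(61);+Mail/4.5+(1084) 200
2012-03-05 08:02:03 POST /EWS/Exchange.asmx EXAMPLE\asmith MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.8) 200
2012-03-05 08:02:30 GET /owa/ EXAMPLE\asmith Mozilla/5.0+(Windows+NT+6.1) 200
2012-03-06 08:00:05 POST /EWS/Exchange.asmx EXAMPLE\jsoap Mac+OS+X/10.6.8+(10K549);+ExchangeWebServices/1.3+(61);+Mail/4.5+(1084) 403
'@

function Get-EwsClientSummary {
    param([string[]]$Line)
    $fields = @()
    $Line | ForEach-Object {
        $l = $_.Trim()
        if ($l -like '#Fields:*') {
            # Column order can change mid-file, so re-read it at every #Fields header.
            $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'
            return
        }
        if ($l -eq '' -or $l.StartsWith('#')) { return }      # other headers, blank lines
        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { return }        # truncated or foreign line
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['cs-uri-stem'] -notlike '/EWS/*') { return }  # EWS requests only
        New-Object PSObject -Property @{
            Date      = $rec['date']
            User      = $rec['cs-username']
            Status    = $rec['sc-status']
            # IIS logs spaces as '+'; restore the header as the client sent it.
            UserAgent = $rec['cs(User-Agent)'] -replace '\+', ' '
        }
    } | Group-Object Date, User, Status, UserAgent | ForEach-Object {
        $n = $_.Count
        $_.Group[0] | Select-Object Date, User, Status,
            @{Name = 'Requests'; Expression = { $n }}, UserAgent
    }
}

Get-EwsClientSummary -Line ($sampleLog -split '\r?\n') | Format-Table -AutoSize
# For a real log: Get-EwsClientSummary -Line (Get-Content <path to the IIS log file>)
```

A row whose Status is still 200 on a date after the policy change means that client is still being served; the UserAgent column shows the header with spaces, which differs from the `+`-joined form copied out of the log.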

