none
Blocking Mac Mail

    Question

  • Hi,

    I have a user who keeps using his personal Mac using the built in Mail client (not Entourage or Outlook).

    This breaks our policies, so i want to block him from doing this.

    It appears that the Mail client connects using OWA (EWS) rather than ActiveSync, and in the IIS logs I see that the user's UserAgent is:

    Mac+OS+X/10.6.8+(10K549);+ExchangeWebServices/1.3+(61);+Mail/4.5+(1084)

    I have entered this into the user's CASmailbox and I see the following:

    EwsApplicationAccessPolicy         : EnforceBlockList

    EwsAllowList                       :

    EwsBlockList                       : {Mac+OS+X/10.6.8+(10K549);+ExchangeWebServices/1.3+(61);+Mail/4.5+(1084)}

    However I can still see connections from that client in the IIS logs.

    What have I done wrong?

    Many thanks,

    Adfrad

    Thursday, March 01, 2012 1:37 PM

Answers

All replies

  • Not always easy to understand the rationality of corporate policies. But I don't think you can do this with Exchange 2010 alone. Mac mail uses EWS, so does Entourage 2008 EWS and Outlook 2011.

    You would need to block by signatures. For instance, TMG 2010 can handle this.

    How to configure HTTS Inspection in Forefront TMG 2010
    http://araihan.wordpress.com/2010/04/14/how-to-configure-htts-inspection-in-forefront-tmg-2010/

    How to block traffic with a HTTP Signature
    http://blogs.technet.com/b/isablog/archive/2006/07/03/439980.aspx

    Common Application Signatures
    http://technet.microsoft.com/library/cc302520.aspx


    MCTS: Messaging | MCSE: S+M


    Friday, March 02, 2012 5:27 AM
  • Might be worth trying some of the other options here:

    http://thoughtsofanidlemind.wordpress.com/2010/08/12/controlling-ews-access-in-exchange-2010-sp1/

    unless you already tried them?  if so, how about the

    Set-CASMailbox -Identity 'Joe Soap' -EWSEnabled $False

    option?


    Mobile OWA For Smartphone
    www.leederbyshire.com
    email a@t leederbyshire d.0.t c.0.m

    Friday, March 02, 2012 3:13 PM
  • Highly interesting! The Propose As Answer goes for the link to the not-so-idle Idle Mind, not to the disabling of EWS for 'Joe Soap'.

    Just paraphrasing Tony Redmond: This would set organization access up so that EWS is only enabled for Outlook (Windows), Entourage 2008 EWS, Outlook 2011 for Mac and a user agent that presents the string “OurGreatApp”. This should meet the asker's policy requirements:

    Set-OrganizationConfig –EWSEnabled $True –EWSAllowOutlook $True -EWSAllowEntourage $True -EWSAllowMacOutlook $True –EWSApplicationAccessPolicy: EnforceAllowList –EWSAllowList: {“OurGreatApp*”}

    I have not tested it yet, but will do so. With the wisdom of hindsight: it really makes sense to enable/disable EWS access at a fine-granular level, as this has become the preferred API for third-party applications.


    MCTS: Messaging | MCSE: S+M



    Friday, March 02, 2012 9:23 PM
  • Thanks Lee, Jon-Alfred

    At the moment I have the user's EWS disabled, but I agree that is it best practice to lock out the access at the lowest level as it'll only come back to bite me when we install some new function that uses EWS a few years down the line.

    I had already found Tony's website and tried a few options, but didn't notice the –EWSAllowList: {“OurGreatApp*”} bit. This imples that you can use wildcards in EWSAllowList (and by inference EWSBlockList). I have found other pages saying that it can't accept wildcards, so I guess I'll just have to give it a go and see what happens when they logon on Monday...

    set-CASMailbox -id username -ewsblocklist "*+Mail*"

    I'll let you know if it works.

    Adfrad


    Saturday, March 03, 2012 8:30 PM
  • Hi Adfrad

    Did you get Mac client to be blocked successfully via EWS? I have tried the above command but the Mac can still successfully connect to Exch 2010 server!


    ~Abdul Aziz

    Tuesday, July 24, 2012 10:27 AM