Restrict ActiveSync Connections to iPhone and iPad Only

Question
-
Hello, is there a way to allow only iPhones and iPads and no other devices to connect to Exchange 2007 via ActiveSync? I know this is possible with Exchange 2010 but we have not been able to find a solution with Exchange 2007. Thanks!
Tuesday, August 3, 2010 6:09 PM
All replies
-
I think you'll have to use something like ISA:
http://msexchangeteam.com/archive/2008/09/05/449757.aspx
- Marked as answer by Elvis Wei Monday, August 9, 2010 5:55 AM
Tuesday, August 3, 2010 7:29 PM -
Yeah.. we do not have ISA
Tuesday, August 3, 2010 8:33 PM
-
Hi RevoBasher,
I would suggest you deploy an ISA if you would like to achieve the goal. If your current firewall can set a rule that blocks according to the User-Agent string, that can also do the trick. Please refer to the article provided by Andy.
If you can't restrict at the firewall, you need to go to the next solution:
Custom ISAPI filter:
Since creating a custom ISAPI filter is both time consuming (you have to write custom code) and not a best practice, I'm not going to talk too much about it except mentioning that it is a possible solution. More details can be found here for those interested in exploring this option.
A related thread for your reference: http://social.technet.microsoft.com/Forums/en-US/exchangesvrmobility/thread/c1545ebf-8bdb-4c1f-9b60-a645d4fdd419
Thanks,
Elvis
- Marked as answer by Elvis Wei Monday, August 9, 2010 5:55 AM
Wednesday, August 4, 2010 3:11 AM -
You can achieve this through policy. Turn off ActiveSync for everyone and then only turn it on for those you allow. If that is iPhones and iPads, so be it.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. If the post wasn't the exact answer or was helpful in leading you to the answer, please vote it as helpful. This can be beneficial to other community members reading the thread.
Wednesday, August 4, 2010 3:19 AM -
But the policy applies to users, not devices.
Wednesday, August 4, 2010 11:11 AM -
^^ right... what Scott posted will not work. I guess I am stuck unless we use ISA
Wednesday, August 4, 2010 5:49 PM
-
Depends on how you write the policy. Yes, it is a turn-on/turn-off policy per user, but if your written policy is that the only supported devices for ActiveSync are iPhones and iPads, then that is written in the policy. It is up to the users to comply or be in a non-supported state if they choose to use a different device.
I have this going on now with another client. They support WM and iPhone but not Droid or anything else. If the user says I want access, IT turns it on. If the user then connects a Droid to it, IT doesn't immediately know, but when they run the script below they will, and then they can turn it off and send the user a nastygram.
Here is the policing script:
# replace <ServerName> with the mailbox server to query (the name is missing from the original post)
Get-Mailbox -Server "<ServerName>" -ResultSize Unlimited | ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } | ft Identity,DeviceModel,LastSuccessSync
Or the last option would be to deploy ISA.
Wednesday, August 4, 2010 5:59 PM -
Makes sense.. However, the problem is being in a non-supported state is not good enough.. we need to prevent anything other than iPhones and iPads from connecting at all.
Wednesday, August 4, 2010 6:08 PM
-
ISA seems like the best bet then, or upgrade to Exchange 2010 and you could do something like this:
http://blog.brightpointuk.co.uk/restricting-access-exchange-2010-activesync
You might be able to configure a PowerShell script that runs on a set interval and looks for something like this:
# fragment: runs inside a loop over each mailbox ($mailbox, a placeholder name) and its Get-ActiveSyncDeviceStatistics results
if ($_.DeviceType -ne "iPhone") {
    Set-CASMailbox -Identity $mailbox -ActiveSyncEnabled $false
}
Where the script looks through all the ActiveSync connections and if it finds something outside of iPhone or iPad it disables the user's ActiveSync access. But this too would leave a small window of access between the time the sync was started and the script ran.
- Proposed as answer by Scott H. Robinson Thursday, August 5, 2010 1:24 AM
- Marked as answer by Elvis Wei Monday, August 9, 2010 5:54 AM
Wednesday, August 4, 2010 6:22 PM -
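The policing report and the interval script described in the two replies above, combined into one runnable script. This is an added example, not code posted by anyone in the thread; the parameter names, the helper function Test-DeviceAllowed and the exact DeviceType strings in the allow list are assumptions to verify against your own report output.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Assumption: 'iPhone' and 'iPad' are the DeviceType strings your devices
# report; confirm with a report-only run (no -Enforce) first.
param(
    [string[]]$AllowedTypes = @('iPhone', 'iPad'),
    [switch]$Enforce
)

function Test-DeviceAllowed([string]$DeviceType, [string[]]$Allowed) {
    # -contains is case-insensitive; an empty DeviceType is never allowed
    return ($DeviceType -and ($Allowed -contains $DeviceType))
}

# Only mailboxes that have ActiveSync enabled and at least one partnership
$mailboxes = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and $_.HasActiveSyncDevicePartnership }

foreach ($mbx in $mailboxes) {
    # Collect every partnership whose DeviceType is outside the allow list
    $violations = @(Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity |
        Where-Object { -not (Test-DeviceAllowed $_.DeviceType $AllowedTypes) })

    if ($violations.Count -eq 0) { continue }

    # Report first, so there is a record of what triggered the action
    $violations | Select-Object @{Name = 'Mailbox'; Expression = { $mbx.Name }},
        DeviceType, DeviceModel, DeviceID, LastSuccessSync

    if ($Enforce) {
        # Per-user switch: this also cuts off the user's allowed devices
        Set-CASMailbox -Identity $mbx.Identity -ActiveSyncEnabled $false
    }
}
```

Partnerships left over from retired devices are reported too, so clear those before running with -Enforce. As the reply notes, this acts only after a device has already synced.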
Perfect.. thanks all!
Wednesday, August 4, 2010 6:37 PM