Restrict Outlook Access Only To Domain Joined PCs?

  • Question

  • We have contractors that use their employers' laptops to access various LAN resources on our network such as access to shared network drives, printers, Remote Desktop and access to our Intranet sites. They have mailboxes on our Exchange servers and we would like their mailbox access to be restricted to EAS and OWA, not Outlook unless they are using one of our domain-joined computers.

    The main reason for this is to restrict these users from downloading their mailbox contents into a personal folder. We can create PST restrictions on our domain-joined PCs via group policy, but these policies would not apply to computers not joined to our domain.

    Of course we would also like to prevent Outlook access to their mail from their home PCs that they may have installed Outlook on, but we still need seamless remote access to Outlook on domain-joined laptops used remotely.

    How can this be done?

    Sunday, January 19, 2014 11:54 PM

All replies

  • Do not enable Outlook Anywhere and ensure that CAS Array FQDN is not resolvable on the internet.


    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Monday, January 20, 2014 2:47 PM
  • From outside LAN, see above. Inside LAN might be difficult if users know the Exchange server settings and attempt to connect manually. I think the user is being authenticated - not the computer.

    http://social.technet.microsoft.com/Forums/exchange/en-US/19082443-a6ba-4f55-9f4e-0312a511820f/only-allow-outlook-client-from-pc-joined-to-the-domain?forum=exchangesvrclientslegacy


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, January 20, 2014 5:22 PM
  • Take a read at this:

    http://www.microsoft.com/en-us/download/details.aspx?id=23708

    There is nothing native in Exchange to block this, so look at IPSEC which can base a policy off domain membership. 


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, January 20, 2014 7:11 PM
  • PS -- Andy are you going to MEC ?

    Cheers,

    Rhoderick

    Monday, January 20, 2014 7:12 PM
  • Do not enable Outlook Anywhere and ensure that CAS Array FQDN is not resolvable on the internet.

    If we disable Outlook Anywhere, wouldn't that also prevent our domain joined laptops from connecting remotely unless they use VPN?
    Tuesday, January 21, 2014 12:50 AM
  • Do not enable Outlook Anywhere and ensure that CAS Array FQDN is not resolvable on the internet.

    If we disable Outlook Anywhere, wouldn't that also prevent our domain joined laptops from connecting remotely unless they use VPN?

    If your goal is to ensure only authorized workstations connect to your domain, then I would think you want them to only use VPN and look at the IPSEC info that Rhoderick posted.


    Tuesday, January 21, 2014 12:21 PM
  • PS -- Andy are you going to MEC ?

    Cheers,

    Rhoderick


    I will be there with bells on!


    Tuesday, January 21, 2014 12:21 PM
  • Groovy - I'll make a point of coming to find you :)

    Cheers,

    Rhoderick

    Tuesday, January 21, 2014 1:08 PM