Now a days there are so many active sync enabled applications which end users can download, install on their mobile devices and access emails .
If we have any MDM solutions in place to control the end users mobile devices then we don’t need to worry about this part.
In most of the MDM solutions the implementation will be segregation of the devices own device policy ,corporate device policy and applications that can be downloaded and accessed from the devices.
The challenge comes when we do not have an MDM solution in place and users accessing the emails from their mobile devices without any active sync policies configured.
In this article lets have a look at some troubleshooting guidelines that we can perform to block users trying to access the emails from their mobile device through any third party active sync enabled application.
How to find the Active Sync connections coming from different mobile applications ?
You can filter and see the active-sync requests in the reverse-proxy/firewall.This is the best way and you can find them easily.
To find the users who are using any app to access emails via active-sync perform the following :-
1) Filter the active sync requests in your firewall or reverse proxy accordingly and start the query.
2) Usually in most of the firewall and reverse proxy it will show you the source,destination and the request after the filter.
You need to concentrate on the request alone
Below is an example of normal active sync request
If the user device is connected through any application Eg: cloudmagic you can see the word “cloud magic” in the request URL. By this way you can identify the users . It should be easy.
Also you can use the exchange commands query string parameter and filter device access rule.This will help you to identify what type of devices are connecting .Use the below command to see the type of the connections through Active-sync
Get-ActivesyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, Accesslevel -AutoSize
You will get any output of the above only if you have created any device access rule for the same.
In the Query String parameter you can see the type of the software that the active sync is used for connecting.
There is one more method to identify the type of devices that connect through active-sync from the IIS logs
Just an example below of how the log entry shows for the android device type.
Now how do we block all these types of connections and allow only Native client ?
I have mentioned few points which will definitely help in address these kind of issues
1) Create a new device access rule and block the applications through which end users should not connect through
In my example i have created a new device access rule to stop the connections coming from cloudmagic application.
New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceType -QueryString “CloudMagic”
2) Add a query string value in the web.config file to stop the connection from specific applications
Edit the EWS web.config file on the mailbox server and add the below string to block the users accessing the emails through application in my case its cloud-magic
Below is the location –
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews
<add string=”CloudMagic” />
Better to add this value in the CAS front end proxy server as well
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync
do an iisreset after this
Note: Make sure that you take a backup of the web.config file before making this change.
Also additionally create a rule in the firewall,reverse proxy stating that any active-sync requests that come with the url “cloud magic” drop the connection and do not proceed.
After performing the above log into your reverse proxy perform a filter and see if this query type with cloud magic is getting blocked(definitely it should be).
Hope this helps
MVP – Exchange Server