  1. #1


    Controlling Access to Exchange ActiveSync

    Hi, we are running Exchange 2003 (Ent) and have about 10 school-owned devices which use ActiveSync on it to sync emails. This is fine and we are happy to continue with this, but my question is how to prevent others from connecting their personal phones to the server? Is this possible?!

    Would welcome any thoughts and suggestions.

    Thanks

    Si

  2. #2
    mb2k01
    In 2003 it is easy - just don't allow mobile messaging on the properties of users you don't want connecting (browse to the user in AD on the Exchange box, right click, Exchange Tasks and disable mobile messaging.... something along those lines anyway - don't have a VM to hand!)

  3. #3

    Thanks for your reply, but I didn't word my question very well. Believe it or not, there are some staff who have a school smartphone but still want the emails on their personal phone. Is it possible to do it on a per (authorised) device basis? Thanks.

  4. #4

    Edu-IT
    Can you then not just enable it for those staff? A quick email and you can enable it for them.

  5. #5
    mb2k01
    Hi Si84,
    I think I'm still missing something!
    My previous post told you how you could enable or disable activesync for specific users. Have you tried it?

    I'm curious why you want to prevent people connecting though...
    If people were itching to connect I'd embrace it rather than look to flick it off.

  6. #6

    SYNACK
    As others have said, I would be happy about the staff buy-in and want to encourage it; however, if you have issues with it, are they based on the security of staff devices? If so, you can set up security requirements for the devices which require them to have a password on the device along with it being a certain complexity. This page shows you the setup: Exchange 2003 Mobile Messaging Part 2 - Uncovering the Device Security Policies

    If you still need to block other devices, one method, which would be manual, would be to install and use the ActiveSync Admin tool as shown here: Exchange 2003 Mobile Messaging Part 3 – Installing, Administering, and Using the Microsoft Exchange Server ActiveSync Web Administration tool & http://www.microsoft.com/downloads/d...DisplayLang=en - this would let you see what devices are connecting and also delete their partnerships, forcing them to re-setup the link. You can also remote wipe devices from it, so be careful, as I am sure it would make for a very angry staff member if you wiped and bricked their personal phone.

    The only other way I can think of is using a non-public SSL certificate and not giving it out to staff, so that their devices dropped out with an encryption error unless they were provided the correct cert or grabbed it off a school device.

    Would be interested to hear what the issue is with it though, if you are able to give out that information, as that level of staff buy-in would be welcomed here.
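
    An added example, not part of the thread or of any poster's reply: one way to see which devices are syncing, per user, is to read the IIS logs on the Exchange front end, since each ActiveSync request carries `User`, `DeviceId` and `DeviceType` in its query string. It assumes W3C extended logging with `cs-uri-query` enabled; the log lines, device IDs and the approved-device set below are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2011-01-17 08:01:12 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=SCHOOLDEV0001&DeviceType=PocketPC&Cmd=Sync SCHOOL\\asmith 10.0.0.21 200
2011-01-17 08:03:40 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=PERSONAL9F3C&DeviceType=iPhone&Cmd=Sync SCHOOL\\asmith 192.0.2.77 200
2011-01-17 08:04:02 GET /exchange/asmith/Inbox - SCHOOL\\asmith 10.0.0.21 200
2011-01-17 08:09:55 POST /Microsoft-Server-ActiveSync User=bjones&DeviceId=schooldev0002&DeviceType=PocketPC&Cmd=Ping SCHOOL\\bjones 10.0.0.30 200
2011-01-17 09:15:03 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=PERSONAL9F3C&DeviceType=iPhone&Cmd=Ping SCHOOL\\asmith 192.0.2.77 200
"""

# Hypothetical inventory of school-owned device IDs (assumption for this example).
APPROVED_DEVICE_IDS = {"SCHOOLDEV0001", "SCHOOLDEV0002"}


def activesync_devices(log_text):
    """Return {(user, device_id, device_type): stats} for ActiveSync requests."""
    fields = []
    seen = defaultdict(lambda: {"hits": 0, "last_seen": "", "ips": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != "/microsoft-server-activesync":
            continue
        query = parse_qs(row.get("cs-uri-query", ""))
        device_id = query.get("DeviceId", [""])[0].upper()
        if not device_id:
            continue
        key = (query.get("User", ["?"])[0].lower(), device_id,
               query.get("DeviceType", ["?"])[0])
        entry = seen[key]
        entry["hits"] += 1
        stamp = row.get("date", "") + " " + row.get("time", "")
        entry["last_seen"] = max(entry["last_seen"], stamp)
        entry["ips"].add(row.get("c-ip", "?"))
    return dict(seen)


def unapproved(devices, approved=APPROVED_DEVICE_IDS):
    """Keep only partnerships whose DeviceId is not in the inventory."""
    return {k: v for k, v in devices.items() if k[1] not in approved}


if __name__ == "__main__":
    for (user, dev, kind), info in sorted(unapproved(activesync_devices(SAMPLE_LOG)).items()):
        print(user, kind, dev, info["hits"], info["last_seen"], sorted(info["ips"]))
```

    The resulting list gives the user and device to look up before deleting a partnership in the administration tool.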

  7. #7

    Ric_
    Originally posted by SYNACK:
    "Would be interested to hear what the issue is with it though, if you are able to give out that information, as that level of staff buy-in would be welcomed here."
    It could be as simple as per device licensing not covering personal devices.

  8. #8

    SYNACK
    Originally posted by Ric_:
    "It could be as simple as per device licensing not covering personal devices."
    That would make perfect sense and something that I had not considered.

  9. #9

    Hi all, thanks for the responses.

    There are a couple of reasons for doing it
    • it is against our school's AUP that personal devices are connected to the school's network

    • if we say yes you can do it then we end up supporting their personal phones

    • if they really need email on the go then the school provides them with a phone

    • our data security policy requires phones to offer encryption and be able to be wiped remotely if lost or stolen to protect unauthorised access to emails which could potentially contain sensitive information. If a member of staff loses their personal phone we don't have the ability to do this


    I completely agree that if staff are interested then they should be encouraged (my first reaction to requests is almost always 'yes we'll have a look and see if we can do that' and not 'no clear off!') but at the end of the day, the school pays for them to have email on a device and we are paid to maintain that device. They have to have their work phone on them so why do they really need it on a personal device too?

    Again thanks for all your responses.

    Si

  10. #10
    mb2k01
    Just to pick up on a couple of points:

    - Completely understand personal device mention in AUP, but should that extend to phones when all they can do is access controlled services via specific ports?
    - Not much support needed once working. Other than setting up initially, I can hand on heart say I've never been given a support task for mobile devices picking up email.
    - Why take a chunk of money out of a dwindling budget if staff already have a device which they are willing to use (normally also using their own data allowance!)?

    - Very valid point, and I can't recall whether you can do this with Exchange 2003. I know for a fact you can with Exchange 2010 so would also assume 2007? (It may be worth a Google search?)

    Those are all meant for discussion / consideration, not as a "you're doing it wrong" kind of argument. What works well for one school may not suit another, and you know best what suits you.


