15th February 2010, 06:40 PM #1
Controlling Access to Exchange ActiveSync
Hi, we are running Exchange 2003 (Ent) and have about 10 school owned devices which use ActiveSync on it to sync emails. This is fine and we are happy to continue with this but my question is how to prevent others from connecting their personal phones to the server? Is this possible?!
Would welcome any thoughts and suggestions.
15th February 2010, 06:43 PM #2
In 2003 it is easy - just don't allow mobile messaging on the properties of users you don't want connecting (browse to the user in AD on the Exchange box, right click, Exchange Tasks and disable mobile messaging... something along those lines anyway - don't have a VM to hand!)
15th February 2010, 08:46 PM #3
Thanks for your reply but I didn't word my q very well. Believe it or not there are some staff who have a school smartphone but still want the emails on their personal phone. Is it possible to do it on a per (authorised) device basis? Thanks.
15th February 2010, 09:11 PM #4
Can you then not just enable it for those staff? A quick email and you can enable it for them.
15th February 2010, 09:21 PM #5
I think I'm still missing something!
My previous post told you how you could enable or disable activesync for specific users. Have you tried it?
I'm curious why you want to prevent people connecting though...
If people were itching to connect I'd embrace it rather than look to flick it off.
15th February 2010, 10:25 PM #6
As others have said, I would be happy about the staff buy-in and want to encourage it; however, if you have issues with it, are they based on the security of staff devices? If so, you can set up security requirements for the devices which require them to have a password on the device, along with it being a certain complexity. This page shows you the setup: Exchange 2003 Mobile Messaging Part 2 - Uncovering the Device Security Policies
If you still need to block other devices, one method, which would be manual, would be to install and use the ActiveSync Admin tool as shown here: Exchange 2003 Mobile Messaging Part 3 – Installing, Administering, and Using the Microsoft Exchange Server ActiveSync Web Administration tool & http://www.microsoft.com/downloads/d...DisplayLang=en - this would let you see what devices are connecting and also delete their partnerships, forcing them to re-setup the link. You can also remote wipe devices from it, so be careful, as I am sure it would make for a very angry staff member if you wiped and bricked their personal phone.
The only other way I can think of is using a non-public SSL certificate and not giving it out to staff, so that their devices dropped out with an encryption error unless they were provided the correct cert or grabbed it off a school device.
Would be interested to hear what the issue is with it though, if you are able to give out that information, as that level of staff buy-in would be welcomed here.
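An added example, not part of the original post and not a Microsoft tool: the audit the post describes (seeing which devices are connecting) can also be scripted from the IIS logs by comparing each ActiveSync request's DeviceId against a list of school-owned devices. It assumes the DeviceId appears in plain text in the query string of requests to /Microsoft-Server-ActiveSync; the device IDs, user names and log lines below are constructed.

```python
from urllib.parse import parse_qs

# Assumption: device IDs of the school-owned phones (constructed values).
APPROVED_DEVICE_IDS = {"SCHOOLDEV0001", "SCHOOLDEV0002"}

# Constructed IIS W3C log sample (not real data).
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2010-02-15 08:01:12 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=SCHOOLDEV0001&DeviceType=PocketPC&Cmd=Sync asmith 192.0.2.10 200
2010-02-15 08:03:40 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=PERSONAL9F3A&DeviceType=iPhone&Cmd=Sync asmith 198.51.100.7 200
2010-02-15 08:05:02 GET /exchange/bjones/Inbox - bjones 192.0.2.11 200
2010-02-15 08:06:19 POST /Microsoft-Server-ActiveSync User=cbrown&DeviceId=PERSONAL77B1&DeviceType=SmartPhone&Cmd=Sync - 203.0.113.5 401
2010-02-15 09:10:00 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=PERSONAL9F3A&DeviceType=iPhone&Cmd=Ping asmith 198.51.100.7 200
"""


def unapproved_devices(log_text, approved=APPROVED_DEVICE_IDS):
    """Map (user, device_id, device_type) -> [requests, successes] for unlisted devices."""
    fields, found = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != "/microsoft-server-activesync":
            continue                       # OWA and other traffic is out of scope
        query = parse_qs(row.get("cs-uri-query", ""))
        device_id = query.get("DeviceId", [""])[0].upper()
        if not device_id or device_id in approved:
            continue
        key = (query.get("User", ["?"])[0].lower(), device_id,
               query.get("DeviceType", ["?"])[0])
        entry = found.setdefault(key, [0, 0])
        entry[0] += 1                                   # every request seen
        entry[1] += row.get("sc-status") == "200"       # requests that succeeded
    return found


if __name__ == "__main__":
    for (user, dev, kind), (total, ok) in sorted(unapproved_devices(SAMPLE_LOG).items()):
        print(f"{user}: unlisted device {dev} ({kind}), {total} requests, {ok} successful")
```

Devices reported with successful requests are the partnerships to review in the ActiveSync admin tool.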
15th February 2010, 10:30 PM #7
It could be as simple as per device licensing not covering personal devices.
Originally Posted by SYNACK
15th February 2010, 10:34 PM #8
That would make perfect sense and something that I had not considered.
Originally Posted by Ric_
16th February 2010, 09:32 AM #9
Hi all, thanks for the responses.
There are a couple of reasons for doing it
- it is against our school's AUP that personal devices are connected to the school's network
- if we say yes you can do it then we end up supporting their personal phones
- if they really need email on the go then the school provides them with a phone
- our data security policy requires phones to offer encryption and be able to be wiped remotely if lost or stolen to protect unauthorised access to emails which could potentially contain sensitive information. If a member of staff loses their personal phone we don't have the ability to do this
I completely agree that if staff are interested then they should be encouraged (my first reaction to requests is almost always 'yes we'll have a look and see if we can do that' and not 'no clear off!') but at the end of the day, the school pays for them to have email on a device and we are paid to maintain that device. They have to have their work phone on them so why do they really need it on a personal device too?
Again thanks for all your responses.
16th February 2010, 10:07 AM #10
Just to pick up on a couple of points:
Originally Posted by si84
- Completely understand personal device mention in AUP, but should that extend to phones when all they can do is access controlled services via specific ports?
- Not much support needed once working. Other than setting up initially, I can hand on heart say I've never been given a support task for mobile devices picking up email.
- Why take a chunk of money out of a dwindling budget if staff already have a device which they are willing to use (normally also using their own data allowance!)?
- Very valid point, and I can't recall whether you can do this with Exchange 2003. I know for a fact you can with Exchange 2010 so would also assume 2007? (It may be worth a Google search?)
Those are all meant for discussion / consideration, not as a "you're doing it wrong" kind of argument. What works well for one school may not suit another, and you know best what suits you.