Don Young asked:
How can I delegate Exchange 2010 ActiveSync Device Approval through Exchange Control Panel

Have recently deployed Exchange 2010.  We have set up an ActiveSync Rule that all new devices are quarantined by default.

I would like to delegate the approval of these devices to a non-admin user, allowing them to go to the ECP and allowing the devices after the appropriate paperwork has been submitted.

I am creating a custom management role to assign to these non-admin users.  However, I don't know which Role to base it on, and what subset commands of that role need to remain in place.

Any help appreciated.
Jian An Lim:

hmm...


refer to http://msdn.microsoft.com/en-us/library/dd638131.aspx


it is modifying Exchange ActiveSync device settings and it will need Recipient Management role.

in ECP, go to Phone & Voice, then ActiveSync Access

it will allow you to allow quarantined devices
Don Young (asker):
I actually started there.  Assigning the Mail Recipient Role gives the ActiveSync Device Policy Tab, but NOT the ActiveSync Access tab.  So that's not it.

So far I have found that assigning the following two roles gives access; "Organization Client Access" and "User Options" - but too much access.  I don't want the non-admin users to be able to edit the user options as exposed on the Users tab.
http://www.networksteve.com/exchange/topic.php/Delegate_permissions_to_helpdesk_administrators_to_change_recipi/?TopicId=27494&Posts=6

okay, according to this page, you should assign the custom Management Role to the user or the Role Group. You need to do it through an RBAC role group.
Been there too.  It's not ActiveSync Policy assignment I need them to manage.  In fact, I do NOT want them to be able to change what policy the user has.  I simply need to allow them to "Allow" or "Block" a device.
Hi there,


I am not claiming I already did it, but I have experience with RBAC and I am willing to give it a try if you are ready to bear with me.

Is there any role you found that will give you this permission through ECP? If yes, can you please tell me which role and give me a screenshot of how it shows in ECP?

When you give me this I will sort it out for you
OK, I just found the info I need is already in the question. Will be back to you.
Akhater...  I have time.  :)  I just have to have an admin do it until I get it properly set up.  Here is what I have done so far:

Created a new Management Role Group (EAS Device Management) and found that if I assign "Organization Client Access" and "User Options" to that group, the non-admin user can allow or block the devices.  However, they can also edit user settings, which I do not want.  Here are two screen shots:

[screenshot 1]
[screenshot 2]
Well I don't promise anything but this is a quite interesting challenge for me so I will give it a try :o)
OK please try this for me


# Create two custom roles that inherit every entry from the parent roles found to expose the ActiveSync Access tab
New-ManagementRole "ActiveSync User Options" -Parent 'User Options'

New-ManagementRole "ActiveSync Client Access" -Parent 'Organization Client Access'


# Strip every cmdlet whose name does not contain "ActiveSync" out of both custom roles
Get-ManagementRoleEntry -Identity 'ActiveSync User Options\*' | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False

Get-ManagementRoleEntry -Identity 'ActiveSync Client Access\*' | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False


# Also remove the organization-wide settings and device access rule cmdlets, which a device approver does not need
Remove-ManagementRoleEntry 'ActiveSync Client Access\Set-ActiveSyncOrganizationSettings'
Remove-ManagementRoleEntry 'ActiveSync Client Access\Set-ActiveSyncDeviceAccessRule'
Remove-ManagementRoleEntry 'ActiveSync Client Access\Remove-ActiveSyncDeviceAccessRule'
Remove-ManagementRoleEntry 'ActiveSync Client Access\New-ActiveSyncDeviceAccessRule'


# Put both custom roles in a new role group and add the delegate to it
New-RoleGroup 'ActiveSync Access Admins' -Roles 'ActiveSync User Options', 'ActiveSync Client Access'

Add-RoleGroupMember "ActiveSync Access Admins" -Member user@domain.com


wait it is too restrictive :)
While I don't currently have a quarantined device to test with, it only shows the correct tab...  What part is too restrictive?
The Allow and Block options are not showing next to quarantined devices
Ah.  Yes.  That would be a problem.  :)
Backing out.
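The script posted above removes every role entry whose name does not contain "ActiveSync", which is a plausible reason the Allow and Block links vanish: the cmdlet that actually writes a mailbox's allowed/blocked device IDs does not carry that word. The following is an added example, not Akhater's code and not the accepted solution (which is not visible on this page). It rebuilds the same two trimmed roles but keeps Get-CASMailbox and Set-CASMailbox, restricts Set-CASMailbox to the device ID parameters, and audits what the role group can run. It assumes, because the thread does not say so, that the ECP Allow/Block action is performed through Set-CASMailbox -ActiveSyncAllowedDeviceIDs / -ActiveSyncBlockedDeviceIDs; the role, group and member names are the ones from the thread, and it must be run in the Exchange Management Shell on Exchange 2010 with rights to manage RBAC.

```powershell
# Added example, not code from the thread. Assumes (not stated on the page) that the
# ECP "Allow"/"Block" action on a quarantined device is carried out through
# Set-CASMailbox -ActiveSyncAllowedDeviceIDs / -ActiveSyncBlockedDeviceIDs, so the
# CAS mailbox cmdlets are kept when the roles are trimmed. Run in the Exchange
# Management Shell (Exchange 2010) as a member of Organization Management.

$userRole  = 'ActiveSync User Options'
$orgRole   = 'ActiveSync Client Access'
$roleGroup = 'ActiveSync Access Admins'
$member    = 'user@domain.com'            # placeholder address from the thread

# Cmdlets without "ActiveSync" in their name that are still needed to read and
# update a mailbox's device ID lists (assumption, see above).
$keep = 'Get-CASMailbox', 'Set-CASMailbox'

# 1. Child roles start with every entry of their parent role.
New-ManagementRole -Name $userRole -Parent 'User Options'
New-ManagementRole -Name $orgRole  -Parent 'Organization Client Access'

# 2. Trim both roles to the ActiveSync cmdlets plus the kept CAS mailbox cmdlets.
foreach ($role in $userRole, $orgRole) {
    Get-ManagementRoleEntry -Identity "$role\*" |
        Where-Object { $_.Name -notlike '*ActiveSync*' -and $keep -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
}

# 3. Organization-wide settings and device access rules stay with the real admins
#    (the same four entries the thread's script removes).
'Set-ActiveSyncOrganizationSettings',
'New-ActiveSyncDeviceAccessRule',
'Set-ActiveSyncDeviceAccessRule',
'Remove-ActiveSyncDeviceAccessRule' | ForEach-Object {
    $entry = Get-ManagementRoleEntry -Identity "$orgRole\$_" -ErrorAction SilentlyContinue
    if ($entry) { Remove-ManagementRoleEntry -Identity "$orgRole\$_" -Confirm:$false }
}

# 4. Least privilege on Set-CASMailbox: when neither -AddParameter nor
#    -RemoveParameter is given, Set-ManagementRoleEntry -Parameters replaces the
#    allowed parameter list, so the delegate can change only the device ID lists
#    and not OWA, IMAP or POP settings on the mailbox.
if (Get-ManagementRoleEntry -Identity "$userRole\Set-CASMailbox" -ErrorAction SilentlyContinue) {
    Set-ManagementRoleEntry -Identity "$userRole\Set-CASMailbox" `
        -Parameters Identity, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
}

# 5. Role group holding both roles, then the delegate.
New-RoleGroup -Name $roleGroup -Roles $userRole, $orgRole
Add-RoleGroupMember -Identity $roleGroup -Member $member

# 6. Audit: exactly which cmdlets and parameters the group can run. Review this
#    output before handing the group to a non-admin user.
foreach ($role in $userRole, $orgRole) {
    Get-ManagementRoleEntry -Identity "$role\*" |
        Sort-Object Name |
        Format-Table Role, Name, Parameters -AutoSize -Wrap
}
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope -AutoSize
```

If the Allow/Block links still do not appear after this, the audit output in step 6 is the place to look: compare it against the entries of the untrimmed "User Options" and "Organization Client Access" roles and add back one cmdlet at a time rather than re-assigning the full parent roles.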
ASKER CERTIFIED SOLUTION by Akhater (the accepted solution is available only to Experts Exchange members and is not reproduced on this page)
Perfect!  Thank you VERY much!
Thank you for the challenge and the points.

If, when you put it in action, you have issues, just update this thread and I will follow it up with you.
sehnenriss:

Is it also possible to send approval mails only for certain OU users? Right now all admins will be informed about all devices, but some of them only need to approve (are allowed to approve) devices from certain Organizational Units.

Thank you very much!!
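The follow-up question above has no answer in the thread. As an added example (not a reply from any participant), here is how the approval right itself, as opposed to the notification mail, can be confined to one Organizational Unit with an RBAC management scope: a recipient write scope rooted at the OU, and a per-OU role group that carries the same trimmed roles created earlier in the thread but with that scope as its custom recipient write scope. The role names are the thread's own; the OU path, scope name, group name and member address are placeholders. Quarantine notification mail in Exchange 2010 is configured organization-wide (Set-ActiveSyncOrganizationSettings -AdminMailRecipients), so this scopes who may act, not who is notified.

```powershell
# Added example, not from the thread. Confines Allow/Block rights to mailboxes in
# one OU by giving a per-OU role group a custom recipient write scope. Assumes the
# roles 'ActiveSync User Options' and 'ActiveSync Client Access' from the thread
# already exist. OU path, names and member address are placeholders.

$ou        = 'contoso.local/Sales'                    # placeholder OU (domain/OU form)
$scopeName = 'EAS Approvers - Sales'                  # placeholder scope name
$groupName = 'ActiveSync Access Admins - Sales'       # placeholder role group
$delegate  = 'sales-helpdesk@contoso.local'           # placeholder member
$roles     = 'ActiveSync User Options', 'ActiveSync Client Access'

# 1. Recipient scope: only mailboxes whose object sits under the OU.
#    RecipientRoot must be combined with RecipientRestrictionFilter.
New-ManagementScope -Name $scopeName `
    -RecipientRoot $ou `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

# 2. One role group per OU. The roles are the same trimmed ones; only the write
#    scope differs, so a member can allow/block devices for Sales mailboxes but
#    gets "not within the scope" errors for everyone else.
New-RoleGroup -Name $groupName -Roles $roles -CustomRecipientWriteScope $scopeName
Add-RoleGroupMember -Identity $groupName -Member $delegate

# 3. Verify the assignments really carry the custom scope. Also make sure the
#    delegate is not still a member of the unscoped 'ActiveSync Access Admins'
#    group, which would silently widen their rights back to the whole org.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
Get-RoleGroupMember -Identity 'ActiveSync Access Admins' |
    Where-Object { $_.PrimarySmtpAddress -eq $delegate }
```

Repeat steps 1 and 2 with a different OU, scope and group name for each team of approvers. The read scope stays organization-wide, so members still see other mailboxes' devices in ECP; the scope blocks the write, which is what matters for enforcing who can approve what.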