maher771 asked:
stop users from downloading mail on mobile phones

I have an OWA server and the users are aware of the link so they can access e-mail out of office:
https://mail.123.com
The problem is that some users are configuring this link on some smart phones, i.e. BlackBerry, Nokia, and they are pulling the mails onto their personal phones.
Is there a way to restrict that or stop it?
My Exchange is 2003 - also there is a certificate for accessing this https link, so can I have a kind of certificate that will not open on Windows Mobile or Symbian OS?
Mestha:

This question has come up before.
For devices that use ActiveSync you can disable the feature.
However Blackberry is designed to use OWA as the interface, so stopping it is quite hard. You would have to block access from the Blackberry IP address range to the server. That is best done with an ISA server.

Simon.
Paranormastic:
About the only way is to allow them to use corporate devices only and enforce that by using some method that is only deployed to corporate machines.  The same technical risk applies to smartphones as it does to laptops and home desktops - just the likelihood of the event occurring goes up the more portable the device becomes.

The downside of this is that people will be unhappy.  How big of a deal that is will depend on your company.

The two main things that come to mind are:

1) Require VPN access that uses a certificate to authenticate.  Make sure that the certificate is specified as being non-exportable when installed.  This can be set via the CA template if you run your own CA, or you could have a specific administrator-controlled workstation that creates the certificates and exports them - during the export of the certificate and private key you can flag it as being non-exportable when you create the PKCS #12 (.pfx) file.  When they go to import, the non-exportable flag is already set and greyed out.  Remember to delete the .pfx file from the user's machine after import so they can't use that on another machine (even if it is password protected... users have a nasty habit of eventually finding out default passwords for things that they need/want access to).

The cert could be imported into whatever device by an admin.  If they are allowed to use a personal machine, they should sign something saying that they accept the responsibility for their actions, will not save data (or will protect it as if they were at work if they are allowed to save), etc. -- some kind of policy anyway that they have read and agree to by signing.  Then they have to bring their computer in to get the cert installed or allow you to remote into their home desktop.  If you're concerned about the legal aspects of dealing with home computers for a business environment, talk to a lawyer to set up an appropriate waiver and such - not my area of expertise.

So then their email is only accessible via the internal network - if they aren't on the internal network then they need to VPN or whatever to get in.

Another idea instead of VPN would be using citrix or a terminal server to allow internal access.  With these, a smartcard could be used for windows logon as a requirement.  Although technically there are smartcard readers out there for smartphones, they are spendy enough to keep most people from going that route (a couple hundred bucks or so).  Technically there is a workaround due to this, so this might not be the best method for you, but is a thought.

2) Client authentication certificates - have the website require client authentication certificates.  This can be used instead of, but more commonly in addition to, their normal username/password logon page.  Basically they need to authenticate using the cert, then they get access to the normal logon page, etc.  This is a setting within IIS (or most popular web server products like Apache, for that matter).  This is best done if issued from your own CA, so you can declare that under the root trust list that is defined within this area (not the normal root certificate store for the rest of Windows); that way a similar type of certificate cannot be purchased by the user from a commercial CA.

Similar concept here for the non-exportable certs.
maher771 (asker):
Thanks Mestha, but I don't think this will apply in my environment because we already have a BlackBerry server and phones are given to some of the managers - so I don't want to disturb them.
Also I can't control the ActiveSync features; I need to enforce something from the server level.

Paranormastic, this comment is a bit long - I just need to know if someone has implemented such a thing before so they can tell us how.

thanks

Either which way, certs are the answer.  For legit BB devices, you can deploy certs via the desktop manager software - probably just want to have an enrollment day and have the managers swing by to have their cert imported to their BB.

Assuming you already have a VPN solution, check its documentation to see if it supports certificate authentication.

For configuring Client Certificate Authentication in IIS:
http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html#

If anything is really that important, you might also start considering looking into an email encryption method.

If you have a BlackBerry server, then making the changes would not affect the devices connecting in that way. All it would do is stop the devices that are connecting through BIS.

Simon.
OK gents, again I need to find a complete solution for this -
If I am going to use certificates then I will place the cert on the server so the users will authenticate when they access the OWA using their company laptops while they are out of office.
OK, so if the user is going to use his personal mobile or smart phone, sure the cert will be downloaded and installed and he can use another software to store the company e-mails on his personal phone.
So the magic part here is that I wanted to find a way to make the server understand the platform of the mobile phone's OS and deny access to the OWA; then only they won't be able to authenticate and they also can't pull e-mails to their phones - so encryption has nothing to do with this, it's about blocking access to OWA on mobile OSs.
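The platform check the asker describes, as an added example that is not part of this thread or of any Exchange or IIS component: a small Python policy that classifies the client OS from the User-Agent header and replays constructed IIS-style OWA log lines through it. The token list, the log field layout and the log lines are assumptions made for the example.

```python
"""Hypothetical OWA front-door policy (constructed example): classify the client
platform from the User-Agent header and decide whether the request may reach OWA."""
from typing import NamedTuple

# Lower-case User-Agent substrings for the phone platforms named in the thread (assumed list).
MOBILE_OS_TOKENS = {
    "blackberry": "BlackBerry",
    "symbianos": "Symbian",
    "series60": "Symbian",
    "windows ce": "Windows Mobile",
    "iemobile": "Windows Mobile",
}

class Decision(NamedTuple):
    allowed: bool
    platform: str  # detected mobile platform, or "desktop/unknown"

def classify_platform(user_agent: str) -> str:
    """Return the mobile platform named by the User-Agent, if any."""
    ua = user_agent.lower()
    for token, platform in MOBILE_OS_TOKENS.items():
        if token in ua:
            return platform
    return "desktop/unknown"

def check_owa_access(headers: dict) -> Decision:
    """Allow only requests whose User-Agent does not identify a phone OS; a missing
    header counts as unknown and is allowed, since the goal is to block known phones."""
    platform = classify_platform(headers.get("User-Agent", ""))
    return Decision(allowed=platform == "desktop/unknown", platform=platform)

# Constructed IIS W3C-style log lines: date time c-ip cs-uri-stem cs(User-Agent).
# IIS writes the spaces inside the User-Agent field as '+'.
SAMPLE_LOG = """\
2009-03-02 08:15:01 203.0.113.10 /exchange/ Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)
2009-03-02 08:15:07 203.0.113.11 /exchange/ BlackBerry8100/4.2.0+Profile/MIDP-2.0+Configuration/CLDC-1.1
2009-03-02 08:15:12 203.0.113.12 /exchange/ Mozilla/5.0+(SymbianOS/9.2;+U;+Series60/3.1+NokiaN95/12.0.013)
2009-03-02 08:15:20 203.0.113.13 /exchange/ Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+CE;+IEMobile+7.6)
"""

def audit_log(log_text: str) -> list:
    """Replay log lines through the policy; returns (client_ip, platform, allowed) tuples."""
    results = []
    for line in log_text.splitlines():
        fields = line.split(" ", 4)
        if len(fields) < 5:
            continue  # blank or truncated line
        _date, _time, client_ip, _uri, ua_field = fields
        decision = check_owa_access({"User-Agent": ua_field.replace("+", " ")})
        results.append((client_ip, decision.platform, decision.allowed))
    return results
```

The User-Agent header is chosen by the client, so a rule like this only stops the stock phone browsers and sync clients the thread names; it complements rather than replaces the client-certificate approach Paranormastic describes.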
ASKER CERTIFIED SOLUTION
Mestha
This is what I wanted to know.