
How can I delegate Exchange 2010 ActiveSync Device Approval through Exchange Control Panel

DonYoung asked:
Have recently deployed Exchange 2010.  We have set up an ActiveSync Rule that all new devices are quarantined by default.

I would like to delegate the approval of these devices to a non-admin user, allowing them to go to the ECP and allowing the devices after the appropriate paperwork has been submitted.

I am creating a custom management role to assign to these non-admin users.  However, I don't know which Role to base it on, and what subset commands of that role need to remain in place.

Any help appreciated.

Jian An Lim, Solutions Architect
CERTIFIED EXPERT
Top Expert 2016

Commented:
hmm...


refer to http://msdn.microsoft.com/en-us/library/dd638131.aspx


it is modifying Exchange ActiveSync device settings and it will need the Recipient Management role.

in ECP, go to Phone & Voice, then ActiveSync Access

it will allow you to allow quarantined devices
DonYoung, Sr. Enterprise Architect

Author

Commented:
I actually started there.  Assigning the Mail Recipient Role gives the ActiveSync Device Policy Tab, but NOT the ActiveSync Access tab.  So that's not it.

So far I have found that assigning the following two roles gives access; "Organization Client Access" and "User Options" - but too much access.  I don't want the non-admin users to be able to edit the user options as exposed on the Users tab.
Jian An Lim, Solutions Architect
CERTIFIED EXPERT
Top Expert 2016

Commented:
http://www.networksteve.com/exchange/topic.php/Delegate_permissions_to_helpdesk_administrators_to_change_recipi/?TopicId=27494&Posts=6

okay, according to this page, you should assign the custom Management Role to the user or the Role Group. You need to do it through an RBAC role group.
DonYoung, Sr. Enterprise Architect

Author

Commented:
Been there too.  It's not ActiveSync Policy assignment I need them to manage.  In fact, I do NOT want them to be able to change what policy the user has.  I simply need to allow them to "Allow" or "Block" a device.
Akhater, Solutions Architect
CERTIFIED EXPERT

Commented:
Hi there,


I am not claiming I already did it, but I have experience with RBAC and I am willing to give it a try if you are ready to bear with me.

is there any role you found that will give you this permission through ECP? if yes, can you please tell me which role and give me a screenshot of how it shows in ECP?

When you give me this I will sort it out for you
Akhater, Solutions Architect
CERTIFIED EXPERT

Commented:
OK, I just found the info I need is already in the question. Will be back to you.
DonYoung, Sr. Enterprise Architect

Author

Commented:
Akhater...  I have time.  :)  I just have to have an admin do it until I get it properly set up.  Here is what I have done so far:

Created a new Management Role Group (EAS Device Management) and found that if I assign "Organization Client Access" and "User Options" to that group, the non-admin user can allow or block the devices.  However they can also edit user settings, which I do not want.  Here are two screen shots:

 Screen Shot 1
 Screen shot 2
Akhater, Solutions Architect
CERTIFIED EXPERT

Commented:
Well, I don't promise anything, but this is a quite interesting challenge for me so I will give it a try :o)
Akhater, Solutions Architect
CERTIFIED EXPERT

Commented:
OK please try this for me

# Create two child roles that inherit the entries of the parent roles found earlier
New-ManagementRole "ActiveSync User Options" -Parent 'User Options'

New-ManagementRole "ActiveSync Client Access" -Parent 'Organization Client Access'

# Strip every inherited cmdlet whose name does not contain "ActiveSync"
Get-ManagementRoleEntry -Identity 'ActiveSync User Options\*' | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False

Get-ManagementRoleEntry -Identity 'ActiveSync Client Access\*' | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False

# Also remove the org-wide ActiveSync settings and access-rule cmdlets, which the helpdesk must not change
Remove-ManagementRoleEntry 'ActiveSync Client Access\Set-ActiveSyncOrganizationSettings'
Remove-ManagementRoleEntry 'ActiveSync Client Access\Set-ActiveSyncDeviceAccessRule'
Remove-ManagementRoleEntry 'ActiveSync Client Access\Remove-ActiveSyncDeviceAccessRule'
Remove-ManagementRoleEntry 'ActiveSync Client Access\New-ActiveSyncDeviceAccessRule'

# Put both trimmed roles in a new role group and add the delegated user to it
New-RoleGroup 'ActiveSync Access Admins' -Roles 'ActiveSync User Options', 'ActiveSync Client Access'

Add-RoleGroupMember "ActiveSync Access Admins" -Member user@domain.com

Akhater, Solutions Architect
CERTIFIED EXPERT

Commented:
wait, it is too restrictive :)
DonYoung, Sr. Enterprise Architect

Author

Commented:
While I don't currently have a quarantined device to test with, it only shows the correct tab...  What part is too restrictive?
Akhater, Solutions Architect
CERTIFIED EXPERT

Commented:
The Allow and Block options are not showing next to quarantined devices
DonYoung, Sr. Enterprise Architect

Author

Commented:
Ah.  Yes.  That would be a problem.  :)
DonYoung, Sr. Enterprise Architect

Author

Commented:
Backing out.
Solutions Architect
CERTIFIED EXPERT
Commented:
OK, you just need to add to the above

# ECP needs the CAS mailbox cmdlets to read and update the per-mailbox allowed/blocked device lists
Add-ManagementRoleEntry -Identity 'ActiveSync Client Access\Get-CASMailbox'
Add-ManagementRoleEntry -Identity 'ActiveSync Client Access\Set-CASMailbox'


and you should be good to go.

Give it a spin and let me know
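The procedure from the two posts above, assembled into one idempotent Exchange Management Shell script that ends with an audit of what the delegated group can actually run. This is an added example, not Akhater's or Microsoft's code. It uses the role and group names from this thread; the restriction of Set-CASMailbox to the Identity, ActiveSyncAllowedDeviceIDs and ActiveSyncBlockedDeviceIDs parameters is an assumption about what the ECP Allow/Block buttons need, so test it in a lab before relying on it (drop the -Parameters argument to get the thread's broader entry).

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell
# as a member of Organization Management.
# Assumption: ECP's Allow/Block only needs Get-CASMailbox plus the two device-ID
# parameters of Set-CASMailbox; verify in a lab before narrowing in production.

$roles = @{
    'ActiveSync User Options'  = 'User Options'
    'ActiveSync Client Access' = 'Organization Client Access'
}
$group = 'ActiveSync Access Admins'

foreach ($name in $roles.Keys) {
    # Create the child role only if it does not already exist (safe to re-run)
    if (-not (Get-ManagementRole $name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $name -Parent $roles[$name] | Out-Null
    }
    # Strip every inherited cmdlet that is not ActiveSync-related
    Get-ManagementRoleEntry "$name\*" |
        Where-Object { $_.Name -notlike '*ActiveSync*' } |
        Remove-ManagementRoleEntry -Confirm:$false
}

# The delegated users must not be able to rewrite org-wide ActiveSync settings
# or the device access rules that put devices in quarantine in the first place.
'Set-ActiveSyncOrganizationSettings',
'New-ActiveSyncDeviceAccessRule',
'Set-ActiveSyncDeviceAccessRule',
'Remove-ActiveSyncDeviceAccessRule' | ForEach-Object {
    Remove-ManagementRoleEntry "ActiveSync Client Access\$_" `
        -Confirm:$false -ErrorAction SilentlyContinue
}

# Re-add the CAS mailbox cmdlets ECP uses for Allow/Block. Limiting Set-CASMailbox
# to the device-ID parameters (assumption, see above) keeps OWA/POP/IMAP and
# ActiveSync policy assignment changes out of the delegated users' reach.
Add-ManagementRoleEntry 'ActiveSync Client Access\Get-CASMailbox'
Add-ManagementRoleEntry 'ActiveSync Client Access\Set-CASMailbox' `
    -Parameters Identity,ActiveSyncAllowedDeviceIDs,ActiveSyncBlockedDeviceIDs

# Bind both trimmed roles to one role group; members are added separately with
# Add-RoleGroupMember as in the thread.
if (-not (Get-RoleGroup $group -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $group -Roles @($roles.Keys) | Out-Null
}

# Audit: every cmdlet (with its permitted parameters) the group's members can run.
# Review this list whenever the roles are changed; anything outside ActiveSync
# device handling and the two CAS mailbox cmdlets is over-delegation.
Get-ManagementRoleAssignment -RoleAssignee $group | ForEach-Object {
    Get-ManagementRoleEntry "$($_.Role)\*"
} |
    Select-Object Role, Name, @{ n = 'Parameters'; e = { $_.Parameters -join ',' } } |
    Sort-Object Role, Name |
    Format-Table -AutoSize
```

Running the script twice is harmless because the role and group creation are guarded and the removals ignore entries that are already gone. The closing audit is the piece worth keeping around: compare its output after any Exchange cumulative update, since new cmdlets added to the parent roles are not inherited by the trimmed child roles, but anything re-added by hand is.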
DonYoung, Sr. Enterprise Architect

Author

Commented:
Perfect!  Thank you VERY much!
Akhater, Solutions Architect
CERTIFIED EXPERT

Commented:
Thank you for the challenge and the points.

If, when you put it in action, you have issues, just update this thread and I will follow it up with you.
Is it also possible to send approval mails only for certain OU users? Right now all admins will be informed about all devices, but some of them only need to approve (are allowed to approve) devices from certain Organizational Units.

Thank you very much!!