snowdog_2112 asked:

Exchange 2010/2013 enable Outlook Anywhere while disabling Activesync per user

Greetings,

Wondering if I can *guarantee* a user with ActiveSync DISABLED will *only* be able to access their mailbox using Outlook over HTTPS.

I have tested this by disabling ActiveSync on my mailbox - immediately, my phone complained "cannot get mail", while Outlook over HTTPS continued to work.

The question is, HOW does IIS/Exchange know my Outlook client is really Outlook?

I can see in the IIS logs that the client OS is identified for ActiveSync. But can an app either emulate Outlook, or simply screen scrape OWA, for that matter?

Can a 3rd party app "simulate" the Outlook connection process?  Does such an app already exist (on any mobile platform)?

Amit

These are protocols, or sets of rules, designed by MS. Whichever application fits the protocol can work with Exchange 2010.
Julian123

Exchange doesn't have a way to know that a client is really Outlook or not. It only knows two things:
1. The protocol that the client used to connect: this could be Outlook over HTTPS or ActiveSync. Typically the former is used by Outlook and the latter by mobile devices, but since both protocols are publicly documented another client could potentially use them.
2. The information about the client provided by the client: when an ActiveSync client connects, it tells the server what kind of client it is (iPhone, etc). It's possible for the device to return whatever client type it wants so it could potentially be providing correct information.

In short, there's unfortunately no way to 100% guarantee that the client is Outlook. It is also possible for a client to emulate a mobile device or screen scrape using OWA as you mentioned (BlackBerry devices have done this in the past).
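
A defender's view of the two signals described in this answer, as an added example that is not part of the original post: it reads IIS W3C log lines, maps each request to a protocol by URL path, and lists successful requests from users who are meant to use only Outlook Anywhere. The sample log, user names, the `audit` helper and the expected `MSRPC` agent value are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C format; hosts, users, IPs and agents are invented.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2013-05-01 09:00:01 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.test:6001 EXAMPLE\\alice 198.51.100.7 MSRPC 200
2013-05-01 09:00:02 RPC_OUT_DATA /rpc/rpcproxy.dll mail.example.test:6001 EXAMPLE\\alice 198.51.100.7 MSRPC 200
2013-05-01 09:01:10 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&DeviceType=iPhone EXAMPLE\\alice 203.0.113.9 Apple-iPhone5C1/1001.525 403
2013-05-01 09:02:30 GET /owa/ - EXAMPLE\\alice 203.0.113.9 SomeScraper/1.0 200
2013-05-01 09:03:00 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.test:6001 EXAMPLE\\alice 203.0.113.9 OtherClient/2.0 200
2013-05-01 09:04:00 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&DeviceType=Android EXAMPLE\\bob 203.0.113.20 Android/4.2 200
"""

PROTOCOLS = {  # lower-cased URL prefix -> protocol
    "/rpc/rpcproxy.dll": "OutlookAnywhere",
    "/microsoft-server-activesync": "ActiveSync",
    "/owa": "OWA",
    "/ews": "EWS",
}
# Assumption: agent string Outlook's RPC-over-HTTP layer sends; confirm in your own logs.
EXPECTED_OA_AGENT = "MSRPC"

def parse(log_text):
    """Yield one dict per request, using the column names from the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def audit(log_text, restricted_users):
    """Count successful requests by Outlook-Anywhere-only users that deserve a look.

    The agent is supplied by the client, so a finding is a lead to investigate
    and an empty result does not prove that every client was Outlook.
    """
    findings = Counter()
    for row in parse(log_text):
        user = row["cs-username"].lower()
        if user not in restricted_users or not row["sc-status"].startswith("2"):
            continue  # not a restricted user, or the server refused the request
        stem = row["cs-uri-stem"].lower()
        proto = next((p for pre, p in PROTOCOLS.items() if stem.startswith(pre)), "other")
        agent = row["cs(User-Agent)"]
        if proto != "OutlookAnywhere":
            findings[(user, proto, agent, "non-Outlook-Anywhere path")] += 1
        elif agent != EXPECTED_OA_AGENT:
            findings[(user, proto, agent, "unexpected agent on Outlook Anywhere")] += 1
    return findings
```

On the constructed sample, calling `audit(SAMPLE_LOG, {"example\\alice"})` reports the OWA request and the Outlook Anywhere request with the unfamiliar agent, and skips the ActiveSync attempt that the server refused.
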

To control it, you can use an ActiveSync policy.

Yes, but an ActiveSync policy disables only ActiveSync. Per the question above, Outlook over HTTPS is still allowed and that protocol could be used by Outlook or another client.

To answer this question: unless the user has an AD account, no one can log in. This is the last option: remove the AD account and nothing can be accessed.

I haven't seen anything other than Outlook use Outlook Anywhere. I don't believe that protocol is published. Not to say it isn't done, but I am not aware of anyone doing it.

However ActiveSync is licenced out, and the Mail Applet in Windows 8 RT for example uses it as do loads of other things.

If you want to really restrict things, then you will have to publish something in front of Exchange to control the traffic.

Simon.

snowdog_2112 (ASKER)

Excellent information - thank you all!

Regarding Outlook over HTTPS - are you saying that the protocol is "protected" to the extent that a mobile device (or non-Outlook client, for that matter) can't tell the IIS server and Exchange "Hey, I'm really Outlook" and gain access to the mailbox?

Thanks in advance for followup

As far as I know, Outlook Anywhere is used by Outlook only, not by handheld devices. For handheld devices, ActiveSync is designed and used.

Right, but is it *POSSIBLE* for a handheld to pose as Outlook?

Basically, I'm asking if I can allow only the Outlook client over https, while being certain no other application is able to connect and manipulate the mailbox.

Of course, OWA scraping may be the end-around I can't control.

ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

This solution is only available to members.

Agreed - I'm looking for technical solutions to management issues!

(literally, employees removed their Exchange accounts from their phones because IT has the "ability" to wipe their phone - seriously people...back up your phone, then it won't be an issue!)