snowdog_2112
asked on
Exchange 2010/2013 enable Outlook Anywhere while disabling Activesync per user
Greetings,
Wondering if I can *guarantee* a user with ActiveSync DISABLED will *only* be able to access their mailbox using Outlook over HTTPS.
I have tested this by disabling ActiveSync on my mailbox - immediately, my phone complained "cannot get mail", while Outlook over HTTPS continued to work.
The question is, HOW does IIS/Exchange know my Outlook client is really Outlook?
I can see in the IIS logs that the client OS is identified for Activesync. But can an app either emulate Outlook, or simply screen scrape OWA, for that matter?
Can a 3rd party app "simulate" the Outlook connection process? Does such an app already exist (on any mobile platform)?
These are protocols, or sets of rules, designed by MS. Whichever application fits the protocol can work with Exchange 2010.
Exchange doesn't have a way to know that a client is really Outlook or not. It only knows two things:
1. The protocol that the client used to connect: this could be Outlook over HTTPS or ActiveSync. Typically the former is used by Outlook and the latter by mobile devices, but since both protocols are publicly documented another client could potentially use them.
2. The information about the client provided by the client: when an ActiveSync client connects, it tells the server what kind of client it is (iPhone, etc.). It's possible for the device to return whatever client type it wants, so it could potentially provide incorrect information.
In short, there's unfortunately no way to 100% guarantee that the client is Outlook. It is also possible for a client to emulate a mobile device or screen scrape using OWA as you mentioned (BlackBerry devices have done this in the past).
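Since the server can only act on the protocol used and on what the client reports about itself, the practical control is the per-mailbox protocol switch set. The following is an added example (not code from the thread or from Microsoft); it assumes an Exchange 2010/2013 Management Shell and uses the placeholder mailbox `jdoe`:

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# 'jdoe' is a placeholder mailbox alias; replace it with the real identity.
$Mailbox = 'jdoe'

# Keep MAPI (the protocol that Outlook Anywhere carries over HTTPS) enabled and
# switch every other client access protocol off for this one user.
# EwsEnabled exists from Exchange 2010 SP1 onwards; drop it on RTM.
Set-CASMailbox -Identity $Mailbox `
    -ActiveSyncEnabled $false `
    -OWAEnabled        $false `
    -PopEnabled        $false `
    -ImapEnabled       $false `
    -EwsEnabled        $false `
    -MAPIEnabled       $true

# Optional extra fence on the MAPI side. The version filter only compares the
# version string the client reports, so it is a policy control, not proof that
# the client really is Outlook. The range below follows the format documented
# for Set-CASMailbox (assumed here; adjust the ranges to the builds you allow).
Set-CASMailbox -Identity $Mailbox `
    -MAPIBlockOutlookRpcHttp $false `
    -MAPIBlockOutlookVersions '-5.9.9;7.0.0-11.9.9'

# Verify what the mailbox now exposes.
Get-CASMailbox -Identity $Mailbox |
    Format-List ActiveSyncEnabled, OWAEnabled, PopEnabled, ImapEnabled,
                EwsEnabled, MAPIEnabled, MAPIBlockOutlookVersions

# Audit for drift: every mailbox that still has ActiveSync switched on.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncEnabled, MAPIEnabled
```

Remember that MAPIEnabled governs the protocol, not the program: any client that speaks RPC over HTTP with valid credentials passes this gate, which is exactly the limitation described in the answer above.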
To control it, you can use an ActiveSync policy.
Yes, but an ActiveSync policy disables only ActiveSync. Per the question above, Outlook over HTTPS is still allowed, and that protocol could be used by Outlook or another client.
To answer this question: unless the user has an AD account, no one can log in. This is the last option: remove the AD account and nothing can be accessed.
I haven't seen anything other than Outlook use Outlook Anywhere. I don't believe that protocol is published. Not to say it isn't done, but I am not aware of anyone doing it.
However ActiveSync is licenced out, and the Mail Applet in Windows 8 RT for example uses it as do loads of other things.
If you want to really restrict things, then you will have to publish something in front of Exchange to control the traffic.
Simon.
ASKER
Excellent information - thank you all!
Regarding Outlook over HTTPS: are you saying that the protocol is "protected" to the extent that a mobile device (or non-Outlook client, for that matter) can't tell the IIS server and Exchange "Hey, I'm really Outlook" and gain access to the mailbox?
Thanks in advance for followup
As far as I know, Outlook Anywhere is used by Outlook only, not by handheld devices. For handheld devices ActiveSync is designed and used.
ASKER
Right, but is it *POSSIBLE* for a handheld to pose as Outlook?
Basically, I'm asking if I can allow only the Outlook client over HTTPS while being certain no other application is able to connect and manipulate the mailbox.
Of course, OWA scraping may be the end-around I can't control.
ASKER CERTIFIED SOLUTION
ASKER
Agreed. I'm looking for technical solutions to management issues!
(literally, employees removed their Exchange accounts from their phones because IT has the "ability" to wipe their phone - seriously people...back up your phone, then it won't be an issue!)