Controlling device access to Exchange server

Hello, we are running Exchange 2010 that is accessed by Outlook on Win7 and a variety of handheld devices (Active Sync). All these clients can be setup just by using username/password, which means that if I have someone's credentials I can setup a connection to the server and access their email. The question is: Is there a way to add an additional level of security so that only "approved" devices will be able to access the server? What are my options? Thanks. -Christos
criskritAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

adez12Commented:
Sounds like you're looking for a MDM (Mobile Device Management) solution.  Namely: Maas360, MobileIron, or the  free MDM from Cisco called Meraki.
0
Travis MartinezSmoke JumperCommented:
Enable a Device for Exchange ActiveSync

Restricting mobile handsets based on Device ID:

http://technet.microsoft.com/en-us/library/bb266947%28v=exchg.141%29.aspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Steven WellsSystems AdministratorCommented:
I use a combination for MDM and alloweddeviceids to prevent unauthorised devices.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

criskritAuthor Commented:
Hello and thanks for the answers. Just to clarify, I am not looking for network device management, I assume clients (laptops, smartphones) connect from anywhere on the planet through their home internet, a coffee shop WiFi, or their mobile provider. This is strictly between Exchange & the client. So yes, something like Device ID would be a good approach. Also has anyone heard of certificate-based authorization? ie Exchange accepting a device only if a manually-installed certificate is present. Many thanks!
0
Steven WellsSystems AdministratorCommented:
A certificate option wouldn't work very well as the device can be configured to use untrusted Certs.
0
Travis MartinezSmoke JumperCommented:
You're correct but a 3rd part integrated system like BrotherSoft or Nitro Desk could.

Get out your checkbook though.  Anytime you see the "key management" it'll be the gift that annually keeps saying "you scratch my back and I'll tell you when to stop"...  

I guess the follow on question back is; what are you either trying to attain/accomplish or restrict/deny?

If the specific device target the employ has is of concern then this might help:  anything is possible, absolutely without a doubt it us...  however, highly unlikely thus the associated design costs, runrate, and support buckets - all tallied up equals, don't sweat it and continue with the standards of environment patch, release levels, reference architectures and the security umbrellas provided with each.

Remember, locks on your house are to keep those of us honest - remaining honest.  If an individual is capable and of the mindset to get in; the lock isn't going to stop them.

Similar with nework penitration and compromise.  Most all crimes are those of ease and opportunity.  With open source tools freely available and purpose built POSIX images with simple front ends.  The caliber of "attackers" is actually pretty low and to be fair insulting.

Anyone with $100 to buy a "Pineapple" doesn't have to know anything about Linux, networking,  how a Wireless signal works, none of it.  Follow the flash cards and set the dioseitches and viola - you're a "hacker".

Change defaults to one off and 99% will disappear having no clue what to do next.

Someone who's truly skilled and of the mindset and for whatever reason you've fallen inside their focus...  you can't defend against that type of person.  There's too many variables and attack surfaces.  Its a matter of time. I don't care who you, you're gonna get got.

My experience though is they're not scoundrels and more than likely; there's a real reason and nor just destruction or thievery.

If the other way and you want control of the asset.  Force provide it to your base and between you and the carrier you can harden however you'd like.  But. $$$$
0
criskritAuthor Commented:
Okay guys, thanks. :-)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.