Keith Pratola
asked on
Exchange 2013 ActiveSync Administration from Exchange Admin Center
I am looking for a way to grant Help Desk technicians access to only ActiveSync within the Exchange 2013 EAC. Basically management wants the Help Desk to be able to issue a Remote Wipe to devices after an employee is terminated, but not be able to manage mailboxes or anything else in Exchange.
I started by creating a copy of "View-Only Organization Management" in the Admin Roles. This at least allows them to log into EAC and view mailboxes but the "Mobile Devices" section is completely missing.
I then went into ADUC and into the Advanced Security Settings of the new Security Group and made the following changes which are probably completely wrong.
Highlighted Authenticated Users and clicked on Edit.
Selected - Applies to: Descendant msExchActiveSyncDevices objects
Added the following permissions.
Create msExchActiveSyncDevice objects
Delete msExchActiveSyncDevice objects
Write msExchMobileSettings
This doesn't do anything and I am unfortunately just guessing, but I suspect there must be some specific permissions that need to be selected in order for this to work. I know Active Directory is very granular, but I am not overly familiar with all the security settings.
SOLUTION
Exchange does cache permissions, so it could be a while before it takes full effect.
Have you tried creating a wipe command from EMS as one of the users, with the -whatif command at the end (which basically does everything but send the command).
That will confirm if the permission is correct.
Simon.
I would start by referencing the Exchange 2013 Clients and Mobile Devices Management Role Assignment. This link illustrates the exact permissions your users will need to ensure they can access Activesync settings accordingly based on the tasks they are required to do.
https://technet.microsoft.com/en-us/library/dd638131%28v=exchg.150%29.aspx
Will.
ASKER
Simon,
The Exchange 2010 article was pretty close. I had to add the following roles.
Get-MobileDevice
Get-MobileDeviceStatistics
Clear-MobileDevice
Remove-MobileDevice
The "Mobile Devices" still didn't show up on the right, but if you go to edit a mailbox, you can access the Mobile Device settings in there and wipe the data. I guess the main difference between 2010 and 2013 was calling it MobileDevice instead of ActiveSync.
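The role-building steps discussed in the thread (a custom role carrying only the four *-MobileDevice cmdlets, assigned to the Help Desk) and Simon's -WhatIf verification, put together as one added Exchange Management Shell example. This is not code from the original thread; the role name HelpDeskWipeOnly, the role group name, the technician account CORP\helpdesk.tech1, the server URL and the mailbox terminated.user are assumptions.

```powershell
# Added example (not from the original thread). Assumed names: HelpDeskWipeOnly,
# "Help Desk - Remote Wipe", CORP\helpdesk.tech1, ex2013.corp.example, terminated.user.

# 1. Derive a child role from the built-in "Mail Recipients" role, which contains the
#    *-MobileDevice entries. A custom role can only keep entries its parent already has.
New-ManagementRole -Name "HelpDeskWipeOnly" -Parent "Mail Recipients"

# 2. Remove every role entry except the four cmdlets the asker needed. Entries are
#    addressed as "Role\Cmdlet"; "*" matches all entries in the role.
$keep = 'Get-MobileDevice', 'Get-MobileDeviceStatistics',
        'Clear-MobileDevice', 'Remove-MobileDevice'
Get-ManagementRoleEntry "HelpDeskWipeOnly\*" |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry "HelpDeskWipeOnly\$($_.Name)" -Confirm:$false
    }

# 3. Confirm that only the intended entries remain before assigning the role.
Get-ManagementRoleEntry "HelpDeskWipeOnly\*" | Format-Table Name, Parameters -AutoSize

# 4. Create a role group that carries only this role. The role group is a universal
#    security group in AD, but membership and rights are managed through RBAC cmdlets,
#    not by editing the group's ACL in ADUC.
New-RoleGroup -Name "Help Desk - Remote Wipe" -Roles "HelpDeskWipeOnly" `
              -Members "CORP\helpdesk.tech1"

# 5. Verify as the technician in a fresh remote session. RBAC results are cached per
#    session, so an already-open session will not see the new assignment.
#    -WhatIf passes through the RBAC check but does not queue the wipe.
$cred = Get-Credential "CORP\helpdesk.tech1"
$s = New-PSSession -ConfigurationName Microsoft.Exchange `
                   -ConnectionUri "http://ex2013.corp.example/PowerShell/" `
                   -Authentication Kerberos -Credential $cred
Import-PSSession $s

$devices = Get-MobileDevice -Mailbox "terminated.user"
$devices | Format-Table DeviceId, DeviceType, DeviceModel -AutoSize
Clear-MobileDevice -Identity $devices[0].Identity -WhatIf

# Negative check: a mailbox cmdlet that is NOT in the role must fail with
# "not recognized as the name of a cmdlet" in the technician's session.
Set-Mailbox -Identity "terminated.user" -WhatIf

Remove-PSSession $s
```

The role is deliberately built by subtraction from "Mail Recipients" rather than by adding entries, because Exchange only allows a custom role to contain entries present in its parent; listing the remaining entries in step 3 is the check that nothing else survived. The EAC's left-hand "mobile" section (device access rules and mailbox policies) is driven by organization-level cmdlets such as Set-ActiveSyncDeviceAccessRule in a different role, which this role intentionally does not include, so the technician reaches the wipe from the mailbox's properties, as the asker found.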
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
The original solution provided only works on Exchange 2010. I have provided the correct steps to get this to work for Exchange 2013.
ASKER
Admin Role: OnlyActiveSyncDeviceWipe
Roles: StrictlyRecipActiveSyncDev
The test account can log into EAC and view accounts, but you still can't even see the section Mobile Devices. I went through the instructions at the bottom.
Any ideas? Would be awesome if I can get this working.