Exchange 2013 ActiveSync Administration from Exchange Admin Center

I am looking for a way to grant Help Desk technicians access to only ActiveSync within the Exchange 2013 EAC. Basically management wants the Help Desk to be able to issue a Remote Wipe to devices after an employee is terminated, but not be able to manage mailboxes or anything else in Exchange.

I started by creating a copy of "View-Only Organization Management" in the Admin Roles. This at least allows them to log into EAC and view mailboxes but the "Mobile Devices" section is completely missing.

I then went into ADUC and into the Advanced Security Settings of the new Security Group and made the following changes which are probably completely wrong.

Highlighted Authenticated Users and clicked on Edit.
Selected - Applies to: Descendant msExchActiveSyncDevices objects
Added the following permissions.
Create msExchActiveSyncDevice objects
Delete msExchActiveSyncDevice objects
Write msExchMobileSettings


This doesn't do anything and I am unfortunately just guessing, but I suspect there must be some specific permissions that need to be selected in order for this to work. I know Active Directory is very granular, but I am not overly familiar with all the security settings.
Keith Pratola, Senior Systems Architect, asked:

Simon Butler (Sembee), Consultant, commented:
There was no need to go through ADUC at all.
The Exchange team blog has a walk through for your exact scenario:

http://blogs.technet.com/b/exchange/archive/2012/09/12/rbac-walkthrough-of-creating-a-role-that-can-wipe-activesync-devices.aspx

It is for Exchange 2010, but the process is identical in Exchange 2013.

Simon.
Keith Pratola, Senior Systems Architect (Author), commented:
Unfortunately that doesn't quite seem to work. In the end I have the following.

Admin Role: OnlyActiveSyncDeviceWipe
Roles: StrictlyRecipActiveSyncDeviceWipe and OrgClientAccessWipeDeviceOnly

The test account can log into EAC and view accounts, but you still can't even see the section Mobile Devices. I went through the instructions at the bottom.

new-managementrole -parent "Mail Recipients" -name StrictlyRecipActiveSyncDeviceWipe 
new-managementrole -parent "organization client access" -name OrgClientAccessWipeDeviceOnly 
get-managementroleentry "OrgClientAccessWipeDeviceOnly\*" |where{$_.name -notlike "*set-casm*"}| Remove-ManagementRoleEntry
get-managementroleentry "StrictlyRecipActiveSyncDeviceWipe\*" |where{$_.name -notlike "*activesync*"}| Remove-ManagementRoleEntry
add-ManagementRoleEntry "Mail Recipients\get-mailbox" -role StrictlyRecipActiveSyncDeviceWipe 
add-ManagementRoleEntry "Mail Recipients\get-user" -role StrictlyRecipActiveSyncDeviceWipe 
add-ManagementRoleEntry "Mail Recipients\get-recipient" -role StrictlyRecipActiveSyncDeviceWipe 
add-ManagementRoleEntry "Mail Recipients\get-casmailbox" -role StrictlyRecipActiveSyncDeviceWipe 
New-RoleGroup -Name "OnlyActiveSyncDeviceWipe" -Roles StrictlyRecipActiveSyncDeviceWipe,OrgClientAccessWipeDeviceOnly -members WipeTest

Any ideas? Would be awesome if I can get this working.
Simon Butler (Sembee), Consultant, commented:
Exchange does cache permissions, so it could be a while before it takes full effect.

Have you tried creating a wipe command from EMS as one of the users, with the -WhatIf parameter at the end (which basically does everything but send the command)?

That will confirm if the permission is correct.

Simon.
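The check Simon describes, written out as an added example that is not part of the thread: first audit from an admin shell what the role group actually grants, then connect as the delegated account and dry-run a wipe with -WhatIf. The role group and test user names are the ones from Keith's post; the domain, server URL, test mailbox and notification address are placeholders.

```powershell
# Added example (not from the thread): audit what the delegated role group can
# run, then dry-run a wipe as the delegated user, which is the -WhatIf check
# Simon suggests. Assumptions: role group and test user are the ones from
# Keith's post (OnlyActiveSyncDeviceWipe, WipeTest); the domain, server URL,
# mailbox and notification address below are placeholders.

# ---- Part 1: from an admin Exchange Management Shell -----------------------

# Roles assigned to the role group, the scope they write to, and the members.
Get-ManagementRoleAssignment -RoleAssignee 'OnlyActiveSyncDeviceWipe' |
    Format-Table Name, Role, RecipientWriteScope -AutoSize
Get-RoleGroupMember -Identity 'OnlyActiveSyncDeviceWipe'

# Which roles grant the wipe cmdlet at all; the custom role should be listed.
Get-ManagementRole -Cmdlet Clear-MobileDevice | Select-Object Name

# Every non-Get entry the custom roles expose, with its parameter list:
# anything that can change a mailbox is what a least-privilege review looks at.
'StrictlyRecipActiveSyncDeviceWipe\*', 'OrgClientAccessWipeDeviceOnly\*' |
    ForEach-Object { Get-ManagementRoleEntry $_ } |
    Where-Object { $_.Name -notlike 'Get-*' } |
    Format-Table Name, Role, @{ n = 'Parameters'; e = { $_.Parameters -join ', ' } } -Wrap

# ---- Part 2: connect as the delegated account ------------------------------

$cred    = Get-Credential -UserName 'CONTOSO\WipeTest' -Message 'Delegated account'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://exch01.contoso.local/PowerShell/' `
    -Authentication Kerberos -Credential $cred
Import-PSSession $session -DisableNameChecking | Out-Null

# RBAC only proxies the cmdlets in the user's roles; the rest are not imported
# at all, so this is a direct view of the effective permission.
'Get-MobileDevice', 'Clear-MobileDevice', 'Set-CASMailbox', 'Set-Mailbox' |
    ForEach-Object {
        $present = [bool](Get-Command $_ -ErrorAction SilentlyContinue)
        '{0,-20} {1}' -f $_, $(if ($present) { 'available' } else { 'not granted' })
    }

# Dry-run wipe of the first device on a test mailbox: everything except
# issuing the command, so a permission problem shows up here rather than on a
# terminated employee's phone.
$device = Get-MobileDevice -Mailbox 'wipe.test@contoso.local' | Select-Object -First 1
if ($device) {
    Clear-MobileDevice -Identity $device.Identity `
        -NotificationEmailAddresses 'helpdesk@contoso.local' -WhatIf
}

Remove-PSSession $session
```

If Part 2 reports a cmdlet as "not granted" right after a role change, repeat the check after a while before changing anything else: as Simon notes, Exchange caches role assignments, so the remote session may still reflect the old role set.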

Will Szymkowski, Senior Solution Architect, commented:
I would start by referencing the Exchange 2013 Clients and Mobile Devices Management Role Assignment. This link illustrates the exact permissions your users will need to ensure they can access ActiveSync settings accordingly based on the tasks they are required to do.

https://technet.microsoft.com/en-us/library/dd638131%28v=exchg.150%29.aspx

Will.
Keith Pratola, Senior Systems Architect (Author), commented:
Simon,

The Exchange 2010 article was pretty close. I had to add the following roles.

Get-MobileDevice
Get-MobileDeviceStatistics
Clear-MobileDevice
Remove-MobileDevice

The "Mobile Devices" still didn't show up on the right, but if you go to edit a mailbox, you can access the Mobile Device settings in there and wipe the data. I guess the main difference between 2010 and 2013 was calling it MobileDevice instead of ActiveSync.
Keith Pratola, Senior Systems Architect (Author), commented:
OK, slight modification for Exchange 2013. The Set-CASMailbox actually gives the tech access to disable IMAP, POP3, and MAPI. Not exactly something I would want them touching. Here are the commands I used that work for just performing a remote wipe.

new-managementrole -parent "Mail Recipients" -name StrictlyMobileDeviceWipe
get-managementroleentry "StrictlyMobileDeviceWipe\*" |where{$_.name -notlike "*Get-CASMailbox*"}| Remove-ManagementRoleEntry
add-ManagementRoleEntry "Mail Recipients\get-mailbox" -role StrictlyMobileDeviceWipe
add-ManagementRoleEntry "Mail Recipients\get-user" -role StrictlyMobileDeviceWipe
add-ManagementRoleEntry "Mail Recipients\get-recipient" -role StrictlyMobileDeviceWipe
add-ManagementRoleEntry "Mail Recipients\Get-MobileDevice" -role StrictlyMobileDeviceWipe
add-ManagementRoleEntry "Mail Recipients\Get-MobileDeviceStatistics" -role StrictlyMobileDeviceWipe
add-ManagementRoleEntry "Mail Recipients\Clear-MobileDevice" -role StrictlyMobileDeviceWipe
New-RoleGroup -Name "ActiveSync Management" -Roles StrictlyMobileDeviceWipe -members ExchangeTest


And to verify.

Get-ManagementRoleEntry "StrictlyMobileDeviceWipe\*"

Name                           Role                      Parameters
----                           ----                      ----------
Clear-MobileDevice             StrictlyMobileDeviceWipe  {Cancel, Confirm, Debug, DomainController, ErrorAction, Err...
Get-MobileDeviceStatistics     StrictlyMobileDeviceWipe  {ActiveSync, Debug, DomainController, ErrorAction, ErrorVar...
Get-MobileDevice               StrictlyMobileDeviceWipe  {ActiveSync, Debug, DomainController, ErrorAction, ErrorVar...
Get-Recipient                  StrictlyMobileDeviceWipe  {Anr, BookmarkDisplayName, ErrorAction, ErrorVariable, Filt...
Get-User                       StrictlyMobileDeviceWipe  {Anr, Credential, Debug, DomainController, ErrorAction, Err...
Get-Mailbox                    StrictlyMobileDeviceWipe  {Anr, Archive, Credential, Debug, DomainController, ErrorAc...
Get-CASMailbox                 StrictlyMobileDeviceWipe  {ActiveSyncDebugLogging, Anr, Credential, Debug, DomainCont...


If you want to also remove the mobile device, then you can add Remove-MobileDevice.

Keith Pratola, Senior Systems Architect (Author), commented:
I spoke too soon. So without the Set-CASMailbox permission, you can click on Wipe Data, but there is no Save button to actually issue the command. So unfortunately Set-CASMailbox is also required. This gives the tech the following additional abilities at a mailbox level.

Disable/Enable Exchange ActiveSync
Disable/Enable OWA for Devices
Disable/Enable Outlook Web App
Disable/Enable IMAP
Disable/Enable POP3
Disable/Enable MAPI
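The finished Exchange 2013 role from the two posts above, rebuilt as a repeatable script (an added example, not Keith's own commands) with one change a least-privilege review would ask for: Set-CASMailbox is added as a role entry with a parameter allow-list instead of the whole cmdlet, so the protocol switches listed above are not reachable through it. Which parameters the EAC save step actually passes is not shown in the thread, so the "Identity only" subset is an assumption to be tested in the EAC before rollout; the script also assumes Set-CASMailbox is present in the Mail Recipients parent role, and reuses the role, group and member names from the post.

```powershell
# Added example (not from the thread): a repeatable build of the Exchange 2013
# wipe-only role from Keith's final posts, with one change a least-privilege
# review would ask for. Set-CASMailbox is added with a parameter subset instead
# of the whole cmdlet, so the protocol switches (ActiveSyncEnabled, OWAEnabled,
# ImapEnabled, PopEnabled, MAPIEnabled) stay out of the help desk's reach.
# Assumptions: the EAC save step only needs Identity on Set-CASMailbox (the
# thread does not show which parameters the dialog passes; verify in the EAC
# before rollout), Set-CASMailbox exists in the parent role, and the role,
# group and member names are the ones from the thread.

$role   = 'StrictlyMobileDeviceWipe'
$group  = 'ActiveSync Management'
$member = 'ExchangeTest'

# 1. Child of Mail Recipients; a child role can only contain entries and
#    parameters that its parent has, so it can never exceed the parent.
if (-not (Get-ManagementRole -Identity $role -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent 'Mail Recipients' -Name $role | Out-Null
}

# 2. Keep Get-CASMailbox, drop every other inherited entry, then add back the
#    read-only lookups plus the wipe cmdlet. Running this twice is safe.
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $_.Name -ne 'Get-CASMailbox' } |
    Remove-ManagementRoleEntry -Confirm:$false

$needed = 'Get-Mailbox', 'Get-User', 'Get-Recipient',
          'Get-MobileDevice', 'Get-MobileDeviceStatistics', 'Clear-MobileDevice'
foreach ($cmdlet in $needed) {
    Add-ManagementRoleEntry "Mail Recipients\$cmdlet" -Role $role
}
# Optional, as noted in the thread: let the help desk delete the device record too.
# Add-ManagementRoleEntry 'Mail Recipients\Remove-MobileDevice' -Role $role

# 3. Set-CASMailbox with a parameter allow-list rather than all of its
#    parameters (assumption: Identity is all the EAC wipe dialog needs).
Add-ManagementRoleEntry 'Mail Recipients\Set-CASMailbox' -Role $role `
    -Parameters Identity, DomainController, Confirm, WhatIf, ErrorAction, WarningAction

# 4. Role group that carries the role; the help desk account is its member.
if (-not (Get-RoleGroup -Identity $group -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $group -Roles $role -Members $member | Out-Null
} else {
    Add-RoleGroupMember -Identity $group -Member $member
}

# 5. Review the result: the Set-CASMailbox line should list only the subset
#    from step 3, and no Set-*/Remove-* entry beyond the wipe should remain.
Get-ManagementRoleEntry "$role\*" |
    Sort-Object Name |
    Format-Table Name, @{ n = 'Parameters'; e = { $_.Parameters -join ', ' } } -AutoSize -Wrap
```

Then log into the EAC as the member account and walk through Wipe Data on a test mailbox. If the Save button is still missing, the dialog needs more than Identity: add parameters back one at a time with `Set-ManagementRoleEntry "$role\Set-CASMailbox" -Parameters <name> -AddParameter` until the save works, which leaves the protocol switches excluded rather than granting the whole cmdlet. The role assignment's recipient write scope defaults to the whole organization; if the help desk should only wipe devices for a subset of users, that is narrowed on the assignment with a custom recipient write scope, a separate step not covered in the thread.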
Keith Pratola, Senior Systems Architect (Author), commented:
The original solution provided only works on Exchange 2010. I have provided the correct steps to get this to work for Exchange 2013.