Locking Active Sync in O365 for non-managed devices

Asked by ARM2009

Can we lock ActiveSync on mobile devices via AD FS using conditional access and the Workplace Join option?

Looking to lock non-workplace-joined iOS devices to block access to native email via AD FS or certificate...

Tags: PowerShell, Microsoft 365, iPhone

Vasil Michev (MVP):
You can use device registration for that, but there are some prerequisites: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-on-premises-setup/

Alternatively you can use Intune: https://technet.microsoft.com/en-us/library/dn818907.aspx
ARM2009 (asker):
Device registration does not lock ActiveSync native mail on non-managed devices... any way around that?

Vasil Michev (MVP):

Device registration allows you to use the isregistereduser or registrationid claims, based on which you can allow/block specific or all applications, or force MFA for them, etc.
ARM2009 (asker):
Understood, but... does the ActiveSync connection even go through AD FS to check for isregisteredid? As I understand it, the AS connection does not go the AD FS route to do these checks.

Vasil Michev (MVP):

If it's a federated account, it will pass through AD FS at least once. That's the whole idea of having federation: your on-prem servers are responsible for authentication and partly for authorization.
ARM2009 (asker):
That was my thought process, but from what I am told by MS and from my own research, ActiveSync does not go via AD FS. Do you know of any claim rule that can check for it at the AD FS level?
ASKER CERTIFIED SOLUTION by Vasil Michev (MVP)

(Solution text not available on this page.)
ARM2009 (asker):

Testing this now and will update with results.
ARM2009 (asker):
The claim rule you need is the "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",

This link you posted is a broken link... do you have a new link?

Vasil Michev (MVP):

That's not a link, it's the format used for claims rules (URI notation). Read the article above.
ARM2009 (asker):
Yes... got it.

So, testing with that claim rule as follows...

I am setting a rule in AD FS to allow all ActiveSync connections without doing "permit all".

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");


or

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

None work... any ideas?
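As an added example (not code from the thread or from Microsoft), the PowerShell below shows how the deny rule above is normally combined with the device-registration claim the thread mentions and installed on the Office 365 relying party trust as an issuance authorization rule set, with the previous rules backed up first. It assumes AD FS on Windows Server 2012 R2 or later with device registration enabled, the default relying party name "Microsoft Office 365 Identity Platform", a backup folder path of C:\ADFS-Backup, and the isregistereduser claim type from Microsoft's device-context claim schema; the rule names and the deny/permit values are constructed for this example.

```powershell
# Added example, not from the thread. Installs an AD FS issuance authorization
# rule set on the Office 365 relying party trust that denies Exchange ActiveSync
# coming through the Web Application Proxy (x-ms-proxy) from devices that are
# NOT registered, and permits everything else. Order matters: deny rules must
# come before the final permit rule.
#
# Assumptions (adjust for your environment):
#   - relying party name is the default created by Convert-MsolDomainToFederated
#   - C:\ADFS-Backup is a writable folder for rule backups
#   - device registration is enabled so the isregistereduser claim is issued
Import-Module ADFS

$rpName    = 'Microsoft Office 365 Identity Platform'   # assumed default RP name
$backupDir = 'C:\ADFS-Backup'                            # assumed backup path

# 1. Save the current issuance authorization rules so the change can be reverted.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$rp.IssuanceAuthorizationRules |
    Set-Content -Path (Join-Path $backupDir "IssuanceAuth-$stamp.txt")

# 2. Build the new rule set in AD FS claim rule language.
#    Rule 1: request came via the proxy AND the client application is ActiveSync
#            AND no "registered user" device claim is present  => deny.
#    Rule 2: everything else => permit (must stay last).
$rules = @'
@RuleName = "Deny ActiveSync from extranet on unregistered devices"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUnregisteredActiveSync");

@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 3. Apply the rule set and echo back what AD FS now holds, for review.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Run it on the primary AD FS server. Whether the deny rule ever fires depends on the very point argued in this thread: the x-ms-proxy and x-ms-client-application claims are only present if the ActiveSync authentication actually traverses the proxy and AD FS. The practical way to settle that is to enable AD FS success auditing (Set-AdfsProperties -LogLevel plus the "Application Generated" audit subcategory) and inspect the Security log events 500 and 501 for an ActiveSync sign-in; those events list the request-context claims that were present, which shows directly whether the rule had anything to match on.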
Kyle Santos:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
ARM2009 (asker):

The solution logically is correct, but I am unable to validate that it works due to claims not passing correctly.