king daddy
Disabling OWA in powershell not working - user still gets email on mobile
I ran Set-CASMailbox -Identity "upn" -OWAEnabled $false but it still shows enabled in exchange admin center.
Weird thing is, when I run Get-CasMailbox -identity "upn" -Filter {OWAEnabled -eq $false} in powershell it shows disabled (enabled = false).
I ran Set-CasMailbox -Identity "upn" -ActiveSyncEnabled $false and it does show disabled in exchange admin center and powershell.
The user is still getting emails on the iphone through the iPhone email app.
I need to do this for about 200 users (disable EAS/OWA on non-company phones). I have a text file with all of the email addresses to import but the OWA command doesn't seem to be working on my test user so I can't proceed.
Any help much appreciated.
I don't think you can do so with powershell because you need to find out each user's device and disable only specific ones.
https://docs.microsoft.com/en-us/powershell/module/exchange/devices/remove-mobiledevice?view=exchange-ps
ASKER
Ok I do have that info in excel. Maybe I could import it in. Thanks.
The best thing to do is turn off ActiveSync on the user mailbox. That way emails won't get delivered to the device. In regards to the Outlook app, the REST API is for Exchange Online and not Exchange on-prem unless on-prem is Exchange 2016 and in a Hybrid Config with O365. If you are not on Exchange 2016 in a hybrid config you can just disable ActiveSync on that mailbox and be good.
ASKER
Hey Tim, thanks again for your help on this. Test user shows active sync disabled but still gets emails. I was thinking of just outright blocking mobiles for users not allowed but can't find or figure out a powershell script to do that.
You can quarantine via the Exchange Admin Center. Also, if you are using the iPhone native app and if ActiveSync is disabled the user should not be getting mail to the device. I would suggest you confirm all of that, but that will be the first I have ever seen with that. Double check that, make sure it's ActiveSync and not OWA.
ASKER
Thanks Tim. I need to do this through powershell as it's about 200 or so users that have personal devices. We are blocking all personal devices until employees sign a doc with HR stating we have the right to wipe the device (account only unless that is not supported).
One test user has a personal device and is using the iPhone native app. She initially replied to one of my emails from the phone but a subsequent test email I sent to her did not get delivered to the phone as she replied and told me this from Outlook. She also reported that the iPhone email app displayed a connection error to the server. The other test user is using Outlook for iOS and is still getting emails. He has a company iPhone though that shouldn't make a difference. I ran the powershell commands (activesync disable and OWA disable (or enable=$false)) against an imported text file with just those two.
I have been reading about this. I ran across blocking EWS, per Mahesh's link, as well as some info about activesyncblockeddevices.
This is going down tomorrow night whether I can do it with powershell or if I have to sit up all of tomorrow night and block them manually through EAC.
Thanks
Oh ok, see the below link. It will assist in quarantining all devices until you allow them to access:
http://itprocentral.com/how-to-enable-quarantine-for-mobile-devices-in-ex2013/
The policy will be set on Exchange and any device will be quarantined until you allow it.
ASKER
Thanks. I also read about quarantine but was concerned that it would either only affect new users / phones or affect the company as a whole since it appears to be an organization-wide setting. However, I will do some more research into this.
It will be new devices. So all users will need to remove email from their phones and start fresh, and if they don't remove it you can threaten to wipe the device to remove it via Exchange. Exchange will wipe the device to remove the email profile, but it will perform a factory reset on their device, so that is also an option if they choose not to remove it.
ASKER
OK thanks again for the help. What a pain :-)
Yes, it can be a pain. Good luck, man.
That policy only works for new devices
We used that policy to block all active sync connectivity except outlook for ios and Android, you can set exceptions there in policy
Set above policy without exception and then don't allow access unless it's a company approved / owned device
Intune can be used to block non company devices
For now you need to manually block existing android and ios outlook
ASKER
Anyone know if you can manipulate the DeviceAccessState setting? If so, I can set it to 'blocked' for those users on iOS or Android Outlook app which would prevent them from getting email.
So I have a CSV with all Get-CASMailbox info, including device ID. I am thinking I can import a text file with Device IDs or set a variable to pull in the device IDs and add them to the ActiveSyncBlockedDeviceIDs list. Though, I am thinking I would also somehow need to match the DeviceID to a user mailbox and I am not sure how to do that.
I tried this and waiting to see if it works. If so, I will just need to figure out how to script in for 200 users.
$MobileDevice = Get-MobileDevice -Mailbox user@company.com
Set-CASMailbox -Identity user@company.com -ActiveSyncBlockedDeviceIDs $MobileDevice.DeviceId
ASKER
It worked. So https://www.experts-exchange.com/members/alexgreen312.html suggested here
https://www.experts-exchange.com/questions/29139140/Help-blocking-and-disabling-mobile-access-to-office-365-email.html?anchor=a42820886&notificationFollowed=225659862&anchorAnswerId=42820886#a42820886
a better way and should allow me to import the information of several users. Just need to figure out how to import PrimarySmtpAddress as well as DeviceID and have it match each user.
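One way to handle the matching problem raised above, as an added example that is not from the thread or from any participant: querying Get-MobileDevice per mailbox ties each DeviceId to its user, so no separate ID-to-user import is needed. It assumes an Exchange PowerShell session is already open; `$ListPath` and `$ReportPath` are hypothetical paths.

```powershell
# Added example (not from the thread). Both paths are hypothetical.
$ListPath   = 'C:\Temp\personal-device-users.txt'   # one PrimarySmtpAddress per line
$ReportPath = 'C:\Temp\blocked-devices.csv'

$rows = foreach ($line in Get-Content -Path $ListPath) {
    $addr = $line.Trim()
    if (-not $addr) { continue }                     # skip blank lines
    try {
        # One object per device partnership on this mailbox.
        $devices = @(Get-MobileDevice -Mailbox $addr -ErrorAction Stop)
        $already = @((Get-CASMailbox -Identity $addr -ErrorAction Stop).ActiveSyncBlockedDeviceIDs)
        # Only IDs that are not on the mailbox's block list yet.
        $toBlock = @($devices | Select-Object -ExpandProperty DeviceId -Unique |
                     Where-Object { $already -notcontains $_ })

        if ($toBlock.Count -gt 0) {
            # @{Add=...} appends to the list; passing the IDs directly would
            # overwrite whatever was already blocked on the mailbox.
            Set-CASMailbox -Identity $addr -ActiveSyncBlockedDeviceIDs @{Add = $toBlock} -ErrorAction Stop
        }
        if ($devices.Count -eq 0) {
            [pscustomobject]@{ Mailbox = $addr; DeviceId = ''; DeviceType = ''; Result = 'No devices found' }
        }
        foreach ($d in $devices) {
            [pscustomobject]@{
                Mailbox    = $addr
                DeviceId   = $d.DeviceId
                DeviceType = $d.DeviceType
                Result     = if ($toBlock -contains $d.DeviceId) { 'Blocked now' } else { 'Already blocked' }
            }
        }
    }
    catch {
        # Unknown mailbox, permission problem, etc.: record it and keep going.
        [pscustomobject]@{ Mailbox = $addr; DeviceId = ''; DeviceType = ''; Result = "Error: $($_.Exception.Message)" }
    }
}
$rows | Export-Csv -Path $ReportPath -NoTypeInformation
```

The CSV doubles as a change record for re-allowing devices later with `@{Remove=...}` on the same parameter.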
ASKER
OK so after not being able to figure out nor wanting to deal with device IDs, based on Mahesh's direction I ended up blocking EWS / Outlook for iOS and Android (in addition to already having blocked EAS / OWA). Below are the commands I used.
Based on timgreen7077 input, I am looking to set up a quarantine policy for new users / devices.
Thanks all.
Disable EAS / OWA for multiple users
$Users = gc "PATH TO TEXT (.txt) FILE WITH USER’S PrimarySmtpAddress"
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -OWAEnabled $false}
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -OWAforDevicesEnabled $false}
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -ActiveSyncEnabled $false}
Reenable EAS / OWA for multiple users
$Users = gc "PATH TO TEXT (.txt) FILE WITH USER’S PrimarySmtpAddress"
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -OWAEnabled $true}
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -OWAforDevicesEnabled $true}
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -ActiveSyncEnabled $true}
Disable / reenable EAS / OWA for individual user
DISABLE
Set-CASMailbox -Identity "User PrimarySmtpAddress" -OWAforDevicesEnabled $false
Set-CASMailbox -Identity "User PrimarySmtpAddress" -OWAEnabled $false
Set-CASMailbox -Identity "User PrimarySmtpAddress" -ActiveSyncEnabled $false
REENABLE
Set-CASMailbox -Identity "User PrimarySmtpAddress" -OWAforDevicesEnabled $true
Set-CASMailbox -Identity "User PrimarySmtpAddress" -OWAEnabled $true
Set-CASMailbox -Identity "User PrimarySmtpAddress" -ActiveSyncEnabled $true
CONFIRM EAS/OWA STATUS INDIVIDUAL USER
Get-CASMailbox -identity "User PrimarySmtpAddress"
DISABLE EWS MULTIPLE USERS
$Users = gc "PATH TO TEXT (.txt) FILE WITH USER’S PrimarySmtpAddress"
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}}
DISABLE EWS SINGLE USER
Set-CASMailbox -Identity "User PrimarySmtpAddress" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}
REENABLE EWS MULTIPLE USERS
$Users = gc "PATH TO TEXT (.txt) FILE WITH USER’S PrimarySmtpAddress"
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -EwsBlockList @{Remove="Outlook-iOS/*","Outlook-Android/*"}}
REENABLE EWS SINGLE USER
Set-CASMailbox -Identity "User PrimarySmtpAddress" -EwsBlockList @{Remove="Outlook-iOS/*","Outlook-Android/*"}
CONFIRM EWS
Get-CASMailbox "User PrimarySmtpAddress" | Select *EWS*
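A read-back check for the bulk commands above, as an added example that is not the poster's script: it reports, per mailbox, which access paths are still open and the state of each device partnership. It also reports EwsApplicationAccessPolicy, because Microsoft's Set-CASMailbox documentation describes EwsBlockList as applying when that policy is set to EnforceBlockList. `$ListPath` is a hypothetical path and an open Exchange PowerShell session is assumed.

```powershell
# Added example (not from the thread). $ListPath is a hypothetical path.
$ListPath = 'C:\Temp\personal-device-users.txt'   # one PrimarySmtpAddress per line
$agents   = 'Outlook-iOS/*', 'Outlook-Android/*'  # the entries used in the post above

$report = foreach ($line in Get-Content -Path $ListPath) {
    $addr = $line.Trim()
    if (-not $addr) { continue }                   # skip blank lines

    $cas = Get-CASMailbox -Identity $addr -ErrorAction SilentlyContinue
    if (-not $cas) {
        [pscustomobject]@{ Mailbox = $addr; StillOpen = 'MAILBOX NOT FOUND'; EwsPolicy = ''; Devices = '' }
        continue
    }

    # Collect every access path that the read-back says is still usable.
    $open = @()
    if ($cas.OWAEnabled)           { $open += 'OWA' }
    if ($cas.OWAforDevicesEnabled) { $open += 'OWAforDevices' }
    if ($cas.ActiveSyncEnabled)    { $open += 'ActiveSync' }

    $policy = "$($cas.EwsApplicationAccessPolicy)"  # empty string when unset
    foreach ($agent in $agents) {
        # A listed agent counts as blocked only if the block list is enforced.
        if ($policy -ne 'EnforceBlockList' -or @($cas.EwsBlockList) -notcontains $agent) {
            $open += "EWS:$agent"
        }
    }

    $devices = @(Get-MobileDevice -Mailbox $addr -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Mailbox   = $addr
        StillOpen = $open -join ';'
        EwsPolicy = $policy
        Devices   = ($devices | ForEach-Object { "$($_.DeviceType)=$($_.DeviceAccessState)" }) -join ';'
    }
}

# Mailboxes with anything left open are the ones to follow up on.
$report | Where-Object { $_.StillOpen } | Format-Table -AutoSize -Wrap
```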
ASKER
If I can do that in powershell, would it prevent them from getting email?
And if possible, would you share the powershell command to do so?
Thanks!