9/23/2020 Owa Client For Mac
We all know that with Exchange 2007 and Exchange 2010, ActiveSync is the preferred option for mobile devices to connect and synchronize mail. However, some businesses do not wish ActiveSync devices to connect, preferring to opt for a solution such as BES or Good sync. These businesses will often disable ActiveSync at the user account level, and then allow access to a small number of users who are permitted to use their non-corporate standard mobile device.
However, some mobile apps use an alternative way to collect their email from the Exchange environment. They use Exchange Web Services (EWS) to pull the email from Exchange, bypassing the security policies and control afforded by ActiveSync.
Disabling EWS isn’t really an option, as quite a lot of Outlook functionality relies on EWS. However, we have a few lesser-known pieces of functionality to block EWS for certain applications, based on their User Agent Strings.
We can control the usage of EWS by using the Set-CASMailbox cmdlet for a single user, or the Set-OrganizationConfig cmdlet to set the settings for the organization.
The parameters to use with both of these cmdlets are below:
By using these parameters, we can either allow or block EWS by default, and turn certain applications on or off. To block specific applications from using EWS, we would allow EWS by default and block the offending apps. The opposite is also possible: block EWS by default and allow only the required apps.
The Block/Allow lists work on the basis of the User Agent Strings generated by the EWS client. So, if you are looking to get a list of strings to block, you can take a look at your IIS logs.
A Log Parser command such as the following can be used:
Explanation of the LogParser command:
WHERE cs-uri-stem LIKE ‘/EWS/Exchange.asmx’ – Ensures we are dealing with the EWS access parts of the IIS logs.
AND cs-username IS NOT NULL – Ensures we get userIDs back
-o:TSV – outputs to a tab-delimited file
-filemode:1 – overwrites the output file if it exists
If subsequent data from other Exchange servers needs to be appended to the output file, set filemode to ‘0’.
You can then load the resulting TSV into Excel, and create a pivot table showing the User Agents that are accessing EWS.
Interestingly, we can see here that the BES is using EWS, along with a lot of OWA/*Darwin style entries. From research, these appear to be iPhone apps syncing with EWS rather than ActiveSync.
So... how can we block these?
Well, we can use the EWSBlockList parameters. And the best bit: the parameters accept wildcard entries.
We can set these at both the individual mailbox level and the organization level. It is strongly recommended to do a test with a test user first, and then ensure everything is working before rolling out on an organization-wide basis.
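One way to do the log review and a dry run of a candidate block list in PowerShell, as an added example that is not from the original post: it applies the same filter as the Log Parser query (EWS endpoint, non-empty user name), tallies User Agent strings, and flags which would match a wildcard entry such as OWA/*. The function name, the sample log lines and the use of -like to approximate Exchange's wildcard matching are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Constructed sample of IIS W3C log lines (not real traffic; users and agents are made up).
$sampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-username cs(User-Agent) sc-status
2020-09-23 09:00:01 POST /EWS/Exchange.asmx CONTOSO\alice Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.4760) 200
2020-09-23 09:00:05 POST /EWS/Exchange.asmx CONTOSO\bob OWA/1.2+CFNetwork/485.13.9+Darwin/11.0.0 200
2020-09-23 09:00:07 POST /EWS/Exchange.asmx CONTOSO\erin OWA/1.2+CFNetwork/485.13.9+Darwin/11.0.0 200
2020-09-23 09:00:09 POST /EWS/Exchange.asmx - OWA/1.2+CFNetwork/485.13.9+Darwin/11.0.0 401
2020-09-23 09:00:12 POST /owa/ev.owa CONTOSO\carol Mozilla/5.0 200
2020-09-23 09:00:20 POST /EWS/Exchange.asmx CONTOSO\dave MacOutlook/14.0.0+(Intel+Mac+OS+X+10.6.4) 200
'@ -split "\r?\n"

# Hypothetical helper: summarise EWS user agents and test them against a block list.
function Get-EwsUserAgentReport {
    param([string[]]$LogLines, [string[]]$BlockList)
    $fields = @()
    $hits = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Column order can differ per server, so read it from the header.
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line.Trim() -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        # Same filter as the Log Parser query: EWS endpoint, authenticated requests only.
        if ($rec['cs-uri-stem'] -ne '/EWS/Exchange.asmx') { continue }
        if ($rec['cs-username'] -eq '-') { continue }
        [pscustomobject]@{
            User      = $rec['cs-username']
            # IIS logs spaces in the User-Agent as '+'.
            UserAgent = $rec['cs(User-Agent)'] -replace '\+', ' '
        }
    }
    $hits | Group-Object UserAgent | ForEach-Object {
        $ua = $_.Name
        [pscustomobject]@{
            UserAgent  = $ua
            Requests   = $_.Count
            Users      = ($_.Group.User | Sort-Object -Unique) -join ', '
            # Assumption: -like approximates how Exchange evaluates wildcard entries.
            WouldBlock = [bool]($BlockList | Where-Object { $ua -like $_ })
        }
    }
}

Get-EwsUserAgentReport -LogLines $sampleLog -BlockList 'OWA/*' | Format-Table -AutoSize
```

On the constructed sample, only the OWA/1.2 entry (two requests, from bob and erin) is flagged, while the Outlook and MacOutlook agents are not; the Users column shows who to contact before the block is enforced.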
By default, the EWS config settings will look like this
To block for instance all the OWA/* apps, you can run the following commands
At this point, I would recommend running a full suite of tests against this test mailbox: Outlook 2010 access (focusing on MailTips, OOF and free/busy, which all use EWS), Outlook for Mac (everything uses EWS), and BlackBerry (calendaring can use EWS).
Then try to connect the offending applications, and see if they are successfully blocked.
If this passes the testing, you can then look to run a wider test, and then when complete, run the Set-OrganizationConfig command to set this for the whole org.
Set-OrganizationConfig -EWSApplicationAccessPolicy:EnforceBlockList -EWSBlockList:"OWA/*" -EWSAllowOutlook:$true -EWSAllowMacOutlook:$true -EWSAllowEntourage:$true -EWSEnabled:$true
When complete, check the following settings with Get-OrganizationConfig
I would strongly recommend a communication to your user community before blocking this, as some users may have a relevant business reason to connect their ActiveSync device to the org. Also, remember that by using ActiveSync rather than EWS, users will be subject to the security policies set, and functionality such as Remote Wipe becomes available.
If you have found this useful, or if you have any questions, please let me know in the comments below!
Many thanks to Ed Crossley for his assistance with the images and some of the great content in this post.
Ed runs his own blog too, which you can find at http://exchangehero.tumblr.com/