Skip to main content
Matrix42 Self-Service Help Center

Exchange Protection Integration I: Exchange Online

PowerShell Integration I: Exchange Online

The PowerShell Integration establishes a remote connection to Exchange. Depending on your infrastructure design, the PowerShell interface will be utilized either on the Silverback Server or on your Cloud Connector Server. It means depending of your setup and settings, either the Silverback Server or your Cloud Connector Server establishes the remote connection to the Exchange Server via Remote Powershell and performs cmdlet commands to automatically allow only Silverback managed devices the access to ActiveSync. The option to use the Cloud Connector can be enabled in the Web Settings of Silverback, as shown in the Cloud Connector section. During this guide, we will set the execution policy and the authentication and perform a Service Account validation. Depending on your desired setup, perform this part either on your Silverback or Cloud Connector Server. Cloud Customers are not required to configure the execution policy and the authentication, but they can perform the Service Account Validation on any machine that is able to connect to Exchange.  

For Cloud Customers, we recommend to utilize the Silverback Server to establish the remote connection to Exchange, so in this case do not enable the Enable Exchange Protection Service in the Silverback Web Settings

Please review additionally the Knowledge Base Article for the Exchange Protection and Windows Remote Management

Requirements

  • Silverback / Cloud Connector Server is able to communicate to outlook.office.com over TCP Port 5985/5986
  • Access to Active Directory or Azure Active Directory
  • Access to Exchange Admin Center
  • Access to Silverback Server and Management Console
  • If Silverback is running on Windows Server 2012 R2, ensure that PowerShell 5.0 is installed
  • Enabled Organization Customization for Exchange Online

You can utilize the Service Account Validation section and login as an Administrator to execute the Enable-OrganizationCustomization cmdlet. To check if the Customization is already enabled, run  Get-OrganizationConfig | fl IsDehydrated . False means customization is enabled. Be patient as it may take a while until you can modify Roles

Supported 

Applications and Management Types

  • iOS with native Mail client on user and device enrollment
  • iPadOS with native Mail client on user and device enrollment
  • Android with Gmail client in device owner mode
  • SamsungSafe with Gmail client in device owner mode
  • Windows 10 with Microsoft Mail on all management modes

Not supported applications

  • Microsoft Outlook
  • Samsung Mail
  • macOS Mail

These applications does not grant access to interfere in Exchange ActiveSync Device ID 

Azure Active Directory

Create Service Account

Depending on your Azure Active Directory Connect configuration you may need to create the service account in your local Active Directory: Create Service Account

  • Navigate to Azure Active Directory
  • Select Users
  • Click + New User
  • Enter a User name
  • Enter a Name
    • e.g. Silverback Service
  • Select let me create the password
  • Enter a password
    • e.g. Pa$$w0rd
  • Add the account to Groups and roles (optional)
  • Click Create

Login and Update Password 

  • Open a new inkognito window
  • Open portal.azure.com
  • Enter as username silverback_exchange@imagoverum.com
  • Click Next
  • Enter your previously created password
  • Click Sign In
  • Update your password
  • Click Sign in
  • Your service account is ready to use

Exchange Admin Center

Create new Role and grant access

  • Select Roles
  • Click Admin roles
  • Select Add role group
  • Enter a Name: e.g. Exchange Protection
  • Enter a description (optional)
  • Click Next
  • Select the following permissions 
    • Mail Recipients
    • Organization Client Access
  • Click Next
  • Assign now your previously created service account
  • Click Next
  • Confirm with Add role Group
  • Click Done

It might take some time until the new role and permissions are successfully applied, please take this into account when performing the Access and Service Account Validation later on.

Create Device Mailbox Policy

  • Switch to the Classic Exchange Admin center

Currently not all relevant options are present in the new Exchange Admin center. This might change in the future. 

  • Navigate to mobile
  • Navigate to mobile device mailbox policies
  • Click +
  • Enter a name for the profile
    • e.g.  Silverback Exchange Protection Policy
  • Enable This is the default policy
  • Press Save

Access and Service Account Validation

The following section is designed to ensure that the Remote Powershell can connect from your desired source server (Silverback or Cloud Connector) to Exchange Online. Cloud Customers are not required to configure the execution policy and the authentication but you can perform the Service Account Validation on any machine that is able to connect to Exchange.

  • Change to your Silverback Server or Cloud Connector Server

Set Execution Policy

  • Run PowerShell with administrative privileges
  • Run the following command line to check your Status
    • get-executionpolicy
  • If the answer is RemoteSigned you are ready
  • If the answer is something else, please run the following command line
    • set-executionpolicy RemoteSigned
    • Confirm with Yes

Set Authentication

  • Run the following command to get authentication info
    • winrm get winrm/config/client/auth
  • If the value Basic=true is not set run the following command
    • winrm set winrm/config/client/auth @{Basic="true"}

Service Account Validation

  • Run the following command
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
  • Import now the session with
Import-PSSession $Session -DisableNameChecking 
  • To check functionality adjust and run the following command
get-casmailbox -Identity "tim.tober@imagoverum.com"

Additional commands  

  • Check the following commands to get familiar with the handling
Purpose Command
Get the default access level, e.g. allow, block, quarantine
Get-ActiveSyncOrganizationSettings | ft DefaultAccessLevel
Information about a mailbox, such as the size of the mailbox, the number of messages it contains, and the last time it was accessed
Get-MailboxStatistics -Identity username | fl
Retrieve the list of mobile devices configured to synchronize with a specified user's mailbox and return a list of statistics about the mobile devices.
Get-MobileDeviceStatistics -Mailbox username
Get a list of allowed and blocked device IDs and given Mailbox Policy
Get-CASMailbox -Identity username | fl *ActiveSync*
Filter to Active Sync Allowed Devices
Get-CASMailbox -Identity username | select {$_.ActiveSyncAllowedDeviceIDs}
Filter to Active Sync Blocked Devices
Get-CASMailbox -Identity username | select {$_.ActiveSyncBlockedDeviceIDs}
Get the list of devices in your organization that have active Exchange ActiveSync partnerships
Get-MobileDevice | select UserDisplayName,DeviceID,DeviceType,DeviceUserAgent,DeviceModel,Name
Get the list of devices in your organization that are currently quarantined
Get-MobileDevice -Filter {DeviceAccessState -eq 'Quarantined'}
Get the list of devices for a specific mailbox or user
Get-MobileDevice -Mailbox username -Filter {DeviceAccessState -eq 'Quarantined'}
Manually whitelist a device
Set-CASMailbox -Identity username –ActiveSyncAllowedDeviceIDs DeviceID
To export any of the above commands into an Excel Document for reporting purposes, simply add the following to the end of any of the above commands to export it into a CSV
file:
| Export-CSV C:\file.csv
  • To close the session execute the following command
 Remove-PSSession $Session

Silverback Management Console

  • Open your Silverback Management Console

Configure Exchange Protection

  • Login as an Administrator
  • Navigate to Admin
  • Navigate to Exchange Protection
  • Enable Exchange Protection
  • Select as Server Version Exchange Online
  • Enter the following Server Address
  • Enter as Username your Service Account
  • Enter the corresponding Service Account Password
    • e.g. Pa$$w0rd
  • Enter your previously created Device Mailbox Policy
    • e.g. Silverback Exchange Protection Policy
  • Change Auth. Mechanism to Basic
  • Click Save
  • Confirm with Yes

Cloud Connector

Skip this section if you are a Cloud Customer or if you do not have a Cloud Connector in use.

  • Logout as Administrator 
  • Login as Settings Administrator
  • Navigate to Cloud Connector
  • Enable Exchange Protection Service
  • Decrease the Exchange Task Interval (mins) to e.g. 1 Minute
  • Press Save
  • Confirm with OK
  • Restart all Silverback and Cloud Connector services

Exchange Admin Center

  • Navigate back to your Exchange Admin Center
    • Login with administrative credentials
    • Click In the left pane Show all
    • Scroll down and select Exchange

Enable Quarantine Mode

If you are enabling this on a pre-existing production ActiveSync fleet, please be aware that all current devices connected via Exchange ActiveSync are automatically moved to quarantine after enabling the Quarantine mode. As Silverback is moving managed devices with their Exchange ActiveSync identifiers to the ActiveSyncAllowedDeviceIDs list for specific users when an Exchange ActiveSync profile will be installed on the device, Administrators can move all current managed Silverback devices separately to the Allowed List. Please refer to Exchange Protection Allow managed devices for additional information

  • Navigate to mobile
  • Navigate to mobile device access
  • Press above and right to Quarantined Devices edit 
  • Select Quarantine - Let me decide to block or allow later
  • Click +
  • Select the receiver of Notification Email Messages
  • Click add
  • Click OK
  • Enter a text to include in-emails
    • e.g. This device is unknown and will be blocked until it will be enrolled in the Mobile Device Management Solution
  • Click Save
  • A list of Quarantined Devices will now get visible to you
  • Administrators will receive a Notification Email Message
  • All quarantined devices users  will receive the previously configured Notification Email Message
Recipient Administrators Users
Subject A device that belongs to Maria Miller (mmiller) has been quarantined. Exchange ActiveSync will be blocked until you take action. Your device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.
Message

The Exchange ActiveSync service has quarantined the mobile device listed below. It won't be able to synchronize Exchange content until you take action.

To perform an action for this mobile device, go to the following page in the Exchange Administration Center: https://outlook.office365.com/ecp/UsersGroups/EditMobileMailbox.aspx?id=cbc646cc-a767-4057-8360-155de50b978f&dtm=Isolation&Realm=m45dev.onmicrosoft.com&exsvurl=1

Information about the device that triggered this notice:

User: maria.miller@imagoverum.com
Device model: iPhone7C2
Device type: iPhone
Device ID: QGK92S76M54UN3U26R361DQ4BC
Device OS: iOS 12.4.5 16G161
Device user agent: Apple-iPhone7C2/1607.161
Device phone number:  
Device IMEI:  
Exchange ActiveSync version: 16.1
Device policy applied: imagoverum\Exchange Protection Policy
Device policies status: NotApplied
Device access state: Quarantined
Device access state reason: Global
Device access control rule:  

 

Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com.

This device is a unknown device and will be blocked until it will be Enrolled in the Mobile Device Management Solution

Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined. You don't need to take any action. Content will automatically be downloaded as soon as access is granted by your administrator.

Information about your device:

Device model: iPhone7C2
Device type: iPhone
Device ID: QGK92S76M54UN3U26R361DQ4BC
Device OS: iOS 12.4.5 16G161
Device user agent: Apple-iPhone7C2/1607.161
Device IMEI:  
Exchange ActiveSync version: 16.1
Device access state: Quarantined
Device access state reason: Global

 

Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com.

Performance Check 

After configuring  Exchange ActiveSync Access Settings with enabling quarantine, try the feature with devices. 

Check for managed devices  

  • Enroll a device and assign an Exchange Active Profile 
  • Follow the configuration on your device as usual
  • Check if you have access to emails, calendar and contacts
  • Your newly enrolled device should now be whitelisted automatically
    • Navigate back to your Exchange Admin Center
    • Check that the device is not in quarantined state

Check for restricted devices  

  • Use a different unenrolled device
  • On the device, add your Exchange ActiveSync account manually 
    • For iOS and iPadOS devices,
      • Open Settings 
      • Navigate to Passwords & Accounts
      • Tab Add Account
      • Select Microsoft Exchange
      • Finish your configuration
    • For Android and Samsung devices
      • Open Gmail 
      • Tab on your current account
      • Choose Add another account
      • Select Exchange and Office 365
      • Finish your configuration
  • Your unenrolled device should now be quarantined automatically
    • Navigate back to your Exchange Admin Center
    • Check that the device is in quarantined state

Additional Notes

  • If your device will not get whitelisted, please check your Silverback Logs
  • Also please review all previously made steps 
  • Check your security rule set 
  • Please also note the following
    • Devices may download folder structure, but don't see any mails due to Quarantined Status
    • Devices may also get blocked
      • In this case the mail content will be completely empty or they can't establish a connection to ActiveSync at all
    • You can at any time grant access to devices manually
  • By executing a Delete Business Data or Factory Wipe action on managed devices, the Exchange ActiveSync Device ID will be moved to Blocked state
  • Was this article helpful?