Exchange Protection Integration II: Exchange Online with Basic Authentication
PowerShell Integration I: Exchange Online
The PowerShell Integration establishes a remote connection to Exchange. Depending on your infrastructure design, the PowerShell interface is used either on the Silverback Server or on your Cloud Connector Server: one of the two establishes the remote connection to the Exchange Server via Remote PowerShell and runs cmdlets that automatically allow only Silverback-managed devices to access ActiveSync. The option to use the Cloud Connector is enabled in the Web Settings of Silverback, as shown in the Cloud Connector section. In this guide we set the execution policy and the authentication and perform a Service Account Validation. Depending on your desired setup, perform this part either on your Silverback Server or on your Cloud Connector Server. Cloud Customers are not required to configure the execution policy and the authentication, but they can perform the Service Account Validation on any machine that is able to connect to Exchange.
For Cloud Customers, we recommend using the Silverback Server to establish the remote connection to Exchange; in this case, do not enable the Enable Exchange Protection Service in the Silverback Web Settings.
Please also review the Knowledge Base Article for the Exchange Protection and Windows Remote Management.
Requirements
- Silverback / Cloud Connector Server is able to communicate to outlook.office.com over TCP Port 5985/5986
- Access to Active Directory or Azure Active Directory
- Access to Exchange Admin Center
- Access to Silverback Server and Management Console
- If Silverback is running on Windows Server 2012 R2, ensure that PowerShell 5.0 is installed
- Enabled Organization Customization for Exchange Online
You can utilize the Service Account Validation section and log in as an Administrator to execute the Enable-OrganizationCustomization cmdlet. To check if the customization is already enabled, run Get-OrganizationConfig | fl IsDehydrated. False means customization is enabled. Be patient, as it may take a while until you can modify roles.
Supported applications and management types
- iOS with native Mail client on user and device enrollment
- iPadOS with native Mail client on user and device enrollment
- Android with Gmail client in device owner mode
- Samsung Knox with Gmail client in device owner mode
- Windows 10 with Microsoft Mail on all management modes
Not supported applications
- Microsoft Outlook
- Samsung Mail
- macOS Mail
These applications do not allow Silverback to access the Exchange ActiveSync Device ID.
Azure Active Directory
- Start on your Azure Active Directory
- Open https://portal.azure.com
- Sign in with Administrator credentials
Create Service Account
Depending on your Azure Active Directory Connect configuration, you may need to create the service account in your local Active Directory instead (see Create Service Account).
- Navigate to Azure Active Directory
- Select Users
- Click + New User
- Enter a User name
- Enter a Name
- e.g. Silverback Service
- Select let me create the password
- Enter a password
- e.g. Pa$$w0rd
- Add the account to Groups and roles (optional)
- Click Create
Login and Update Password
- Open a new incognito window
- Open portal.azure.com
- Enter as username silverback_exchange@imagoverum.com
- Click Next
- Enter your previously created password
- Click Sign In
- Update your password
- Click Sign in
- Your service account is ready to use
Exchange Admin Center
- Open admin.exchange.microsoft.com
- Login with Administrator credentials
Create new Role and grant access
- Select Roles
- Click Admin roles
- Select Add role group
- Enter a Name: e.g. Exchange Protection
- Enter a description (optional)
- Click Next
- Select the following permissions
- Mail Recipients
- Organization Client Access
- Click Next
- Now assign your previously created service account
- Click Next
- Confirm with Add role group
- Click Done
It might take some time until the new role and permissions are applied; take this into account when performing the Access and Service Account Validation later on.
Create Device Mailbox Policy
- Navigate to Mobile
- Select Mobile device mailbox policies
- Click + New
- Enter a name for the profile
- e.g. Silverback Exchange Protection Policy
- Enable This is the default policy
- Press Next
- Press Create
- Press Save
Access and Service Account Validation
The following section is designed to ensure that Remote PowerShell can connect from your desired source server (Silverback or Cloud Connector) to Exchange Online. Cloud Customers are not required to configure the execution policy and the authentication, but you can perform the Service Account Validation on any machine that is able to connect to Exchange.
- Change to your Silverback Server or Cloud Connector Server
Set Execution Policy
- Run PowerShell with administrative privileges
- Run the following command line to check your Status
- get-executionpolicy
- If the answer is RemoteSigned, you are ready
- If the answer is something else, please run the following command line
- set-executionpolicy RemoteSigned
- Confirm with Yes
Set Authentication
- Run the following command to get authentication info
- winrm get winrm/config/client/auth
- If the value Basic=true is not set run the following command
- winrm set winrm/config/client/auth @{Basic="true"}
Service Account Validation
- Run the following command
$UserCredential = Get-Credential
- Enter your Service Account, e.g. silverback_exchange@imagoverum.com
- Enter your updated password, e.g. Pa$$w0rd
- Click OK
- Create a new Session:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
- Now import the session with
Import-PSSession $Session -DisableNameChecking
- To check functionality adjust and run the following command
get-casmailbox -Identity "tim.tober@imagoverum.com"
Additional commands
- Check the following commands to get familiar with the handling
Purpose | Command
---|---
Get the default access level, e.g. allow, block, quarantine | Get-ActiveSyncOrganizationSettings \| ft DefaultAccessLevel
Information about a mailbox, such as the size of the mailbox, the number of messages it contains, and the last time it was accessed | Get-MailboxStatistics -Identity username \| fl
Retrieve the list of mobile devices configured to synchronize with a specified user's mailbox and return a list of statistics about the mobile devices | Get-MobileDeviceStatistics -Mailbox username
Get a list of allowed and blocked device IDs and the assigned Mailbox Policy | Get-CASMailbox -Identity username \| fl *ActiveSync*
Filter to ActiveSync allowed devices | Get-CASMailbox -Identity username \| select {$_.ActiveSyncAllowedDeviceIDs}
Filter to ActiveSync blocked devices | Get-CASMailbox -Identity username \| select {$_.ActiveSyncBlockedDeviceIDs}
Get the list of devices in your organization that have active Exchange ActiveSync partnerships | Get-MobileDevice \| select UserDisplayName,DeviceID,DeviceType,DeviceUserAgent,DeviceModel,Name
Get the list of devices in your organization that are currently quarantined | Get-MobileDevice -Filter {DeviceAccessState -eq 'Quarantined'}
Get the list of quarantined devices for a specific mailbox or user | Get-MobileDevice -Mailbox username -Filter {DeviceAccessState -eq 'Quarantined'}
Manually whitelist a device | Set-CASMailbox -Identity username -ActiveSyncAllowedDeviceIDs DeviceID
Export the output of any of the above commands into a CSV file for reporting purposes (e.g. for Excel) by appending the following to the end of the command | \| Export-CSV C:\file.csv
- To close the session execute the following command
Remove-PSSession $Session
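As an added example that is not part of the original guide, the following PowerShell script bundles the checks of this section into one run: execution policy, WinRM Basic authentication, session creation, the organization customization check from the Requirements, a check that the role group has propagated, the Get-CASMailbox functionality test and session cleanup. The service account and test mailbox are the placeholder values used on this page; the winrm argument is quoted because PowerShell would otherwise parse @{Basic="true"} as a hashtable literal rather than pass it to winrm as text.

```powershell
# Added example, not the vendor's code. Placeholders from this page:
$ServiceAccount = 'silverback_exchange@imagoverum.com'   # service account created above
$TestMailbox    = 'tim.tober@imagoverum.com'             # mailbox for the functionality check

# 1. Execution policy: RemoteSigned (or less restrictive) is required for the imported session module.
$policy = Get-ExecutionPolicy
if ($policy -notin @('RemoteSigned', 'Unrestricted', 'Bypass')) {
    Write-Warning "Execution policy is '$policy'; setting RemoteSigned as the guide requires."
    Set-ExecutionPolicy RemoteSigned -Force
}

# 2. WinRM client: Basic authentication must be enabled for -Authentication Basic to work.
$auth = winrm get winrm/config/client/auth
if (($auth -join "`n") -notmatch 'Basic\s*=\s*true') {
    Write-Warning 'WinRM client Basic auth is disabled; enabling it as the guide requires.'
    winrm set winrm/config/client/auth '@{Basic="true"}'   # quoted so PowerShell passes it verbatim
}

# 3. Connect with the service account (Basic auth over the endpoint used on this page).
$UserCredential = Get-Credential -UserName $ServiceAccount -Message 'Silverback service account password'
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking | Out-Null

try {
    # 4. Organization customization must be enabled before a custom role group can be used.
    if ((Get-OrganizationConfig).IsDehydrated) {
        Write-Warning 'Organization customization is not enabled; run Enable-OrganizationCustomization as an admin.'
    }

    # 5. The role group (Mail Recipients + Organization Client Access) must expose these cmdlets
    #    to the service account; if they are missing, the role assignment has not propagated yet.
    foreach ($cmd in 'Get-CASMailbox', 'Set-CASMailbox', 'Get-ActiveSyncOrganizationSettings') {
        if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
            Write-Warning "$cmd is not available in this session; wait for the role assignment and retry."
        }
    }

    # 6. Functionality check from the guide, showing only the ActiveSync-relevant properties,
    #    plus the tenant default access level that the Quarantine Mode step changes later.
    Get-CASMailbox -Identity $TestMailbox |
        Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
    Get-ActiveSyncOrganizationSettings | Format-Table DefaultAccessLevel
}
finally {
    # 7. Always remove the session; open sessions count against the tenant's concurrent session limit.
    Remove-PSSession $Session
}
```

Run the script in an elevated PowerShell on the server that will host the integration (Silverback or Cloud Connector); warnings rather than errors point you at the step of this section that still needs attention.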
Silverback Management Console
- Open your Silverback Management Console
Configure Exchange Protection
- Login as an Administrator
- Navigate to Admin
- Navigate to Exchange Protection
- Enable Exchange Protection
- Select Exchange Online as Server Version
- Enter the following Server Address
- Enter as Username your Service Account
- Enter the corresponding Service Account Password
- e.g. Pa$$w0rd
- Enter your previously created Device Mailbox Policy
- e.g. Silverback Exchange Protection Policy
- Change Auth. Mechanism to Basic
- Click Save
- Confirm with Yes
Cloud Connector
Skip this section if you are a Cloud Customer or if you do not have a Cloud Connector in use.
- Logout as Administrator
- Login as Settings Administrator
- Navigate to Cloud Connector
- Enable Exchange Protection Service
- Decrease the Exchange Task Interval (mins) to e.g. 1 Minute
- Press Save
- Confirm with OK
- Restart all Silverback and Cloud Connector services
Exchange Admin Center
- Navigate back to your Exchange Admin Center
- Login with administrative credentials
- In the left pane, click Show all
- Scroll down and select Exchange
Enable Quarantine Mode
If you are enabling this on a pre-existing production ActiveSync fleet, be aware that all devices currently connected via Exchange ActiveSync are moved to quarantine automatically once Quarantine mode is enabled. Silverback adds the Exchange ActiveSync identifier of a managed device to the ActiveSyncAllowedDeviceIDs list of the respective user when an Exchange ActiveSync profile is installed on that device; Administrators can therefore move all currently managed Silverback devices to the Allowed List separately. Please refer to Exchange Protection Allow managed devices for additional information.
- Navigate to Mobile
- Navigate to Mobile device access
- In the Device access rules tab, press Edit
- Select Quarantine - Let me decide to block or allow later
- Select your receivers of Quarantine Notification Email Messages
- e.g. Tim Tober
- Enter a text to include in emails
- e.g. This device is unknown and will be blocked until it will be enrolled in the Mobile Device Management Solution
- Click Save
- Close the window with X
- A list of quarantined devices is now visible to you
- Administrators will receive a Notification Email Message
- Users of all quarantined devices will receive the previously configured Notification Email Message
Recipient | Administrators | Users
---|---|---
Subject | A device that belongs to Maria Miller (mmiller) has been quarantined. Exchange ActiveSync will be blocked until you take action. | Your device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.
Message | The Exchange ActiveSync service has quarantined the mobile device listed below. It won't be able to synchronize Exchange content until you take action. To perform an action for this mobile device, go to the following page in the Exchange Administration Center: https://outlook.office365.com/ecp/UsersGroups/EditMobileMailbox.aspx?id=cbc646cc-a767-4057-8360-155de50b978f&dtm=Isolation&Realm=m45dev.onmicrosoft.com&exsvurl=1 Information about the device that triggered this notice: Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com. | This device is a unknown device and will be blocked until it will be Enrolled in the Mobile Device Management Solution Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined. You don't need to take any action. Content will automatically be downloaded as soon as access is granted by your administrator. Information about your device: Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com.
Performance Check
After enabling quarantine in the Exchange ActiveSync access settings, test the feature with devices.
Check for managed devices
- Enroll a device and assign an Exchange ActiveSync profile
- Follow the configuration on your device as usual
- Check if you have access to emails, calendar and contacts
- Your newly enrolled device should now be whitelisted automatically
- Navigate back to your Exchange Admin Center
- Check that the device is not in quarantined state
Check for restricted devices
- Use a different unenrolled device
- On the device, add your Exchange ActiveSync account manually
- For iOS and iPadOS devices
- Open Settings
- Navigate to Passwords & Accounts
- Tap Add Account
- Select Microsoft Exchange
- Finish your configuration
- For Android and Samsung devices
- Open Gmail
- Tap on your current account
- Choose Add another account
- Select Exchange and Office 365
- Finish your configuration
- Your unenrolled device should now be quarantined automatically
- Navigate back to your Exchange Admin Center
- Check that the device is in quarantined state
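The two checks above (managed device whitelisted, unenrolled device quarantined) can be verified from the PowerShell side instead of clicking through the Exchange Admin Center. The following function is an added example, not part of the original guide: it assumes an imported Exchange Online session as created in the Service Account Validation section, uses the placeholder mailbox from this page, and reports every ActiveSync partnership of a mailbox together with its access state and whether its device ID sits in the user's allowed or blocked list that Silverback maintains.

```powershell
# Added example, not the vendor's code. Requires an imported Exchange Online session.
function Get-ActiveSyncAccessReport {
    param(
        [Parameter(Mandatory)] [string[]] $Mailbox   # one or more mailbox identities
    )
    foreach ($user in $Mailbox) {
        # Per-user allow/block lists: the lists that Silverback populates for managed devices.
        $cas     = Get-CASMailbox -Identity $user
        $allowed = @($cas.ActiveSyncAllowedDeviceIDs)
        $blocked = @($cas.ActiveSyncBlockedDeviceIDs)

        foreach ($device in @(Get-MobileDevice -Mailbox $user)) {
            $inAllowed = $allowed -contains $device.DeviceId
            $inBlocked = $blocked -contains $device.DeviceId

            # Interpret the state the way this guide expects it after Quarantine Mode is on:
            # managed devices are Allowed through the per-user allow list, everything else is quarantined.
            if ($device.DeviceAccessState -eq 'Quarantined') {
                $finding = 'Not enrolled, or not yet whitelisted by Silverback (check Silverback logs)'
            } elseif ($device.DeviceAccessState -eq 'Allowed' -and -not $inAllowed) {
                $finding = 'Allowed by a rule other than the per-user allow list; review device access rules'
            } elseif ($inBlocked) {
                $finding = 'Blocked (e.g. after Delete Business Data or Factory Wipe)'
            } else {
                $finding = 'OK'
            }

            [pscustomobject]@{
                Mailbox       = $user
                DeviceId      = $device.DeviceId
                DeviceType    = $device.DeviceType
                DeviceModel   = $device.DeviceModel
                AccessState   = $device.DeviceAccessState   # Allowed / Blocked / Quarantined / DeviceDiscovery
                InAllowedList = $inAllowed
                InBlockedList = $inBlocked
                Finding       = $finding
            }
        }
    }
}

# Constructed usage: the test mailbox used on this page; the enrolled device should show
# AccessState Allowed with InAllowedList True, the manually added one Quarantined.
Get-ActiveSyncAccessReport -Mailbox 'tim.tober@imagoverum.com' | Format-Table -AutoSize

# Tenant-wide view of everything still waiting in quarantine, oldest partnership first.
Get-MobileDevice -Filter {DeviceAccessState -eq 'Quarantined'} |
    Sort-Object FirstSyncTime |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel, FirstSyncTime
```

When you correct a finding by hand with Set-CASMailbox, keep in mind that -ActiveSyncAllowedDeviceIDs with a plain value replaces the whole list for that user; to append one ID without dropping the entries Silverback already wrote, pass @{Add='DeviceID'} instead.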
Additional Notes
- If your device does not get whitelisted, please check your Silverback Logs
- Also please review all previously made steps
- Check your security rule set
- Please also note the following
- Devices may download the folder structure but not see any mails due to the quarantined status
- Devices may also get blocked
- In this case the mail content will be completely empty or they can't establish a connection to ActiveSync at all
- You can at any time grant access to devices manually
- By executing a Delete Business Data or Factory Wipe action on managed devices, the Exchange ActiveSync Device ID will be moved to Blocked state