Exchange Protection Integration III: Exchange 2013
Exchange Protection For Exchange 2013
Requirements
- Silverback Server can communicate to your Exchange Server over TCP Port 5985
- Access to Active Directory for creating a service account
- Access to Exchange 2013 Server and Exchange Admin Center
- Access to Silverback Server and Management Console
Supported
Applications and Management Types
- iOS with native Mail client on user and device enrollment
- iPadOS with native Mail client on user and device enrollment
- Android with Gmail client in device owner mode
- SamsungSafe with Gmail client in device owner mode
- Windows 10 with Microsoft Mail on all management modes
Not supported applications
- Microsoft Outlook
- Samsung Mail
- macOS Mail
These applications does not grant access to interfere in Exchange ActiveSync Device ID
Active Directory
Start on your Active Directory
Create Service Account
- Open your Active Directory
- Open Active Directory Users and Computers
- Navigate to a Organization Unit
- Right Click in the right pane
- Select New
- Click User
- Add user object information according to your company guidelines
- e.g. First name: Silverback
- e.g. Last name: Exchange
- e.g. User logon name: silverback_exchange@imagoverum.com
- e.g. SamAccountName: IMAGOVERUM\silverback_exchange
- Click Next
- Enter and confirm a Password
- e.g. Pa$$w0rd
- Disable User must change password at next login
- Enable Password never expires
- Enter and confirm a Password
- Click Next
- Click Finish
Add a description
- Right Click your created service account
- Select Properties
- Add as description e.g. Service Account for Silverback Exchange Protection
Grant Permissions
- Navigate to Permissions
- Select Organization Management
- Click Edit
- Scroll down to Members
- Click +
- Search your previously created service account
- e.g. silverback_exchange
- Select the account
- Click add
- Click OK
- Press Save
- Select Recipient Management
- Click Edit
- Scroll down to Members
- Click +
- Search your previously created service account
- e.g. silverback_exchange
- Select the account
- Click add
- Click OK
- Press Save
- Select Server Management
- Click Edit
- Scroll down to Members
- Click +
- Search your previously created service account
- e.g. silverback_exchange
- Select the account
- Click add
- Click OK
- Press Save
Create Device Mailbox Policy
- Navigate to mobile
- Navigate to mobile device mailbox policies
- Click +
- Enter a name for the profile
- e.g. Silverback Exchange Protection Policy
- Enable This is the default policy
- Press Save
Exchange Server
- Change to your Exchange Server
Set Execution Policy
- Run PowerShell with administrative privileges
- Run the following command line to check your Status
- get-executionpolicy
- If the answer is RemoteSigned you are ready
- If the answer is something else, please run the following command line
- set-executionpolicy RemoteSigned
- Confirm with Yes
Configure IIS
- Open Internet Information Services (IIS) Manager
- Expand your Server
- Expand Sites
- Expand Default Web Site
- Select PowerShell
- Double Click Authentication
- Select Basic Authentication
- Press Enable in the Actions Pane
Silverback Server
- Change to your Silverback Server
Set Execution Policy
- Run PowerShell with administrative privileges
- Run the following command line to check your Status
- get-executionpolicy
- If the answer is RemoteSigned you are ready
- If the answer is something else, please run the following command line
- set-executionpolicy RemoteSigned
- Confirm with Yes
Set Authentication
- Run the following command to get authentication info
- winrm get winrm/config/client/auth
- If the value Kerberos=true is not set run the following command
- winrm set winrm/config/client/auth @{Kerberos="true"}
Service Account Validation
Start Session
- Run now the following command
$UserCredentials = Get-Credential
- Enter your Service Account, e.g. IMAGOVERUM\silverback_exchange
- Enter your Password, e.g. Pa$$w0rd
- Click OK
- Adjust and run now the following command
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://eas.imagoverum.com/powershell/ -Authentication Basic -Credential $UserCredentials
- Import now the session with
Import-PSSession $Session
- To check functionality adjust and run the following command
get-casmailbox -Identity "tim.tober@imagoverum.com"
Grant rights
- To enable Remote PowerShell Access to Exchange for the service accont, we need to grant permissions
- Adjust the Service Account name and run the following command
Set-User silverback_exchange -RemotePowerShellEnabled $true
Typically the permissions are set by default to true.
Additional commands
- Check the following commands to get familiar with the handling
Purpose | Command |
---|---|
Get the default access level, e.g. allow, block, quarantine |
Get-ActiveSyncOrganizationSettings | ft DefaultAccessLevel |
Information about a mailbox, such as the size of the mailbox, the number of messages it contains, and the last time it was accessed |
Get-MailboxStatistics -Identity username | fl |
Retrieve the list of mobile devices configured to synchronize with a specified user's mailbox and return a list of statistics about the mobile devices. |
Get-MobileDeviceStatistics -Mailbox username |
Get a list of allowed and blocked device IDs and given Mailbox Policy |
Get-CASMailbox -Identity username | fl *ActiveSync* |
Filter to Active Sync Allowed Devices |
Get-CASMailbox -Identity username | select {$_.ActiveSyncAllowedDeviceIDs} |
Filter to Active Sync Blocked Devices |
Get-CASMailbox -Identity username | select {$_.ActiveSyncBlockedDeviceIDs} |
Get the list of devices in your organization that have active Exchange ActiveSync partnerships |
Get-MobileDevice | select UserDisplayName,DeviceID,DeviceType,DeviceUserAgent,DeviceModel,Name |
Manually whitelist a device |
Set-CASMailbox -Identity username –ActiveSyncAllowedDeviceIDs DeviceID |
To export any of the above commands into an Excel Document for reporting purposes, simply add the following to the end of any of the above commands to export it into a CSV file: |
| Export-CSV C:\file.csv |
Silverback Management Console
- Open your Silverback Management Console
Configure Exchange Protection
- Login as an Administrator
- Navigate to Admin
- Navigate to Exchange Protection
- Enable Exchange Protection
- Select as Server Version Exchange Server 2013
- Enter your Exchange Server Address with Powershell at the end as following
- Enter as Username your Service Account
- e.g. IMAGOVERUM\silverback_exchange
- Enter the corresponding Service Account Password
- e.g. Pa$$w0rd
- Enter your previously created Device Mailbox Policy
- e.g. Silverback Exchange Protection Policy
- Set Auth. Mechanism to Default or Kerberos
- Click Save
- Confirm with Yes
- If you are running Silverback with a Cloud Connector
- please proceed with Cloud Connector Setup
- otherwise proceed with Exchange Admin Center
Cloud Connector Setup
Skip this if you do not have a cloud connector in use
- Logout as Administrator
- Login as Settings Administrator
- Navigate to ActiveSync
- Enable Exchange Protection
- Decrease the Exchange Task Interval (mins) to e.g. 1 Minute
- Press Save
- Confirm with OK
- Restart the Silverback Maintenance Service
Exchange Admin Center
- Open Exchange Admin Center
Enable Quarantine Mode
If you are enabling this on a pre-existing production ActiveSync fleet, please make sure that all your devices are enrolled into Silverback. Ensure all the devices have a device id set in users’ mailbox settings. If a user does not have this set they will not be able to connect to ActiveSync.
-
- Navigate to mobile device access
- Press above and right to Quarantined Devices edit
- Select Quarantine - Let me decide to block or allow later
- Click +
- Select the receiver of Notification Email Messages
- Click add
- Click OK
- Enter a text to include in-emails
- e.g. This device is unknown and will be blocked until it will be enrolled in the Mobile Device Management Solution
- Click Save
- A list of Quarantined Devices will now get visible to you
- Administrators will receive a Notification Email Message
- All quarantined devices users will receive the previously configured Notification Email Message
Recipient | Administrators | Users | ||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Subject | A device that belongs to Maria Miller (mmiller) has been quarantined. Exchange ActiveSync will be blocked until you take action. | Your device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access. | ||||||||||||||||||||||||||||||||||||||||||||||
Message |
The Exchange ActiveSync service has quarantined the mobile device listed below. It won't be able to synchronize Exchange content until you take action. To perform an action for this mobile device, go to the following page in the Exchange Administration Center: https://outlook.office365.com/ecp/UsersGroups/EditMobileMailbox.aspx?id=cbc646cc-a767-4057-8360-155de50b978f&dtm=Isolation&Realm=m45dev.onmicrosoft.com&exsvurl=1 Information about the device that triggered this notice:
Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com. |
This device is a unknown device and will be blocked until it will be Enrolled in the Mobile Device Management Solution Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined. You don't need to take any action. Content will automatically be downloaded as soon as access is granted by your administrator. Information about your device:
Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com. |
Performance Check
After configuring Exchange ActiveSync Access Settings with enabling quarantine, try the feature with devices.
Check for managed devices
- Enroll a device and assign an Exchange Active Profile
- Follow the configuration on your device as usual
- Check if you have access to emails, calendar and contacts
- Your newly enrolled device should now be whitelisted automatically
- Navigate back to your Exchange Admin Center
- Check that the device is not in quarantined state
Check for restricted devices
- Use a different unenrolled device
- On the device, add your Exchange ActiveSync account manually
- For iOS and iPadOS devices,
- Open Settings
- Navigate to Passwords & Accounts
- Tab Add Account
- Select Microsoft Exchange
- Finish your configuration
- For Android and Samsung devices
- Open Gmail
- Tab on your current account
- Choose Add another account
- Select Exchange and Office 365
- Finish your configuration
- For iOS and iPadOS devices,
- Your unenrolled device should now be quarantined automatically
- Navigate back to your Exchange Admin Center
- Check that the device is in quarantined state
Additional Notes
- If your device will not get whitelisted, please check your Silverback Logs
- Also please review all previously made steps
- Check your security rule set
- Please also note the following
- Devices may download folder structure, but don't see any mails due to Quarantined Status
- Devices may also get blocked
- In this case the mail content will be completely empty or they can't establish a connection to ActiveSync at all
- You can at any time grant access to devices manually