Exchange Protection Integration III: Exchange 2016
Exchange Protection For Exchange 2016
The PowerShell Integration establishes a remote connection to Exchange. Depending on your infrastructure design, the PowerShell interface will be utilized either on the Silverback Server or on your Cloud Connector Server. It means depending of your setup and settings, either the Silverback Server or your Cloud Connector Server establishes the remote connection to the Exchange Server via Remote Powershell and performs cmdlet commands to automatically allow only Silverback managed devices the access to ActiveSync. The option to use the Cloud Connector can be enabled in the Web Settings of Silverback, as shown in the Cloud Connector section. During this guide, we will set the execution policy and the authentication and perform a Service Account validation. Depending on your desired setup, perform this part either on your Silverback or Cloud Connector Server. Cloud Customers are not required to configure the execution policy and the authentication, but they can perform the Service Account Validation on any machine that is able to connect to Exchange.
Please review additionally the Knowledge Base Article for the Exchange Protection and Windows Remote Management
Requirements
- Silverback / Cloud Connector Server can communicate to your Exchange Server over TCP Port 5985/5986
- Access to Active Directory for creating a service account
- Access to Exchange 2016 Server and Exchange Admin Center
- Access to Silverback Server and Management Console
Supported
Applications and Management Types
- iOS with native Mail client on user and device enrollment
- iPadOS with native Mail client on user and device enrollment
- Android with Gmail client in device owner mode
- Samsung Knox with Gmail client in device owner mode
- Windows 10 with Microsoft Mail on all management modes
Not supported applications
- Microsoft Outlook
- Samsung Mail
- macOS Mail
These applications does not grant access to interfere in Exchange ActiveSync Device ID
Active Directory
Start on your Active Directory
Create Service Account
- Open your Active Directory
- Open Active Directory Users and Computers
- Navigate to a Organization Unit
- Right Click in the right pane
- Select New
- Click User
- Add user object information according to your company guidelines
- e.g. First name: Silverback
- e.g. Last name: Exchange
- e.g. User logon name: silverback_exchange@imagoverum.com
- e.g. SamAccountName: IMAGOVERUM\silverback_exchange
- Click Next
- Enter and confirm a Password
- e.g. Pa$$w0rd
- Disable User must change password at next login
- Enable Password never expires
- Enter and confirm a Password
- Click Next
- Click Finish
Add a description
- Right Click your created service account
- Select Properties
- Add as description e.g. Service Account for Silverback Exchange Protection
Exchange Admin Center
- Open Exchange Admin Center
- Login with Administrator credentials
Create new Role and grant access
- Select permissions
- Click +
- Enter a Name: e.g. Exchange Protection
- Enter a description (optional)
- Under Roles, click + and add the following roles
- Mail Recipients
- Organization Client Access
- Click ok
- Under Members, click +
- Select your previously created service account
- Click add
- Click ok
- Press save
It might take some time until the new role and permissions are successfully applied, please take this into account when performing the Access and Service Account Validation later on
Create Device Mailbox Policy
- Navigate to mobile
- Navigate to mobile device mailbox policies
- Click +
- Enter a name for the profile
- e.g. Silverback Exchange Protection Policy
- Enable This is the default policy
- Press Save
Exchange Server
- Change to your Exchange Server
Set Execution Policy
- Run PowerShell with administrative privileges
- Run the following command line to check your Status
- get-executionpolicy
- If the answer is RemoteSigned you are ready
- If the answer is something else, please run the following command line
- set-executionpolicy RemoteSigned
- Confirm with Yes
Configure IIS
- Open Internet Information Services (IIS) Manager
- Expand your Server
- Expand Sites
- Expand Default Web Site
- Select PowerShell
- Double Click Authentication
- Ensure that Windows Authentication is enabled
Access and Service Account Validation
The following section is designed to ensure that the Remote Powershell can connect from your desired source server (Silverback or Cloud Connector) to Exchange. Cloud Customers are not required to configure the execution policy and the authentication but you can perform the Service Account Validation on any machine that is able to connect to Exchange.
- Change to your Silverback Server or Cloud Connector Server
Set Execution Policy
- Run PowerShell with administrative privileges
- Run the following command line to check your Status
- get-executionpolicy
- If the answer is RemoteSigned you are ready
- If the answer is something else, please run the following command line
- set-executionpolicy RemoteSigned
- Confirm with Yes
Set Authentication
- Run the following command to get authentication info
- winrm get winrm/config/client/auth
- If the value Kerberos=true is not set run the following command
- winrm set winrm/config/client/auth @{Kerberos="true"}
Service Account Validation
Start Session
- Run now the following command
$UserCredentials = Get-Credential
- Enter your Service Account, e.g. IMAGOVERUM\silverback_exchange
- Enter your Password, e.g. Pa$$w0rd
- Click OK
- Adjust and run now the following command
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://eas.imagoverum.com/powershell/ -Authentication Kerberos -Credential $UserCredentials
Be advised the method shown above is not universal. Depending on your target environment configuration, you may be required to specify a different authentication method as an argument like -Authentication Basic or connect via http instead of https.
- Import now the session with
Import-PSSession $Session
- To check functionality adjust and run the following command
get-casmailbox -Identity "tim.tober@imagoverum.com"
Grant rights
- To enable Remote PowerShell Access to Exchange for the service accont, we need to grant permissions
- Adjust the Service Account name and run the following command
Set-User silverback_exchange -RemotePowerShellEnabled $true
Typically the permissions are set by default to true.
Additional commands
- Check the following commands to get familiar with the handling
Purpose | Command |
---|---|
Get the default access level, e.g. allow, block, quarantine |
Get-ActiveSyncOrganizationSettings | ft DefaultAccessLevel |
Information about a mailbox, such as the size of the mailbox, the number of messages it contains, and the last time it was accessed |
Get-MailboxStatistics -Identity username | fl |
Retrieve the list of mobile devices configured to synchronize with a specified user's mailbox and return a list of statistics about the mobile devices. |
Get-MobileDeviceStatistics -Mailbox username |
Get a list of allowed and blocked device IDs and given Mailbox Policy |
Get-CASMailbox -Identity username | fl *ActiveSync* |
Filter to Active Sync Allowed Devices |
Get-CASMailbox -Identity username | select {$_.ActiveSyncAllowedDeviceIDs} |
Filter to Active Sync Blocked Devices |
Get-CASMailbox -Identity username | select {$_.ActiveSyncBlockedDeviceIDs} |
Get the list of devices in your organization that have active Exchange ActiveSync partnerships |
Get-MobileDevice | select UserDisplayName,DeviceID,DeviceType,DeviceUserAgent,DeviceModel,Name |
Manually whitelist a device |
Set-CASMailbox -Identity username –ActiveSyncAllowedDeviceIDs DeviceID |
To export any of the above commands into an Excel Document for reporting purposes, simply add the following to the end of any of the above commands to export it into a CSV file: |
| Export-CSV C:\file.csv |
- To close the session execute the following command
Remove-PSSession $Session
Silverback Management Console
- Open your Silverback Management Console
Configure Exchange Protection
- Login as an Administrator
- Navigate to Admin
- Navigate to Exchange Protection
- Enable Exchange Protection
- Select as Server Version Exchange Server 2016
- Enter your Exchange Server Address with Powershell at the end as following
- Enter as Username your Service Account
- e.g. IMAGOVERUM\silverback_exchange
- Enter the corresponding Service Account Password
- e.g. Pa$$w0rd
- Enter your previously created Device Mailbox Policy
- e.g. Silverback Exchange Protection Policy
- Set Auth. Mechanism to Default or Kerberos
- Click Save
- Confirm with Yes
- If you are running Silverback with a Cloud Connector
- please proceed with Cloud Connector Setup
- otherwise proceed with Exchange Admin Center
Cloud Connector
Skip this section if you are a Cloud Customer or if you do not have a Cloud Connector in use.
- Logout as Administrator
- Login as Settings Administrator
- Navigate to Cloud Connector
- Enable Exchange Protection Service
- Decrease the Exchange Task Interval (mins) to e.g. 1 Minute
- Press Save
- Confirm with OK
- Restart all Silverback and Cloud Connector services
Exchange Admin Center
- Open Exchange Admin Center
Enable Quarantine Mode
If you are enabling this on a pre-existing production ActiveSync fleet, please be aware that all current devices connected via Exchange ActiveSync are automatically moved to quarantine after enabling the Quarantine mode. As Silverback is moving managed devices with their Exchange ActiveSync identifiers to the ActiveSyncAllowedDeviceIDs list for specific users when an Exchange ActiveSync profile will be installed on the device, Administrators can move all current managed Silverback devices separately to the Allowed List. Please refer to Exchange Protection Allow managed devices for additional information
-
- Navigate to mobile device access
- Press above and right to Quarantined Devices edit
- Select Quarantine - Let me decide to block or allow later
- Click +
- Select the receiver of Notification Email Messages
- Click add
- Click OK
- Enter a text to include in-emails
- e.g. This device is unknown and will be blocked until it will be enrolled in the Mobile Device Management Solution
- Click Save
- A list of Quarantined Devices will now get visible to you
- Administrators will receive a Notification Email Message
- All quarantined devices users will receive the previously configured Notification Email Message
Recipient | Administrators | Users | ||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Subject | A device that belongs to Maria Miller (mmiller) has been quarantined. Exchange ActiveSync will be blocked until you take action. | Your device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access. | ||||||||||||||||||||||||||||||||||||||||||||||
Message |
The Exchange ActiveSync service has quarantined the mobile device listed below. It won't be able to synchronize Exchange content until you take action. To perform an action for this mobile device, go to the following page in the Exchange Administration Center: https://outlook.office365.com/ecp/UsersGroups/EditMobileMailbox.aspx?id=cbc646cc-a767-4057-8360-155de50b978f&dtm=Isolation&Realm=m45dev.onmicrosoft.com&exsvurl=1 Information about the device that triggered this notice:
Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com. |
This device is a unknown device and will be blocked until it will be Enrolled in the Mobile Device Management Solution Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined. You don't need to take any action. Content will automatically be downloaded as soon as access is granted by your administrator. Information about your device:
Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com. |
Performance Check
After configuring Exchange ActiveSync Access Settings with enabling quarantine, try the feature with devices.
Check for managed devices
- Enroll a device and assign an Exchange Active Profile
- Follow the configuration on your device as usual
- Check if you have access to emails, calendar and contacts
- Your newly enrolled device should now be whitelisted automatically
- Navigate back to your Exchange Admin Center
- Check that the device is not in quarantined state
Check for restricted devices
- Use a different unenrolled device
- On the device, add your Exchange ActiveSync account manually
- For iOS and iPadOS devices,
- Open Settings
- Navigate to Passwords & Accounts
- Tab Add Account
- Select Microsoft Exchange
- Finish your configuration
- For Android and Samsung devices
- Open Gmail
- Tab on your current account
- Choose Add another account
- Select Exchange and Office 365
- Finish your configuration
- For iOS and iPadOS devices,
- Your unenrolled device should now be quarantined automatically
- Navigate back to your Exchange Admin Center
- Check that the device is in quarantined state
Additional Notes
- If your device will not get whitelisted, please check your Silverback Logs
- Also please review all previously made steps
- Check your security rule set
- Please also note the following
- Devices may download folder structure, but don't see any mails due to Quarantined Status
- Devices may also get blocked
- In this case the mail content will be completely empty or they can't establish a connection to ActiveSync at all
- You can at any time grant access to devices manually
- By executing a Delete Business Data or Factory Wipe action on managed devices, the Exchange ActiveSync Device ID will be moved to Blocked state