Skip to main content
Matrix42 Self-Service Help Center

Exchange Protection Integration V: Exchange 2010

Exchange Protection For Exchange 2010

The PowerShell Integration establishes a remote connection to Exchange. Depending on your infrastructure design, the PowerShell interface will be utilized either on the Silverback Server or on your Cloud Connector Server. It means depending of your setup and settings, either the Silverback Server or your Cloud Connector Server establishes the remote connection to the Exchange Server via Remote Powershell and performs cmdlet commands to automatically allow only Silverback managed devices the access to ActiveSync. The option to use the Cloud Connector can be enabled in the Web Settings of Silverback, as shown in the Cloud Connector section. During this guide, we will set the execution policy and the authentication and perform a Service Account validation. Depending on your desired setup, perform this part either on your Silverback or Cloud Connector Server. Cloud Customers are not required to configure the execution policy and the authentication, but they can perform the Service Account Validation on any machine that is able to connect to Exchange.

As Exchange Server 2010 reached its end of support on October 13, 2020 by Microsoft, the functionality is still present in Silverback and might keep working but is out of support in case of issues. 

Please review additionally the Knowledge Base Article for the Exchange Protection and Windows Remote Management

Requirements

  • Silverback / Cloud Connector Server can communicate to your Exchange Server over TCP Port 5985/5986
  • Access to Active Directory for creating a service account
  • Access to Exchange 2010 Server, Exchange Management Console and Exchange Control Panel
  • Access to Silverback Server and Management Console

Supported

Applications and Management Types

  • iOS with native Mail client on user and device enrollment
  • iPadOS with native Mail client on user and device enrollment
  • Android with Gmail client in device owner mode
  • Samsung Knox with Gmail client in device owner mode
  • Windows 10 with Microsoft Mail on all management modes

Not supported applications

  • Microsoft Outlook
  • Samsung Mail
  • macOS Mail

These applications does not grant access to interfere in Exchange ActiveSync Device ID 

Active Directory

Start on your Active Directory

Create Service Account

  • Open your Active Directory
  • Open Active Directory Users and Computers
  • Navigate to a Organization Unit
  • Right Click in the right pane 
  • Select New
  • Click User
  • Add user object information according to your company guidelines
  • Click Next
    • Enter and confirm a Password
      • e.g. Pa$$w0rd
    • Disable User must change password at next login
    • Enable Password never expires
  • Click Next
  • Click Finish

Add a description

  • Right Click your created service account
  • Select Properties
  • Add as description e.g. Service Account for Silverback Exchange Protection

Grant Permissions

  • Navigate to Member Of Tab
  • Click Add
  • Add the following Groups
    • Organization Management
    • Server Management
    • Recipient Management
  • Click OK
  • Click Apply
  • Click OK

To define a more granular access management, utilize the Exchange Toolbox and access the Role Based Access Control User Editor and create a new Role Group with the relevant roles Mail Recipients, Organization Client Access, and Recipient Policies. Add the Service Account you created previously under the Members section and press Save. 

Exchange Server

  • Change to your Exchange Server

Set Execution Policy

  • Run PowerShell with administrative privileges
  • Run the following command line to check your Status
    • get-executionpolicy
  • If the answer is RemoteSigned you are ready
  • If the answer is something else, please run the following command line
    • set-executionpolicy RemoteSigned
    • Confirm with Yes

Configure IIS

  • Open Internet Information Services (IIS) Manager
  • Expand your Server
  • Expand Sites
  • Expand Default Web Site
  • Select PowerShell
  • Double Click Authentication
  • Select Basic Authentication
  • Press Enable in the Actions Pane

Access and Service Account Validation

The following section is designed to ensure that the Remote Powershell can connect from your desired source server (Silverback or Cloud Connector) to Exchange. Cloud Customers are not required to configure the execution policy and the authentication but you can perform the Service Account Validation on any machine that is able to connect to Exchange.

  • Change to your Silverback Server or Cloud Connector Server

Set Execution Policy

  • Run PowerShell with administrative privileges
  • Run the following command line to check your Status
    • get-executionpolicy
  • If the answer is RemoteSigned you are ready
  • If the answer is something else, please run the following command line
    • set-executionpolicy RemoteSigned
    • Confirm with Yes

Set Authentication

  • Run the following command to get authentication info
    • winrm get winrm/config/client/auth
  • If the value Basic=true is not set run the following command
    • winrm set winrm/config/client/auth @{Basic="true"}

Service Account Validation

Start Session
  • Run now the following command
$UserCredentials = Get-Credential
  • Enter your Service Account, e.g. IMAGOVERUM\silverback_exchange 
  • Enter your Password, e.g. Pa$$w0rd
  • Click OK
  • Adjust and run now the following command
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://eas.imagoverum.com/powershell/ -Authentication Basic -Credential $UserCredentials
  • Import now the session with
Import-PSSession $Session
  • To check functionality adjust and run the following command
get-casmailbox -Identity "tim.tober@imagoverum.com"
Grant rights
  • To enable Remote PowerShell Access to Exchange, we need to grant him the rights
  • Adjust the Service Account name  and run the following command
Set-User silverback_exchange -RemotePowerShellEnabled $true

Additional commands

  • Check the following commands to get familiar with the handling
Purpose Command
Get the default access level, e.g. allow, block, quarantine
Get-ActiveSyncOrganizationSettings | ft DefaultAccessLevel
Information about a mailbox, such as the size of the mailbox, the number of messages it contains, and the last time it was accessed
Get-MailboxStatistics -Identity username | fl
Get a list of allowed and blocked device IDs and given Mailbox Policy
Get-CASMailbox -Identity username | fl *ActiveSync*
Filter to Active Sync Allowed Devices
Get-CASMailbox -Identity username | select {$_.ActiveSyncAllowedDeviceIDs}
Retrieve the list of mobile devices configured to synchronize with a specified user's mailbox and return a list of statistics about the mobile devices.
Get-ActiveSyncDeviceStatistics -Mailbox username
Get the list of devices in your organization that have active Exchange ActiveSync partnerships
Get-ActiveSyncDeviceStatistics | select UserDisplayName,DeviceID,DeviceType,DeviceUserAgent,DeviceModel,Name
To export any of the above commands into an Excel Document for reporting purposes, simply add the following to the end of any of the above commands to export it into a CSV
file:
| Export-CSV C:\file.csv

Exchange Management Console

  • Navigate to your Exchange Management Console

Edit Default Mailbox Policy

  • Expand the left tree
  • Expand Organization Configuration
  • Click Client Access
  • Select and perform a right click on your Default Mailbox Policy
  • Click Properties
  • Ensure that Allow non-provisionable devices is enabled
  • Configure additional settings (optional)
  • Click Apply
  • Click OK

Silverback Management Console

  • Open your Silverback Management Console

Configure Exchange Protection

  • Login as an Administrator
  • Navigate to Admin
  • Navigate to Exchange Protection
  • Enable Exchange Protection
  • Select as Server Version Exchange Server 2010
  • Enter your Exchange Server Address with Powershell at the end as following

Ensure that you are using http

  • Enter as Username your Service Account
    • e.g. IMAGOVERUM\silverback_exchange 
  • Enter the corresponding Service Account Password
    • e.g. Pa$$w0rd
  • Enter the name of your Default Mailbox Policy
    • e.g. Default
  • Set Auth. Mechanism to Basic
  • Click Save
  • Confirm with Yes
  • If you are running Silverback with a Cloud Connector

Cloud Connector

Skip this section if you are a Cloud Customer or if you do not have a Cloud Connector in use.

  • Logout as Administrator 
  • Login as Settings Administrator
  • Navigate to Cloud Connector
  • Enable Exchange Protection Service
  • Decrease the Exchange Task Interval (mins) to e.g. 1 Minute
  • Press Save
  • Confirm with OK
  • Restart all Silverback and Cloud Connector services

Microsoft Exchange Control Panel 

Enable Quarantine Mode

If you are enabling this on a pre-existing production ActiveSync fleet, please be aware that all current devices connected via Exchange ActiveSync are automatically moved to quarantine after enabling the Quarantine mode. As Silverback is moving managed devices with their Exchange ActiveSync identifiers to the ActiveSyncAllowedDeviceIDs list for specific users when an Exchange ActiveSync profile will be installed on the device, it might be required to remove and reassign Exchange ActiveSync profiles to your existing device fleet. As an alternative contact your Exchange Administrator to find the best approach. Please refer to Exchange Protection Allow managed devices for reviewing the approach for newer Exchange versions.

  • Open Microsoft Exchange Control Panel 
  • On Top select Manage My Organization
  • Navigate to Phone & Voice
  • On Exchange ActiveSync Access Settings click Edit
  • Select Quarantine - Let me decide to block or allow later
  • Click Add
    • Select the Administrative Users which will receive E-Mail Alerts
    • Click OK
  • Enter a text to include in-emails
    • e.g. This device is unknown and will be blocked until it will be enrolled in the Mobile Device Management Solution
  • Click Save
  • A list of Quarantined Devices maybe will get visible to you
  • Administrators will receive a Notification Email Message
  • All quarantined devices users will receive the previously configured Notification Email Message
Recipient Administrators Users
Subject A device that belongs to Maria Miller (mmiller) has been quarantined. Exchange ActiveSync will be blocked until you take action. Your device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.
Message

The Exchange ActiveSync service has quarantined the mobile device listed below. It won't be able to synchronize Exchange content until you take action.

To perform an action for this mobile device, go to the following page in the Exchange Administration Center: https://outlook.office365.com/ecp/UsersGroups/EditMobileMailbox.aspx?id=cbc646cc-a767-4057-8360-155de50b978f&dtm=Isolation&Realm=m45dev.onmicrosoft.com&exsvurl=1

Information about the device that triggered this notice:

User: maria.miller@imagoverum.com
Device model: iPhone7C2
Device type: iPhone
Device ID: QGK92S76M54UN3U26R361DQ4BC
Device OS: iOS 12.4.5 16G161
Device user agent: Apple-iPhone7C2/1607.161
Device phone number:  
Device IMEI:  
Exchange ActiveSync version: 16.1
Device policy applied: imagoverum\Exchange Protection Policy
Device policies status: NotApplied
Device access state: Quarantined
Device access state reason: Global
Device access control rule:  

 

Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com.

This device is a unknown device and will be blocked until it will be Enrolled in the Mobile Device Management Solution

Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined. You don't need to take any action. Content will automatically be downloaded as soon as access is granted by your administrator.

Information about your device:

Device model: iPhone7C2
Device type: iPhone
Device ID: QGK92S76M54UN3U26R361DQ4BC
Device OS: iOS 12.4.5 16G161
Device user agent: Apple-iPhone7C2/1607.161
Device IMEI:  
Exchange ActiveSync version: 16.1
Device access state: Quarantined
Device access state reason: Global

 

Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com.

Performance Check

After configuring  Exchange ActiveSync Access Settings with enabling quarantine, try the feature with devices. 

Check for managed devices

  • Enroll a device and assign an Exchange Active Profile 
  • Follow the configuration on your device as usual
  • Check if you have access to emails, calendar and contacts
  • Your newly enrolled device should now be whitelisted automatically
    • Navigate back to your Microsoft Exchange Control Panel
    • Check that the device is not in quarantined state

Check for restricted devices

  • Use a different unenrolled device
  • On the device, add your Exchange ActiveSync account manually 
    • For iOS and iPadOS devices,
      • Open Settings 
      • Navigate to Passwords & Accounts
      • Tab Add Account
      • Select Microsoft Exchange
      • Finish your configuration
    • For Android and Samsung devices
      • Open Gmail 
      • Tab on your current account
      • Choose Add another account
      • Select Exchange and Office 365
      • Finish your configuration
  • Your unenrolled device should now be quarantined automatically
    • Navigate back to your Microsoft Exchange Control Panel 
    • Check that the device is in quarantined state

Additional Notes 

  • If your device will not get whitelisted, please check your Silverback Logs
  • Also please review all previously made steps 
  • Check your security rule set 
  • Please also note the following
    • Devices may download folder structure, but don't see any mails due to Quarantined Status
    • Devices may also get blocked
      • In this case the mail content will be completely empty or they can't establish a connection to ActiveSync at all
    • You can at any time grant access to devices manually
  • By executing a Delete Business Data or Factory Wipe action on managed devices, the Exchange ActiveSync Device ID will be moved to Blocked state
  • Was this article helpful?