Matrix42 Self-Service Help Center

Exchange Protection Integration IV: Exchange 2010

Exchange Protection For Exchange 2010

Requirements

  • Silverback Server can communicate to your Exchange Server over TCP Port 5985
  • Access to Active Directory for creating a service account
  • Access to Exchange 2010 Server, Exchange Management Console and Exchange Control Panel
  • Access to Silverback Server and Management Console

Supported

Applications and Management Types

  • iOS with native Mail client on user and device enrollment
  • iPadOS with native Mail client on user and device enrollment
  • Android with Gmail client in device owner mode
  • SamsungSafe with Gmail client in device owner mode
  • Windows 10 with Microsoft Mail on all management modes

Not supported applications

  • Microsoft Outlook
  • Samsung Mail
  • macOS Mail

These applications do not allow the Exchange ActiveSync Device ID to be read or modified, so Silverback cannot manage their access.

Active Directory

Start on your Active Directory

Create Service Account

  • Open your Active Directory
  • Open Active Directory Users and Computers
  • Navigate to an Organizational Unit
  • Right Click in the right pane 
  • Select New
  • Click User
  • Add user object information according to your company guidelines
  • Click Next
    • Enter and confirm a Password
      • e.g. Pa$$w0rd
    • Disable User must change password at next login
    • Enable Password never expires
  • Click Next
  • Click Finish

Add a description

  • Right Click your created service account
  • Select Properties
  • Add as description e.g. Service Account for Silverback Exchange Protection

Grant Permissions

  • Navigate to Member Of Tab
  • Click Add
  • Add the following Groups
    • Organization Management
    • Server Management
    • Recipient Management
  • Click OK
  • Click Apply
  • Click OK

Exchange Server

  • Change to your Exchange Server

Set Execution Policy

  • Run PowerShell with administrative privileges
  • Run the following command line to check your Status
    • get-executionpolicy
  • If the answer is RemoteSigned you are ready
  • If the answer is something else, please run the following command line
    • set-executionpolicy RemoteSigned
    • Confirm with Yes

Configure IIS

  • Open Internet Information Services (IIS) Manager
  • Expand your Server
  • Expand Sites
  • Expand Default Web Site
  • Select PowerShell
  • Double Click Authentication
  • Select Basic Authentication
  • Press Enable in the Actions Pane

Silverback Server

  • Change to your Silverback Server

Set Execution Policy

  • Run PowerShell with administrative privileges
  • Run the following command line to check your Status
    • get-executionpolicy
  • If the answer is RemoteSigned you are ready
  • If the answer is something else, please run the following command line
    • set-executionpolicy RemoteSigned
    • Confirm with Yes

Set Authentication

  • Run the following command to get authentication info
    • winrm get winrm/config/client/auth
  • If the value Kerberos=true is not set run the following command
    • winrm set winrm/config/client/auth @{Kerberos="true"}

Service Account Validation

Start Session

  • Run the following command
$UserCredentials = Get-Credential
  • Enter your Service Account, e.g. IMAGOVERUM\silverback_exchange
  • Enter your Password, e.g. Pa$$w0rd
  • Click OK
  • Adjust the connection URI to your environment and run the following command
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://eas.imagoverum.com/powershell/ -Authentication Basic -Credential $UserCredentials
  • Import the session with
Import-PSSession $session
  • To check functionality, adjust the mailbox identity and run the following command
get-casmailbox -Identity "tim.tober@imagoverum.com"

Grant rights

  • To enable Remote PowerShell access to Exchange for the service account, it must be granted the right explicitly
  • Adjust the Service Account name and run the following command
Set-User silverback_exchange -RemotePowerShellEnabled $true
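The session steps above, as an added example that is not part of the Matrix42 article: it opens the remote Exchange 2010 session the same way, reports what the service account can see (its own RemotePowerShellEnabled flag, a test mailbox's ActiveSync settings and the organisation default access level) and always closes the session afterwards. The connection URI, service account and test mailbox are the article's sample values and are assumptions to replace with your own.

```powershell
# Added example, not part of the Matrix42 article. URI, account and mailbox below
# are the article's sample values (assumptions); replace them with your own.
param(
    [string]$ConnectionUri  = 'https://eas.imagoverum.com/powershell/',
    [string]$ServiceAccount = 'IMAGOVERUM\silverback_exchange',
    [string]$TestMailbox    = 'tim.tober@imagoverum.com'
)

$cred    = Get-Credential $ServiceAccount   # prompts only for the password
$session = $null
try {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri `
        -Authentication Basic -Credential $cred -ErrorAction Stop
    Import-PSSession $session -DisableNameChecking -ErrorAction Stop | Out-Null

    # The service account itself needs remote PowerShell (Set-User ... -RemotePowerShellEnabled $true)
    $sam  = $ServiceAccount.Split('\')[-1]
    $acct = Get-User -Identity $sam -ErrorAction Stop
    "Service account {0}: RemotePowerShellEnabled={1}" -f $acct.Name, $acct.RemotePowerShellEnabled

    # Exchange Protection reads and writes these per-mailbox ActiveSync settings
    $cas  = Get-CASMailbox -Identity $TestMailbox -ErrorAction Stop
    $vals = @([string]$cas.Identity, $cas.ActiveSyncEnabled, $cas.ActiveSyncMailboxPolicy,
              (@($cas.ActiveSyncAllowedDeviceIDs) -join ','))
    "Mailbox {0}: ActiveSyncEnabled={1} Policy={2} AllowedDeviceIDs=[{3}]" -f $vals

    # Organisation-wide default that the quarantine step later changes
    "DefaultAccessLevel={0}" -f (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
}
catch {
    Write-Error ("Validation failed: " + $_.Exception.Message)
}
finally {
    if ($session) { Remove-PSSession $session }   # do not leave the runspace open
}
```

Run it on the Silverback server with the same execution policy and WinRM settings configured above; a failure at New-PSSession points at the IIS Basic authentication or the account's remote PowerShell right, a failure at Get-CASMailbox at the group memberships granted in Active Directory.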

Additional commands

  • Check the following commands to get familiar with the handling
Purpose: Get the default access level, e.g. allow, block, quarantine
Command: Get-ActiveSyncOrganizationSettings | ft DefaultAccessLevel

Purpose: Information about a mailbox, such as the size of the mailbox, the number of messages it contains, and the last time it was accessed
Command: Get-MailboxStatistics -Identity username | fl

Purpose: Get a list of allowed and blocked device IDs and the assigned Mailbox Policy
Command: Get-CASMailbox -Identity username | fl *ActiveSync*

Purpose: Filter to ActiveSync allowed devices
Command: Get-CASMailbox -Identity username | select {$_.ActiveSyncAllowedDeviceIDs}

Purpose: Retrieve the list of mobile devices configured to synchronize with a specified user's mailbox and return a list of statistics about the mobile devices
Command: Get-ActiveSyncDeviceStatistics -Mailbox username

Purpose: Get the list of devices in your organization that have active Exchange ActiveSync partnerships
Command: Get-ActiveSyncDeviceStatistics | select UserDisplayName,DeviceID,DeviceType,DeviceUserAgent,DeviceModel,Name

To export the output of any of the above commands into an Excel document for reporting purposes, simply append the following to the command to write it into a CSV file:
| Export-CSV C:\file.csv

Exchange Management Console

  • Navigate to your Exchange Management Console

Edit Default Mailbox Policy

  • Expand the left tree
  • Expand Organization Configuration
  • Click Client Access
  • Right click your Default Mailbox Policy
  • Click Properties
  • Ensure that Allow non-provisionable devices is enabled
  • Configure additional settings (optional)
  • Click Apply
  • Click OK

Silverback Management Console

  • Open your Silverback Management Console

Configure Exchange Protection

  • Login as an Administrator
  • Navigate to Admin
  • Navigate to Exchange Protection
  • Enable Exchange Protection
  • Select as Server Version Exchange Server 2010
  • Enter your Exchange Server Address with Powershell appended at the end, as follows

Ensure that you are using http

  • Enter as Username your Service Account
    • e.g. IMAGOVERUM\silverback_exchange 
  • Enter the corresponding Service Account Password
    • e.g. Pa$$w0rd
  • Enter the name of your Default Mailbox Policy
    • e.g. Default
  • Set Auth. Mechanism to Default or Kerberos
  • Click Save
  • Confirm with Yes
  • If you are running Silverback with a Cloud Connector, continue with the Cloud Connector Setup below

Cloud Connector Setup 

Skip this if you do not have a cloud connector in use

  • Logout as Administrator 
  • Login as Settings Administrator
  • Navigate to ActiveSync
  • Enable Exchange Protection
  • Decrease the Exchange Task Interval (mins) to e.g. 1 Minute
  • Press Save
  • Confirm with OK
  • Restart the Silverback Maintenance Service

Microsoft Exchange Control Panel 

Enable Quarantine Mode

If you are enabling this on a pre-existing production ActiveSync fleet, please make sure that all your devices are enrolled into Silverback. Ensure all the devices have a device id set in users’ mailbox settings. If a user does not have this set they will not be able to connect to ActiveSync.

  • Open Microsoft Exchange Control Panel 
  • On Top select Manage My Organization
  • Navigate to Phone & Voice
  • On Exchange ActiveSync Access Settings click Edit
  • Select Quarantine - Let me decide to block or allow later
  • Click Add
    • Select the Administrative Users which will receive E-Mail Alerts
    • Click OK
  • Enter a text to include in the e-mails sent to users
    • e.g. This device is unknown and will be blocked until it is enrolled in the Mobile Device Management Solution
  • Click Save
  • A list of quarantined devices may now become visible to you
  • Administrators will receive a notification e-mail message
  • The users of all quarantined devices will receive the previously configured notification e-mail message
Recipient: Administrators
Subject: A device that belongs to Maria Miller (mmiller) has been quarantined. Exchange ActiveSync will be blocked until you take action.
Message:

The Exchange ActiveSync service has quarantined the mobile device listed below. It won't be able to synchronize Exchange content until you take action.

To perform an action for this mobile device, go to the following page in the Exchange Administration Center: https://outlook.office365.com/ecp/UsersGroups/EditMobileMailbox.aspx?id=cbc646cc-a767-4057-8360-155de50b978f&dtm=Isolation&Realm=m45dev.onmicrosoft.com&exsvurl=1

Information about the device that triggered this notice:

User: maria.miller@imagoverum.com
Device model: iPhone7C2
Device type: iPhone
Device ID: QGK92S76M54UN3U26R361DQ4BC
Device OS: iOS 12.4.5 16G161
Device user agent: Apple-iPhone7C2/1607.161
Device phone number:
Device IMEI:
Exchange ActiveSync version: 16.1
Device policy applied: imagoverum\Exchange Protection Policy
Device policies status: NotApplied
Device access state: Quarantined
Device access state reason: Global
Device access control rule:

Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com.

Recipient: Users
Subject: Your device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.
Message:

This device is a unknown device and will be blocked until it will be Enrolled in the Mobile Device Management Solution

Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined. You don't need to take any action. Content will automatically be downloaded as soon as access is granted by your administrator.

Information about your device:

Device model: iPhone7C2
Device type: iPhone
Device ID: QGK92S76M54UN3U26R361DQ4BC
Device OS: iOS 12.4.5 16G161
Device user agent: Apple-iPhone7C2/1607.161
Device IMEI:
Exchange ActiveSync version: 16.1
Device access state: Quarantined
Device access state reason: Global

Sent at 2/20/2020 4:00:34 PM to tim.tober@imagoverum.com.
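The pre-existing-fleet warning at the start of this section and the commands listed under Additional commands, combined into one added example that is not part of the Matrix42 article: it audits every ActiveSync partnership against the per-mailbox allowed and blocked device ID lists that Silverback maintains, writes the result to CSV, and only switches the organisation default to Quarantine (the PowerShell counterpart of the Control Panel step above) when no device would be locked out. It assumes an imported Exchange 2010 remote session as established under Service Account Validation; the report path, administrator recipient and user text are placeholders built from the article's sample values.

```powershell
# Added example, not part of the Matrix42 article. Assumes an imported Exchange 2010
# remote session. Report path, recipient and user text are placeholders (assumptions).
param(
    [string]$ReportPath         = 'C:\eas-preflight.csv',
    [string]$AdminMailRecipient = 'tim.tober@imagoverum.com',
    [string]$UserMailInsert     = 'This device is unknown and will be blocked until it is enrolled in the Mobile Device Management Solution',
    [switch]$EnableQuarantine
)

$findings  = @()
$mailboxes = Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.HasActiveSyncDevicePartnership }
foreach ($cas in $mailboxes) {
    $allowed = @($cas.ActiveSyncAllowedDeviceIDs)
    $blocked = @($cas.ActiveSyncBlockedDeviceIDs)
    $devices = Get-ActiveSyncDeviceStatistics -Mailbox ([string]$cas.Identity) -ErrorAction SilentlyContinue
    foreach ($d in $devices) {
        # A device on neither list falls under DefaultAccessLevel, i.e. it will be
        # quarantined as soon as the organisation default is changed below.
        if ($allowed -contains $d.DeviceID)     { $listState = 'Allowed' }
        elseif ($blocked -contains $d.DeviceID) { $listState = 'Blocked' }
        else                                    { $listState = 'NotListed' }
        $findings += New-Object PSObject -Property @{
            Mailbox = [string]$cas.Identity; DeviceID = $d.DeviceID; DeviceType = $d.DeviceType
            Model = $d.DeviceModel; UserAgent = $d.DeviceUserAgent; LastSync = $d.LastSuccessSync
            AccessState = $d.DeviceAccessState; ListState = $listState
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$pending = @($findings | Where-Object { $_.ListState -eq 'NotListed' })
"{0} partnership(s), {1} not on any allow/block list; report written to {2}" -f $findings.Count, $pending.Count, $ReportPath

if ($EnableQuarantine) {
    if ($pending.Count -gt 0) {
        Write-Warning 'Unlisted devices found: enrol them in Silverback first, otherwise they will be quarantined.'
    }
    else {
        # Same change as "Quarantine - Let me decide to block or allow later" in the Control Panel
        Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
            -AdminMailRecipients $AdminMailRecipient -UserMailInsert $UserMailInsert
        "DefaultAccessLevel is now {0}" -f (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
    }
}
```

Run it without -EnableQuarantine first and review the CSV; the NotListed rows are exactly the devices that the Performance Check below expects to end up quarantined until they are enrolled.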

Performance Check

After configuring the Exchange ActiveSync Access Settings with quarantine enabled, test the feature with devices.

Check for managed devices

  • Enroll a device and assign an Exchange ActiveSync profile
  • Follow the configuration on your device as usual
  • Check if you have access to emails, calendar and contacts
  • Your newly enrolled device should now be whitelisted automatically
    • Navigate back to your Microsoft Exchange Control Panel
    • Check that the device is not in quarantined state

Check for restricted devices

  • Use a different unenrolled device
  • On the device, add your Exchange ActiveSync account manually 
    • For iOS and iPadOS devices
      • Open Settings
      • Navigate to Passwords & Accounts
      • Tap Add Account
      • Select Microsoft Exchange
      • Finish your configuration
    • For Android and Samsung devices
      • Open Gmail
      • Tap on your current account
      • Choose Add another account
      • Select Exchange and Office 365
      • Finish your configuration
  • Your unenrolled device should now be quarantined automatically
    • Navigate back to your Microsoft Exchange Control Panel 
    • Check that the device is in quarantined state

Additional Notes 

  • If your device does not get whitelisted, please check your Silverback logs
  • Also review all previously performed steps
  • Check your security rule set
  • Please also note the following
    • Devices may download the folder structure but not see any mails due to their quarantined status
    • Devices may also get blocked
      • In this case the mail content will be completely empty, or the device cannot establish a connection to ActiveSync at all
    • You can grant access to devices manually at any time