Exchange: Restrict end users from using third-party ActiveSync-enabled applications

Nowadays there are many ActiveSync-enabled applications that end users can download, install on their mobile devices and use to access email.

This article looks at some troubleshooting guidelines for blocking users who try to access email from their mobile device through a third-party ActiveSync-enabled application.


How to find the ActiveSync connections coming from different mobile applications?

You can filter and view the ActiveSync requests in the reverse proxy or firewall. There should be a reverse proxy in front of Exchange for authentication purposes.

This is the easiest way to find them.

To find the users who are accessing email through any app via ActiveSync, perform the following:

  1. Filter the ActiveSync requests in your firewall or reverse proxy accordingly and run the query.
  2. Most firewalls and reverse proxies will show you the source, destination and the request once the filter is applied.

You need to concentrate on the request alone.

Below is an example of a normal ActiveSync request:

POST http://domain.com/Microsoft-Server-ActiveSync?User=userID&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cm 

If the user's device is connected through an application, e.g. CloudMagic, you can see the word "CloudMagic" in the request URL. This is how you identify the users; it should be easy.

POST http://domain.com/Microsoft-Server-ActiveSync?User=userID&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cm=CloudMagic 

You can also use the QueryString parameter of the Exchange device access rule cmdlets to filter the device access rules. This helps you identify what types of devices are connecting. Use the command below to see the types of connections coming through ActiveSync:

Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

**Note:**

You will only get output from the command above if a device access rule has already been created.

In the QueryString parameter you can see the type of software that is being used to connect via ActiveSync.

There is one more method to identify the type of devices that connect through ActiveSync: the IIS logs.

Below is an example of how the log entry appears for the Android device type.

POST http://domain.com/Microsoft-Server-ActiveSync?default.eascmd=sync&deviceID=5a5d4d5fg8755gf5gh5g&DeviceType=Android
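The IIS log approach above can be scripted so you do not have to read the entries by hand. The following is an added example, not code from the original article: it parses IIS W3C log lines for the Microsoft-Server-ActiveSync virtual directory, summarises which users and device types connect, and flags requests whose query string or User-Agent carries a known third-party marker such as CloudMagic. The log lines are constructed sample data, and the column layout is read from the #Fields header so the parser adapts to whatever fields your IIS site logs.

```powershell
# Added example, not code from the original article. Parses IIS W3C log lines for the
# Microsoft-Server-ActiveSync virtual directory and summarises who connects with what.
# The log lines below are constructed sample data; the field order is taken from the
# #Fields header line, so it matches whatever your IIS site is configured to log.

$sampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2024-01-10 08:00:01 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cmd=Sync alice 10.0.0.5 Apple-iPhone12C1/1905.258 200
2024-01-10 08:00:07 POST /Microsoft-Server-ActiveSync User=bob&deviceID=5a5d4d5fg8755gf5gh5g&DeviceType=Android&Cmd=Sync bob 10.0.0.9 Android/11-EAS-2.0 200
2024-01-10 08:00:12 POST /Microsoft-Server-ActiveSync User=carol&DeviceId=7fe2a91c3b&DeviceType=iPhone&Cmd=Sync&Cm=CloudMagic carol 203.0.113.8 CloudMagic/1.0 200
2024-01-10 08:00:15 GET /owa/ - dave 10.0.0.3 Mozilla/5.0 200
'@

# Markers that identify third-party clients. CloudMagic is the one named in the article;
# extend the list with whatever your own logs show.
$thirdPartyMarkers = @('CloudMagic')

function Get-EasClientSummary {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$Markers = @()
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Column names come from the header, so the parser is not tied to one layout
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }

        # IIS replaces spaces inside field values with '+', so whitespace is a safe delimiter
        $values = $line -split '\s+'
        if (-not $fields -or $values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Only ActiveSync traffic is relevant here
        if ($row['cs-uri-stem'] -notlike '*/Microsoft-Server-ActiveSync*') { continue }

        # The query string carries the device identity; hashtable keys are case-insensitive,
        # so DeviceId and deviceID both land in the same slot.
        $query = @{}
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) { $query[$kv[0]] = $kv[1] }
        }

        # A third-party app may announce itself in the query string or in the User-Agent
        $haystack = "$($row['cs-uri-query']) $($row['cs(User-Agent)'])"
        $matched = @($Markers | Where-Object { $haystack -match [regex]::Escape($_) })

        [pscustomobject]@{
            User       = $row['cs-username']
            DeviceType = $query['DeviceType']
            DeviceId   = $query['DeviceId']
            UserAgent  = $row['cs(User-Agent)']
            Status     = $row['sc-status']
            ThirdParty = ($matched -join ',')
        }
    }
}

$summary = Get-EasClientSummary -LogLines ($sampleLog -split "`r?`n") -Markers $thirdPartyMarkers

# Breakdown by device type, the same view the device access rule QueryString gives you
$summary | Group-Object DeviceType | Select-Object Name, Count

# Users who reached ActiveSync through a flagged client: candidates for a device access rule
$summary | Where-Object { $_.ThirdParty } | Select-Object User, DeviceType, ThirdParty, Status
```

To run this against a real server, replace $sampleLog with Get-Content on the W3C log file (the #Fields header is already the first non-comment line in every IIS log). The Status column is also useful after the blocking steps later in this article: once a rule is in place, the flagged requests should stop returning 200.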

Now, how do we block all these types of connections and allow only the native client?

A few points that will definitely help in addressing these kinds of issues:

1. New device access rule

Create a new device access rule to block the applications through which end users should not connect.

In my example I have created a new device access rule to stop the connections coming from the CloudMagic application.

New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceType -QueryString "CloudMagic"
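The one-liner above creates the rule, but it fails on a second run if an equivalent rule already exists, and on its own it does not tell you whether any device has actually been blocked. The following is an added example, not code from the original article, for the Exchange Management Shell: it creates the blocking rule only when no matching rule is present, then lists the devices whose access state that rule has set to Blocked. It assumes the Exchange 2013+ Get-MobileDevice cmdlet (use Get-ActiveSyncDevice on Exchange 2010) and that the DeviceAccessControlRule property on a device resolves to the rule's name.

```powershell
# Added example, not code from the original article. Runs in the Exchange Management Shell.
# Assumptions: Get-MobileDevice (Exchange 2013+; Get-ActiveSyncDevice on 2010) and that a
# device's DeviceAccessControlRule property renders as the name of the rule that blocked it.

function Set-EasBlockRule {
    param(
        [Parameter(Mandatory)][string]$QueryString,
        [string]$Characteristic = 'DeviceType'   # same Characteristic as the article's rule
    )
    # Re-running the article's one-liner errors out on a duplicate, so check first
    $existing = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq $Characteristic -and $_.QueryString -eq $QueryString } |
        Select-Object -First 1
    if ($existing) {
        Write-Verbose "Rule '$($existing.Name)' already exists with AccessLevel $($existing.AccessLevel)" -Verbose
        return $existing
    }
    New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic $Characteristic -QueryString $QueryString
}

function Get-DevicesBlockedByRule {
    param([Parameter(Mandatory)]$Rule)
    # A device is only re-evaluated against the rules on its next sync attempt, so run this
    # after the clients have had time to reconnect. ResultSize Unlimited avoids the default cap.
    Get-MobileDevice -ResultSize Unlimited |
        Where-Object {
            $_.DeviceAccessState -eq 'Blocked' -and
            "$($_.DeviceAccessControlRule)" -like "*$($Rule.Name)*"
        } |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, DeviceAccessState, DeviceAccessStateReason
}

$rule = Set-EasBlockRule -QueryString 'CloudMagic'
Get-DevicesBlockedByRule -Rule $rule | Format-Table -AutoSize
```

If the second command returns nothing shortly after creating the rule, that is expected: the device state changes only when the client next tries to sync, which is also why the reverse proxy or IIS log check described later in this article is the quicker way to confirm the block took effect.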

2. Web.config file

Add a deny string in the web.config file to stop connections from specific applications.

Edit the web.config file on the mailbox server and add the string below to block users accessing email through the application, in my case CloudMagic.

<!-- denyStrings lives inside <system.webServer>/<security>/<requestFiltering>/<filteringRules>/<filteringRule> -->
<denyStrings>
    <add string="CloudMagic" />
</denyStrings>

Do an iisreset after this.

Note: Make sure you take a backup of the web.config file before making this change.

3. Firewall rule

Additionally, create a rule in the firewall or reverse proxy stating that any ActiveSync request whose URL contains "CloudMagic" is dropped and not forwarded.

After performing the above, log in to your reverse proxy, apply the filter and check whether requests with CloudMagic in the query string are now being blocked (they definitely should be).