cancel
Showing results for 
Search instead for 
Did you mean: 

ActiveSync Access Control

Here to help

ActiveSync Access Control

How does everyone here control ActiveSync access to Exchange to ensure users are on Meraki and not manually entering their ActiveSync server settings? Right now we are controlling access by manually auditing compliant Meraki devices against Exchange ActiveSync devices but it's time consuming and not 100% accurate since there is no attribute that both Meraki and Exchange expose which can be used as a key field.

 

I have worked with a different MDM provider that had a proxy which sat between Exchange and the Internet and only allowed managed devices through but Meraki doesn't seem to have this. 

 

 

 

10 REPLIES 10
Kind of a big deal

Re: ActiveSync Access Control

I'm not clear on the issue.

Are you worried about a user with a non-MDM controlled device setting up their own device with ActiveSync so they can get their email on their personal smart device?
Here to help

Re: ActiveSync Access Control

That's exactly the issue. 

 

We quarantine all new devices on Exchange and confirm they are compliant on Meraki before we authorize them, but some users have figured out that they can remove Meraki right after doing this. They then add back the ActiveSync connection manually. The device is already authorized in Exchange so they get their mail without the device being fully managed. Users are allowed more than one device, so I can, through a very manual process, reconcile the number of compliant devices a user has on Meraki against the number of devices they have on Exchange but there is no key field in the data from Meraki that can be used to explicitly identify the same device on both Meraki SM and in Exchange.

 

 

According to the Apple developer docs, there is an attribute, EASDeviceIdentifier, which is the DeviceId for Exchange and should be accessible via MDM. If Meraki SM passed this through via the web interface or API, it could be used to reconcile compliant devices against Exchange. It is documented on the page below.

https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManage...

 

Sorry if I got a bit verbose and I welcome any help on this. I really want to lock things down and reduce the management overhead on this.

 

Kind of a big deal

Re: ActiveSync Access Control

Are the users mostly connecting via WiFi?  If so, configure the WiFi to only allow devices with the Systems Manager installed.  If they don't have it on their mobile device it makes you install it to continue on.

 

https://documentation.meraki.com/MR/Splash_Page/Systems_Manager_Sentry_Enrollment

 

Meraki Employee

Re: ActiveSync Access Control

You could look into setting up client certificate authentication. This would require generating certificates for your device owners, which allows you to only authenticate devices enrolled in SM and assigned to your owner entries in Dashboard. 

Here to help

Re: ActiveSync Access Control

Thank you for the response. Unfortunately, most of our users are in the field on mobile data so restricting WiFi access would not help.
Highlighted
Here to help

Re: ActiveSync Access Control

This is one solution I have looked into and, while I could automate the process of generating carts for the users, I would need to manually manage assigning the certificates to each owner/device. Is there any (semi)automated way of assigning certificates to users through Meraki?
Kind of a big deal

Re: ActiveSync Access Control

Systems Manager has an option were it will automatically deploy certificates onto managed devices using SCEP - and it takes care of the whole process for you.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...

Here to help

Re: ActiveSync Access Control

I actually tried this, unsuccessfully. I signed the Meraki CA cert so internal systems will recognize the SCEP certs as valid. The problem is there is no way, that I'm aware of, to associate the SCEP cert with the user account so Exchange could use it for authentication. 

Meraki Employee

Re: ActiveSync Access Control

Exchange email owner certs can be uploaded individually or in bulk through the Owners page: https://documentation.meraki.com/SM/Other_Topics/Owners#Managing_Owners

Here to help

Re: ActiveSync Access Control


@PatrickL wrote:

Exchange email owner certs can be uploaded individually or in bulk through the Owners page: https://documentation.meraki.com/SM/Other_Topics/Owners#Managing_Owners


I hadn't seen that you could do a bulk upload. This may be the answer I am looking for. 

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels