ActiveSync Access Control

wperry1
Here to help

ActiveSync Access Control

How does everyone here control ActiveSync access to Exchange to ensure users are on Meraki and not manually entering their ActiveSync server settings? Right now we are controlling access by manually auditing compliant Meraki devices against Exchange ActiveSync devices but it's time consuming and not 100% accurate since there is no attribute that both Meraki and Exchange expose which can be used as a key field.

 

I have worked with a different MDM provider that had a proxy which sat between Exchange and the Internet and only allowed managed devices through but Meraki doesn't seem to have this. 

 

 

 

10 REPLIES 10
PhilipDAth
Kind of a big deal
Kind of a big deal

I'm not clear on the issue.

Are you worried about a user with a non-MDM controlled device setting up their own device with ActiveSync so they can get their email on their personal smart device?

That's exactly the issue. 

 

We quarantine all new devices on Exchange and confirm they are compliant on Meraki before we authorize them, but some users have figured out that they can remove Meraki right after doing this. They then add back the ActiveSync connection manually. The device is already authorized in Exchange so they get their mail without the device being fully managed. Users are allowed more than one device, so I can, through a very manual process, reconcile the number of compliant devices a user has on Meraki against the number of devices they have on Exchange but there is no key field in the data from Meraki that can be used to explicitly identify the same device on both Meraki SM and in Exchange.

 

 

According to the Apple developer docs, there is an attribute, EASDeviceIdentifier, which is the DeviceId for Exchange and should be accessible via MDM. If Meraki SM passed this through via the web interface or API, it could be used to reconcile compliant devices against Exchange. It is documented on the page below.

https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManage...

 

Sorry if I got a bit verbose and I welcome any help on this. I really want to lock things down and reduce the management overhead on this.

 

PhilipDAth
Kind of a big deal
Kind of a big deal

Are the users mostly connecting via WiFi?  If so, configure the WiFi to only allow devices with the Systems Manager installed.  If they don't have it on their mobile device it makes you install it to continue on.

 

https://documentation.meraki.com/MR/Splash_Page/Systems_Manager_Sentry_Enrollment

 

Thank you for the response. Unfortunately, most of our users are in the field on mobile data so restricting WiFi access would not help.
PatrickL
Meraki Alumni (Retired)
Meraki Alumni (Retired)

You could look into setting up client certificate authentication. This would require generating certificates for your device owners, which allows you to only authenticate devices enrolled in SM and assigned to your owner entries in Dashboard. 

This is one solution I have looked into and, while I could automate the process of generating carts for the users, I would need to manually manage assigning the certificates to each owner/device. Is there any (semi)automated way of assigning certificates to users through Meraki?
PhilipDAth
Kind of a big deal
Kind of a big deal

Systems Manager has an option were it will automatically deploy certificates onto managed devices using SCEP - and it takes care of the whole process for you.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...

I actually tried this, unsuccessfully. I signed the Meraki CA cert so internal systems will recognize the SCEP certs as valid. The problem is there is no way, that I'm aware of, to associate the SCEP cert with the user account so Exchange could use it for authentication. 

PatrickL
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Exchange email owner certs can be uploaded individually or in bulk through the Owners page: https://documentation.meraki.com/SM/Other_Topics/Owners#Managing_Owners


@PatrickL wrote:

Exchange email owner certs can be uploaded individually or in bulk through the Owners page: https://documentation.meraki.com/SM/Other_Topics/Owners#Managing_Owners


I hadn't seen that you could do a bulk upload. This may be the answer I am looking for. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels