How does everyone here control ActiveSync access to Exchange to ensure users are on Meraki and not manually entering their ActiveSync server settings? Right now we are controlling access by manually auditing compliant Meraki devices against Exchange ActiveSync devices but it's time consuming and not 100% accurate since there is no attribute that both Meraki and Exchange expose which can be used as a key field.
I have worked with a different MDM provider that had a proxy which sat between Exchange and the Internet and only allowed managed devices through but Meraki doesn't seem to have this.
That's exactly the issue.
We quarantine all new devices on Exchange and confirm they are compliant on Meraki before we authorize them, but some users have figured out that they can remove Meraki right after doing this. They then add back the ActiveSync connection manually. The device is already authorized in Exchange so they get their mail without the device being fully managed. Users are allowed more than one device, so I can, through a very manual process, reconcile the number of compliant devices a user has on Meraki against the number of devices they have on Exchange but there is no key field in the data from Meraki that can be used to explicitly identify the same device on both Meraki SM and in Exchange.
According to the Apple developer docs, there is an attribute, EASDeviceIdentifier, which is the DeviceId for Exchange and should be accessible via MDM. If Meraki SM passed this through via the web interface or API, it could be used to reconcile compliant devices against Exchange. It is documented on the page below.
Sorry if I got a bit verbose and I welcome any help on this. I really want to lock things down and reduce the management overhead on this.
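One way to script the reconciliation described above, as an added example that is not part of this thread or of Meraki's tooling. It assumes a hypothetical Meraki SM export field `easDeviceId` (which, as noted, SM does not expose today) and falls back to the per-user device-count comparison where that key is missing; all device data is constructed.

```python
from collections import defaultdict

# Constructed sample rows, shaped like Get-MobileDevice output (user, DeviceId, access state)
EXCHANGE_DEVICES = [
    {"user": "alice", "DeviceId": "ABC123", "DeviceAccessState": "Allowed"},
    {"user": "alice", "DeviceId": "DEF456", "DeviceAccessState": "Allowed"},
    {"user": "bob",   "DeviceId": "GHI789", "DeviceAccessState": "Allowed"},
    {"user": "carol", "DeviceId": "JKL012", "DeviceAccessState": "Quarantined"},
    {"user": "dave",  "DeviceId": "MNO345", "DeviceAccessState": "Allowed"},
    {"user": "dave",  "DeviceId": "PQR678", "DeviceAccessState": "Allowed"},
]

# Constructed compliant-device export from Meraki SM; "easDeviceId" is a hypothetical field
MERAKI_COMPLIANT = [
    {"owner": "alice", "easDeviceId": "ABC123"},
    {"owner": "bob",   "easDeviceId": None},   # key not exposed: count fallback applies
]

def reconcile(exchange, meraki):
    """Per user: exact DeviceId match where every SM record carries the key,
    otherwise compare allowed-device count against compliant-device count."""
    allowed = defaultdict(list)
    for d in exchange:
        if d["DeviceAccessState"] == "Allowed":   # only partnerships that currently get mail
            allowed[d["user"]].append(d["DeviceId"])
    compliant = defaultdict(list)
    for r in meraki:
        compliant[r["owner"]].append(r.get("easDeviceId"))
    findings = {}
    for user, ids in allowed.items():
        sm_ids = compliant.get(user, [])
        if sm_ids and all(sm_ids):                # key available: name the unmanaged device
            unmanaged = [i for i in ids if i not in set(sm_ids)]
            if unmanaged:
                findings[user] = {"method": "key", "unmanaged": unmanaged}
        else:                                     # no key: only a surplus can be detected
            excess = len(ids) - len(sm_ids)
            if excess > 0:
                findings[user] = {"method": "count", "excess": excess}
    return findings

def block_commands(findings):
    """Set-CASMailbox lines for key-matched findings; count-only findings need manual review."""
    return [f'Set-CASMailbox -Identity {u} -ActiveSyncBlockedDeviceIDs {",".join(f["unmanaged"])}'
            for u, f in findings.items() if f["method"] == "key"]

if __name__ == "__main__":
    found = reconcile(EXCHANGE_DEVICES, MERAKI_COMPLIANT)
    print(found)
    print("\n".join(block_commands(found)))
```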
Are the users mostly connecting via WiFi? If so, configure the WiFi to only allow devices with the Systems Manager installed. If they don't have it on their mobile device it makes you install it to continue on.
https://documentation.meraki.com/MR/Splash_Page/Systems_Manager_Sentry_Enrollment
You could look into setting up client certificate authentication. This would require generating certificates for your device owners, which allows you to only authenticate devices enrolled in SM and assigned to your owner entries in Dashboard.
Systems Manager has an option where it will automatically deploy certificates onto managed devices using SCEP - and it takes care of the whole process for you.
I actually tried this, unsuccessfully. I signed the Meraki CA cert so internal systems will recognize the SCEP certs as valid. The problem is there is no way, that I'm aware of, to associate the SCEP cert with the user account so Exchange could use it for authentication.
Exchange email owner certs can be uploaded individually or in bulk through the Owners page: https://documentation.meraki.com/SM/Other_Topics/Owners#Managing_Owners
@PatrickL wrote: Exchange email owner certs can be uploaded individually or in bulk through the Owners page: https://documentation.meraki.com/SM/Other_Topics/Owners#Managing_Owners
I hadn't seen that you could do a bulk upload. This may be the answer I am looking for.