Meraki

Community

ActiveSync Access Control

wperry1
Here to help
‎Sep 26 2017 9:55 AM
‎Sep 26 2017 9:55 AM

ActiveSync Access Control

How does everyone here control ActiveSync access to Exchange to ensure users are on Meraki and not manually entering their ActiveSync server settings? Right now we are controlling access by manually auditing compliant Meraki devices against Exchange ActiveSync devices but it's time consuming and not 100% accurate since there is no attribute that both Meraki and Exchange expose which can be used as a key field.

 

I have worked with a different MDM provider that had a proxy which sat between Exchange and the Internet and only allowed managed devices through but Meraki doesn't seem to have this. 

 

 

 

0 Kudos
10 Replies 10
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 26 2017 12:33 PM
‎Sep 26 2017 12:33 PM

I'm not clear on the issue.

Are you worried about a user with a non-MDM controlled device setting up their own device with ActiveSync so they can get their email on their personal smart device?
In response to PhilipDAth
wperry1
Here to help
‎Oct 5 2017 3:25 PM
‎Oct 5 2017 3:25 PM

That's exactly the issue. 

 

We quarantine all new devices on Exchange and confirm they are compliant on Meraki before we authorize them, but some users have figured out that they can remove Meraki right after doing this. They then add back the ActiveSync connection manually. The device is already authorized in Exchange so they get their mail without the device being fully managed. Users are allowed more than one device, so I can, through a very manual process, reconcile the number of compliant devices a user has on Meraki against the number of devices they have on Exchange but there is no key field in the data from Meraki that can be used to explicitly identify the same device on both Meraki SM and in Exchange.

 

 

According to the Apple developer docs, there is an attribute, EASDeviceIdentifier, which is the DeviceId for Exchange and should be accessible via MDM. If Meraki SM passed this through via the web interface or API, it could be used to reconcile compliant devices against Exchange. It is documented on the page below.

https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManage...

 

Sorry if I got a bit verbose and I welcome any help on this. I really want to lock things down and reduce the management overhead on this.

 

0 Kudos
In response to wperry1
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 5 2017 3:37 PM
‎Oct 5 2017 3:37 PM

Are the users mostly connecting via WiFi?  If so, configure the WiFi to only allow devices with the Systems Manager installed.  If they don't have it on their mobile device it makes you install it to continue on.

 

https://documentation.meraki.com/MR/Splash_Page/Systems_Manager_Sentry_Enrollment

 

In response to PhilipDAth
wperry1
Here to help
‎Oct 9 2017 11:57 AM
‎Oct 9 2017 11:57 AM

Thank you for the response. Unfortunately, most of our users are in the field on mobile data so restricting WiFi access would not help.
0 Kudos
In response to wperry1
PatrickL
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Oct 6 2017 10:56 AM
‎Oct 6 2017 10:56 AM

You could look into setting up client certificate authentication. This would require generating certificates for your device owners, which allows you to only authenticate devices enrolled in SM and assigned to your owner entries in Dashboard. 

In response to PatrickL
wperry1
Here to help
‎Oct 9 2017 12:00 PM
‎Oct 9 2017 12:00 PM

This is one solution I have looked into and, while I could automate the process of generating carts for the users, I would need to manually manage assigning the certificates to each owner/device. Is there any (semi)automated way of assigning certificates to users through Meraki?
0 Kudos
In response to wperry1
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 9 2017 1:39 PM
‎Oct 9 2017 1:39 PM

Systems Manager has an option were it will automatically deploy certificates onto managed devices using SCEP - and it takes care of the whole process for you.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...

In response to PhilipDAth
wperry1
Here to help
‎Oct 10 2017 8:28 AM
‎Oct 10 2017 8:28 AM

I actually tried this, unsuccessfully. I signed the Meraki CA cert so internal systems will recognize the SCEP certs as valid. The problem is there is no way, that I'm aware of, to associate the SCEP cert with the user account so Exchange could use it for authentication. 

0 Kudos
In response to wperry1
PatrickL
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Oct 10 2017 10:26 AM
‎Oct 10 2017 10:26 AM

Exchange email owner certs can be uploaded individually or in bulk through the Owners page: https://documentation.meraki.com/SM/Other_Topics/Owners#Managing_Owners

In response to PatrickL
wperry1
Here to help
‎Oct 10 2017 1:56 PM
‎Oct 10 2017 1:56 PM

@PatrickL wrote:

Exchange email owner certs can be uploaded individually or in bulk through the Owners page: https://documentation.meraki.com/SM/Other_Topics/Owners#Managing_Owners

I hadn't seen that you could do a bulk upload. This may be the answer I am looking for. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.