- EWS access can be controlled at the organization level or at the per-user level.
- During testing, it is recommended to apply the setting at the per-user level first until you confirm everything is working, and then apply it at the organization level.
- User-level access can be controlled using the Set-CASMailbox command.
Example: Set-CASMailbox "Asif Gohar" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}
- The Block/Allow lists work on the basis of the User Agent strings generated by the EWS client. So, if you are looking for a list of strings to block, you can take a look at your IIS logs.
A Log Parser command such as the following can be used:
logparser.exe "SELECT date,time,c-ip,cs-username,cs-uri-stem,cs(User-Agent) INTO C:\Temp\EWSLog FROM \\EXCHSERVER01\c$\inetpub\logs\logfiles\W3SVC1\u_ex1207*.log WHERE cs-uri-stem LIKE '/EWS/Exchange.asmx' AND cs-username IS NOT NULL" -i:IISW3C -o:TSV -headers:Auto -filemode:1
Explanation of the Log Parser command:
WHERE cs-uri-stem LIKE '/EWS/Exchange.asmx' – ensures we are dealing with the EWS access parts of the IIS logs
AND cs-username IS NOT NULL – ensures we get user IDs back
-o:TSV – outputs to a tab-delimited file
-filemode:1 – overwrites the output file if it exists
If subsequent data from other Exchange servers needs to be appended to the output file, set filemode to 0.
You can then load the resulting TSV into
Excel, and create a pivot table showing the User Agents that are accessing EWS.
- The link below contains more information about how to use this command to allow or block apps
- You can also check the link below, which should provide some help, with no guarantee from our side as it is a non-Microsoft website
- To manage these settings at the organization level, you can use the commands below.
- To check the default configuration before you start applying changes:
[PS] C:\windows\system32>Get-OrganizationConfig | fl *EWS*
- The example below blocks Outlook for iOS and Outlook for Android, and shows how to verify that the settings have been applied:
[PS] C:\windows\system32>Set-OrganizationConfig -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}
[PS] C:\windows\system32>Get-OrganizationConfig | fl *EWS*
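As an alternative to the Excel pivot table, the PowerShell below (an added example, not part of the original post) groups the Log Parser TSV by User-Agent and marks which agents the EwsBlockList patterns from this page would match, so the effect can be reviewed before Set-CASMailbox or Set-OrganizationConfig is run. The sample rows are constructed, the function name Get-EwsAgentSummary is hypothetical, and it is assumed that the TSV header row carries the selected field names and that local -like matching approximates Exchange's own comparison.

```powershell
# Constructed sample rows in the shape of the Log Parser TSV output
# (assumption: header row = the selected field names). For real data use:
#   $lines = Get-Content C:\Temp\EWSLog
$lines = @(
    "date`ttime`tc-ip`tcs-username`tcs-uri-stem`tcs(User-Agent)"
    "2012-07-02`t08:01:11`t10.0.0.21`tCONTOSO\asif`t/EWS/Exchange.asmx`tOutlook-iOS/2.0"
    "2012-07-02`t08:01:40`t10.0.0.21`tCONTOSO\asif`t/EWS/Exchange.asmx`tOutlook-iOS/2.0"
    "2012-07-02`t08:03:05`t10.0.0.37`tCONTOSO\maria`t/EWS/Exchange.asmx`tOutlook-Android/2.0"
    "2012-07-02`t08:04:52`t10.0.0.45`tCONTOSO\lee`t/EWS/Exchange.asmx`tMacOutlook/15.0+(Intel+Mac+OS+X)"
    "2012-07-02`t08:06:13`t10.0.0.8`tCONTOSO\svc-crm`t/EWS/Exchange.asmx`tExchangeServicesClient/15.00.0913.015"
)

# Patterns taken from the page's -EwsBlockList example.
$blockPatterns = 'Outlook-iOS/*', 'Outlook-Android/*'

function Get-EwsAgentSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string[]] $BlockPatterns
    )
    $Records |
        Group-Object -Property { $_.'cs(User-Agent)' } |
        ForEach-Object {
            $group = $_
            $agent = $group.Name
            # Assumption: -like wildcard matching approximates how Exchange
            # compares each pattern with the client's User-Agent string.
            $hit   = $BlockPatterns | Where-Object { $agent -like $_ } | Select-Object -First 1
            $users = $group.Group | ForEach-Object { $_.'cs-username' } | Sort-Object -Unique
            [pscustomobject]@{
                UserAgent  = $agent
                Requests   = $group.Count
                Users      = $users -join ', '
                MatchedBy  = $hit
                WouldBlock = [bool]$hit
            }
        } |
        Sort-Object -Property WouldBlock, Requests -Descending
}

$records = $lines | ConvertFrom-Csv -Delimiter "`t"
Get-EwsAgentSummary -Records $records -BlockPatterns $blockPatterns | Format-Table -AutoSize
```

The block list is only enforced when EwsApplicationAccessPolicy is set to EnforceBlockList; the Get-OrganizationConfig | fl *EWS* output shows the current value.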