Thursday, March 29, 2018

Disable Exchange EWS for Mobile Applications (Enable Secure ActiveSync)



  1. EWS access can be controlled at the organization level or per user.
  2. During testing, it is recommended to apply the setting per user first, until you confirm everything works, and then apply it at the organization level.
  3. Per-user access is controlled with the Set-CASMailbox command.

Example: Set-CASMailbox "Asif Gohar" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}

  4. The Block/Allow lists work on the basis of the User-Agent strings sent by the EWS client. To get a list of strings to block, look at your IIS logs.

A Log Parser command such as the following can be used:
logparser.exe "SELECT date,time,c-ip,cs-username,cs-uri-stem,cs(User-Agent) INTO C:\Temp\EWSLog FROM \\EXCHSERVER01\c$\inetpub\logs\logfiles\W3SVC1\u_ex1207*.log WHERE cs-uri-stem LIKE '/EWS/Exchange.asmx' AND cs-username IS NOT NULL" -i:IISW3C -o:TSV -headers:Auto -filemode:1

Explanation of the LogParser command:
WHERE cs-uri-stem LIKE '/EWS/Exchange.asmx' - ensures we are dealing with the EWS access parts of the IIS logs
AND cs-username IS NOT NULL - ensures we get user IDs back
-o:TSV - outputs to a tab-delimited file
-filemode:1 - overwrites the output file if it exists
If subsequent data from other Exchange servers needs to be appended to the output file, set filemode to 0.
You can then load the resulting TSV into Excel and create a pivot table showing the User-Agents that are accessing EWS.
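
The same pivot can be built in PowerShell, together with a preview of which observed User-Agents the block-list entries would catch before they are applied. This is an added example, not code from the original post; the function name Get-EwsAgentSummary, the sample rows and the use of -like to approximate how Exchange matches the entries are assumptions.

```powershell
# Constructed sample rows in the column layout the Log Parser query above
# writes; '|' stands in for the tab so the rows stay readable.
# IIS W3C logs record spaces inside a User-Agent as '+'.
$sampleTsv = @(
    'date|time|c-ip|cs-username|cs-uri-stem|cs(User-Agent)'
    '2018-03-29|08:01:12|10.0.0.21|CONTOSO\asif|/EWS/Exchange.asmx|Outlook-iOS/2.0'
    '2018-03-29|08:01:40|10.0.0.21|CONTOSO\asif|/EWS/Exchange.asmx|Outlook-iOS/2.0'
    '2018-03-29|08:03:05|10.0.0.34|CONTOSO\sara|/EWS/Exchange.asmx|Outlook-Android/2.0'
    '2018-03-29|08:04:17|10.0.0.52|CONTOSO\omar|/EWS/Exchange.asmx|Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0)'
    '2018-03-29|08:05:59|10.0.0.34|CONTOSO\sara|/EWS/Exchange.asmx|MacOutlook/16.0+(Intel+Mac+OS+X)'
) -replace '\|', "`t"

function Get-EwsAgentSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        # Candidate EwsBlockList entries to preview (the ones used on this page).
        [string[]] $BlockPattern = @('Outlook-iOS/*', 'Outlook-Android/*')
    )
    $Rows |
        Group-Object -Property { $_.'cs(User-Agent)' } |
        ForEach-Object {
            $agent = $_.Name -replace '\+', ' '   # undo the IIS space encoding
            [pscustomobject]@{
                UserAgent  = $agent
                Requests   = $_.Count
                Users      = ($_.Group.'cs-username' | Sort-Object -Unique) -join ', '
                # Assumption: -like wildcards approximate how Exchange matches entries.
                WouldBlock = [bool]($BlockPattern | Where-Object { $agent -like $_ })
            }
        } |
        Sort-Object -Property Requests -Descending
}

# Real data: $rows = Import-Csv -Path C:\Temp\EWSLog -Delimiter "`t"
$rows = $sampleTsv | ConvertFrom-Csv -Delimiter "`t"
Get-EwsAgentSummary -Rows $rows | Format-Table -AutoSize
```

Rows with WouldBlock set to False are the clients that keep EWS access, so review them for desktop or service agents that an overly broad pattern might otherwise catch. EwsBlockList entries take effect only while EwsApplicationAccessPolicy is set to EnforceBlockList on the mailbox or organization.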

  5. The link below contains more information about how to use this command to allow or block apps.

  6. You can also check the link below, which should provide some help; we offer no guarantee, as it is a non-Microsoft website.

  7. To manage these settings at the organization level, use the commands below.
-        To check the default configuration before you apply changes:

[PS] C:\windows\system32>Get-OrganizationConfig | fl *EWS*



-        The example below blocks Outlook for iOS and Outlook for Android, and shows how to verify that the settings have been applied:

[PS] C:\windows\system32>Set-OrganizationConfig -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}
[PS] C:\windows\system32>Get-OrganizationConfig | fl *EWS*

