BlackBerry Forums Support Community               

Old 02-26-2009, 09:18 AM   #1 (permalink)
Thumbs Must Hurt
 
Join Date: Feb 2006
Model: 8330
Carrier: Verizon
Posts: 142
Post Thanks: 0
Thanked 0 Times in 0 Posts
iPhone requests... And more...


Hi guys. While I realize this is the BlackBerry forums, I figured some of you BES admins must be running into the same thing I am: users are setting up their iPhones to connect to Exchange, and receive email.

In my company, this is a big, big problem. I work at one of the Am Law top 100 law firms (we pop in and out of that chart, anyway), and as such all of our data is sensitive. Passwords are mandatory on BB's, and we're pushing through an encryption policy in the near future.

I'm a BES admin. I don't know anything about iPhones. I know that it's a potential issue that users are just synching them up with Exchange, and we don't even know they're doing it. They aren't password protecting their devices, and if they're lost, it's a breach of sensitive and confidential information.

My question is 2 fold:

1. Is there a way to block iPhones from connecting to Exchange?
2. If not, is there a way to force security on iPhones like we can with BlackBerrys (such as mandatory passwords, and encryption)?

Thanks everyone
kx
__________________
8330 4.5.0.77 OS - PIN: 303297df
BES Admin:
5x4.1.6 Exchange - 700 Users
"Sink or Swim" Educated
Old 02-26-2009, 10:14 AM   #2 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Z30
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,679
Post Thanks: 270
Thanked 281 Times in 266 Posts

Are you using SSL for OMA and OWA remotely?
No cert No email

There is a way to enforce a password with iPhones by creating a custom install script. You should look at the iPhone website for it.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Z30, Z10 and Q10

Last edited by knottyrope : 02-26-2009 at 10:15 AM.
Old 02-26-2009, 10:26 AM   #3 (permalink)
Thumbs Must Hurt
 
Join Date: Feb 2006
Model: 8330
Carrier: Verizon
Posts: 142
Post Thanks: 0
Thanked 0 Times in 0 Posts

Yes on both. OMA/ActiveSync uses the same cert as OWA by default.

Is that bad? (I'm not an exchange guy - I don't know what this means - this reply was from our Exchange admin)
__________________
8330 4.5.0.77 OS - PIN: 303297df
BES Admin:
5x4.1.6 Exchange - 700 Users
"Sink or Swim" Educated
Old 02-26-2009, 10:41 AM   #4 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Z30
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,679
Post Thanks: 270
Thanked 281 Times in 266 Posts

Guess the cert was lying around and users found out how to put them in.
OR it is not setup correctly. Here I only give out the certs and delete after adding them.


If you dont want OMA to work then disable it at exchange level.

But for OWA might be more difficult on some devices.

But still some BBs can access OWA with just a BIS plan. To stop this you need to filter out RIM IPs on the firewall.

Other thought is to not enable OWA or OMA and have users VPN in for outlook to work.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Z30, Z10 and Q10

Last edited by knottyrope : 02-26-2009 at 10:48 AM.
Old 02-26-2009, 10:56 AM   #5 (permalink)
Thumbs Must Hurt
 
Join Date: Feb 2006
Model: 8330
Carrier: Verizon
Posts: 142
Post Thanks: 0
Thanked 0 Times in 0 Posts

We already use OWA and have many users who rely on it.

Is there a way to keep OWA while blocking ActiveSync / iPhones?
__________________
8330 4.5.0.77 OS - PIN: 303297df
BES Admin:
5x4.1.6 Exchange - 700 Users
"Sink or Swim" Educated
Old 02-26-2009, 11:07 AM   #6 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Z30
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,679
Post Thanks: 270
Thanked 281 Times in 266 Posts

You can disable OMA in exchange tasks but that will not block all phones from using OWA unless you know your carriers IP's and block them that way.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Z30, Z10 and Q10
Old 02-26-2009, 11:10 AM   #7 (permalink)
Thumbs Must Hurt
 
Join Date: Feb 2006
Model: 8330
Carrier: Verizon
Posts: 142
Post Thanks: 0
Thanked 0 Times in 0 Posts

Thank you knotty. I'm specifically concerned with iPhones right now, as they're so pop.
__________________
8330 4.5.0.77 OS - PIN: 303297df
BES Admin:
5x4.1.6 Exchange - 700 Users
"Sink or Swim" Educated
Old 02-26-2009, 11:40 AM   #8 (permalink)
Feeling Blue, Bigly ;->
 
stuwhite's Avatar
 
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Post Thanks: 0
Thanked 0 Times in 0 Posts

It's worth mentioning that the standard way for iPhones to do an Exchange sync is not OWA or OMA, it is EAS (Exchange ActiveSync aka Windows Mobile) and you are hopefully using that method, looks like it from the previous posts. It uses the same infrastructure but is not browser based.

You can leave OWA and OMA active for anyone you like (if they are using a browser to get email on the phone it's not usually an issue as they could do this at an internet cafe anyway) and just disable EAS through ADUC. This is what we do so our users can all use OWA/OMA but only a select group get EAS access (using WM and iPhones). In a user's props disable User Initiated Sync and Up-to-date Notifications and they cannot use the EAS system for email.

As for passwords etc you can force a password to a Windows Mobile device (iPhones included) but the user can choose to decline it. If they do they can no longer sync (which is cool) but they may still have company data on the device. The password is global so every EAS user will get it, that can be tricky if you have a lot of existing users and they are execs :->.

You can also send a wipe to an EAS device and the key difference with the EAS wipe from the BB wipe is that it stays active in the ether till you stop it, which can be nice .
__________________
I was a BES and Exchange admin once.
Then my world turned Blue.
Old 02-26-2009, 11:42 AM   #9 (permalink)
Feeling Blue, Bigly ;->
 
stuwhite's Avatar
 
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Post Thanks: 0
Thanked 0 Times in 0 Posts

BTW I should point out that we are still talking about blocking a user's EAS access, not a phone's. I know you said you are only concerned with iPhones but I am assuming that you won't have a user using both an iPhone and another WM phone and then needing EAS access on the WM device but not on the iPhone :->.

I hope that made sense, it is well past beer o'clock here now (sorry knotty!).
__________________
I was a BES and Exchange admin once.
Then my world turned Blue.
Old 02-26-2009, 11:45 AM   #10 (permalink)
Thumbs Must Hurt
 
Join Date: Feb 2006
Model: 8330
Carrier: Verizon
Posts: 142
Post Thanks: 0
Thanked 0 Times in 0 Posts

Thank you stu! That's very helpful. Yes, I believe these users are using ActiveSync - not OMA!

Does EAS get disabled globally, or can it be disabled by the user?
__________________
8330 4.5.0.77 OS - PIN: 303297df
BES Admin:
5x4.1.6 Exchange - 700 Users
"Sink or Swim" Educated
Old 02-26-2009, 12:00 PM   #11 (permalink)
BlackBerry Extraordinaire
 
Frank Castle's Avatar
 
Join Date: Jul 2005
Location: MA
Model: 9930
PIN: PM Me!
Carrier: VZW
Posts: 1,073
Post Thanks: 0
Thanked 4 Times in 3 Posts

The settings Stu mentioned are exactly how we do this and it's per user. ESM has global settings for EAS policy and the AD user level is where you adjust these settings under the Exchange Features tab.

We allow OWA/OMA as the data stays on our network but no syncing of data onto personal-liable devices, and we are about to suspend support for iPhone and remove access to EAS as we have a state regulation around encrypting data which iPhone cannot meet currently.

I also use a couple of scripts that show me who is enabled for EAS as well as parse the OMA/OWA IIS logs to identify who is connecting and syncing.

Life is so much easier with BB and BES
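A worked version of the IIS-log check jletendre describes, added here as an example; it is not one of the scripts from the thread. An Exchange 2003 front-end logs every EAS request against the /Microsoft-Server-ActiveSync virtual directory with the user, DeviceId and DeviceType in the query string, so the W3C log on its own tells you who is syncing from what kind of device, iPhones nobody provisioned included, without touching AD. The log lines, hosts and user names below are constructed; the field list is read from the #Fields: header so it copes with whatever columns your site logs, as long as cs-uri-stem and cs-uri-query are among them.

```python
"""Who is syncing with Exchange ActiveSync, read from the front-end IIS logs.

Added example for this thread, not one of jletendre's scripts. The log lines
below are constructed: W3C extended format as IIS 6 writes it, with "+" for
spaces inside the User-Agent and "-" for empty fields.
"""
import sys
from collections import defaultdict
from urllib.parse import parse_qs

EAS_PATH = "/microsoft-server-activesync"   # Exchange 2003 EAS virtual directory

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-02-26 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-02-26 08:15:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=jsmith&DeviceId=ApplA1B2C3&DeviceType=iPhone 443 CORP\\jsmith 203.0.113.7 Apple-iPhone/602.204 200
2009-02-26 08:15:40 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=jsmith&DeviceId=ApplA1B2C3&DeviceType=iPhone 443 CORP\\jsmith 203.0.113.7 Apple-iPhone/602.204 200
2009-02-26 08:16:11 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=adoe&DeviceId=7F3A9B&DeviceType=PocketPC 443 CORP\\adoe 198.51.100.22 MSFT-PPC/5.2.1 200
2009-02-26 08:17:05 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 - 203.0.113.9 Apple-iPhone/602.204 401
2009-02-26 08:18:30 10.0.0.5 GET /exchange/bwhite/Inbox - 443 CORP\\bwhite 192.0.2.14 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2009-02-26 08:19:12 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=jsmith&DeviceId=WM998877&DeviceType=SmartPhone 443 CORP\\jsmith 198.51.100.40 MSFT-SPhone/5.2 200
"""


def parse_iis_log(text):
    """Turn a W3C extended log into a list of dicts keyed by the #Fields: names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS may change the field set mid-file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                       # no header yet, or a truncated line: skip, don't guess
        records.append(dict(zip(fields, values)))
    return records


def eas_devices(records):
    """Map each user to the set of (DeviceType, DeviceId, User-Agent) seen syncing."""
    inventory = defaultdict(set)
    for r in records:
        if not r.get("cs-uri-stem", "").lower().startswith(EAS_PATH):
            continue                       # OWA (/exchange), OMA (/oma) and the rest are not EAS
        query = parse_qs(r.get("cs-uri-query", "-"))
        user = query.get("User", [None])[0]
        if user is None:
            continue                       # OPTIONS probes and 401s carry no User= parameter
        inventory[user.lower()].add((
            query.get("DeviceType", ["?"])[0],
            query.get("DeviceId", ["?"])[0],
            r.get("cs(User-Agent)", "-"),
        ))
    return dict(inventory)


def users_with_device_type(inventory, device_type):
    """Users who have synced from a given DeviceType, e.g. 'iPhone'."""
    wanted = device_type.lower()
    return sorted(u for u, devs in inventory.items()
                  if any(d[0].lower() == wanted for d in devs))


def unapproved_users(inventory, approved):
    """Users seen syncing who are not on the approved list."""
    approved = {a.lower() for a in approved}
    return sorted(u for u in inventory if u not in approved)


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    inv = eas_devices(parse_iis_log(text))
    for user, devs in sorted(inv.items()):
        for dtype, did, agent in sorted(devs):
            print(f"{user:10} {dtype:12} {did:12} {agent}")
    print("iPhone users:", users_with_device_type(inv, "iPhone"))
    print("not approved:", unapproved_users(inv, ["adoe"]))
```

Point it at the day's log from the front-end's W3SVC log folder and feed the approved-user list from whatever you keep the grandfathered accounts in; a user who appears in the inventory with two DeviceIds is the "one account, two phones" case stuwhite raises in #9, which a per-user EAS flag cannot separate.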
Old 02-26-2009, 12:43 PM   #12 (permalink)
Feeling Blue, Bigly ;->
 
stuwhite's Avatar
 
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by kpoland View Post
Thank you stu! That's very helpful. Yes, I believe these users are using ActiveSync - not OMA!

Does EAS get disabled globally, or can it be disabled by the user?
Well here's the kicker. You can enable them en masse but the default is enable and even once you disable everyone, new users get enabled by default. I think I read once that policy can be used but it was such an arse-ache that I just re-do the settings every now and again. Our helpdesk guys have been told to disable as part of user creation but it doesn't always get done. If you aren't familiar with making Exchange feature changes for groups of users, here's the MS blurb - How to Enable and Disable Exchange ActiveSync Features at the User Level

The user can't enable themselves but anyone with access to make changes using ADUC can so you might want to lock down your system if you have many admins and are worried about unauthorised changes.
__________________
I was a BES and Exchange admin once.
Then my world turned Blue.
Old 02-26-2009, 12:43 PM   #13 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Dec 2004
Location: Boston area
Model: z10
Carrier: AT&T
Posts: 416
Post Thanks: 2
Thanked 4 Times in 4 Posts

Quote:
Originally Posted by jletendre View Post
...remove access to EAS as we have a state regulation around encrypting data which iPhone cannot meet currently.
Can you elaborate on the regulation? Is this for MA?
__________________
z10 on AT&T (plus an HTC One X)
Old 02-26-2009, 12:54 PM   #14 (permalink)
Feeling Blue, Bigly ;->
 
stuwhite's Avatar
 
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by jletendre View Post
I also use a couple scripts that shows me who is enabled for EAS as well parse the OMA/OWA IIS logs to identify who is connecting and syncing.
That's a good point to make. kpoland, you may not know yet but there is no lovely BBM-type app for this (if you are Exch 2003) and while MS provide some web-based tools (I think they call it the mobile admin pack, not at work now) they are not much fun. The sample SQL scripts out there from MS to show activity are truly naff but we got some nice code from MS under NDA (can't share but can tell you what to ask for if you have Premier etc). One of our guys built this into a nice web page and we now have as close as you can get to a usable interface the helpdesk can play on.

As for the enabled scripts, be careful coz I found a fun feature. While anyone who has had the feature toggled will have a valid "msExchOmaAdminWirelessEnable" attribute value (from memory I think it's 1-7), new users who get the feature enabled by default don't have that attribute at all!! That's right, you can't tell by using that attribute if there are default-enabled users. jletendre, if you have a way round this, let me know coz I could never dedicate enough time to play with examining other attributes to find a workaround. Also I found that some existing users had a value of 32, which at the time (about 18 months ago) didn't exist in any doc anywhere on the web. I have never seen that value since the first time I blasted the whole org with disable and I think it came from the 2000->2003 upgrade and affected actively-enabled users only.

Quote:
Originally Posted by jletendre View Post
Life is so much easier with BB and BES
Tell me about it man. Setting up EAS and all the stuff I had to do to get a usable monitoring system really made me appreciate the BES and BBM, for all its little faults
__________________
I was a BES and Exchange admin once.
Then my world turned Blue.
Old 02-26-2009, 01:07 PM   #15 (permalink)
Thumbs Must Hurt
 
Join Date: Feb 2006
Model: 8330
Carrier: Verizon
Posts: 142
Post Thanks: 0
Thanked 0 Times in 0 Posts

You guys are way over my head with this. I'm just a BES admin. Don't know much about Exchange (any more than I need to for BES purposes), or AD or anything like that.

That said, your answers are very helpful and with a little assistance I think I could understand them. I'll have to bookmark this thread as I learn more about how ActiveSync works...

I think I have one final question: can we disable ActiveSync at the organization level (so it's turned off for everyone), and then just enable it for one user? We have someone in IT who uses an iPhone and would like to continue to do so. Or if we need it enabled for anyone, we can't disable it on the organizational level?
__________________
8330 4.5.0.77 OS - PIN: 303297df
BES Admin:
5x4.1.6 Exchange - 700 Users
"Sink or Swim" Educated
Old 02-26-2009, 01:29 PM   #16 (permalink)
Feeling Blue, Bigly ;->
 
stuwhite's Avatar
 
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by kpoland View Post
You guys are way over my head with this. I'm just a BES admin. Don't know much about Exchange (any more than I need to for BES purposes), or AD or anything like that.

That said, your answers are very helpful and with a little assistance I think I could understand them. I'll have to bookmark this thread as I learn more about how ActiveSync works...
No probs. There are probably ppl who know tons more than me on the Exchange forums who can help more but even as a serious Exchange admin, those boards scare me, so I hang out here instead . If you want more info just PM me and apols for going over your head, I assume everyone is a messaging admin and don't give a lot of thought to checking what I write for the wider audience, sorry!

Quote:
Originally Posted by kpoland View Post
I think I have one final question: can we disable ActiveSync at the organization level (so it's turned off for everyone), and then just enable it for one user? We have someone in IT who uses an iPhone and would like to continue to do so. Or if we need it enabled for anyone, we can't disable it on the organizational level?
Nah that's the kicker I mentioned earlier. You can disable at the global level but it's all or nothing so you have to have it on then go and do a mass user-disable using the MS page I sent before. Trust me, explaining all this to your management should show them why only BBs should be allowed! Ours realise that they have to allow iPhone use but also aren't prepared to destroy our time with this work, so the EAS system is there but not officially supported (where BES is) and its access is tightly controlled.
__________________
I was a BES and Exchange admin once.
Then my world turned Blue.
Old 02-26-2009, 01:53 PM   #17 (permalink)
BlackBerry Extraordinaire
 
Frank Castle's Avatar
 
Join Date: Jul 2005
Location: MA
Model: 9930
PIN: PM Me!
Carrier: VZW
Posts: 1,073
Post Thanks: 0
Thanked 4 Times in 3 Posts

Yes for MA, NV and I believe CA and Washington are coming behind. Likely you will see similar regulations in every state. Any company of a considerable size is impacted, as how do you track where your customers live?

If anything this helps solidify all the BES provides, and when you have to hodgepodge this security onto WM/iPhone the TCO is way higher than BES / BB. Microsoft can tell me the joys of SCDM2008 all day but cost to cost it's not even close.
Old 02-26-2009, 01:57 PM   #18 (permalink)
BlackBerry Extraordinaire
 
Frank Castle's Avatar
 
Join Date: Jul 2005
Location: MA
Model: 9930
PIN: PM Me!
Carrier: VZW
Posts: 1,073
Post Thanks: 0
Thanked 4 Times in 3 Posts

I know EXACTLY what you are talking about and we too have a script that runs every month and disables everyone then enables the few that were grandfathered in. If I make it to WES I'd love to hear more about this "web page"; the only one I have is the one to disable and kill. I would love just some better reporting so I can mirror the usage patterns we track with BlackBerry.

the IIS parsing is a royal PITA and as mentioned I doubt I can validate the budget for full SCDM2008 - MS should've included much of that functionality into Exchange to begin with .. but the typical MS way is to make yet another product, CAL that you have to manage.

While 85% of my time is dedicated to mobility I would strongly suggest anyone in this field get comfortable with whatever messaging platform BES attaches to (Exchange, Domino etc).
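The per-user disable stuwhite describes in #8, the attribute quirks from #14 (default-enabled users have no attribute at all; some carry an undocumented 32) and the monthly "disable everyone, re-enable the grandfathered few" run jletendre mentions just above, as one added example; it is not the script either of them runs. It works from a csvde export of msExchOmaAdminWirelessEnable and writes an LDIF modify file for ldifde -i, so nothing changes in AD until you import it. The export and the allow-list are constructed. The 1/2/4 bit layout (OMA, user-initiated sync, up-to-date notifications) is the Exchange 2003 one from the "Enable and Disable Exchange ActiveSync Features at the User Level" article stuwhite links; check it against that article before importing. Users whose attribute is absent are treated as enabled by default and get an explicit value written, which is what makes them visible to the next report.

```python
"""Monthly EAS access review: disable everyone except an allow-list.

Added example for this thread, not the script jletendre or stuwhite run.
Input is a csvde export of msExchOmaAdminWirelessEnable (constructed sample
below); output is an LDIF modify file for `ldifde -i -f changes.ldf`, so AD
is untouched until you import it. The bit layout is the Exchange 2003 one
from the "Enable and Disable Exchange ActiveSync Features at the User Level"
article; verify it there before importing.
"""
import csv
import io
import sys

OMA_DISABLED = 1     # Outlook Mobile Access (browser) off
UIS_DISABLED = 2     # user-initiated synchronization (the EAS mail sync) off
UTDN_DISABLED = 4    # up-to-date notifications off
KNOWN_BITS = OMA_DISABLED | UIS_DISABLED | UTDN_DISABLED
EAS_BITS = UIS_DISABLED | UTDN_DISABLED   # the two boxes stuwhite unticks in ADUC

ATTR = "msExchOmaAdminWirelessEnable"

# Constructed export, shaped like the output of
#   csvde -f eas.csv -r "(&(objectClass=user)(mailNickname=*))" -l sAMAccountName,msExchOmaAdminWirelessEnable
SAMPLE_EXPORT = """\
DN,sAMAccountName,msExchOmaAdminWirelessEnable
"CN=Alice Example,OU=Users,DC=corp,DC=example",alice,
"CN=Bob Example,OU=Users,DC=corp,DC=example",bob,7
"CN=Carol Example,OU=Users,DC=corp,DC=example",carol,0
"CN=Dave Example,OU=Users,DC=corp,DC=example",dave,1
"CN=Erin Example,OU=Users,DC=corp,DC=example",erin,32
"""


def eas_state(raw):
    """Effective EAS state from the exported value ('' when the attribute is absent)."""
    if raw is None or raw.strip() == "":
        return "default-enabled"   # never toggled: no attribute in AD, but sync works
    mask = int(raw)
    if mask & ~KNOWN_BITS:
        return "unknown"           # undocumented bits (the 32 in #14): report, don't touch
    return "disabled" if mask & UIS_DISABLED else "enabled"


def plan_changes(export_csv, allowlist):
    """Return (changes, review): changes as (dn, sam, old_raw, new_mask), review as (sam, old_raw)."""
    allowed = {a.lower() for a in allowlist}
    changes, review = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        sam, raw = row["sAMAccountName"], row[ATTR]
        state = eas_state(raw)
        if state == "unknown":
            review.append((sam, raw))
            continue
        current = 0 if state == "default-enabled" else int(raw)
        if sam.lower() in allowed:
            new = current & ~EAS_BITS      # keep sync on; leave the OMA bit as it is
        else:
            new = current | EAS_BITS       # sync and notifications off; leave the OMA bit as it is
        # Default-enabled users get an explicit value even when it is 0, so the
        # attribute exists and the next export can tell them apart.
        if new != current or state == "default-enabled":
            changes.append((row["DN"], sam, raw, new))
    return changes, review


def to_ldif(changes):
    """LDIF modify records that ldifde -i will apply."""
    records = []
    for dn, _sam, _raw, new in changes:
        records.append(f"dn: {dn}\nchangetype: modify\nreplace: {ATTR}\n{ATTR}: {new}\n-\n")
    return "\n".join(records)


if __name__ == "__main__":
    # Real csvde output is ANSI by default, UTF-16 with -u; adjust the encoding to match.
    export = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    allow = sys.argv[2:] or ["carol"]
    changes, review = plan_changes(export, allow)
    for dn, sam, raw, new in changes:
        print(f"{sam:10} {raw or '<absent>':>9} -> {new}", file=sys.stderr)
    for sam, raw in review:
        print(f"{sam:10} {raw:>9}    needs manual review", file=sys.stderr)
    sys.stdout.write(to_ldif(changes))
```

Run it as `python eas_review.py eas.csv carol > changes.ldf`, read the summary on stderr, then `ldifde -i -f changes.ldf`. Because the plan only ever sets or clears the two EAS bits, an OMA-only disable someone set by hand survives the monthly run, and anything with bits outside 1-7 is listed for a human rather than overwritten.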
Old 02-26-2009, 02:21 PM   #19 (permalink)
Feeling Blue, Bigly ;->
 
stuwhite's Avatar
 
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by jletendre View Post
I know EXACTLY what you are talking about and we too have a script that runs every month and disables everyone then enables the few that were grandfathered in. If I make it to WES I'd love to hear more about this "web page"; the only one I have is the one to disable and kill. I would love just some better reporting so I can mirror the usage patterns we track with BlackBerry.
Well WES is looking less likely by the day now. I wish they hadn't got my hopes up by mentioning the possibility coz the few (crappy) sessions at the EMEA virtual conf the other day made me realise just how much I got out of WES2007. If we don't make it to WES I will give you some details offline but it basically uses some clever MS scripting to do the parsing and some nice asp work from a colleague to display it the best you can. The beauty is that on the single page we display a table of all active users and have links to the mobile admin kill and disable pages so they can be locked down to admins while the monitor page is open to all IT. It's still not fantastic but better than anything I could find available commercially.

Quote:
Originally Posted by jletendre View Post
the IIS parsing is a royal PITA and as mentioned I doubt I can validate the budget for full SCDM2008 - MS should've included much of that functionality into Exchange to begin with .. but the typical MS way is to make yet another product, CAL that you have to manage.
Well the parsing we do is handled by the cool page but I think it's all down to us using the better code from MS and my coder mate knowing his stuff well. Yeah man, use our stuff then buy our stuff to monitor our stuff on our stuff . It took me a long time to learn to love the RIM philosophy but when you compare it to WM (for all the cool things WM can bring), it just pays for itself so much when you have hundreds of users spread round the world.

Quote:
Originally Posted by jletendre View Post
While 85% of my time is dedicated to mobility I would strongly suggest anyone in this field get comfortable with whatever messaging platform BES attaches to (Exchange, Domino etc).
Hear hear. I guess I am lucky coz I worked with mobility before it was popular, then got into messaging heavily, then when mobility became cool it was all pretty easy and old hat to me. I do feel for guys like kpoland though coz I know there are a lot of guys out there who are given things like the BES without the opportunity to work on/learn the messaging side and while there are a lot of damn fine mobility-only admins out there (just in case DarthBB is watching me!), it's gotta be nicer if you get to work on the messaging platform.
__________________
I was a BES and Exchange admin once.
Then my world turned Blue.
Old 02-26-2009, 02:36 PM   #20 (permalink)
Thumbs Must Hurt
 
Join Date: Feb 2006
Model: 8330
Carrier: Verizon
Posts: 142
Post Thanks: 0
Thanked 0 Times in 0 Posts

*nod* I know Exchange a fair bit more than I used to. Client side, anyway. Still, we have an Exchange Admin, so there's little opportunity for me to get my hands dirty with that.

But yeah, BES got dropped in my lap one day, because the Networking guy didn't want it anymore. I was a desk side support technician - I tore down PCs to fix them, and rolled out new images when we needed application updates and stuff. That was fun. Then BAM. We were a Domino shop then, so I had to learn Domino a bit. Then we merged with another law firm and moved to Exchange, so I had to learn Exchange a bit. Still, not enough to really do much, but definitely enough to do my job (as a BES Admin).
__________________
8330 4.5.0.77 OS - PIN: 303297df
BES Admin:
5x4.1.6 Exchange - 700 Users
"Sink or Swim" Educated
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.