New Contributor
Posts: 4
Registered: ‎06-18-2012
My Device: n/a
My Carrier: Verizon

Prevent direct ActiveSync

Hi All.  It appears that Mobile Fusion does most of everything that I expected it to do.  One question though... If I were a savvy end user, what would be in place to stop me from simply setting up ActiveSync directly to the Exchange Server and bypassing Mobile Fusion altogether?  Suggestions?

Thank you in advance.

Guru III
Posts: 32,126
Registered: ‎06-25-2008
My Device:

I'm rockin the BlackBerry PRIV, Passport, Z30, Z10, Q10, BlackBerry Mini Stereo Speaker, 64 gig PlayBook,BT Headset HS-700

My Carrier: I am on AT&T. Please edit your Personal Profile with your DEVICE TYPE, DEVICE OS and Carrier

Re: Prevent direct ActiveSync

I have this issue now with Exchange 2003.

Not much we can do until we get on 2010, which can filter out devices you don't want on it.

I also don't let SSL certs out; no cert, no email. We had an emergency need on an ithing and that profile was distributed to everyone.

Going to be fun when they have to use a new cert with 2010 and they can just add what they want.

 

 





BES 12 and BES 5.0.4 with Exchange 2010 and SQL 2012 Hyper V


Contributor
Posts: 29
Registered: ‎04-18-2012
My Device: did have a BlackBerry Storm 2
My Carrier: Telstra

Re: Prevent direct ActiveSync

You can enable certificate-based authentication for EAS 2003.

The user certificate is then pushed to the iOS device via the ActiveSync profile in UDS.

New Contributor
Posts: 2
Registered: ‎07-05-2012
My Device: 9700
My Carrier: Rogers

Re: Prevent direct ActiveSync

Could you please elaborate on this?

I have Exchange 2007 installed. ActiveSync is enabled for PlayBooks, iOS and Android devices.

If I change EAS to certificate-based, how does it know which certificate is valid?

 

Contributor
Posts: 49
Registered: ‎05-30-2008
My Device: Not Specified

Re: Prevent direct ActiveSync

I have the same issue with Exchange 2007 and ActiveSync.  How can you prevent the clients from going around UDS and activating with ActiveSync directly?  Still searching for a solution.

New Contributor
Posts: 4
Registered: ‎06-18-2012
My Device: n/a
My Carrier: Verizon

Re: Prevent direct ActiveSync

Unfortunately I came to the conclusion that there's absolutely no easy way to do this with Exchange 2007 and UDS.  The solution is that I've had to replace my plans for implementing Mobile Fusion and gone instead with a competitor.  This competitor can be set to auto quarantine new devices (i.e. block further access to the Exchange server until an administrator approves the device).

 

I hope this is helpful to someone.

Contributor
Posts: 29
Registered: ‎04-18-2012
My Device: did have a BlackBerry Storm 2
My Carrier: Telstra

Re: Prevent direct ActiveSync

I meant to post a reply to this a while back, but have been tied up with work.

 

You can stop a user from using EAS by configuring the Exchange features on the user in AD. There will be an option to enable/disable 'Outlook Mobile Access'.

Contributor
Posts: 26
Registered: ‎05-10-2011
My Device: PB
My Carrier: TELUS

Re: Prevent direct ActiveSync

Yes, you can prevent a user from accessing EAS, but the point is to prevent a non-authorized device.

Perhaps certificate-based authentication would work, and then push the certificate via UDS, but... if the user removes the device from UDS, they would keep the cert by default, I believe?

New Contributor
Posts: 4
Registered: ‎06-18-2012
My Device: n/a
My Carrier: Verizon

Re: Prevent direct ActiveSync

Exactly.  Thanks for clarifying that for everyone, Rebootin.

EAS is either on or off.  Mobile Fusion requires that it be set to on to allow the deployed profile to work (the profile simply tells your device where to go to get mail).  This won't stop anybody from adding as many devices as they want to with a direct connect to the Exchange Server.  Apple devices, for instance, will ask you if you want to set up your new iPad like your iPhone, which leads to the Exchange-specific settings being input into the new device (minus the device being enrolled with Mobile Fusion).

 

I haven't looked into controlling this via certificates, generally because there is already a competing solution that takes care of this for me.  If anyone is interested, they can PM me for more details.

 

Contributor
Posts: 29
Registered: ‎04-18-2012
My Device: did have a BlackBerry Storm 2
My Carrier: Telstra

Re: Prevent direct ActiveSync

All users in our AD have Outlook Mobile Access disabled.

Only users who are in our UDS have it enabled.

That, in conjunction with certificate-based authentication via our UDS, locks the access down to only endorsed users.
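
Added example, not from any poster in this thread: the gap discussed above is an EAS-enabled user attaching an extra device directly to Exchange, and one way to see it is to audit the IIS logs of the ActiveSync virtual directory for DeviceId values that are not enrolled in the MDM. The sample log lines, the column set and the enrolled-ID list (assumed here to be an export of EAS device IDs from the MDM console) are constructed for illustration.

```python
"""Flag ActiveSync devices seen in IIS W3C logs that are not MDM-enrolled."""
from urllib.parse import parse_qs

EAS_PATH = "/microsoft-server-activesync"

# Constructed sample in IIS W3C extended format; not from a real server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2012-07-10 08:01:12 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=ApplENROLLED0001&DeviceType=iPhone CORP\\jdoe 10.0.0.21 200
2012-07-10 08:03:40 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=ApplDIRECT00002&DeviceType=iPad CORP\\jdoe 10.0.0.34 200
2012-07-10 08:04:02 OPTIONS /Microsoft-Server-ActiveSync User=asmith&DeviceId=androidc0000003&DeviceType=Android CORP\\asmith 10.0.0.50 401
2012-07-10 08:05:00 GET /owa/ - CORP\\asmith 10.0.0.50 200
"""

# Assumption: EAS device IDs exported from the MDM (hypothetical export).
ENROLLED = {"ApplENROLLED0001"}


def unenrolled_devices(log_text, enrolled_ids):
    """Return {(user, device_id): details} for devices missing from enrolled_ids."""
    enrolled = {d.lower() for d in enrolled_ids}
    fields, findings = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order differs between servers
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith(EAS_PATH):
            continue  # not an ActiveSync request
        raw = parse_qs(row.get("cs-uri-query", ""))
        query = {k.lower(): v[0] for k, v in raw.items()}
        device = query.get("deviceid", "").lower()
        if not device or device in enrolled:
            continue
        key = (row.get("cs-username", "-").lower(), device)
        hit = findings.setdefault(key, {"type": query.get("devicetype", "?"),
                                        "ips": set(), "ok": 0, "other": 0})
        hit["ips"].add(row.get("c-ip", "-"))
        # 2xx means the device actually synced; anything else is counted apart.
        hit["ok" if row.get("sc-status", "").startswith("2") else "other"] += 1
    return findings


if __name__ == "__main__":
    for (user, device), info in sorted(unenrolled_devices(SAMPLE_LOG, ENROLLED).items()):
        print(user, device, info["type"], sorted(info["ips"]), info["ok"], info["other"])
```

Requests that carry the query string in the protocol's base64-encoded form have no plain DeviceId parameter and are skipped by this parser.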