No good for Sherry, but if you *are* using ISA for your ActiveSync publishing, you should be able to simply have everyone enabled by default, then restrict access with a group in the Users part of the publishing rule on the ISA box. Manage the group from then on out and it's relatively dead simple.

From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2008 12:04 PM
To: MS-Exchange Admin Issues
Subject: Re: ActiveSync Set Up Veterans

I have ISA in my environment, but it is not a part of the OWA/ActiveSync setup. I have a reverse proxy setup at my colo that is used for both OWA and ActiveSync.

On 9/22/08, mqcarp <[EMAIL PROTECTED]> wrote:

Sherry are you using ISA in your environment?

On Mon, Sep 22, 2008 at 12:15 PM, Michael B. Smith <[EMAIL PROTECTED]> wrote:

The below was current as of the release of Exchange Server 2003 sp2. Not sure if the attribute has additional documented values in Exchange 2007. You can also make the change globally easily using PowerShell or a tool like ADModify.Net.

The final Exchange specific tab is Exchange Features, shown in Figure 9-9. The Mobile Services entries allow you to control, on a per-user basis, the mobile capabilities of Exchange. If you, by default, enable mobile services at the global level (Global Settings→Mobile Services→Properties→General) then this window allows you to disable the capabilities at the per-user level. Using the script made available in Microsoft KB 830188 (How to grant permission to use Outlook Mobile Access to specific users of Exchange Server 2003), you can globally disable all users and then pick and choose which specific users are to be allowed access to mobile service capabilities.

The per-user AD attribute that controls these functions is named msExchOmaAdminWirelessEnable. If this attribute has a value of zero or the attribute is not present, then all mobile services are enabled. If Outlook Mobile Access (OMA) is disabled, but the other two features are enabled, then the attribute has a value of two (2). The other two items control specific features associated with Exchange ActiveSync (EAS). "User Initiated Synchronization" must be enabled for Up-to-date Notifications to be enabled; however Up-to-date Notifications may be disabled on its own.
If only Up-to-date Notifications is disabled, then msExchOmaAdminWirelessEnable has a value of one (1). If both User Initiated Synchronization and Up-to-date Notifications are disabled, then msExchOmaAdminWirelessEnable has a value of five (5). If all three Mobile Services are disabled, then msExchOmaAdminWirelessEnable has a value of seven (7).

If you search the Internet, you will find that other values can be specified for this attribute. However, the values described in the prior paragraph are the only values which Microsoft has documented. You are better off only using these values.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
Link with me at: http://www.linkedin.com/in/theessentialexchange

From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2008 12:55 PM
To: MS-Exchange Admin Issues
Subject: Re: ActiveSync Set Up Veterans

The Exchange Features tab in AD for each account is the place to enable or disable additional Exchange features such as mobile and OWA. All these features are enabled by default and you will have to disable them. When we recently went through the process to set up OWA and ActiveSync, I had to manually disable everyone except those that had the proper approval for mobile and/or OWA. Check with your HR department because there are legal things to consider with employees checking or receiving email during non-business hours.

In your IIS settings for ActiveSync you can set it to require SSL and I wouldn't recommend setting it up any other way. No SSL means that your network credentials are being sent clear text... very bad idea.

Haven't had need to do any looking at logging for auditing at this point so I can't address that.

On 9/22/08, mqcarp <[EMAIL PROTECTED]> wrote:

Just have a few questions if some of you are using this feature. It seems frighteningly easy to set up on the server side and I want to ensure that the settings are secure.
Here are a few observations for you vets on this:

* The settings are activated for ALL users when it is enabled. Is it possible to disable it by default and enable specific users in AD?
* Is there a log setting to enable for reviewing audit processes for pushes and troubleshooting in Exchange?
* For iPhones, I have noticed that the config utility can require a certificate for the server side push set up, but if you set up a device manually, it will accept the connection without this validation. Can this be set to be required to avoid connections this way?

This is on Exch 2003. TIA

--
Sherry Abercrombie
"Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke
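
An added example, not written by anyone in this thread: an audit of msExchOmaAdminWirelessEnable that compares each account's mobile-service state with an approval list, interpreting only the values the thread documents (absent/0, 1, 2, 5, 7) and reporting anything else for review. The function name, the approval list and the sample accounts are hypothetical; in practice the input objects would come from a directory query or export.

```powershell
# Added example. Meanings come only from the values documented in the thread.
$Documented = @{
    0 = 'All mobile services enabled'
    1 = 'Up-to-date Notifications disabled'
    2 = 'Outlook Mobile Access disabled'
    5 = 'User Initiated Synchronization and Up-to-date Notifications disabled'
    7 = 'All mobile services disabled'
}

function Get-MobileServiceFinding {    # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [object[]] $User,  # needs SamAccountName + the attribute
        [string[]] $Approved = @()                        # hypothetical approved-user list
    )
    foreach ($u in $User) {
        $raw = $u.msExchOmaAdminWirelessEnable
        # An absent attribute behaves like 0: every mobile service is enabled.
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        $isApproved = $Approved -contains $u.SamAccountName
        if (-not $Documented.ContainsKey($value)) {
            # Not one of the documented values: do not guess its meaning.
            $state = "Undocumented value $value"
            $finding = 'Review'
        } else {
            $state = $Documented[$value]
            if ($value -ne 7 -and -not $isApproved) { $finding = 'Enabled without approval' }
            elseif ($value -eq 7 -and $isApproved)  { $finding = 'Approved but fully disabled' }
            else                                     { $finding = 'OK' }
        }
        [pscustomobject]@{
            User = $u.SamAccountName; Value = $value
            AttributeSet = ($null -ne $raw); State = $state; Finding = $finding
        }
    }
}

# Constructed sample records standing in for a directory export.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; msExchOmaAdminWirelessEnable = $null }
    [pscustomobject]@{ SamAccountName = 'bob';   msExchOmaAdminWirelessEnable = 7 }
    [pscustomobject]@{ SamAccountName = 'carol'; msExchOmaAdminWirelessEnable = $null }
    [pscustomobject]@{ SamAccountName = 'dave';  msExchOmaAdminWirelessEnable = 7 }
    [pscustomobject]@{ SamAccountName = 'erin';  msExchOmaAdminWirelessEnable = 3 }
)
Get-MobileServiceFinding -User $sample -Approved 'alice', 'dave' | Format-Table -AutoSize
```

With this sample, carol is reported as enabled without approval because her attribute was never set, dave as approved but fully disabled, and erin's value of 3 is flagged for review instead of being decoded.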