How to Configure Access Control for Exchange using PowerShell Cmdlets

SAP How-to Guide
Mobile Device Management
SAP Afaria
A Step-by-Step guide
Applicable Releases:
SAP Afaria 7 SP3 HotFix 06, SAP Afaria 7 SP4
Version 2.0
December 2013
© Copyright 2013 SAP AG. All rights reserved.
Document History
Document Version: Description
1.0: First official release
2.0: Updated to include information about Exchange 2010 and 2013
Table of Contents
1. About This Document
2. Business Scenario
3. Prerequisites
4. Supported Devices
5. Access Control Requirements for Exchange PowerShell Cmdlets
6. Finding Current Exchange ActiveSync Setting in Office 365
7. Finding Current Access State of Device in Office 365
8. Finding Current Exchange ActiveSync Settings for Exchange 2010
9. Finding Current Exchange ActiveSync Settings for Exchange 2013
10. Finding the Current Access State of Device
11. Setting Up Access Control for Email using Exchange PowerShell Cmdlets
1. About This Document
This document discusses how to configure access control for local or hosted Microsoft Exchange
using Exchange PowerShell cmdlets.
2. Business Scenario
Use the Exchange API (also known as the Exchange PowerShell cmdlets) to control email access for the
mobile devices under management in the following scenarios:
• When a device comes under management, add it to the "Allow" list. Exchange will allow it to
  get email.
• If a device is found to be out of compliance, add it to the "Blocked" list. Exchange will
  prevent it from getting email.
• When a device comes back into compliance, remove it from the "Blocked" list. Exchange
  allows it to get email again.
3. Prerequisites
Install Afaria 7 SP3 release Hotfix 6. Ensure that the Access Control for E-mail component is not
installed.
4. Supported Devices
The Exchange PowerShell cmdlets are supported only for Android, iOS, Windows Mobile Professional,
Windows Mobile Standard, and Windows Phone 8 devices. For more information, see the Afaria 7
System Requirements document for the required service pack, which is available on the Sybase Mobile
Enterprise Technical Support Web site.
5. Access Control Requirements for Exchange PowerShell Cmdlets
For the Afaria Access Control for Email feature, you can use a cmdlet. This implementation uses
Exchange PowerShell commands for controlling device access for email.
Component: Description
Local Email Server: Access Control for Email supports Microsoft Exchange Server 2010 and
  Microsoft Exchange Server 2013.
Hosted Email: Microsoft Office 365
PowerShell Host Server: Microsoft PowerShell Version 2.0. The PowerShell virtual directory is
  created when you install Exchange. Enable PowerShell remoting by enabling Basic
  Authentication on the virtual directory in IIS.
6. Finding Current Exchange ActiveSync Setting in Office 365
1. Log in to Office 365 using admin credentials.
2. Click mobile and click edit.
7. Finding Current Access State of Device in Office 365
Note: This also applies to the local cmdlets implementation.
1. Log in to the Office 365 user account that you have configured on the device.
2. Click Settings, and then click Options.
3. Click phone and then select your device. Click Edit.
8. Finding Current Exchange ActiveSync Settings for Exchange 2010
1. Enter the URL https://<your exchange server>/ecp/ in the Web browser.
2. Log in using admin credentials.
3. Click Phone & Voice and click edit.
9. Finding Current Exchange ActiveSync Settings for Exchange 2013
1. Enter the URL https://<your exchange server>/ecp/ in the Web browser.
2. Log in using admin credentials.
3. Click Mobile and click edit.
10. Finding the Current Access State of Device
1. Log in to the user account that you have configured on the device
   (URL: https://<your exchange server>/owa/).
2. Select Options > See all options.
3. Click phone and then select your device. Click Details.
11. Setting Up Access Control for Email using Exchange PowerShell Cmdlets
The Afaria server must reflect the settings of the Office 365 server or the local Exchange server. Set
up access control for local or hosted email by configuring Office 365 (Microsoft Exchange 2010 or 2013
that uses Exchange 2010 or 2013 PowerShell cmdlets respectively).
Prerequisites
• Ensure that the Access Control for Email filter is not installed.
• The PowerShell virtual directory is created when you install Exchange. Enable
  PowerShell remoting by enabling Basic Authentication on the virtual directory in IIS.
Task
E-mail services are available locally, where a local Exchange server is used. E-mail services are also
hosted by a third party and are available to users from the Internet, without any e-mail servers or
related Afaria components inside the enterprise network or DMZ. The Afaria server communicates with
Exchange 365 to update device status.
Note: Configure access control for local email by either using the Exchange 2010 PowerShell
cmdlets or by installing the Access Control for Email filter. If you have installed the filter, then do
not follow this procedure. Also, these settings are tenant-specific.
1. Log in to the Afaria Administrator Web console.
2. Navigate to the Server > Configuration > MS Exchange 365 page.
   Note:
   In the Afaria 7 SP4 release, the page name is changed to Server > Configuration > MS Exchange.
   Devices with an ISAPI account and devices with an MS Exchange 365 account cannot co-exist in a
   tenant, as this configuration is not supported. Ensure that this page is empty if the tenant is
   to be used for local Exchange.
3. Click New.
4. Enter the following information:
   • URL – Enter the URL of the hosted or local Exchange server.
   • Account Username – Enter the hosted or local Exchange Admin User ID. Create a
     user that is a member of the Exchange Organization Managers group so that the
     user will have minimum permission to execute PowerShell commands.
   • Password – Enter the hosted or local Exchange Admin password.
   Note:
   Ensure that MS Exchange 365 account credentials have Administrator privileges.
5. Click Test MS Exchange 365 connection to authenticate the account credentials and test
connectivity for the local Exchange or hosted accounts.
If the account credentials are valid, you see a success message; otherwise, you see an error
message.
Note: In Afaria 7 SP4 release, the link name is changed to Test connection.
6. Click Save.
When Exchange 365 triggers e-mail blocking using access control, it may take as long as 10
minutes for Exchange 365 to block e-mail messages.
7. To specify the local or hosted service's Exchange ActiveSync Access Settings, select one of:
   • Always allow – allow users who have enrolled in Afaria management to access
     hosted or local MS Exchange 365.
   • Always block or quarantine – prevent all users who are not enrolled in Afaria
     management from accessing hosted or local MS Exchange 365.
   Note:
   Afaria sends a device enablement message when the device is enrolled in the Always allow
   mode for enhanced security.
8. Click Save.
9. (Optional) Change or delete a record by selecting it and clicking Edit or Delete.
After a device is enrolled in Afaria, it will use the access policy that is set for the device.
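The settings and device states that sections 6 to 10 look up in the browser can also be read over the PowerShell remoting endpoint, which is a quick way to confirm that Exchange and Afaria agree. The following read-only audit is an added example, not part of the SAP guide or Afaria's own code; it assumes a local Exchange 2010 or 2013 server, and the server name, mailbox and variable names are placeholders.

```powershell
# Added example: read-only audit of Exchange ActiveSync access control.
# Placeholders (assumptions, not values from the guide):
$Server  = 'exchange.example.com'   # your Exchange server
$Mailbox = 'user@example.com'       # a mailbox whose device is enrolled in Afaria

# Basic Authentication only base64-encodes the password, so connect to the
# PowerShell virtual directory over HTTPS and let the client validate the certificate.
$cred    = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://$Server/PowerShell/" `
    -Authentication Basic -Credential $cred
Import-PSSession $session -CommandName Get-ActiveSyncOrganizationSettings,
    Get-ActiveSyncDevice, Get-CASMailbox | Out-Null

try {
    # Organization-wide default (sections 6, 8 and 9): Allow, Block or Quarantine.
    $default = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
    "Default access level: $default"

    # Per-mailbox allow and block lists.
    $cas = Get-CASMailbox -Identity $Mailbox

    # Per-device state (sections 7 and 10), cross-checked against both lists.
    Get-ActiveSyncDevice -Mailbox $Mailbox | ForEach-Object {
        $onAllow = $cas.ActiveSyncAllowedDeviceIDs -contains $_.DeviceId
        $onBlock = $cas.ActiveSyncBlockedDeviceIDs -contains $_.DeviceId
        New-Object PSObject -Property @{
            DeviceId        = $_.DeviceId
            AccessState     = $_.DeviceAccessState
            Reason          = $_.DeviceAccessStateReason
            OnAllowList     = $onAllow
            OnBlockList     = $onBlock
            # Allowed without an explicit allow-list entry; Reason shows
            # which setting produced the state.
            NoExplicitAllow = ($_.DeviceAccessState -eq 'Allowed' -and -not $onAllow)
        }
    } | Format-Table DeviceId, AccessState, Reason, OnAllowList, OnBlockList,
        NoExplicitAllow -AutoSize
}
finally {
    # Always close the remote session so the admin credential is not left in use.
    Remove-PSSession $session
}
```

A device that shows NoExplicitAllow as True while the organization default is Block or Quarantine is worth reviewing, as is any device that appears on both lists.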