I covered managing devices based on policy in One of those policies is “modern authentication”, Azure Passthrough Authentication, or OAuth if you will. To enable it, log into Exchange Online via PowerShell and run the Set-OrganizationConfig commandlet with -OAuth2ClientProfileEnabled set to $true:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

If you’re using Skype, do an override:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Now check that OAuth was enabled properly:


And voilà, you’ve caught up to where WordPress was at with OAuth 8 years ago! Next, check the global ADFS authentication rule:


And you can use Set-AdfsAdditionalAuthenticationRule. Now, you should be able to check the ADFS rules required for a given MFA requirement:

Get-AdfsRelyingPartyTrust -Name "Krypted"

And then if necessary, set them:

Set-AdfsRelyingPartyTrust -TargetName "Krypted" -AdditionalAuthenticationRules 'c: [Type == "", Value == "S-1-5-21-Insert your Group SID here"] && [Type == "", Value == "false"] => issue(Type = "", Value = "");'

You can then check groups:

Get-ADGroup -Identity "Krypted Users"

The logs for Outlook are… Interesting… Diagnostics are difficult without logs. They used to be at ~/Library/Containers/ Data/Library/Logs/ or

To enable logs, open Outlook and then click on Window and then click Sync Errors.


From there, click on the cogwheel and then check the box for “Turn on logging for troubleshooting”


Now go ahead and quit Outlook and open it again. When prompted, click “Leave Logging On” and then when you get errors, open the logs.


Once enabled, you’ll see logs at ~/Library/Group Containers/UBF8T346G9.Office/OfficeLogging/. You can set a maximum size for the log files using defaults to send an EWSMaxLogLength key to using the following command:

defaults write ~/Library/Preferences/ EWSMaxLogLength 64

Exchange Online and Exchange 2010-2016 can block a device from accessing ActiveSync using a policy. To do so, first grab a list of all operating systems you’d like to block. Check which ones are out there using the Get-ActiveSyncDevice command and looking at devicetype, deviceos, and deviceuseragent:

Get-ActiveSyncDevice | select devicetype,deviceos,deviceuseragent

The command will show each of the operating systems that have accessed the server, including the user agent. You can block access based on each of these. In the following command, we’ll block one that our server found that’s now out of date:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 8.1 12A369" -AccessLevel Block

To see all blocked devices, use

Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq 'Block'}

If you mistakenly block a device, remove the block by copying it into your clipboard and then pasting into a Remove-ActiveSyncDeviceAccessRule commandlet:

Get-ActiveSyncDeviceAccessRule | where {$_.Characteristic -eq 'DeviceOS' -and $_.QueryString -eq 'iOS 8.1 12A369'} | Remove-ActiveSyncDeviceAccessRule

Or to remove all the policies:

Get-ActiveSyncDeviceAccessRule | Remove-ActiveSyncDeviceAccessRule

Sometimes you need to manage policies in Exchange ActiveSync programmatically. For example, if a device shows up in a JSS, you can deploy policies to that device at the Exchange ActiveSync (EAS) level rather than using a mobileconfig. To manage these, Microsoft has provided a few pretty easy-to-use commandlets in Powershell.

  • The New-MobileDeviceMailboxPolicy commandlet in Powershell will create a policy based on some attributes that you define.
  • The Get-MobileDeviceMailboxPolicy commandlet in Powershell will show what the contents of a given policy are.
  • The Set-MobileDeviceMailboxPolicy commandlet will set a policy, and has the same structure as New-MobileDeviceMailboxPolicy, but applies to existing policies.
  • The Remove-MobileDeviceMailboxPolicy commandlet in Powershell will delete a policy.
  • The Get-MobileDevice commandlet in Powershell will show all the devices that are associated with a given user.
  • The Remove-MobileDevice commandlet in Powershell will remove a partnership between an account and a device.
  • The Clear-MobileDevice commandlet in Powershell will wipe a device.

To put these in practice, let’s create a policy called “MarketingEAS” and set a few common password/passcode policies, like requiring a password and requiring an alphanumeric password. The following New-MobileDeviceMailboxPolicy commandlet creates the Mobile Device mailbox policy MarketingEAS, using -PasswordEnabled and -AlphanumericPasswordRequired as options:

New-MobileDeviceMailboxPolicy -Name:"MarketingEAS" -PasswordEnabled:$true -AlphanumericPasswordRequired:$true

There are lots of other policies, like -AllowBluetooth -AllowCamera -MaxEmailAgeFilter -PasswordHistory etc. Once set, you can look at the contents of the policy using Get-MobileDeviceMailboxPolicy:

Get-MobileDeviceMailboxPolicy -Identity "MarketingEAS"

To then remove a Mailbox Policy, use Remove-MobileDeviceMailboxPolicy. The following removes the policy, bypassing prompts:

Remove-MobileDeviceMailboxPolicy -Identity "MarketingEAS" -Confirm:$false -Force

To see what mailbox policy is enforced for a user, you can then run Get-MobileDevice, followed by -Identity and then the short name of the user (e.g. CharlesEdge):

Get-MobileDevice -Identity "CharlesEdge"

Or to see a list of devices associated with my mailbox:

Get-MobileDevice -Mailbox "JAMF\CharlesEdge"

Or unpartner a device (e.g. kryptedipad) from my mailbox, use Remove-MobileDevice, bypassing with -Confirm:

Remove-MobileDevice -Identity kryptedipad -Confirm:$false

To wipe that iPad and send me an email confirmation, use Clear-MobileDevice:

Clear-MobileDevice -Identity kryptedipad -NotificationEmailAddresses ""

I have another article up on the world webs. This one is on cloud use in small businesses, with IT Business Edge. Check it out at

This is my 3,000th post on The past 3,000 posts have primarily been about OS X Server, Mac automation, Mac deployment, scripting, iOS deployments, troubleshooting, Xsan, Windows Servers, Exchange Server, Powershell, security, and other technical things that I have done in my career. I started the site in response to a request from my first publisher. But it took on a mind of its own. And I’m happy with the way it’s turned out.

My life has changed a lot over these past 11 years. I got married and then I got divorced. I now have a wonderful daughter. I became a partner and the Chief Technology Officer of 318 and helped to shape it into what was the largest provider of Apple services, I left Los Angeles and moved to Minnesota, left 318 to help start up a new MDM for small businesses at JAMF Software called Bushel, and now I have become the Consulting Engineering Manager at JAMF. In these 11 years, I have made a lot of friends along the way. Friends who helped me so much. I have written 14 more books, spoken at over a hundred conferences, watched the Apple community flourish, and watched the emergence of the Post-PC era.

In these 11 years, a lot has happened. Twitter and Facebook have emerged. Microsoft has hit hard times. Apple has risen like a phoenix from those dark ashes. Unix has proved a constant. Open Source has come into the Mac world. The Linux gurus are still waiting for Linux on the desktop to take over the world. Apps. iOS. iPad. Mobility. Android. Wearables. Less certifications. More admins. And you can see these trends in the traffic for the site. For example, the top post I’ve ever written is now a list of Fitbit badges. The second top post is a list of crosh commands. My list of my favorite hacking movies is the third top post. None of these have to do with scripting, Apple, or any of the articles that I’ve spent the most time writing.

That’s the first 3,000 posts. What’s next? 3,000 more posts? Documenting the unfolding of the Post-PC era? Documenting the rise and fall of more technologies? I will keep writing, that’s for sure. I will continue doing everything I can to help build out the Apple community. And I will enjoy it. I’ve learned a lot about writing along this path. But I have a lot more to learn.


The past 3,000 posts have mostly been technical in nature. I’ve shown few of my opinions, choosing to keep things how-to oriented and very technical. Sure, there’s the occasional movie trailer when I have a “squee” moment. But pretty technical, overall. I’ve been lucky to have been honored to speak at many conferences around the world. One thing I’ve noticed over the past few years is that when people ask me to speak at conferences, they ask me to speak about broader topics. They don’t want me doing a technical deep dive. People use the term thought leader. And while I don’t necessarily agree, maybe it’s time I step up and write more of those kinds of articles here and there.

I’ve learned so much from you these 11 years. But I feel like I’ve barely scratched the surface. I look forward to learning together over the course of the next 3,000 posts! Thank you for your support. Without it, I’d have probably stopped at 10 articles!

As you know, Microsoft released a public preview of Office 2016 for Mac. MacTech and Microsoft have created a new accreditation for Apple techs called “Microsoft Office for Mac and iOS Accredited Support Professional, 2015.” Prior to the public Office 2016 announcement, we did a preview of this new course under NDA in Seattle earlier this month.

We’re now announcing the new accreditation — which covers not only Office for Mac (2011 and 2016), but also Office for iOS and Office 365. In short, anyone that supports others using Microsoft Office on OS X or iOS should attend and get this accreditation.

If you’re interested, check it out here

There are 3 registry keys that admins in the Windows world use to enable automatic logins, often required for deployments that require a logged in user to set up user environments, such as configuring app deployments as part of a mass deployment.

The required keys in the registry are:

Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In Mavericks Server, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecosystem and the evil spammers.

As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should have the chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail. The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:

  • Static IP address. The WAN (and LAN probably) address should be static.
  • Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
  • DNS records. An MX record and some kind of type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
  • Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
  • Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
  • Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…
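
The RBL check from the list above can be scripted. This is an added example, not part of the original post: it builds the reversed-octet DNSBL query name and interprets the answer. The zone rbl.example.org, the address 192.0.2.10 and the RBL_RESOLVER hook are placeholders and assumptions; pass the zones of the lists you actually use.

```shell
#!/bin/sh
# Added example (not from the original post): look an IPv4 address up in one or
# more DNS blacklists before moving mail onto it.

# Print the DNSBL query name: octets reversed, list zone appended.
dnsbl_query_name() {
    ip=$1; zone=$2
    # Accept only a dotted quad with every octet in 0-255.
    printf '%s\n' "$ip" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    ' || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Exit status: 0 listed, 1 not listed, 2 bad address, 3 lookup failed or refused.
# RBL_RESOLVER is a hypothetical hook so the lookup can be swapped or stubbed;
# it defaults to "dig +short".
rbl_listed() {
    name=$(dnsbl_query_name "$1" "$2") || return 2
    answer=$(${RBL_RESOLVER:-dig +short} "$name" A 2>/dev/null) || return 3
    case $answer in
        127.255.255.*) return 3 ;;  # some lists answer in this range for refused queries
        127.*)         return 0 ;;  # any other 127.0.0.0/8 answer means "listed"
        *)             return 1 ;;  # no A record: not listed
    esac
}

# Check one address against several lists; prints one line per list.
check_rbls() {
    addr=$1; shift
    for z in "$@"; do
        rc=0
        rbl_listed "$addr" "$z" || rc=$?
        case $rc in
            0) echo "$z LISTED" ;;
            1) echo "$z clear" ;;
            *) echo "$z error" ;;
        esac
    done
}

# Offline demonstration with a documentation address and a placeholder zone.
dnsbl_query_name 192.0.2.10 rbl.example.org
```

Treating the 127.255.255.x answers as errors rather than listings avoids a false alarm when a list refuses queries from the resolver in use.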

Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service in the Server app running on Yosemite. Actually, first let’s set up our SSL certificates. To do so, open the Server app and click on Certificates in the SERVER section of the sidebar. Here, use the “Secure services using” drop-down list and click on Custom… for each protocol to select the appropriate certificate to be used for the service.


Click OK when they’re all configured. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar.


At the configuration screen is a sparse number of settings:

  • Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of and per the Domain Name listing below.
  • Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.
  • Push Notifications: If Push is configured previously there’s no need to use this option. Otherwise, use your institutional APNS account to configure Push Notifications.
  • Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).
  • Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
  • Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.

Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:

telnet 25

You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:

sudo serveradmin fullstatus mail

Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:

mail:startedTime = ""
mail:setStateVersion = 1
mail:state = "STOPPED"
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "STOPPED"
mail:protocolsArray:_array_index:0:service = "MailAccess"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:1:status = "ON"
mail:protocolsArray:_array_index:1:kind = "INCOMING"
mail:protocolsArray:_array_index:1:protocol = "POP3"
mail:protocolsArray:_array_index:1:state = "STOPPED"
mail:protocolsArray:_array_index:1:service = "MailAccess"
mail:protocolsArray:_array_index:1:error = ""
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:kind = "INCOMING"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "STOPPED"
mail:protocolsArray:_array_index:2:service = "MailTransferAgent"
mail:protocolsArray:_array_index:2:error = ""
mail:protocolsArray:_array_index:3:status = "ON"
mail:protocolsArray:_array_index:3:kind = "OUTGOING"
mail:protocolsArray:_array_index:3:protocol = "SMTP"
mail:protocolsArray:_array_index:3:state = "STOPPED"
mail:protocolsArray:_array_index:3:service = "MailTransferAgent"
mail:protocolsArray:_array_index:3:error = ""
mail:protocolsArray:_array_index:4:status = "OFF"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = ""
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:service = "ListServer"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = ""
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:service = "JunkMailFilter"
mail:protocolsArray:_array_index:5:error = ""
mail:protocolsArray:_array_index:6:status = "ON"
mail:protocolsArray:_array_index:6:kind = "INCOMING"
mail:protocolsArray:_array_index:6:protocol = ""
mail:protocolsArray:_array_index:6:state = "STOPPED"
mail:protocolsArray:_array_index:6:service = "VirusScanner"
mail:protocolsArray:_array_index:6:error = ""
mail:protocolsArray:_array_index:7:status = "ON"
mail:protocolsArray:_array_index:7:kind = "INCOMING"
mail:protocolsArray:_array_index:7:protocol = ""
mail:protocolsArray:_array_index:7:state = "STOPPED"
mail:protocolsArray:_array_index:7:service = "VirusDatabaseUpdater"
mail:protocolsArray:_array_index:7:error = ""
mail:logPaths:Server Error Log = "/Library/Logs/Mail/mail-err.log"
mail:logPaths:IMAP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:Server Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:POP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:SMTP Log = "/var/log/mail.log"
mail:logPaths:List Server Log = "/Library/Logs/Mail/listserver.log"
mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"
mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"
mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"
mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"
mail:imapStartedTime = ""
mail:postfixStartedTime = ""
mail:servicePortsRestrictionInfo = _empty_array
mail:servicePortsAreRestricted = "NO"
mail:connectionCount = 0
mail:readWriteSettingsVersion = 1
mail:serviceStatus = "DISABLED"
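
The status output can also be checked from a script. This is an added example, not part of the original post: it reads serveradmin fullstatus mail output and lists components that are switched ON but STOPPED, which matters most for JunkMailFilter and VirusScanner once the service is up. The sample input is constructed in the format shown above, and the "RUNNING" state string is an assumption, since the output above only shows "STOPPED".

```shell
#!/bin/sh
# Added example (not from the original post). Reads `serveradmin fullstatus mail`
# output on stdin and prints every component whose status is "ON" while its
# state is "STOPPED", i.e. enabled in the configuration but not running.
mail_on_but_stopped() {
    awk -F' = ' '
        /^mail:protocolsArray:_array_index:[0-9]+:/ {
            split($1, part, ":")        # part[4] = array index, part[5] = field name
            value = $2
            gsub(/"/, "", value)
            field[part[4], part[5]] = value
            if (!(part[4] in seen)) { seen[part[4]] = 1; order[++n] = part[4] }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                proto = field[k, "protocol"]
                if (field[k, "status"] == "ON" && field[k, "state"] == "STOPPED")
                    printf "%s %s %s\n", field[k, "service"], field[k, "kind"], (proto == "" ? "-" : proto)
            }
        }'
}

# Constructed sample: mail access is up, but both filters are stopped.
sample_fullstatus() {
    cat <<'EOF'
mail:state = "RUNNING"
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "RUNNING"
mail:protocolsArray:_array_index:0:service = "MailAccess"
mail:protocolsArray:_array_index:4:status = "OFF"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = ""
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:service = "ListServer"
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = ""
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:service = "JunkMailFilter"
mail:protocolsArray:_array_index:6:status = "ON"
mail:protocolsArray:_array_index:6:kind = "INCOMING"
mail:protocolsArray:_array_index:6:protocol = ""
mail:protocolsArray:_array_index:6:state = "STOPPED"
mail:protocolsArray:_array_index:6:service = "VirusScanner"
EOF
}

# On a server: sudo serveradmin fullstatus mail | mail_on_but_stopped
sample_fullstatus | mail_on_but_stopped
```

A component that is deliberately OFF, such as ListServer in the sample, is not reported; only the mismatch between configuration and running state is.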

To stop the service:

sudo serveradmin stop mail

And to start it back up:

sudo serveradmin start mail

To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:

sudo serveradmin settings mail

One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be:

sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "

A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option:

sudo serveradmin settings mail:postfix:greylist_disable = yes

To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine:

sudo serveradmin settings mail:postfix:virus_quarantine = ""

The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:

sudo serveradmin settings mail:postfix:virus_notify_admin = yes

I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable:

sudo serveradmin settings mail:postfix:message_size_limit_enabled = no

Or even better, just set new limit:

sudo serveradmin settings mail:postfix:message_size_limit = 10485760

And to configure the percentage of someone’s quota that kicks an alert (soft quota):

sudo serveradmin settings mail:imap:quotawarn = 75

Additionally, the following arrays are pretty helpful, which used to have GUI options:

  • mail:postfix:mynetworks:_array_index:0 = "" – Add entries to this one to add “local” clients
  • mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
  • mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
  • mail:postfix:black_hole_domains:_array_index:0 = "" – Add additional RBL Servers

The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

When migrating mailboxes to Exchange 2013, you can run into an error regarding the maximum number of bad items. This causes the import to fail:

Error code: -2146233088
This mailbox exceeded the maximum number of corrupted items that were specified for this move request.
The message exceeds the maximum allowed size for submission to the target mailbox.

A bad item can be one whose size is a bit large. The New-MailboxImportRequest commandlet can be called with the -BadItemLimit option, specifying a number of items. When using that option you must also specify the -AcceptLargeDataLoss option. For example, to import a mailbox called john.doe using a pst of john.doe.pst, the command would look as follows:

New-MailboxImportRequest -Mailbox john.doe -FilePath "\\myserver\E$\john.doe.pst" -BadItemLimit 1000000 -AcceptLargeDataLoss

If you have a number of mailboxes that have already failed, use the Get-MailboxImportRequest commandlet and pipe the items that match the Failed Status setting to a Set-MailboxImportRequest option defining a larger -BadItemLimit setting as follows:

Get-MailboxImportRequest -Status Failed | Set-MailboxImportRequest -BadItemLimit 1000000 -AcceptLargeDataLoss

