I covered managing devices based on policy in http://krypted.com/microsoft-exchange-server/manage-activesync-policies-on-ios-using-powershell-in-exchange-2016/. One of those policies is “modern authentication”, Azure Passthrough Authentication, or OAuth if you will. To enable it, log into Exchange Online via PowerShell and run Set-OrganizationConfig with -OAuth2ClientProfileEnabled set to True:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
If you’re using Skype, do an override:
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Now check that OAuth was enabled properly:
And voilà, you’ve caught up to where WordPress was at with OAuth 8 years ago! Next, check the global ADFS authentication rule:
To change it, use Set-AdfsAdditionalAuthenticationRule. Now you can check the ADFS rules that a given relying party uses for its MFA requirement:
Get-AdfsRelyingPartyTrust -Name "Krypted"
And then if necessary, set them:
Set-AdfsRelyingPartyTrust -TargetName "Krypted" -AdditionalAuthenticationRules 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-Insert your Group SID here"] && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
You can then check groups:
Get-ADGroup -Identity "Krypted Users"
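The steps above (enabling OAuth on the tenant, the Skype override, and the group-based ADFS MFA rule) are shown below as one idempotent script. This is an added example, not code from the original post: it assumes an Exchange Online session, the Skype for Business Online connector, the ADFS module on the federation server and the ActiveDirectory module are all loaded, and the relying party name "Krypted" and the group "Krypted MFA Users" are placeholders. Rather than pasting a SID by hand, it resolves the SID from the group, and it reads each setting back before and after writing it.

```powershell
# Added example (not the original post's code). Assumes Exchange Online, Skype for
# Business Online, ADFS and ActiveDirectory cmdlets are available in this session.
$RelyingPartyName = 'Krypted'           # assumed: the ADFS relying party trust name
$MfaGroupName     = 'Krypted MFA Users' # assumed: AD group whose members need MFA off-network

# 1. Turn on modern authentication (OAuth2) only if it is not already on.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    Write-Host 'OAuth2ClientProfileEnabled set to True'
} else {
    Write-Host 'OAuth2ClientProfileEnabled was already True'
}

# 2. Same check for the Skype for Business Online override.
$cs = Get-CsOAuthConfiguration
if ($cs.ClientAdalAuthOverride -ne 'Allowed') {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}

# 3. Resolve the group SID from AD. A mistyped SID produces a rule that never
#    matches, which means nobody in the group is ever prompted for MFA.
$group = Get-ADGroup -Identity $MfaGroupName
$sid   = $group.SID.Value

# 4. Claim rule: members of the group connecting from outside the corporate
#    network must present the multipleauthn authentication method.
$rule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# 5. Look at what the relying party already has before overwriting it.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if ($null -eq $rp) { throw "Relying party '$RelyingPartyName' not found" }

if ($rp.AdditionalAuthenticationRules -and $rp.AdditionalAuthenticationRules.Contains($sid)) {
    Write-Host "MFA rule for '$MfaGroupName' already present on '$RelyingPartyName'"
} else {
    Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -AdditionalAuthenticationRules $rule
    Write-Host "MFA rule for '$MfaGroupName' applied to '$RelyingPartyName'"
}

# 6. Read the rule back so the change is verified rather than assumed.
(Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).AdditionalAuthenticationRules
```

Note that -AdditionalAuthenticationRules replaces the relying party's whole additional-authentication rule set, so if the trust already carries other rules, append the new rule to the existing string instead of overwriting it as this example does.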
krypted May 9th, 2017
Posted In: Microsoft Exchange Server, Network Infrastructure, Windows Server
azure passthrough authentication, eas, Enable Conditional Access, exchange online, Policies, Skype online
Sometimes you need to manage Exchange ActiveSync policies programmatically. For example, if a device shows up in a JSS, you can deploy policies to that device at the Exchange ActiveSync (EAS) level rather than using a mobileconfig. To manage these, Microsoft provides a few pretty easy-to-use cmdlets in PowerShell:
- New-MobileDeviceMailboxPolicy creates a policy based on attributes that you define.
- Get-MobileDeviceMailboxPolicy shows the contents of a given policy.
- Set-MobileDeviceMailboxPolicy has the same parameters as New-MobileDeviceMailboxPolicy, but changes an existing policy.
- Remove-MobileDeviceMailboxPolicy deletes a policy.
- Get-MobileDevice lists the devices associated with a given user's mailbox.
- Remove-MobileDevice removes the partnership between an account and a device.
- Clear-MobileDevice wipes a device.
To put these into practice, let’s create a policy called “MarketingEAS” and set a few common password/passcode settings, like requiring a password and requiring that it be alphanumeric. The following New-MobileDeviceMailboxPolicy command creates the mobile device mailbox policy MarketingEAS, using -PasswordEnabled and -AlphanumericPasswordRequired as options:
New-MobileDeviceMailboxPolicy -Name "MarketingEAS" -PasswordEnabled $true -AlphanumericPasswordRequired $true
There are lots of other settings, like -AllowBluetooth, -AllowCamera, -MaxEmailAgeFilter and -PasswordHistory. Once the policy is created, you can look at its contents using Get-MobileDeviceMailboxPolicy:
Get-MobileDeviceMailboxPolicy -Identity "MarketingEAS"
To then remove a Mailbox Policy, use Remove-MobileDeviceMailboxPolicy. The following removes the policy, bypassing prompts:
Remove-MobileDeviceMailboxPolicy -Identity "MarketingEAS" -Confirm:$false -Force
To see the devices partnered with a user’s mailbox, run Get-MobileDevice with -Mailbox followed by the short name of the user (e.g. CharlesEdge):
Get-MobileDevice -Mailbox "CharlesEdge"
The same works with a domain-qualified name, in this case for my own mailbox:
Get-MobileDevice -Mailbox "JAMF\CharlesEdge"
Or, to unpartner a device (e.g. kryptedipad) from my mailbox, use Remove-MobileDevice, again bypassing the prompt with -Confirm:
Remove-MobileDevice -Identity kryptedipad -Confirm:$false
To wipe that iPad and send me an email confirmation, use Clear-MobileDevice:
Clear-MobileDevice -Identity kryptedipad -NotificationEmailAddresses "firstname.lastname@example.org"
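The policy workflow above, as an added example rather than the original post's code: it creates or updates the MarketingEAS policy from one hashtable of settings, assigns it to the mailboxes that should get it (a policy does nothing until it is assigned, and the assignment lives on the CAS mailbox, not on the device), and then reports each user's partnered devices with their access state so that a blocked or quarantined device is visible before anyone reaches for Remove- or Clear-MobileDevice. It assumes an Exchange PowerShell session (on-premises or Online); the user list is a placeholder.

```powershell
# Added example (not the original post's code). Assumes an Exchange PowerShell session.
$PolicyName = 'MarketingEAS'
$Users      = @('CharlesEdge')   # assumed: short names of the mailboxes to cover

# 1. Settings shared by New- and Set-, so the same hashtable creates the policy
#    the first time and re-enforces it on every later run.
$settings = @{
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $true
    AllowSimplePassword          = $false
    MinPasswordLength            = 8
    MaxPasswordFailedAttempts    = 10          # device wipes itself after 10 bad passcodes
    MaxInactivityTimeLock        = '00:05:00'  # lock after 5 minutes idle
}
$policy = Get-MobileDeviceMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    New-MobileDeviceMailboxPolicy -Name $PolicyName @settings
} else {
    Set-MobileDeviceMailboxPolicy -Identity $PolicyName @settings
}

# 2. Assign the policy; Get-CASMailbox shows which policy a user currently has.
foreach ($u in $Users) {
    $cas = Get-CASMailbox -Identity $u
    if ("$($cas.ActiveSyncMailboxPolicy)" -ne $PolicyName) {
        Set-CASMailbox -Identity $u -ActiveSyncMailboxPolicy $PolicyName
    }
}

# 3. Device report per mailbox. The Identity column is the value that
#    Remove-MobileDevice and Clear-MobileDevice expect.
function Get-EasDeviceReport {
    param([string[]]$Mailboxes)
    foreach ($m in $Mailboxes) {
        Get-MobileDevice -Mailbox $m | ForEach-Object {
            [pscustomobject]@{
                Mailbox     = $m
                Device      = $_.FriendlyName
                DeviceType  = $_.DeviceType
                DeviceId    = $_.DeviceId
                AccessState = $_.DeviceAccessState   # Allowed, Blocked, Quarantined, ...
                Identity    = $_.Identity
            }
        }
    }
}

Get-EasDeviceReport -Mailboxes $Users | Format-Table -AutoSize
```

Run it after any change to the policy as well: because Set-MobileDeviceMailboxPolicy takes the same hashtable, a drifted setting is put back without having to remove and recreate the policy.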
krypted May 18th, 2016
Posted In: Microsoft Exchange Server
ActiveSync Policies, eas, Exchange, MobileDeviceMailboxPolicy, set passcode
The first presentation I’ll be doing at MacSysAdmin today is on Windows Server in Mac OS X and iOS environments, which can be found here:
The second presentation I’ll be doing today at MacSysAdmin is on iOS deployment, which can be found here:
If you’re not able to attend then I hope you will enjoy. I’ll try and get them to Tycho for uploading to the official site asap.
krypted September 13th, 2012
Posted In: public speaking
DHCP, eas, exchange server, ExtremeZ-IP, GroupLogic, ios, Lion, Mac OS X, MacSysAdmin, mountain lion, OS X Server, windows server 2003, Windows Server 2008