I covered managing devices based on policy in http://krypted.com/microsoft-exchange-server/manage-activesync-policies-on-ios-using-powershell-in-exchange-2016/. One of those policies is “modern authentication”, Azure Passthrough Authentication, or OAuth if you will. To enable it, log into Exchange Online via PowerShell and run Set-OrganizationConfig with -OAuth2ClientProfileEnabled set to $true:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
If you’re using Skype, do an override:
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Now check that OAuth was enabled properly:
And voilà, you’ve caught up to where WordPress was at with OAuth 8 years ago! Next, check the global ADFS authentication rule:
And you can use Set-AdfsAdditionalAuthenticationRule to change it. Now, you should be able to check the ADFS rules required for a given MFA requirement:
Get-AdfsRelyingPartyTrust -Name "Krypted"
And then if necessary, set them:
Set-AdfsRelyingPartyTrust -TargetRelyingParty Krypted -AdditionalAuthenticationRules 'c: [Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-Insert your Group SID here"] && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
You can then check groups:
Get-ADGroup -Identity "Krypted Users"
krypted May 9th, 2017
Sometimes you need to manage policies in Exchange ActiveSync programmatically. For example, if a device shows up in a JSS, you can deploy policies to that device at the Exchange ActiveSync (EAS) level rather than using a mobileconfig. To manage these, Microsoft has provided a few pretty easy-to-use cmdlets in PowerShell.
To put these in practice, let’s create a policy called “MarketingEAS” and set a few common password/passcode policies, like requiring a password and requiring that it be alphanumeric. The following New-MobileDeviceMailboxPolicy cmdlet creates the Mobile Device mailbox policy MarketingEAS, using -DevicePasswordEnabled and -AlphanumericDevicePasswordRequired as options:
New-MobileDeviceMailboxPolicy -Name:"MarketingEAS" -DevicePasswordEnabled:$true -AlphanumericDevicePasswordRequired:$true
There are lots of other policy options, like -AllowBluetooth, -AllowCamera, -MaxEmailAgeFilter, -DevicePasswordHistory, etc. Once set, you can look at the contents of the policy using Get-MobileDeviceMailboxPolicy:
Get-MobileDeviceMailboxPolicy -Identity "MarketingEAS"
To then remove a Mailbox Policy, use Remove-MobileDeviceMailboxPolicy. The following removes the policy, bypassing prompts (-Force is a switch, so it takes no value):
Remove-MobileDeviceMailboxPolicy -Identity "MarketingEAS" -Confirm:$false -Force
To see what mailbox policy is enforced for a user, you can then run Get-MobileDevice, followed by -Identity and then the short name of the user (e.g. CharlesEdge):
Get-MobileDevice -Identity "CharlesEdge"
Or to see a list of devices associated with my mailbox:
Get-MobileDevice -Mailbox "JAMF\CharlesEdge"
Or to unpartner a device (e.g. kryptedipad) from my mailbox, use Remove-MobileDevice, bypassing the prompt with -Confirm:$false:
Remove-MobileDevice -Identity kryptedipad -Confirm:$false
To wipe that iPad and send me an email confirmation, use Clear-MobileDevice:
Clear-MobileDevice -Identity kryptedipad -NotificationEmailAddresses "firstname.lastname@example.org"
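Once you have more than one of these policies it is worth checking them against a baseline rather than reading each one by hand. The following is an added example, not code from the post: a function that runs every policy returned by Get-MobileDeviceMailboxPolicy through a minimal passcode/encryption baseline and reports each deviating setting. The property names are the real ones on the policy object; the baseline values themselves are assumptions you should replace with your own standard.

```powershell
# Added example: audit Exchange ActiveSync mailbox policies against a baseline.
# Assumes an Exchange Management Shell or Exchange Online PowerShell session is
# already open so Get-MobileDeviceMailboxPolicy is available.
# The baseline values below are illustrative assumptions, not values from the post.
$Baseline = @{
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 6
    MaxInactivityTimeDeviceLock        = [TimeSpan]::FromMinutes(15)
    MaxDevicePasswordFailedAttempts    = 10
    RequireDeviceEncryption            = $true
    AllowNonProvisionableDevices       = $false   # non-provisionable devices ignore the policy
}

function Test-EasPolicyBaseline {
    param(
        [Parameter(Mandatory)] $Policy,            # one object from Get-MobileDeviceMailboxPolicy
        [hashtable] $Expected = $Baseline
    )
    $findings = foreach ($name in $Expected.Keys) {
        # Unlimited<T> properties stringify as "Unlimited" or as the plain value,
        # so compare on the string form to keep the checks uniform (assumption).
        $actual = "$($Policy.$name)"
        $ok = switch ($name) {
            'MinDevicePasswordLength'         { [int]$actual -ge $Expected[$name] }
            'MaxInactivityTimeDeviceLock'     { $actual -ne 'Unlimited' -and [TimeSpan]$actual -le $Expected[$name] }
            'MaxDevicePasswordFailedAttempts' { $actual -ne 'Unlimited' -and [int]$actual -le $Expected[$name] }
            default                           { [bool]::Parse($actual) -eq $Expected[$name] }
        }
        if (-not $ok) {
            [pscustomobject]@{
                Policy   = $Policy.Name
                Setting  = $name
                Actual   = $actual
                Expected = $Expected[$name]
            }
        }
    }
    return $findings
}

# Report every setting, on every policy, that is weaker than the baseline.
Get-MobileDeviceMailboxPolicy |
    ForEach-Object { Test-EasPolicyBaseline -Policy $_ } |
    Format-Table -AutoSize
```

An empty table means every policy meets the baseline; otherwise each row names the policy and the setting to tighten with Set-MobileDeviceMailboxPolicy.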
krypted May 18th, 2016
Posted In: Microsoft Exchange Server
The first presentation I’ll be doing at MacSysAdmin today is on Windows Server in Mac OS X and iOS environments, which can be found here:
The second presentation I’ll be doing today at MacSysAdmin is on iOS deployment, which can be found here:
If you’re not able to attend then I hope you will enjoy. I’ll try and get them to Tycho for uploading to the official site asap.
krypted September 13th, 2012
Posted In: public speaking