Tiny Deathstars of Foulness

I covered managing devices based on policy in One of those policies is “modern authentication”, Azure Passthrough Authentication, or OAuth if you will. To enable it, connect to Exchange Online via PowerShell and run the Set-OrganizationConfig cmdlet with -OAuth2ClientProfileEnabled set to $true:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

If you’re using Skype, do an override:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Now check that OAuth was enabled properly:


And voilà, you’ve caught up to where WordPress was at with OAuth 8 years ago! Next, check the global ADFS authentication rule:


And you can change it with Set-AdfsAdditionalAuthenticationRule. Now you should be able to check the ADFS rules that apply to a given relying party trust (and so a given MFA requirement):

Get-AdfsRelyingPartyTrust -Name "Krypted"

And then if necessary, set them:

Set-AdfsRelyingPartyTrust -TargetRelyingParty Krypted -AdditionalAuthenticationRules 'c: [Type == "", Value == "S-1-5-21-Insert your Group SID here"] && [Type == "", Value == "false"] => issue(Type = "", Value = "");'

You can then look up the group (and its SID) that the rule refers to:

Get-ADGroup -Identity "Krypted Users"
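Tying the steps above together, here is an added example (not from the original post) that enables modern authentication, reads the setting back instead of trusting the Set, resolves the group to its SID with Get-ADGroup, and only then writes the MFA rule to the relying party trust. It assumes an Exchange Online session plus the ADFS and ActiveDirectory modules are reachable from the same shell; "Krypted" and "Krypted Users" are the post's placeholder names. The post's rule has its claim types blanked out; the claim-type URIs below are the standard ADFS ones for group SID, inside-corporate-network and authentication method, and are an assumption about what the author intended.

```powershell
# Added example, not the original post's code. Assumes: Exchange Online session,
# ADFS + ActiveDirectory modules available, and placeholder trust/group names.
param(
    [string]$RelyingPartyName = "Krypted",
    [string]$MfaGroupName     = "Krypted Users"
)

# 1. Turn on modern auth for the tenant, then verify by reading it back.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    throw "OAuth2ClientProfileEnabled is still false after Set-OrganizationConfig"
}

# Skype for Business override, only when that module is loaded.
if (Get-Command Set-CsOAuthConfiguration -ErrorAction SilentlyContinue) {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}

# 2. Match the group by SID, the stable identifier, rather than by display name.
$groupSid = (Get-ADGroup -Identity $MfaGroupName).SID.Value

# 3. Standard ADFS claim-type URIs (assumption: the post's rule had these blanked).
$groupsidType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$insideCorpNet = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$authMethod    = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$multipleAuthn = "http://schemas.microsoft.com/claims/multipleauthn"

# Require MFA when the user is in the group AND the request comes from outside the
# corporate network. Drop condition c2 to require MFA for the group everywhere.
$rule = @"
@RuleName = "MFA for $MfaGroupName from outside the corporate network"
c1:[Type == "$groupsidType", Value == "$groupSid"] &&
c2:[Type == "$insideCorpNet", Value == "false"]
 => issue(Type = "$authMethod", Value = "$multipleAuthn");
"@

# 4. Show what is there now: Set-AdfsRelyingPartyTrust replaces the rule set,
#    it does not append to it.
$rpt = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
"Current AdditionalAuthenticationRules for $($rpt.Name):"
$rpt.AdditionalAuthenticationRules

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules $rule

# 5. Read back and confirm the group SID actually landed in the rule.
$after = (Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).AdditionalAuthenticationRules
if ($after -notmatch [regex]::Escape($groupSid)) {
    throw "MFA rule for $RelyingPartyName does not reference $groupSid"
}
"MFA rule applied for $MfaGroupName ($groupSid) on $RelyingPartyName"
```

The read-back in steps 1 and 5 is the point: both Set cmdlets return nothing useful on success, and an MFA rule that silently failed to apply leaves the relying party with no step-up at all. Note also that the insidecorporatenetwork condition means no MFA is prompted on the internal network; whether that exemption is acceptable is a policy decision to make before copying the rule.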

May 9th, 2017

Posted In: Microsoft Exchange Server, Network Infrastructure, Windows Server



Sometimes you need to manage Exchange ActiveSync policies programmatically. For example, if a device shows up in a JSS, you can deploy policies to that device at the Exchange ActiveSync (EAS) level rather than using a mobileconfig. To manage these, Microsoft provides a few easy-to-use cmdlets in PowerShell.

  • The New-MobileDeviceMailboxPolicy cmdlet creates a policy based on attributes that you define.
  • The Get-MobileDeviceMailboxPolicy cmdlet shows the contents of a given policy.
  • The Set-MobileDeviceMailboxPolicy cmdlet changes a policy; it has the same structure as New-MobileDeviceMailboxPolicy, but applies to existing policies.
  • The Remove-MobileDeviceMailboxPolicy cmdlet deletes a policy.
  • The Get-MobileDevice cmdlet shows the devices that are associated with a given user.
  • The Remove-MobileDevice cmdlet removes a partnership between an account and a device.
  • The Clear-MobileDevice cmdlet wipes a device.

To put these into practice, let’s create a policy called “MarketingEAS” and set a few common password/passcode settings, like requiring a password and requiring that it be alphanumeric. The following New-MobileDeviceMailboxPolicy command creates the mobile device mailbox policy MarketingEAS, using -DevicePasswordEnabled and -AlphanumericDevicePasswordRequired as options:

New-MobileDeviceMailboxPolicy -Name:"MarketingEAS" -DevicePasswordEnabled:$true -AlphanumericDevicePasswordRequired:$true

There are lots of other settings, like -AllowBluetooth, -AllowCamera, -MaxEmailAgeFilter, -DevicePasswordHistory, etc. Once set, you can look at the contents of the policy using Get-MobileDeviceMailboxPolicy:

Get-MobileDeviceMailboxPolicy -Identity "MarketingEAS"

To remove a mailbox policy, use Remove-MobileDeviceMailboxPolicy. The following removes the policy without prompting (-Force is a switch, so it takes no value):

Remove-MobileDeviceMailboxPolicy -Identity "MarketingEAS" -Confirm:$false -Force

To see what mailbox policy is enforced for a user, you can then run Get-MobileDevice with -Identity followed by the short name of the user (e.g. CharlesEdge):

Get-MobileDevice -Identity "CharlesEdge"

Or to see a list of devices associated with my mailbox:

Get-MobileDevice -Mailbox "JAMF\CharlesEdge"

To unpartner a device (e.g. kryptedipad) from my mailbox, use Remove-MobileDevice, skipping the confirmation prompt with -Confirm:$false:

Remove-MobileDevice -Identity kryptedipad -Confirm:$false

To wipe that iPad and send me an email confirmation, use Clear-MobileDevice:

Clear-MobileDevice -Identity kryptedipad -NotificationEmailAddresses ""
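The cmdlets above are usually combined into a small script rather than run one at a time. The following is an added example, not code from the original post: it creates the MarketingEAS policy only if it is missing, then audits every device partnered with a mailbox (which policy actually applied, whether it applied fully, and when the device last synced), and flags partnerships that have gone stale. Removal is -WhatIf by default so the script reports before it acts. It assumes an Exchange Management Shell or Exchange Online session; Get-MobileDeviceStatistics and its DevicePolicyApplied, DevicePolicyApplicationStatus and LastSuccessSync properties are real Exchange cmdlet output but are not mentioned in the post, and the mailbox name and 90-day window are placeholders.

```powershell
# Added example, not the original post's code. Assumes an Exchange shell session;
# policy, mailbox and threshold values below are placeholders.
param(
    [string]$PolicyName = "MarketingEAS",
    [string]$Mailbox    = "CharlesEdge",
    [int]$StaleDays     = 90,
    [switch]$RemoveStale    # off by default: report only, remove with -WhatIf
)

# Create the policy only if it does not exist yet (New-* fails on a duplicate name).
$policy = Get-MobileDeviceMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-MobileDeviceMailboxPolicy -Name $PolicyName `
        -DevicePasswordEnabled $true `
        -AlphanumericDevicePasswordRequired $true `
        -MinDevicePasswordLength 8 `
        -MaxDevicePasswordFailedAttempts 10 `
        -DevicePasswordHistory 5
    "Created policy $($policy.Name)"
} else {
    "Policy $($policy.Name) already exists; leaving it unchanged"
}

# One row per device partnered with the mailbox. The policy the server applied
# (DevicePolicyApplied) can differ from the one assigned if the device never
# synced after the assignment, so the report shows both the policy and its status.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = Get-MobileDevice -Mailbox $Mailbox | ForEach-Object {
    $stats = Get-MobileDeviceStatistics -Identity $_.Identity
    [pscustomobject]@{
        Identity      = $_.Identity
        Device        = $_.FriendlyName
        DeviceId      = $_.DeviceId
        AccessState   = $_.DeviceAccessState
        PolicyApplied = $stats.DevicePolicyApplied
        PolicyStatus  = $stats.DevicePolicyApplicationStatus
        LastSync      = $stats.LastSuccessSync
        # No successful sync on record, or last sync older than the window
        Stale         = (-not $stats.LastSuccessSync) -or ($stats.LastSuccessSync -lt $cutoff)
    }
}
$report | Format-Table Device, DeviceId, AccessState, PolicyApplied, PolicyStatus, LastSync, Stale -AutoSize

# Stale partnerships keep a device authorised to sync long after anyone uses it.
# Without -RemoveStale this only prints what Remove-MobileDevice would do.
foreach ($row in ($report | Where-Object Stale)) {
    Remove-MobileDevice -Identity $row.Identity -Confirm:$false -WhatIf:(-not $RemoveStale)
}
```

Run it as `.\Audit-EasDevices.ps1 -Mailbox CharlesEdge` for the report, and add `-RemoveStale` once the list of stale partnerships has been checked. Clear-MobileDevice is deliberately left out of the loop: a stale partnership is evidence of an unused device, not of a lost one, and a wipe should stay a per-device decision.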

May 18th, 2016

Posted In: Microsoft Exchange Server


The first presentation I’ll be doing at MacSysAdmin today is on Windows Server in Mac OS X and iOS environments, which can be found here:


The second presentation I’ll be doing today at MacSysAdmin is on iOS deployment, which can be found here:


If you’re not able to attend then I hope you will enjoy. I’ll try and get them to Tycho for uploading to the official site asap.

September 13th, 2012

Posted In: public speaking
