Archive for September, 2008
I was working with one of the security guys at work on a report about the risks of implementing the iPhone in an organisation. There are a number of reasons why IT managers should carefully consider these security risks. A few of these are:
- Policies cannot be controlled at a granular level (compared to Windows Mobile or Blackberry)
- Lack of support for all of Exchange 2007 SP1 device policies (disable camera, disable WiFi, etc)
- Therefore split connections cannot be stopped (for example, connect to a WiFi network while connected to a VPN at the same time)
- Cannot control application exclusivity
- iTunes must be used to install updates.
- Known security vulnerabilities have been discovered and widely publicised.
To combat this, you can run a PowerShell command on your Exchange 2007 CAS box to restrict a user's mailbox to a single DeviceID, so that only that one device can sync with it.
To find all the DeviceIDs (and more) associated with a mailbox, type in:
Get-ActiveSyncDeviceStatistics -mailbox <mailbox name> | fl *device*
You can then put the DeviceID returned here at the end of the following command:
Set-Casmailbox <mailbox> -ActiveSyncAllowedDeviceIds <DeviceID>
I don’t think there’s an easier way to do this at anything beyond a per-user level. Please leave a comment if you know a way (PowerShell script maybe?).
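One way to run the two commands above across every mailbox that already has a device partnership, as an added example that is not part of the original post. It assumes that only mailboxes with exactly one partnership should be bound automatically, and the `-Apply` switch is a hypothetical name; save it as a script file and run it from the Exchange Management Shell.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumption: a mailbox with exactly one ActiveSync partnership is bound to that
# device; anything else is reported for manual review and left unchanged.
param([switch]$Apply)   # hypothetical switch: without it, nothing is changed

# Without -Apply, Set-CASMailbox is called with -WhatIf and only reports
$whatIf = -not $Apply

$mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true }

foreach ($mbx in $mailboxes) {
    $row = "" | Select-Object Mailbox, Devices, Action
    $row.Mailbox = $mbx.Name

    # @() forces an array even when one device (or none) comes back
    $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity)
    $labels = @($devices | ForEach-Object { "$($_.DeviceType):$($_.DeviceID)" })
    $row.Devices = [string]::Join(", ", $labels)

    if ($mbx.ActiveSyncAllowedDeviceIDs.Count -gt 0) {
        # An allow list is already in place; do not overwrite it
        $row.Action = "Skipped: allow list already set"
    }
    elseif ($devices.Count -ne 1) {
        # Zero or several partnerships: someone has to decide which device is legitimate
        $row.Action = "Review: $($devices.Count) partnerships"
    }
    else {
        Set-CASMailbox -Identity $mbx.Identity `
            -ActiveSyncAllowedDeviceIDs $devices[0].DeviceID -WhatIf:$whatIf
        if ($Apply) { $row.Action = "Bound to device" } else { $row.Action = "Would bind" }
    }

    # One row per mailbox, suitable for Format-Table or Export-Csv
    $row
}
```

Run it without `-Apply` first and check the rows marked for review before changing anything.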
Now, you may notice in the above screenshot that there is a DeviceType listed. Unfortunately, I don’t believe there is a PowerShell command available that allows blocking a device by its DeviceType. The same goes for the DeviceUserAgent.
However, if you have an ISA2006 server, the guys over at You Had Me At EHLO have posted a great article explaining how to block a device based on its User-Agent type.
I passed my exam!
Hi all, just a quick update to let you all know that I am now officially a Microsoft Certified Technical Specialist: Exchange 2007 (Configuration).
The exam was difficult. A lot of PowerShell commands to remember, a fair amount of clustering-based questions, and also quite a few questions about initial installation with the correct switches to use. There were also some questions about how to recover each of the roles. Lots of hard work but it’s all worth it.
I used the CBT Nuggets 70-236 training video pack, which was quite good. I also spent a fair amount of time in my lab to make sure I understood each command as it was applied. If you are thinking about studying for it, start using PowerShell. It’s not as scary as you may think. The commands make sense (get-mailbox will give you a list of mailboxes, for example), and you can get to the point where you do some seriously cool stuff with piping the results from one command to another.
A big thanks goes out to Derrick and Craig who helped me out considerably with my annoying questions, and my girlfriend Sarah for putting up with my grumpy moods when I was studying!
