Hi Alonzo
Without your account ID to hand I can't confirm what I am going to say to you; maybe you can verify this. Please do not reply on a public forum with your account ID.
If you go to Settings / Cloud Extender settings you will see the settings configured, which might have been modified at the time of installation of Cloud Extender. This would determine whether AutoQuarantine was being used on Cloud Extender, or on the Exchange server, or not at all.
A device that reports "Mailbox Managed" actually has 2 records in the MaaS360 platform - an MDM record (enrolled device) and/or an Exchange AS device (coming through Cloud Extender from Exchange). When the platform receives records from activated mail devices, it compares these with existing enrolled devices using specific criteria, and if appropriate merges them so that what you see is actually the result of the merge, where you have an MDM and an Exchange record together. The proof of this would be where, in Inventory, you go into the device and can see actions (top-right) for both Device actions (MDM) and Exchange actions. To see any devices where this merge process did not happen you can go to Devices > Exceptions and merge them manually. These occur where the information coming from the Cloud Extender / Exchange integration doesn't provide conclusive evidence to be able to merge the records with confidence.
If you need help in terms of whether anything is not actually working correctly, please raise a Support ticket and the team will follow up. Alternatively, without your account ID - which should not be posted here to respect your privacy - I can answer any more general questions you have.
Best regards
------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland
------------------------------
Original Message:
Sent: Tue March 05, 2024 12:55 PM
From: Alonzo Leavitt
Subject: Exchange ActiveSync with IOS
Hello everyone,
I'm working with an organization that utilizes Cloud Extender for user authentication, visibility and Exchange ActiveSync. We haven't configured anything within the iOS policy for ActiveSync; however, we're noticing that many of the iOS devices enrolled are reporting their mailbox as managed by Exchange ActiveSync. There is an ActiveSync policy in the portal but it doesn't contain any of the server information or user settings. Our question is whether simply setting up the ActiveSync policy and the Cloud Extender's default policy with Exchange integrated using Cloud Extender provisions this automatically?
My thinking is that:
- iOS device enrolls and Cloud Extender communicates to the on-prem Exchange that the device is enrolled.
- Cloud Extender creates a record of the device but does not have a user to attach to it yet until the user attempts to sign into Exchange.
- User of the device signs into the iOS Mail app with their AD/Exchange credentials.
- Since the device record was already sent to Exchange via Cloud Extender from MaaS360, the device is authenticated because it's treated as an "existing device" and not an "enrolled device" for AQ.
That last step is what I presume the key is - as Auto Quarantine is set up and enabled. All enrolled devices are set to quarantine but automatically approve existing devices is not. If the users previously signed in before AQ was set up, even though an ActiveSync configuration wasn't being pushed from the policy, would that account for the devices we're seeing that already have their mailbox managed?
------------------------------
Alonzo Leavitt
------------------------------