
We have a user in our company who is constantly being locked out in Active Directory via ActiveSync. We have been reading logs and running various tests. We found out:

  1. We see logon attempts with the wrong password from the IP of a mobile operator.
  2. The phone brand is Nokia.
  3. The phone isn't listed in the partnership list of Exchange ActiveSync. Maybe it was there, but we cleaned the entire list when trying to resolve the problem.
  4. We know the phone ID, but it's impossible to block.
  5. We don't know the location of the phone.

What else can we do to resolve this problem?

We can't just turn off ActiveSync, because the user has another phone synchronized.

tpml7
  • Block the IP instead of the user? (If that's possible - I don't know much about ActiveSync) –  Jan 04 '15 at 11:57
  • Impossible. In the logs we see that the IP changes frequently. – Konstantin Bratulin Jan 04 '15 at 12:59
  • You could try changing the username of the user. – AWippler Jan 04 '15 at 14:24
  • I know. But it isn't a good solution. I think there should be a way to do this via Exchange. – Konstantin Bratulin Jan 04 '15 at 14:36
  • @KonstantinBratulin Can you post the output of: `Get-ActiveSyncDevice -Mailbox | Select *`? – EliadTech Jan 04 '15 at 17:24
  • `RunspaceId : db447de1-6cb0-4e7f-8329-4349645f174d FriendlyName : Nexus 5 DeviceId : android1415967835201 DeviceImei : 352136064472596 DeviceMobileOperator : ORANGE (42501) DeviceOS : Android 5.0.1 DeviceOSLanguage : DeviceTelephoneNumber : DeviceType : Android DeviceUserAgent : Android/5.0.1-EAS-2.0 DeviceModel : Nexus 5 FirstSyncTime : 12/30/2014 7:26:56 AM...` – Konstantin Bratulin Jan 05 '15 at 06:34
  • @EliadTech The user has only one ActiveSync device, a Nexus 5. We ran `Get-ActiveSyncDeviceStatistics -mailbox user | Select-Object Identity | Remove-ActiveSyncDevice` and re-added the Nexus. But it's not the problem device. We powered off the Nexus and after this we see lockouts. – Konstantin Bratulin Jan 05 '15 at 07:39

1 Answer

  1. You might be able to do a specific filter with a firewall rule, but that would probably require SSL inspection, which could prove quite a headache.
  2. Here's an option to block ActiveSync devices (through ECP), but as far as I can tell there's no way to block a specific device, only a type.
    http://blogs.technet.com/b/exchange/archive/2010/11/15/3411539.aspx
  3. You can try contacting the mobile operator and asking for their help.

If the options above have failed (or are just irrelevant), then I'd go with AWippler's suggestion and change the username - it's the simplest and surest option.

EDIT:
I've just found a blog that demonstrates how to block a specific device by ID, but I haven't tested it myself.

EliadTech
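
Since the source IP keeps changing, the DeviceId in the ActiveSync request URL is the stable thing to key on before blocking anything. As an added example (not part of the original answer, and not Exchange's own tooling), this PowerShell 3.0+ script summarizes HTTP 401 responses on /Microsoft-Server-ActiveSync from an IIS W3C log by user, DeviceId and client IP. The log lines, user names, IPs and device IDs are constructed, and the function name `Get-EasAuthFailure` is hypothetical.

```powershell
# Constructed sample of an IIS W3C log (user names, IPs and device IDs are made up).
$log = @'
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2015-01-04 09:12:01 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=NOKIA0000EXAMPLE01&DeviceType=Nokia&Cmd=Ping - 203.0.113.17 Nokia-EAS 401
2015-01-04 09:12:40 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=android0000example02&DeviceType=Android&Cmd=Sync CORP\jdoe 198.51.100.8 Android-EAS 200
2015-01-04 09:27:03 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=NOKIA0000EXAMPLE01&DeviceType=Nokia&Cmd=Ping - 203.0.113.94 Nokia-EAS 401
2015-01-04 09:31:15 GET /owa/ - CORP\asmith 198.51.100.20 Mozilla/5.0 200
'@ -split "`r?`n"

function Get-EasAuthFailure {
    param([string[]]$Line)
    $fields = @()
    $hits = foreach ($l in $Line) {
        # The #Fields header defines the column order for the lines that follow.
        if ($l -like '#Fields:*') { $fields = ($l -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($l -like '#*' -or -not $l.Trim() -or -not $fields) { continue }
        $v = $l -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        if ($row['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*' -or $row['sc-status'] -ne '401') { continue }
        # The query string carries the identity the client claimed, even on a failed logon.
        $q = @{}
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $k, $val = $pair -split '=', 2
            $q[$k] = $val
        }
        [pscustomobject]@{ User = $q['User']; DeviceId = $q['DeviceId']; DeviceType = $q['DeviceType']; ClientIp = $row['c-ip'] }
    }
    if (-not $hits) { return }
    # One row per user/device pair, with the failure count and every source IP seen.
    $hits | Group-Object User, DeviceId, DeviceType | ForEach-Object {
        [pscustomobject]@{
            User       = $_.Group[0].User
            DeviceId   = $_.Group[0].DeviceId
            DeviceType = $_.Group[0].DeviceType
            Failures   = $_.Count
            ClientIps  = @($_.Group | ForEach-Object { $_.ClientIp } | Sort-Object -Unique) -join ','
        }
    }
}

Get-EasAuthFailure -Line $log | Format-Table -AutoSize

# In the Exchange Management Shell, a confirmed ID can then be blocked per mailbox
# (placeholders, not values from this page):
# Set-CASMailbox -Identity '<user>' -ActiveSyncBlockedDeviceIDs @{Add = '<DeviceId>'}
```

Exchange applies the device block to requests that have already passed authentication, so re-run the summary afterwards to check whether the 401s for that DeviceId have actually stopped.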