We have a couple thousand BBs and a couple of dozen test EAS WM devices (despite policies to the contrary - guess some management folks are more equal than others).
We find (possibly due to lack of familiarity) just the opposite. Lots of tech and handholding to get EAS working (non-technical user community) and our user admins have the BES user admin role and can simply point and click to add users and set activation password. (No idea what profile Steve is referring to) Unless you are wide open as far as exchange server access and globally allow ANY user to attempt to connect their personal phone, you will have to specifically allow (or stop disallowing) each new user. The EAS comments are second hand so they may be a bit overstated. --------------------------------- Sent from my BlackBerry Wireless Handheld ----- Original Message ----- From: Steve Ens <[EMAIL PROTECTED]> To: MS-Exchange Admin Issues <[email protected]> Sent: Tue Sep 23 15:30:12 2008 Subject: Re: ActiveSync Set Up Veterans-GOING OT I use them both too...less admin with the EAS...no adding users, assigning profiles, etc... On Tue, Sep 23, 2008 at 4:26 PM, Sherry Abercrombie <[EMAIL PROTECTED]> wrote: I have both ActiveSync & BES, personally, I prefer BES, but have no real issues w/EAS. On Tue, Sep 23, 2008 at 4:16 PM, wjh <[EMAIL PROTECTED]> wrote: So, do people really like Activesync? Or is that free beats clunky? Connectivity and management through BB or Good seems so much easier. We use Good on our WM devices and the interface is so much better. Tasks and notes work fine, plus no certificate hoops to jump through. Bill mqcarp wrote: I think I have it. I do note that the server setting is very misleading. I ended up using the direct server address ie mail.domain.com instead of the direct OMA address like many documents online suggest ie mail.domain.com/oma I never could get it to work manually configuring the device, but did get it to work with the config utility (I use the web version). I think that portion is due to the certificate validation being included in the config. That said so far only portions of the contacts, no calendar, and only folder structure is coming across at this point. At least we are getting somewhere! On Tue, Sep 23, 2008 at 1:44 PM, mqcarp <[EMAIL PROTECTED]> wrote: Thank you for sharing Sherry. I still have a few quirks going on so I will keep testing. A dumb mistake was not including the domain name ahead of the user name! I have a feeling this may not suit our CEO either, as I keep reading about some limitations. Will see. On Tue, Sep 23, 2008 at 11:58 AM, Sherry Abercrombie <[EMAIL PROTECTED]> wrote: http://www.techsack.com/2008/08/19/getting-your-iphone-to-work-with-exchange-active-sync-ssl-certificate/ On 9/23/08, mqcarp <[EMAIL PROTECTED]> wrote: Interesting, well OMA works fine now both internally and externally, however ActiveSync will not. This is on an iPhone. Still reviewing On Tue, Sep 23, 2008 at 10:53 AM, mqcarp <[EMAIL PROTECTED]> wrote: I got it worked out but it is excruciatingly slow. Very odd. I will have to look at this. Thanks all On Tue, Sep 23, 2008 at 9:05 AM, Michael B. Smith <[EMAIL PROTECTED]> wrote: I did this the first time, long ago and far away. It's just part of the process now…here were my comments the first time I had to do it: http://theessentialexchange.com/blogs/michael/archive/2007/11/13/oma-amp-activesync-after-configuring-rpc-https-and-forms-based-authentication.aspx Regards, Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP My blog: http://TheEssentialExchange.com/blogs/michael Link with me at: http://www.linkedin.com/in/theessentialexchange From: mqcarp [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 23, 2008 8:48 AM To: MS-Exchange Admin Issues Subject: Re: ActiveSync Set Up Veterans Do you happen to use a front end Exchange server? We do not, and have come across a problem. In reading about the solution on MS site, this seems odd and insecure. Has anyone had to implement this fix? http://support.microsoft.com/kb/817379/EN-US/ On Mon, Sep 22, 2008 at 2:03 PM, Sherry Abercrombie <[EMAIL PROTECTED]> wrote: I have ISA in my environment, but it is not a part of the OWA/ActiveSync setup. I have a reverse proxy setup at my colo that is used for both OWA and ActiveSync. On 9/22/08, mqcarp <[EMAIL PROTECTED]> wrote: Sherry are you using ISA in your environment? On Mon, Sep 22, 2008 at 12:15 PM, Michael B. Smith <[EMAIL PROTECTED]> wrote: The below was current as of the release of Exchange Server 2003 sp2. Not sure if the attribute has additional documented values in Exchange 2007. You can also make the change globally easily using PowerShell or a tool like ADModify.Net. The final Exchange specific tab is Exchange Features, shown in Figure 9-9. The Mobile Services entries allow you to control, on a per-user basis, the mobile capabilities of Exchange. If you, by default, enable mobile services at the global level (Global Settings®Mobile Services®Properties®General) then this window allows you to disable the capabilities at the per-user level. Using the script made available in Microsoft KB 830188 (How to grant permission to use Outlook Mobile Access to specific users of Exchange Server 2003), you can globally disable all users and then pick and choose which specific users are to be allowed access to mobile service capabilities. The per-user AD attribute that controls these functions is named msExchOmaAdminWirelessEnable. If this attribute has a value of zero or the attribute is not present, then all mobile services are enabled. If Outlook Mobile Access (OMA) is disabled, but the other two features are enabled, then the attribute has a value of two (2). The other two items control specific features associated with Exchange ActiveSync (EAS). "User Initiated Synchronization" must be enabled for Up-to-date Notifications to be enabled; however Up-to-date Notifications may be disabled on its own. If only Up-to-date Notifications is disabled, then msExchOmaAdminWirelessEnable has a value of one (1). If both User Initiated Synchronization and Up-to-date Notifications are disabled, then msExchOmaAdminWirelessEnable has a value of five (5). If all three Mobile Services are disabled, then msExchOmaAdminWirelessEnable has a value of seven (7). If you search the Internet, you will find that other values can be specified for this attribute. However, the values described in the prior paragraph are the only values which Microsoft has documented. You are better off only using these values. Regards, Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP My blog: http://TheEssentialExchange.com/blogs/michael Link with me at: http://www.linkedin.com/in/theessentialexchange From: Sherry Abercrombie [mailto:[EMAIL PROTECTED] Sent: Monday, September 22, 2008 12:55 PM To: MS-Exchange Admin Issues Subject: Re: ActiveSync Set Up Veterans The Exchange Features tab in AD for each account is the place to enable or disable additional Exchange features such as mobile and OWA. All these features are enabled by default and you will have to disable them. When we recently went through the process to setup OWA and ActiveSync, I had to manually disable everyone except those that had the proper approval for mobile and/or OWA. Check with your HR department because there are legal things to consider with employees checking or receiving email during non-business hours. In your IIS settings for ActiveSync you can set it to require SSL and I wouldn't recommend setting it up any other way. No SSL means that you're network credentials are being sent clear text.......very bad idea. Haven't had need to do any looking at logging for auditing at this point so I can't address that. On 9/22/08, mqcarp <[EMAIL PROTECTED]> wrote: Just have a few questions if some of you are using this feature. It seems frighteningly easy to set up on the server side and I want to ensure that the settings are secure. Here are a few observations for you vets on this: * The settings are activated for ALL users when it is enabled. Is it possible to disable it by default and enable specific users in AD? * Is there a log setting to enable for reviewing audit processes for pushes and troubleshooting in Exchange? * For iPhones, I have noticed that the config utility can require a certificate for the server side push set up, but if you set up a device manually, it will accept the connection without this validation. Can this be set to be required to avoid connections this way? This is on Exch 2003. TIA -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja ~
