You can use the XenMobile Mail Manager Configuration utility to extend the capabilities of XenMobile Device Manager to create access control rules that either allow or block Exchange ActiveSync (EAS) devices from accessing Exchange services. You can build dynamic and static rules that enforce corporate email policies, allowing you to block users who are in violation of compliance standards. You can also use the utility to perform an EAS wipe on out-of-compliance devices.
The XenMobile Mail Manager also provides the ability to access information about Blackberry devices and to perform control operations such as Wipe and ResetPassword.
The first task in configuring the XenMobile Mail Manager requires configuring a connection to the database it will be using to store data.
Configuring a Mobile Service Provider (MSP) is optional and needed only if the Device Manager server is also configured to use the Mobile Service Provider interface to query unmanaged devices; for example: BlackBerry devices from a BlackBerry Enterprise Server (BES).
Once you have configured the XMM to use the Mobile Service Provider web service interface to query unmanaged devices (if you want to manage ActiveSync traffic of BlackBerry devices from the BES 5 server), you need to configure the Device Manager server to connect to the XMM server.
Note: If Windows Integrated is selected, this test uses the current logged in user and not the XenMobile Mail Manager Service user and therefore does not accurately test SQL authentication.
The XenMobile Mail Manager can be indispensable when configured in conjunction with Microsoft Exchange's “Quarantine” mode, which allows an Exchange admin to quarantine a user's device until that device can be determined to be compliant. (In Exchange quarantine mode, a user's email inbox is blocked, but the user can still see their calendar, appointments, and contacts.)
For example, when a user configures a corporate email account on their personal device, as soon as the user connects to the Exchange server, the user's new device is placed into quarantine mode. Exchange allows the administrator to have a mail sent to a new user telling them they need to enroll their new device in XenMobile Device Manager.
When the new device is then enrolled in Device Manager, the Device Manager will then notify the XenMobile Mail Manager to un-quarantine (or Allow) the device, provided the device is compliant with Device Manager policy. This policy is defined in Device Manager’s SMG Options dialog box.
Each rule contains a desired access state (Allow or Block) and criteria for matching an ActiveSync device. The matching criteria may match a particular device or a set of devices.
XDM (Device Manager) Rules
The Default Rule matches the set of all devices. The Default Rule’s desired state may be set to Allow, Block, or Unchanged. If the latter is selected, the effect will be that XenMobile Mail Manager will not modify the state of any devices that are not matched explicitly by a Local or XDM rule.
For each ActiveSync device known to the Exchange server, the rules are evaluated in order: first Local Rules, then XDM Rules, then the Default Rule. If a match is found in any rule, the rule’s desired state is then enacted for the device and no further rules are evaluated for the device.
Rule enactment results in a Powershell command being sent by XenMobile Mail Manager to Exchange to change the access state. However, if the current known access state of the device is already equal to the desired state, no action is taken.
Whenever the rules, or the set of known devices changes, the rules are re-evaluated.
Additionally, the XenMobile Mail Manager can be configured in Simulation mode. In this mode, Powershell commands are not issued to modify the access state. Instead, XenMobile Mail Manager records in its database that such an action was simulated.
Default access control rules serve as 'catch-all' rules that can be set to allow or deny a device that does not meet the criteria of either XDM rules or Local rules. For example, if you set the Default rule to Allow, then any device that does not meet the criteria set to block a device in either XDM or Local rules will be allowed to connect to Exchange.
You can use XDM (from Device Manager) rules in XenMobile Mail Manager to work in combination with Local and Default rules. Device Manager rules provide control over devices that do not meet your corporate device compliance standards, such as the ability to block devices that have blacklisted apps, devices that have been rooted or jailbroken, or devices that meet some other condition.
Device Manager rules are configured in the Device Manager web console, in the Options dialog box.
Device Manager rules are evaluated by XenMobile Device Manager after Local rules, and before Default rules.
Local rules are those you create in, and that are specific to, the XenMobile Mail Manager utility; they provide an extra layer of filtering and control over your company email access policies. When used in combination with Default access rules and Device Manager Secure Mobile Gateway rules (XDM rules), you can create useful combinations of filters to ensure that you have control over email access according to company policy.
You can build local rules to allow or block access by device ID, Device Type (all Android devices, for example), specific user, Active Directory group, or even agent version (device platform version).
In XenMobile Mail Manager, local rules are evaluated first, followed by XDM rules, and then followed by Default rules, from top to bottom as they are listed in the user interface.
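The evaluation order described above (Local rules, then XDM rules, then the Default rule; first match wins; the Default rule's Unchanged state leaves unmatched devices alone; no command is sent when a device is already in the desired state; Simulation mode records the action instead of issuing PowerShell) can be modelled in a few dozen lines. The following Python is an added example, not Citrix code or XenMobile Mail Manager's implementation: the device fields, rule names, app identifier and the text of the recorded action are all constructed for illustration, and the placeholder action string stands in for whatever PowerShell command the product actually sends, which this page does not specify.

```python
"""Model of XenMobile Mail Manager's ActiveSync access-rule evaluation.
Added example, not Citrix code; device records, rule names and the
action text are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ALLOW, BLOCK, UNCHANGED = "Allow", "Block", "Unchanged"


@dataclass
class Device:
    """Constructed ActiveSync device record; field names are assumptions."""
    device_id: str
    device_type: str
    user: str
    jailbroken: bool = False
    apps: List[str] = field(default_factory=list)
    access_state: str = ALLOW  # last state known from Exchange


@dataclass
class Rule:
    name: str
    desired_state: str                 # Allow or Block
    matches: Callable[[Device], bool]  # criteria matching one device or a set


@dataclass
class MailManager:
    local_rules: List[Rule]
    xdm_rules: List[Rule]
    default_state: str = UNCHANGED     # Default rule: Allow, Block or Unchanged
    simulation: bool = True            # ActiveSync Command Mode: Simulation/PowerShell
    issued: List[str] = field(default_factory=list)     # commands sent to Exchange
    simulated: List[str] = field(default_factory=list)  # actions only recorded

    def decide(self, dev: Device) -> Optional[str]:
        """Desired state for one device: Local, then XDM, then Default.
        The first matching rule wins; later rules are not evaluated."""
        for rule in self.local_rules + self.xdm_rules:
            if rule.matches(dev):
                return rule.desired_state
        # The Default rule matches every device; Unchanged means leave it alone.
        return None if self.default_state == UNCHANGED else self.default_state

    def enact(self, dev: Device) -> Optional[str]:
        """Enact the decision, skipping devices already in the desired state.
        Returns the action taken or simulated, or None when nothing is done."""
        desired = self.decide(dev)
        if desired is None or desired == dev.access_state:
            return None
        # Placeholder for the command XMM would send; the real cmdlet text
        # is not given on this page.
        action = f"{desired} {dev.device_id} for {dev.user}"
        if self.simulation:
            self.simulated.append(action)   # recorded in the database only
        else:
            self.issued.append(action)      # PowerShell issued to Exchange
            dev.access_state = desired
        return action

    def evaluate_all(self, devices: List[Device]) -> Dict[str, Optional[str]]:
        """Re-evaluate every known device; run again whenever the rules
        or the set of known devices change."""
        return {d.device_id: self.enact(d) for d in devices}


# Constructed policy: a Local exception listed first, then a Local platform
# block, then XDM compliance rules, with the Default rule supplied by run().
BLACKLIST = {"com.example.banned"}  # constructed app identifier
LOCAL_RULES = [
    Rule("allow exec device", ALLOW, lambda d: d.device_id == "DEV-EXEC-1"),
    Rule("block Android", BLOCK, lambda d: d.device_type == "Android"),
]
XDM_RULES = [
    Rule("block jailbroken", BLOCK, lambda d: d.jailbroken),
    Rule("block blacklisted apps", BLOCK, lambda d: bool(BLACKLIST & set(d.apps))),
]


def sample_devices() -> List[Device]:
    """Constructed device set exercising each branch of the evaluation."""
    return [
        Device("DEV-1", "iOS", "alice", access_state="Quarantined"),
        Device("DEV-2", "Android", "bob"),
        Device("DEV-3", "iOS", "carol", jailbroken=True),
        Device("DEV-4", "iOS", "dave", apps=["com.example.banned"]),
        Device("DEV-5", "iOS", "erin"),
        Device("DEV-EXEC-1", "Android", "frank", jailbroken=True),
    ]


def run(simulation: bool = True, default_state: str = ALLOW) -> MailManager:
    mgr = MailManager(LOCAL_RULES, XDM_RULES, default_state, simulation)
    mgr.evaluate_all(sample_devices())
    return mgr


if __name__ == "__main__":
    print("simulated:", run(simulation=True).simulated)
    print("issued:", run(simulation=False).issued)
```

Two points are worth checking against your own rule set with a model like this: the executive exception is listed first among the Local rules, so it wins over the XDM jailbreak rule even though the device is non-compliant (rule order, not rule type, decides), and with the Default rule set to Unchanged the quarantined device DEV-1 is never allowed because no explicit rule matches it.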
To choose between the two, in the XenMobile Mail Manager utility, click the Configure > Access Rules tab. Then, under Activesync Access Control Rules on the Default Rule tab, select either Simulation or Powershell from the ActiveSync Command Mode drop-down list.