http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspxMany companies and users consider mobile access to Exchange data an essential feature. Exchange ActiveSync (EAS) is very popular as it allows this access and many devices have licensed and implemented EAS (including Windows Mobile). Some companies useen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx#3406475Wed, 12 Nov 2008 04:55:54 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3406475DnalorThis article has some serious flaws <br> <br>What about the concept of least privilege? <br> <br>You should deny all access first thewn make exceptions for your known mobiles and servers. I think you should rewrite this<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3406475" width="1" height="1">http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx#3406410Mon, 20 Oct 2008 20:15:38 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3406410Patrick ButlerIntresting article. Makes me wonder if this can be done to control Iphone usage as well. While we do want to allow users to use an iphone we want to control WHO is using them. I figure if we place the rule with an exception........ Also I wonder if the User-Agent string is known for the Iphone?<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3406410" width="1" height="1">http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx#3406333Sun, 21 Sep 2008 06:00:42 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3406333F. Andy SeidlAs a webmaster, you definitely should use user-agent headers to manager server traffic. But understand that this is purely a pragmatic tactic and not a serious security measure. <br> <br>I wrote more about this here: <br> <br>Webmaster Tips: Blocking Selected User-Agents <br>&lt;a href=&quot;<a rel="nofollow" target="_new" href="http://faseidl.com/public/item/213126&quot;&gt;http://faseidl.com/public/item/213126&lt;/a&gt;">http://faseidl.com/public/item/213126&quot;&gt;http://faseidl.com/public/item/213126&lt;/a&gt;</a><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3406333" width="1" height="1">http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx#3406232Thu, 11 Sep 2008 17:50:50 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3406232Brian WingHi Peter, <br>We disallow all of our users access via ActiveSync, and then we lock them down to a single device when they request access. <br> <br>One quesiton, if you lock them down using the set-casmailbox &lt;userid&gt; -ActiveSyncAllowedDeviceIds &lt;deviceID&gt; how do you remove the ID from thier cas-mailbox settings? <br> <br>I know you can remove device partnerships with OWA, ps, or EMC, but it doesn't remove the deviceID you manually set. <br> <br>Thanks <br>Brian<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3406232" width="1" height="1">http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx#3406225Mon, 08 Sep 2008 21:04:03 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3406225Adam GlickHi Peter, <br>The issue you refer to happens on devices that don't have any policy set. &nbsp;Since the remote wipe is sent down with/as a policy, if no policy is set, then it prompts for one. &nbsp;The most common is PIN policy which is why you see it ask for a password to be set up (you could define a policy where a PIN wasn't required but you would still get a policy prompt). &nbsp;In Exchange Server 2007 SP1, we introduced a &quot;Default&quot; policy that Admins could set. &nbsp;With a default policy, you will not run into the &quot;prompt for policy&quot; on a wipe as all device that connect will automatically have policies pushed down to them (even if that policy has no PIN requirements in it). &nbsp;It is always a good idea to have some policies applied to all devices that connect to your Exchange Server. &nbsp;Using the Default policy in SP1 will make this simple and the prompt issue experienced by organizations that didn't previously apply policies will become a thing of the past. &nbsp;If you are not on Exchange Server 2007 SP1 I’d recommend upgrading or setting a policy that you apply to all users and this will avoid the situation you are referring to. <br><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3406225" width="1" height="1">http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx#3406222Mon, 08 Sep 2008 15:24:01 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3406222bdayExcellent. We're about to upgrade to ISA 2006 fom 2004 so this is nice to see. Now if we could only find a way to block specific models. : ) A great start!<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3406222" width="1" height="1">http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx#3406221Sat, 06 Sep 2008 22:14:07 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3406221PeterOn a somewhat related note, why is it necessary to require a password on a mobile device in order to remotely wipe it? <br>Obviously, using a password on the device is more secure regardless of whether you use ActiveSync or not. &nbsp;But it is exactly the non-protected devices that I am most concerned about and want to be able to remotely wipe. <br>I would love to be able to wipe lost devices but I know I would get a huge amount of resistance if it also meant requiring a password on the device. <br>Is there any way to remotely wipe a device without requiring a password also? <br>Thanks.<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3406221" width="1" height="1">