deviceid for exchange activesync
We have APM set up for Exchange ActiveSync - we are also using the deviceid parameter as an added security measure. This is giving me a lot of grief, as this ID is relevant to the email client being used by the device and not to the device itself. With most phones the built-in client identifier can be located when you set up the server details, but it's not so with the LG3 built-in client. I need to check the logs for a blocked user in order to locate this ID and it is proving impossible with the LG3. (Using other non-built-in clients is possible but the users are not happy with their experience.)
I am wondering if instead of the email client ID, I could use the actual device ID of the phone (IMEI or UUID).
If so, how can this be done?
Thanks,
Vered
- Stanislas_Piro2 (Cumulonimbus)
Hi,
I wrote this iRule (based on code I found on DevCentral) to log unknown device IDs to /var/log/ltm in the format expected by an external data group.

    when CLIENT_ACCEPTED {
        # Per-connection state used by the ACCESS_ACL_ALLOWED logging below
        set ASDeviceId ""
        set ASUser ""
        set activesyncCheck 1
    }

    when ACCESS_SESSION_STARTED {
        # Only evaluate ActiveSync requests
        if { [ACCESS::session data get session.server.landinguri] starts_with "/Microsoft-Server-ActiveSync" } {
            # Look the device ID up in the "devices" data group
            if { [class match [ACCESS::session data get session.user.activesync.device-id] contains devices] } {
                ACCESS::session data set session.user.activesync.device-id-result "allow"
            } else {
                ACCESS::session data set session.user.activesync.device-id-result "deny"
                log local0. "Activesync error [ACCESS::session data get session.user.activesync.device-id]"
            }
        }
    }

    when ACCESS_POLICY_COMPLETED {
        # Log denied devices as: "device-id" := "username",
        if { ([ACCESS::session data get session.user.activesync.device-id-result] equals "deny") } {
            log local0.info "Activesync_Failed:\"[ACCESS::session data get session.user.activesync.device-id]\" := \"[ACCESS::session data get session.logon.last.username]\","
        }
    }

    # Use this event to create external data group
    # grep "ACCESS_ACL_ALLOWED" /var/log/ltm | awk -F "Activesync:" '{print $2}' | sort -fu
    when ACCESS_ACL_ALLOWED {
        if { [HTTP::path] == "/Microsoft-Server-ActiveSync" } {
            if { $ASDeviceId ne "" } {
                log local0.info "Activesync:\"$ASDeviceId\" := \"$ASUser\","
            } else {
                # First allowed request on this connection: cache the values, then log
                set ASDeviceId [ACCESS::session data get session.user.activesync.device-id]
                set ASUser [ACCESS::session data get session.logon.last.username]
                log local0.info "Activesync:\"$ASDeviceId\" := \"$ASUser\","
            }
        }
    }

You can then use the following command to extract lines from /var/log/ltm:
grep "ACCESS_ACL_ALLOWED" /var/log/ltm | awk -F "Activesync:" '{print $2}' | sort -fu
Hi veredgf,
The IMEI or UUID is not passed as a parameter by your ActiveSync clients. So it's unfortunately not possible to use that information to allow/disallow your individual clients.
For further reading you may take a look at the two distinct ActiveSync protocol specifications and the description of the Device ID parameter.
Plain Text Query Value (for ActiveSync v2.5 and v12.0)
https://msdn.microsoft.com/en-us/library/ee160227(v=exchg.80).aspx
Base64-Encoded Query Value (for ActiveSync v12.1, v14.0, v14.1, and v16.0)
https://msdn.microsoft.com/en-us/library/hh475686(v=exchg.80).aspx
Device ID parameter
https://msdn.microsoft.com/en-us/library/ee219270(v=exchg.80).aspx
Cheers, Kai
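
Added example, not part of the original posts: a Python sketch that pulls the Device ID out of both query forms named in the reply above, to show which identifier the client actually sends. The function names and sample requests are constructed for illustration; the base64 header layout (version, command, locale, then length-prefixed device ID, policy key and device type) follows the linked Base64-Encoded Query Value specification.

```python
import base64
from urllib.parse import parse_qs, unquote

def _field(buf: bytes, pos: int):
    """Read one length-prefixed field at pos; return (value, next position)."""
    if pos >= len(buf) or pos + 1 + buf[pos] > len(buf):
        raise ValueError("truncated ActiveSync query value")
    end = pos + 1 + buf[pos]
    return buf[pos + 1:end], end

def parse_activesync_query(query: str) -> dict:
    """Extract query form, DeviceId and DeviceType from a request query string."""
    params = parse_qs(query)
    if "DeviceId" in params:  # plain-text form (v2.5, v12.0)
        return {"form": "plain", "version": None,
                "device_id": params["DeviceId"][0],
                "device_type": params.get("DeviceType", [""])[0]}
    # Base64 form (v12.1+): the whole query string is one encoded value.
    b64 = unquote(query)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if len(raw) < 4:
        raise ValueError("truncated ActiveSync query value")
    # Byte 0: protocol version x10, byte 1: command code, bytes 2-3: locale.
    device_id, pos = _field(raw, 4)
    _policy_key, pos = _field(raw, pos)  # length 0 or 4
    device_type, pos = _field(raw, pos)
    # Display choice of this example: printable IDs as text, binary IDs as hex.
    if all(32 < b < 127 for b in device_id):
        shown = device_id.decode("ascii")
    else:
        shown = device_id.hex()
    return {"form": "base64", "version": f"{raw[0] // 10}.{raw[0] % 10}",
            "device_id": shown,
            "device_type": device_type.decode("ascii", "replace")}

# Constructed sample requests (not captured traffic).
SAMPLE_PLAIN = "Cmd=Sync&User=jdoe&DeviceId=SAMPLEDEVICE0001&DeviceType=Android"
SAMPLE_B64 = base64.b64encode(
    bytes([141, 0]) + (0x0409).to_bytes(2, "little")
    + bytes([16]) + b"SAMPLEDEVICE0001"
    + bytes([4]) + (1234567890).to_bytes(4, "little")
    + bytes([7]) + b"Android").decode()

if __name__ == "__main__":
    for q in (SAMPLE_PLAIN, SAMPLE_B64):
        print(parse_activesync_query(q))
```

Neither form has a field for an IMEI or hardware UUID; the only device identifier available to a policy is the value the mail client chooses to send.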