MS Exchange Active Sync Multi Device Auth

Problem this snippet solves:

Uses Exchange mailbox custom attributes (Custom Attribute 1 through 3) to store up to three approved ActiveSync device IDs per user (e.g. iPhone, iPad), and drops the APM session when the DeviceId presented by the client does not match one of them.

Code:

when HTTP_REQUEST {

  # Apply DeviceID restriction to all ActiveSync directory traffic
  if {[HTTP::path] equals "/Microsoft-Server-ActiveSync"} {

    # Capture the DeviceID values stored in the user's mailbox Custom Attribute 1 - Custom Attribute 3 (managed via EMC)
    # and exposed to the APM session as session.user.deviceid1-3; upper-case them so the comparison is case-insensitive
    set mblDeviceID1 [string toupper [ACCESS::session data get "session.user.deviceid1"]]
    set mblDeviceID2 [string toupper [ACCESS::session data get "session.user.deviceid2"]]
    set mblDeviceID3 [string toupper [ACCESS::session data get "session.user.deviceid3"]]

    # Determine whether the query is Base64 encoded (Windows Phone) and, if so, decode it.
    # b64decode returns an empty string on failure, so a non-empty result means the query decoded cleanly.
    set string_b64encoded [HTTP::query]
    if {[catch {b64decode $string_b64encoded} string_b64decoded] == 0 and $string_b64decoded ne ""} {
      # Decoded layout: 4 header bytes (protocol version, command, locale), then a 1-byte DeviceID length,
      # then the DeviceID bytes. Skip the header, read the length byte as hex and convert it to decimal.
      binary scan $string_b64decoded x4H2 IDlenHEX
      scan $IDlenHEX %x IDlenDEC
      # H reads hex digits, so two digits per DeviceID byte
      set IDlen [expr {$IDlenDEC * 2}]
      binary scan $string_b64decoded x5H$IDlen HEXdeviceID
      set string_sentid [string toupper $HEXdeviceID]
    } else {
      set string_sentid [string toupper [URI::query [HTTP::uri]]]
    }

    # Compare the DeviceID presented in HTTP::query with the stored DeviceID attributes.
    # Each attribute is checked for a non-empty value first so an unset attribute can never match.
    if {$mblDeviceID1 ne "" and $string_sentid contains $mblDeviceID1} {
      log local0.info "Successful login with deviceID: $string_sentid"
    } elseif {$mblDeviceID2 ne "" and $string_sentid contains $mblDeviceID2} {
      log local0.info "Successful login with deviceID: $string_sentid"
    } elseif {$mblDeviceID3 ne "" and $string_sentid contains $mblDeviceID3} {
      log local0.info "Successful login with deviceID: $string_sentid"
    } else {
      log local0.info "Failed login with deviceID: $string_sentid"
      ACCESS::session remove
    }
  }
}
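The two query encodings the iRule handles, and the approval check against the three stored attributes, worked through in Python as an added example (not part of the codeshare entry). `STORED_DEVICE_IDS`, `build_base64_query` and the header byte values are constructed for the example; as in the iRule, a Base64-form DeviceId is reported as the upper-case hex of its raw bytes, so the stored attribute must use that form for such devices.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample: what an admin would store in Custom Attribute 1-3 for one
# user. Attribute 1 holds the hex form of the bytes b"APPL12345"; 2 and 3 are unset.
STORED_DEVICE_IDS = ["4150504C3132333435", "", ""]


def extract_device_id(query: str) -> str:
    """Return the DeviceId from an ActiveSync query string, upper-cased.

    Plain form:  User=...&DeviceId=...&DeviceType=...&Cmd=...
    Base64 form: 4 header bytes, 1 length byte, then the DeviceId bytes
    (the same offsets the iRule reads with 'x4H2' and 'x5H<len>').
    """
    try:
        raw = base64.b64decode(query, validate=True)   # '&' or '=' mid-string -> error
    except (binascii.Error, ValueError):
        raw = b""
    if len(raw) > 5:
        id_len = raw[4]
        device_id = raw[5:5 + id_len]
        if len(device_id) == id_len:                   # reject truncated payloads
            return device_id.hex().upper()
    params = parse_qs(query, keep_blank_values=True)
    return params.get("DeviceId", [""])[0].upper()


def device_approved(sent_id: str, stored_ids) -> bool:
    """Exact match against non-empty stored IDs only; an unset attribute never matches."""
    return sent_id != "" and any(s != "" and sent_id == s for s in stored_ids)


def build_base64_query(device_id: bytes, device_type: bytes = b"WP8") -> str:
    """Build a Base64-form query for testing (constructed input, not captured traffic)."""
    header = bytes([0x8C, 0x00, 0x09, 0x04])           # version, command, locale (constructed)
    body = bytes([len(device_id)]) + device_id
    body += b"\x00" + bytes([len(device_type)]) + device_type   # empty policy key, device type
    return base64.b64encode(header + body).decode("ascii")
```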
Published Mar 18, 2015
Version 1.0