Introduction to PowerShell Integration




Overview

The PowerShell integrated deployment is a direct model of integration that requires a simple setup with less infrastructure. In the PowerShell model, AirWatch adopts a PowerShell administrator role and issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny email access based on the policies defined in the AirWatch Admin Console. PowerShell deployments do not require a separate email proxy server and the installation process is simple.

In This Guide

- Before You Begin - Covers the basic requirements and other topics that help you get started with the solution.
- Configuring PowerShell - Describes how to set up PowerShell for Microsoft Exchange 2010/2013 and Microsoft Office 365.
- Implementing PowerShell - Explains the steps required for implementing PowerShell.
- Managing Email through PowerShell - Covers the features available in AirWatch to manage your device fleet effectively with this integration type.
- PowerShell Appendix A - Explains how to set up a server-side connection from your local computer.
- PowerShell Appendix B - Lists the commands used to set up a remote PowerShell session.

Before You Begin

Overview

The Before You Begin topic provides information that helps you with the initial setup, configuration, and understanding of the requirements essential for a smooth user experience.

In This Section

- Requirements - Lists the basic requirements to get started with PowerShell Integration.
- Recommended Reading - Provides helpful background and supporting information available from other AirWatch guides.

PowerShell and System Requirements

- AirWatch uses a service account that has Remote Shell access to Exchange Server and has an associated mailbox on the Exchange Server.
- AirWatch requires the following minimum roles to integrate with PowerShell:
  o Organization Client Access Role
  o Mail Recipients Role
  o Recipient Policies Role (only needed when managing Windows Phone 7 and BlackBerry devices)
  Note: Selecting the roles enables all required resources/permissions needed for AirWatch to operate. AirWatch recommends creating a custom role group with these roles.
- AirWatch requires access to the server-side session in order to execute Exchange commands.
- AirWatch communicates using port 443 or 80.
- Create Exchange ActiveSync profiles to associate in the MEM Configuration Wizard.
- Deploy this model from either cloud-based or on-premise solutions, provided that the AirWatch server can communicate with the respective email infrastructure.

Recommended Reading

- AirWatch Mobile Email Management Administration Guide - A comprehensive guide to AirWatch's mobile email management functionality.
- AirWatch Mobile Device Management Guide - A comprehensive guide to AirWatch's device management functionality.

Architecture

Overview

In the PowerShell model of deployment, AirWatch adopts a PowerShell administrator role and issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny email access based on the settings defined in the AirWatch Admin Console. PowerShell deployments do not require a separate email proxy server, and the installation process is simple. Once installed, AirWatch sends commands to PowerShell in accordance with the established email policies, and PowerShell executes the actions.

Note: The PowerShell model is for organizations using Microsoft Exchange 2010/2013 or Office 365 environments.

In This Section

- Cloud-Based Deployment of Exchange 2010 - Provides a schematic representation of the deployment model.
- On-Premise Deployments of Exchange 2010 - Provides a schematic representation of the deployment model.
- Office 365 deployment - Provides a schematic representation of the deployment model.

Deploy this model from either cloud-based or on-premise solutions, provided that the AirWatch server can communicate with the respective email infrastructure.

Configuring Exchange 2010/2013 for AirWatch Cloud-Based Deployments

The following diagram highlights the communications flow for a cloud-based implementation with hosted Exchange 2010/2013 deployments.

Configuring Exchange 2010/2013 for AirWatch On-Premise Deployments

The following diagram highlights the communications flow for an on-premise implementation with hosted Exchange 2010/2013 deployments.

Configuring Office 365

The following diagram highlights the communications flow for an implementation with Office 365.

Note: If you want to enable PowerShell with an outbound proxy, then you need to configure WinHTTP on the AirWatch server to use the proxy. AirWatch automatically uses WinHTTP proxy configuration to establish a PowerShell session.

PowerShell Integration

Overview

The AirWatch Admin Console Server issues PowerShell commands to Office 365 and Exchange Server 2010/2013 environments. Set up PowerShell integration according to the steps in the sections below.

In This Section

- Setting up the PowerShell Admin User - Explains the steps for setting up the PowerShell admin user.
- Configuring the PowerShell Endpoint in IIS - Explains how to configure the PowerShell Endpoint in IIS.
- Installing and Configuring Windows PowerShell - Explains the steps to install and configure PowerShell on the servers.
- Enable PowerShell Integration in AirWatch - Enabling PowerShell integration in AirWatch.
- Starting PowerShell Integration - Explains how to begin integrating from the AirWatch Admin Console.
- Enabling Exchange to Block New Devices - Enable Exchange to block new devices.

Step 1: Setting up the PowerShell Admin User

Set up the PowerShell Admin User in the Exchange Console on the Administration tab.

Prerequisites

Use permissions that can set up the PowerShell Admin user roles. Typically, an Exchange Administrator has these permissions.

On Exchange 2010/2013

Note: For Microsoft Exchange 2013, use the Exchange Admin Center to create a custom role.

1. In the Exchange Management Console, navigate to Toolbox and access the Role Based Access Control User Editor.
2. Once the Internet browser opens, enter the credentials (domain\user and password) of the Exchange Administrator with relevant permissions. Signing in as the Exchange Administrator creates a test role group, along with the roles associated to this group:
3. Select the New button to create New Role Groups.
4. Add the relevant roles: Mail Recipients, Organization Client Access, and Recipient Policies. Then, select Save to create a new role group specific to AirWatch PowerShell Integration.

Step 2: Configuring the PowerShell Endpoint in IIS

Ensure that the PowerShell endpoint in IIS on the Exchange Server is configured to accept either Basic Authentication or Windows Authentication credentials.

Enter the following command on the Exchange Management Shell on the Exchange Server and on the Remote Shell on the AirWatch Console Server:

    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

Step 3: Installing and Configuring Windows PowerShell On Your AirWatch Servers

Note: For additional help with configuration, see http://help.outlook.com/en-us/140/cc952756.aspx

In order for the commands to be issued from the AirWatch Console server, the Windows environment needs to be capable of issuing remote Shell commands. By default, the execution policy on Windows 2008 is set to Restricted script execution. Change the script execution mode to RemoteSigned. To change the script execution mode, use the Set-ExecutionPolicy command from the Shell. The following command changes the execution policy to RemoteSigned mode:

    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

See Appendix A: Testing Client-side Connection to test that you have enabled this correctly.

Step 4: Enabling PowerShell Integration in AirWatch

1. Navigate to Email Settings in the AirWatch Admin Console and click Configure. The MEM Configuration wizard form displays.
2. Here, select Microsoft version as Exchange 2010/2013 or Office 365 and Exchange PowerShell as the Mobile Email Management deployment type. Click Next.
3. The MEM deployment wizard form displays. Enter a friendly name for the PowerShell deployment. This name is displayed on the MEM dashboard screen for devices managed by PowerShell.

   PowerShell Settings:
   o Enter the PowerShell URL, which is the PowerShell instance on the email server in relation to the AirWatch Server. Typically, the PowerShell URL is in the form of https://<emailserver>/powershell.
   o Optionally, you may choose to Ignore SSL Errors to allow devices to ignore Secure Socket Layer (SSL) certificate errors between AirWatch and Exchange server.
     Note: AirWatch recommends that a valid SSL trust should always be established between AirWatch and Exchange server using valid certificates.
   o (Multi MEM scenario) If you have enabled the Support Multiple ACC option available on Groups & Settings Settings System Advanced Other, you can choose with which ACC server the PowerShell deployment should integrate using the ACC Configuration for PowerShell Integration field.

   PowerShell Authentication:
   o Use Service Account Credentials - Optionally, enable this option to extract the PowerShell Service Account credentials from the App pool of the server on which the ACC is installed.
   o Authentication Type - Select the authentication type based on the Exchange Server settings. The options available are:
     Basic - AirWatch connects to the remote PowerShell endpoint using the basic authentication type.
     NTLM (Negotiate) - AirWatch connects to the remote PowerShell endpoint using the negotiate authentication type.
     Kerberos - The email server uses Kerberos to authenticate a domain account and NTLM for a local computer account.
   o Admin Username and Admin Password - Enter the Username and Password of the PowerShell Service Account if the Use Service Account Credentials option is not enabled. Domain users should specify the username in the form of domain\username. Local users on a server computer should specify the username in the form of servername\username.

   PowerShell Sync:
   o One time sync after configuration - Enable this option to sync with PowerShell soon after configuration.
   o Limit sync results - You may choose to restrict this to certain filtered groups only. You can choose the User Group Configuration option and then select the user group DN. You may also choose to add Custom groups. Only the user groups belonging to the specific DN can sync.

   Click Next.
4. The MEM Profile Deployment wizard form displays. This is highly recommended for new installs and upgrades.
   o Select a device platform from the available list.
   o Select an email client from the available list.
   o Create a new profile or associate an existing profile of the above chosen platform and email client.
   o Assign a profile from the displayed list.
5. Click Next. The Summary form provides a quick overview of the basic configuration you have just created for the PowerShell deployment. Save the settings.

Step 5: Starting the PowerShell Integration

Begin managing email for mobile devices connecting to your Exchange environment by following the process outlined below:

1. Sync all mailboxes (from the AirWatch Email Dashboard) with Exchange to pull in all devices having an EAS partnership.
2. Allow devices to begin enrollments and continue to sync on a daily basis to check for devices that convert from Unmanaged to Managed status.
3. At any point, choose to create and apply an AirWatch Email Policy (refer to the Managing Email through PowerShell Integration section for details) to block unmanaged devices.

Note: For migration from SEG deployments to PowerShell deployments, please work with your AirWatch contact to identify an optimum solution for your enterprise.

Step 6: Enabling Exchange to Block New Devices

For AirWatch to manage the new devices trying to connect to email for the first time, configure Exchange to either Block or Quarantine devices at the organizational level. Set this up in either an Exchange PowerShell session or through the web interface. For Office 365 and Microsoft Exchange 2010/2013 users, access the web UI through an Administrator's Outlook Web Access (OWA) portal.

The first step to configure Exchange through PowerShell is to configure your organizational settings so that they Block or Quarantine devices. Blocking devices blocks the device outright, while quarantining provides you more visibility into unknown devices. AirWatch recommends quarantining; however, this also uses more processing power.

Open the Exchange PowerShell command window from the Exchange Server and enter the following command:

    PS C:\Windows\system32> Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine

Alternatively, you can use the following command:

    PS C:\Windows\system32> Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

Warning: The above instructions block or quarantine new devices until they enroll in the AirWatch Console, at which point AirWatch issues the relevant PowerShell cmdlets to allow email access for the newly enrolled devices. Use caution while enforcing device block or quarantine at the Global level on the Exchange server. While using this setting in a production environment, please ensure that all your devices are enrolled. Typically, this setting is not used during a trial or evaluation. The cmdlet might also temporarily block or quarantine enrolled devices until they check into AirWatch.

Quarantining or Blocking devices from accessing email over ActiveSync allows organizations to ensure that only approved (i.e. AirWatch managed) devices are allowed email access. Without this enforcement, there is the possibility that unmanaged devices may gain temporary access to corporate email until the next PowerShell sync process discovers and blocks them.

AirWatch recommends defining a custom email message for users with blocked devices. Microsoft Exchange can then automatically send users a notification to enroll when their blocked device attempts to access email. For further information, see here.

Email Management through PowerShell

Overview

After you complete PowerShell integration and setup, you can manage the connected devices' email traffic, set email policies, and take appropriate actions on the devices from the AirWatch Admin Console.

In This Section

- Email Dashboard - Covers the features available on the Email Dashboard to help you manage and monitor devices effectively.
- List View - Covers the features available from the List View screen that help you perform administrative actions on devices.

Securing with Policies

Enable the below policies from Email Compliance Policies. You can activate or deactivate the policies using the colored buttons under the Active column. Use the edit policy icon under the Actions column to allow or block a policy.

Managed Device Policies

- Inactivity - Allows you to prevent inactive, managed devices from accessing email. You can specify the number of days a device shows up as inactive (i.e. does not check in to AirWatch) before email access is cut off.
- Device Compromised - Allows you to prevent compromised devices from accessing email. Note that this policy does not block email access for devices that have not reported compromised status to AirWatch.
- Encryption - Allows you to prevent email access for unencrypted devices. Note that this policy is applicable only to devices that have reported data protection status to AirWatch.
- Model - Allows you to restrict email access based on the Platform and Model of the device.
- Operating System - Allows you to restrict email access to a set of operating systems for specific platforms.

Managing Through Email Dashboard

Gain visibility into the email traffic and monitor the devices through the AirWatch Email Dashboard. This dashboard gives you a real-time summary of the status of the devices connected to the email traffic. You can access the dashboard from Email Dashboard.

The email dashboard enables you to:

- Whitelist or blacklist a device to allow or deny access to email respectively.
- View the devices which are managed, unmanaged, compliant, non-compliant, blocked, or allowed.
- View the device details such as OS, Model, Platform, Phone Number, IMEI, and IP address.

From the Dashboard, you can also use the available graphs to filter your search. For example, if you want to view all the managed devices of that organization group, select the Managed Devices graph. This displays the results in the List View screen.

Managing Through List View

View all the real-time updates of your end user devices that you are managing with AirWatch MEM. You can access the List View from Email List View. You can view the device or user specific information by switching between the two tabs: Device and User. You can change the Layout to view either the summary or the detailed list of the information based on your requirement.

The List View screen provides detailed information that includes:

- Last Request - In PowerShell integration, this column displays the last state change of the device either from AirWatch or from Exchange.
- User - The user account name.
- Friendly Name - The friendly name of the device.
- MEM Config - The configured MEM deployment that is managing the device.
- Email Address - The email address of the user account.
- Identifier - The unique alphanumeric identification code associated with the device.
- Mail Client - The email client syncing the emails on the device.
- Last Command - The last command sent to the email server to manage the device. This populates the Last Request column.
- Status - The real-time status of the device and whether email is blocked or allowed on it as per the defined policy.
- Reason - The reason code for allowing or blocking email on a device. Please note that the reason code displays 'Global' and 'Individual' only when the access state of the email is changed by an entity other than AirWatch (for example, an external administrator).
- Platform, Model, OS, IMEI, EAS Device Type, IP Address - The device information displays in these fields.
- Mailbox Identity - The location of the user mailbox in the Active Directory.

Filters for Quick Search

From here, using the Filter option, you can narrow down your device search based on:

- Last Seen: All, less than 24 hours, 12 hours, 6 hours, 2 hours.
- Managed: All, Managed, Unmanaged.
- Allowed: All, Allowed, Blocked.
- Policy Override: All, Blacklisted, Whitelisted, Default.
- Policy Violation: Compromised, Device Inactive, Not data Protected/Enrolled/MDM Compliant, Unapproved EAS Device Type/Email Account/Mail Client/Model/OS.
- MEM Config - Filter devices based on the configured MEM deployments.

Performing Actions

The Override, Actions and Administration dropdown menus provide a single location to perform multiple actions on the device.

Override

Select the check box corresponding to a device to perform actions on it.

- Whitelist - Allows a device to receive emails.
- Blacklist - Blocks a device from receiving emails.
- Default - Allows or blocks a device based on whether the device is compliant or non-compliant.

Actions

- Sync mailboxes - Syncs mailboxes of PowerShell integrated deployments.
  Note: AirWatch offers the Email Sync option within the Self Service Portal so that end users can sync their devices with the mail server and also run preconfigured compliance policies for all their devices. This process is typically much faster than the bulk sync performed on all the devices.
- Run Compliance - Triggers the compliance engine to run for the selected MEM configuration.
  Note: When the Direct PowerShell Model is configured, AirWatch communicates directly with the CAS array via remote signed PowerShell sessions established from the console server or AirWatch Cloud Connector (ACC) (depending on the deployment architecture). Using remote signed sessions, commands are sent to blacklist (block) and whitelist (allow) device IDs on a given user's CAS mailbox in Exchange 2010/2013 based on the device's compliance status in AirWatch. The DefaultAccessLevel on the Exchange server does not change on running compliance. This setting applies only to known devices and overrides the access controls defined by DefaultAccessLevel. New unmanaged devices can access email if DefaultAccessLevel is set to allow. Devices can be manually blocked through the AirWatch Admin Console. It is a best practice to test expected PowerShell integration behavior without enforcing device blocking across the enterprise.

Administration

- Enrollment Email - Sends an email to the user with all the details required for enrollment.
- Delete Unmanaged Devices - Deletes the selected unmanaged device record from the dashboard. Please note that this record may reappear after the next sync.
- Remote Wipe - Resets the device to factory settings.
- Migrate Devices - Migrates selected devices to other chosen MEM configurations by deleting the installed EAS profile and pushing the EAS profile of the chosen configuration on the device.

Note: Once performed, these actions cannot be undone.

Appendix A: Testing Client-side Connection

Connecting to Server-Side Session

The Windows PowerShell session on your local computer is referred to as the client-side session and only has the basic Windows PowerShell commands available to it. In order to execute commands on Exchange 2010/2013 or in the cloud-based Office 365 service, you'll need to connect to the server environment, referred to as the server-side session. This session contains the commands used to control the Exchange mailbox properties.

The following example shows how to connect to the server-side session and establish a new session:

    PS C:\Windows\system32> $cred = Get-Credential
    PS C:\Windows\system32> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://exchange.server.url.com/powershell/" -Credential $cred -Authentication Basic -AllowRedirection

Note: Press Enter after authentication to execute the $session command.

To import the server-side session, issue the following command after successfully connecting to the server.

    PS C:\Windows\system32> Import-PSSession $session
    PS C:\Windows\system32>

Mailbox Queries

During device enrollment in AirWatch, devices can be configured for Exchange through profile distribution. When properly configured, the AirWatch Console will issue commands to enable Exchange ActiveSync for a user's mailbox on Exchange. The AirWatch Console also issues a command to whitelist the device ID being enrolled. To see what devices are whitelisted for a mailbox, use the command Get-CASMailbox to select the allowed devices.

The following example shows the device IDs that have been granted access to a specific user's mailbox.

Command:

    PS C:\Windows\system32> get-casmailbox -Identity "user.name@mail.com" | select {$_.ActiveSyncAllowedDeviceIDs}

Result:

    $_.ActiveSyncAllowedDeviceIDs
    -----------------------------
    {ApplDLXGL5FGDJHF, B058C150E57CC4004DA6B2E1BE4EE572}

Likewise, query a user's mailbox to view the blacklisted or blocked device IDs as shown in the following example.

Command:

    PS C:\Windows\system32> get-casmailbox -Identity "user.name@mail.com" | select {$_.ActiveSyncBlockedDeviceIDs}

Result:

    $_.ActiveSyncBlockedDeviceIDs
    -----------------------------
    {Appl87049106A4S, DT095F898778SDF2E1B3453445DG56}

Closing the Server-Side Session

Always close the console-server session when troubleshooting is complete. To remove the server-side session, use the remove-pssession command.

    PS C:\Windows\system32> remove-pssession $session
    PS C:\Windows\system32>
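The allow and block lists returned by the mailbox queries above only decide access for device IDs that appear on them; every other device falls through to the organization-wide DefaultAccessLevel set in Step 6. The following added example (not part of the AirWatch guide and not AirWatch code) works that out per device over constructed sample records and flags the cases worth reviewing. The function names, the sample mailboxes and the `Mailbox` property on the device records are assumptions made for the illustration, as is the evaluation order: mailbox block list first, then mailbox allow list, then the organization default, with Exchange device access rules left out.

```powershell
# Added example. It evaluates constructed sample data and never contacts Exchange.
# Assumed order of evaluation (device access rules are out of scope here):
#   1. ActiveSyncEnabled on the mailbox
#   2. ActiveSyncBlockedDeviceIDs
#   3. ActiveSyncAllowedDeviceIDs
#   4. organization-wide DefaultAccessLevel

function Get-EffectiveEasAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $DeviceId,
        [string[]] $AllowedDeviceIds,
        [string[]] $BlockedDeviceIds,
        [bool] $ActiveSyncEnabled = $true,
        [ValidateSet('Allow', 'Block', 'Quarantine')]
        [string] $DefaultAccessLevel = 'Quarantine'
    )
    if (-not $ActiveSyncEnabled)               { return 'Block (ActiveSync disabled)' }
    if ($BlockedDeviceIds -contains $DeviceId) { return 'Block (mailbox block list)' }
    if ($AllowedDeviceIds -contains $DeviceId) { return 'Allow (mailbox allow list)' }
    return "$DefaultAccessLevel (organization default)"
}

function Test-EasMailboxAccess {
    param(
        # Objects carrying the Get-CASMailbox properties used in this guide.
        [Parameter(Mandatory = $true)] [object[]] $Mailbox,
        # Device partnerships; 'Mailbox' is a property name invented for this example.
        [object[]] $Device = @(),
        [ValidateSet('Allow', 'Block', 'Quarantine')]
        [string] $DefaultAccessLevel = 'Quarantine'
    )
    foreach ($mbx in $Mailbox) {
        # Drop $null entries so an empty list behaves like an absent one.
        $allowed = @($mbx.ActiveSyncAllowedDeviceIDs | Where-Object { $_ })
        $blocked = @($mbx.ActiveSyncBlockedDeviceIDs | Where-Object { $_ })
        $seen    = @($Device | Where-Object { $_.Mailbox -eq $mbx.Identity } |
                     ForEach-Object { $_.DeviceId })

        foreach ($id in @($allowed + $blocked + $seen | Sort-Object -Unique)) {
            $onBoth = ($allowed -contains $id) -and ($blocked -contains $id)
            $listed = ($allowed -contains $id) -or  ($blocked -contains $id)

            $finding = ''
            if ($onBoth) {
                $finding = 'On both lists; the block entry decides'
            } elseif ((-not $listed) -and ($DefaultAccessLevel -eq 'Allow')) {
                $finding = 'Unlisted device admitted by the organization default'
            } elseif (-not $listed) {
                $finding = 'Unlisted device held by the organization default'
            }

            $query = @{
                DeviceId           = $id
                AllowedDeviceIds   = $allowed
                BlockedDeviceIds   = $blocked
                ActiveSyncEnabled  = [bool]$mbx.ActiveSyncEnabled
                DefaultAccessLevel = $DefaultAccessLevel
            }
            [pscustomobject]@{
                Mailbox  = $mbx.Identity
                DeviceId = $id
                Access   = Get-EffectiveEasAccess @query
                Finding  = $finding
            }
        }
    }
}

# Constructed sample data. 'acmeuser' and its allowed ID reuse the values from the
# guide's Set-CASMailbox example; every other value is made up for the illustration.
$sampleMailboxes = @(
    [pscustomobject]@{
        Identity                   = 'acmeuser'
        ActiveSyncEnabled          = $true
        ActiveSyncAllowedDeviceIDs = @('Appl123456ABCD78')
        ActiveSyncBlockedDeviceIDs = @()
    }
    [pscustomobject]@{
        Identity                   = 'sampleuser2'
        ActiveSyncEnabled          = $true
        ActiveSyncAllowedDeviceIDs = @('SAMPLEDEVICE0002')
        ActiveSyncBlockedDeviceIDs = @('SAMPLEDEVICE0002')
    }
)
$sampleDevices = @(
    [pscustomobject]@{ Mailbox = 'acmeuser'; DeviceId = 'Appl123456ABCD78' }
    [pscustomobject]@{ Mailbox = 'acmeuser'; DeviceId = 'SAMPLEUNLISTED01' }
)

# Compare the outcome under two organization defaults.
foreach ($level in 'Allow', 'Quarantine') {
    "DefaultAccessLevel = $level"
    Test-EasMailboxAccess -Mailbox $sampleMailboxes -Device $sampleDevices -DefaultAccessLevel $level |
        Format-Table -AutoSize | Out-String
}
```

In a live server-side session the mailbox records would come from Get-CASMailbox and the device partnerships from Get-ActiveSyncDevice, both listed in Appendix B, with the device records mapped to the mailbox they belong to.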

Appendix B: Cmdlets Executed by AirWatch

The Exchange Management Shell includes a number of cmdlets (commands) to configure everything from mailbox quotas to SMTP relay settings. Cmdlets are typically named with a <verb>-<noun> convention, such as Get-CASMailbox. At their core, cmdlets are simply Microsoft .NET classes, making them easy to implement in .NET applications such as AirWatch. AirWatch leverages the following PowerShell cmdlets to establish the remote PowerShell session:

New-PSSession

Creates a persistent PowerShell connection to a local or remote host. Once the session is open, the client can perform any number of PowerShell commands. Performs Set-CASMailbox and updates three distinct parameters for a mailbox when AirWatch uses this connection: ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs, and ActiveSyncEnabled. For example:

o New-PSSessionOption -SkipRevocationCheck -SkipCACheck -SkipCNCheck -ProxyAccessType WinHttpConfig
o New-PSSession -ConfigurationName $configurationname -ConnectionUri $connectionuri -Credential $cred -Authentication $authentication -AllowRedirection -SessionOption $proxyoption

Import-PSSession

Provides the ability to import PowerShell commands from one PowerShell session to another. For example:

o Import-PSSession -AllowClobber -CommandName $commandtoimport -FormatTypeName

Set-ExecutionPolicy

Allows the client to modify its preferences for the PowerShell execution policy. Set-ExecutionPolicy also helps to determine if the client has the permissions necessary to perform certain PowerShell commands.

Set-CASMailbox

Provides the ability to block or allow client access to specific users' mailboxes over a number of different client applications, including ActiveSync. Using this cmdlet, AirWatch can block particular devices or users from accessing ActiveSync based on the device compliance and user compliance to MDM policies. AirWatch specifically leverages the following arguments to this cmdlet. For example:

o Set-CASMailbox "acmeuser" -ActiveSyncAllowedDeviceIDs {Appl123456ABCD78} -ActiveSyncBlockedDeviceIDs $null -ActiveSyncEnabled $true

Note: The Set-CASMailbox cmdlet operates on one mailbox at a time and can configure properties for Exchange ActiveSync. You can configure a single property or multiple properties by using one statement.

o ActiveSyncAllowedDeviceIDs - Provides the ability to whitelist particular device IDs that can access the mailbox through ActiveSync. The ActiveSyncAllowedDeviceIDs parameter accepts a list of device IDs that are allowed to synchronize with the mailbox.
o ActiveSyncBlockedDeviceIDs - Provides the ability to blacklist particular device IDs that cannot access the mailbox via ActiveSync. The ActiveSyncBlockedDeviceIDs parameter accepts a list of device IDs that aren't allowed to synchronize with the mailbox.
o ActiveSyncEnabled - Provides the ability to completely enable or disable ActiveSync access for a particular mailbox. The ActiveSyncEnabled parameter specifies whether to enable Exchange ActiveSync.

Get-CASMailbox

Returns a complete list of attributes of a mailbox. This is also used for performing a one-time sync of a mailbox. For example:

o Get-CASMailbox "acmeuser" | Select ActiveSyncAllowedDeviceIDs,ActiveSyncBlockedDeviceIDs
o Get-CASMailbox -Filter $filter -ResultSize Unlimited
o Get-CASMailbox -Identity $identity

Set-ADServerSettings

For example:

o Set-AdServerSettings -ViewEntireForest $true/$false

Get-ActiveSyncDevice

Retrieves a list of devices in your organization that have active Microsoft Exchange ActiveSync partnerships. This is also used for performing a one-time sync of a mailbox. For example:

o Get-ActiveSyncDevice -Mailbox "acmeuser"
o Get-ActiveSyncDevice -ResultSize Unlimited
o Get-ActiveSyncDevice -Mailbox $mailbox

AW-Get-ADGroups

The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from an Active Directory. For example:

o Get-OrganizationalUnit

Clear-ActiveSyncDevice

Deletes all user data from a mobile phone the next time that the device receives data from the server (for example, syncs with Microsoft Exchange Server 2010). Sets the DeviceWipeStatus parameter to $true in Exchange. For example:

o Clear-ActiveSyncDevice -Identity $identity -Confirm $true/$false

Remove-PSSession

Closes or ends Windows PowerShell session(s).