Prevent MAC from connection to Exchange

[theravager]

Morning all,

I've been tasked with working out how to prevent the new MAC os from connecting to Exchange via EWS and I don't really have any thoughts on how to do this apart from via networking security.

Anyone got any ideas, I'm pretty sure this is going to come up a bit fom a security perspective for a lot of organisations.

 

[baddos]

Is it one user in particular or just anyone hopping on that mac?

 

[Zelandakh]

Stop the Mac VLAN from hitting the server VLAN on port 135, only allow them port 80?

 

[theravager]

Its a collection of mac's that are randomly all over the place.

Can't really do it at a network level, was hoping for possible something in exchange or something via IIS

 

[Zelandakh]

If you can check the version number that gets presented to Exchange you might be able to filter it that way?

 

[theravager]

New MAC's use EWS so you can't prevent them via mapi version as you previously could

 

[strongm]

I'm interesdted to know why we want to block Macs (and note that Mac is short for Macintosh, it is not an acronym or initialism so doesn't need to be in upper case)

 

[strongm]

Also I'm pretty certain that the EWS version of Entourage can be run on versions of OS X 10.4 or so and later (fx: google - yes, 10.4.9).So any Mac capable of running an OS from 2005 can use EWS, not just new ones.

 

[Zelandakh]

You can install Entourage EWS to 10.4.9 onwards but Snow Leopard comes with a MAPI connector out of the box according to the blurb. About time!

 

[theravager]

I thought i read that snow leopard doesn't have a MAPI connector but went with ews as microsoft is eventually going to give mapi the axe.

Reason to prevent MAC's is mainly around corp policies around security, group policy etc.

There also historically been some pretty big issues around mac's causing high cpu usage on exchange due to flawed code implementations.

 

[strongm]

>snow leopard doesn't have a MAPI connector

Macs have never natively had MAPI since MAPI rather relies on Windows APIs that the Mac obviously does not have... and the only MAPI client I am aware of was Outlook 2001 (which predated OS X). Later versions, and Entourage, use webDAV. Oh, and Macs came with an IMAP connector for their Mail.app software

Snow Leopard comes with an EWS connector instead of IMAP (although I assume iot still includes an IMAP connector). And the latest version of Entourage use EWS instead of webDAV, rather than instead of MAPI (although I'd assume that it still includes webDAV).

One problem you would have in blocking Macs connecting via EWS is that I'm note sure that there is a way of identifying the application or platform making use of EWS. About the only thing you are guaranteed to know are the user credentials.

>microsoft is eventually going to give mapi the axe

Not any day soon. And certainly not during the lifetime of Snow Leopard ...

>Snow Leopard comes with a MAPI connector out of the box according to the blurb

Sadly not, Zel, The blurb I've seen simply says it has out the box support for Exchange Server - which isn't quite the same thing; a more close read shows that that is support for Exchange Server 2007, and that that support is provided through EWS ...

>There also historically been some pretty big issues around mac's causing high cpu usage on exchange

Have to say I have not been aware of Macs doing this. There was an issue with IMAP clients (of which Macs would be an example) causing high CPU usage, but this was actually a problem at the Exchange end. But we don't use a lot of Macs, so I may have missed this issue.

 

[Zelandakh]

I meant "comes with an Exchange connector out of the box". Sorry for any confusion.

I've not seen high CPU from Macs either and have run a lot of them.