Blocking Exchange Web Services by User-Agent

Let’s say you want to block ActiveSync for mobile devices. Did you know that some clients will use Exchange Web Services as a fallback?

If you just gasped, this post is for you! (Also: calm down)

Disabling EWS isn’t really an option, as quite a lot of Outlook functionality relies on EWS. However, we have a few lesser-known pieces of functionality to block EWS for certain applications, based on their User Agent Strings.

…The Block/Allow lists work on the basis of the User Agent Strings generated by the EWS client. So, if you are looking to get a list of strings to block, you can take a look at your IIS logs.

Matthew Abraham shares some tips on extracting the User Agent (client app name) string from your EWS IIS logs with LogParser (aka the most amazing tool ever written, ever), and using Exchange PowerShell cmdlets to prevent access.

Without meaning to spoil the really good bit:

And the best bit, The parameters accept WildCard entries!

Drat. Next time I’ll be less spoilery.

Note on image selection: It was a product logo, or a picture of user agent strings. If you’re disappointed because you really wanted to see pictures of user-agents, here you go!

Posted by Tristan Kington, a new MSPFE Editor

Comments (0)

Skip to main content