[horde] Blocking Active Sync Client

Arjen de Korte arjen+horde at de-korte.org
Fri Mar 13 14:24:49 UTC 2015


Quoting Jan Schneider <jan at horde.org>:

> Quoting Samuel Wolf <samuel at sheepflock.de>:
>
>> Quoting Klaus Steinberger <klaus.steinberger at physik.uni-muenchen.de>:
>>
>>> Hi,
>>>
>>> we want to block for all users some types of Client. Especially the
>>> Microsoft/Acompli Outlook App.
>>>
>>> I can block a client for a single user after he has connected, but I
>>> want to block this App for any user and forever.
>>>
>>> Reason: The APP doesn't access Active Sync directly, instead they use a
>>> bunch of servers at the Amazon Cloud. The bad thing is that the password
>>> will be stored at the Amazon Cloud.
>>>
>>>
>>> The App (or better the servers behind) show up like this (the ID is user
>>> dependent):
>>>
>>>
>>> Id: 289C17FE1CA68940
>>> Policy Key: 0
>>> Programm: Outlook-iOS-Android/1.0
>>> Modell: Outlook for iOS and Android
>>> Eindeutiger Name: Outlook for iOS and Android
>>> OS: Outlook for iOS and Android 1.0
>>> EAS Version: 14.1
>>> Gespeicherter Heartbeat (Sekunden): 540
>>>
>>> Sincerely,
>>> Klaus
>>>
>>> - --
>>> Rechnerbetriebsgruppe / IT, Fakultät für Physik
>>> Klaus Steinberger
>>> FAX: +49 89 28914280
>>> Tel: +49 89 28914287
>>> --
>>> Horde mailing list
>>> Frequently Asked Questions: http://horde.org/faq/
>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>
>> Hi Klaus,
>>
>> not exactly what you want, but maybe an idea.
>> I allow only special clients via Apache config:
>>
>> ##########################################################################
>> <Directory /var/www/https/horde/>
>>     Order Deny,Allow
>>     Deny from All
>>
>>     <Files "rpc.php">
>>         SetEnvIf User-Agent "Android/4.0.4-EAS-1.3" smartphone
>>         SetEnvIf User-Agent "motorola-XT910/1.0" smartphone
>>         SetEnvIf User-Agent "motorola-XT890/1.0" smartphone
>>         SetEnvIf User-Agent "Android/4.1.1-EAS-1.3" smartphone
>>         SetEnvIf User-Agent "Android/5.0.2-EAS-2.0" smartphone
>>         Order Deny,Allow
>>         Deny from All
>>         Allow from env=smartphone
>>     </Files>
>> </Directory>
>> ##########################################################################
>>
>> Samuel
>>
>
> Alternatively you can create a preauthenticate hook that sniffs on  
> the global $browser object.

I don't think either of these solutions will prevent from happening what  
the topic starter intends to do. The username and password may have  
been stored in the Amazon Cloud before the connection is made (and  
probably even if the connection fails).

To make sure that the username/password combinations can't be abused,  
you'd need to block user accounts once you find that they are accessed  
through this service, rather than just blocking ActiveSync sessions  
(the damage has been done already by that time).

Be sure to inform your users (and helpdesk) about this policy, since  
my guess is that this will lead to users calling support to ask why their  
accounts have been blocked.

-- 
This message was sent from a mailinglist subscription address.
For off-list replies, you must remove the address extension.
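
Added example, not part of the original message or of Horde: one way to find the accounts that have been accessed through this client, so they can be blocked or have their passwords reset as the reply above suggests. It assumes Apache's "combined" log format and that the account name appears either as the logged user or in the ActiveSync `User` query parameter; the log lines and account names are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Prefix of the "Programm:" value quoted in the thread.
BLOCKED_AGENT_PREFIX = "Outlook-iOS-Android/"

def accounts_seen_via_agent(lines, prefix=BLOCKED_AGENT_PREFIX):
    """Return {account: [(time, source host, status), ...]} for matching requests.

    Failed attempts (e.g. 401) are kept on purpose: the credentials were
    handed to the intermediary even if the server rejected the request.
    """
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["agent"].startswith(prefix):
            continue
        user = m["user"]
        if user == "-":
            # No user logged by Apache: fall back to the "User" query parameter.
            query = parse_qs(urlsplit(m["target"]).query)
            user = query.get("User", ["<unknown>"])[0]
        # Lower-cased so one account is not reported twice (assumes
        # case-insensitive account names).
        hits.setdefault(user.lower(), []).append(
            (m["time"], m["host"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges, made-up accounts).
SAMPLE_LOG = [
    '198.51.100.7 - alice [13/Mar/2015:14:02:11 +0000] "POST /Microsoft-Server-ActiveSync?User=alice&DeviceId=AAAA1111&DeviceType=Outlook&Cmd=Sync HTTP/1.1" 200 512 "-" "Outlook-iOS-Android/1.0"',
    '198.51.100.9 - - [13/Mar/2015:14:03:40 +0000] "POST /Microsoft-Server-ActiveSync?User=Bob&DeviceId=BBBB2222&DeviceType=Outlook&Cmd=FolderSync HTTP/1.1" 401 381 "-" "Outlook-iOS-Android/1.0"',
    '192.0.2.44 - carol [13/Mar/2015:14:05:02 +0000] "POST /Microsoft-Server-ActiveSync?User=carol&DeviceId=CCCC3333&DeviceType=Android&Cmd=Ping HTTP/1.1" 200 64 "-" "Android/5.0.2-EAS-2.0"',
]

if __name__ == "__main__":
    for account, events in sorted(accounts_seen_via_agent(SAMPLE_LOG).items()):
        print(account, events)
```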