Step 2: Configuring Exchange

Jamf Connect Documentation


The following instructions only describe locking down access to Exchange ActiveSync using the ExchangeActiveSync protocol definition. You can widen the scope of the protocol lockdown to other protocols as listed under the Protocols definition in Microsoft's Client Access Rules in Exchange Online documentation.

If you already have Client Access Rules defined, choose the priority numbers of the Jamf Connect Zero Trust Network Access rules so that they do not overwrite the existing configuration. Rules are evaluated in priority order, so every allow rule must carry a lower priority number than the final block rule.

  1. Open a new Notepad file.
  2. Paste in the Cloud Internet Gateway IP addresses for Zero Trust Network Access. See Zero Trust Network Access Cloud Internet Gateways.
    1. For each IP address, create a new line with the following PowerShell command, replacing <Num> and <IP address> accordingly (use a unique, ascending number for each rule):
      New-ClientAccessRule -Name "Wandera SDP EAS Whitelist <Num>" -Action AllowAccess -AnyOfProtocols ExchangeActiveSync -AnyOfClientIPAddressesOrRanges <IP address> -Priority <Num>
    2. On the final line, enter this PowerShell command to block all other IPs:
      New-ClientAccessRule -Name "Block Non-Wandera EAS Access" -Action BlockAccess -AnyOfProtocols ExchangeActiveSync -Priority 100

      The resulting configuration in Notepad should look as follows:

      New-ClientAccessRule -Name "Wandera SDP EAS Whitelist 1" -Action AllowAccess -AnyOfProtocols ExchangeActiveSync -AnyOfClientIPAddressesOrRanges 1.2.3.4 -Priority 1
      New-ClientAccessRule -Name "Wandera SDP EAS Whitelist 2" -Action AllowAccess -AnyOfProtocols ExchangeActiveSync -AnyOfClientIPAddressesOrRanges 5.6.7.8 -Priority 2
      ...
      New-ClientAccessRule -Name "Block Non-Wandera EAS Access" -Action BlockAccess -AnyOfProtocols ExchangeActiveSync -Priority 100

  3. Open a PowerShell terminal and connect to Exchange Online as an administrator.
  4. Copy and paste each command from Notepad into the terminal to create the rules, or save the file as a PowerShell script and run it.
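The following is an added example, not part of the Jamf documentation: it builds the same ExchangeActiveSync rules as the steps above from a list of gateway IPs instead of hand-editing them in Notepad, checks the chosen priority numbers against rules that already exist in the tenant (the concern noted above), and verifies the result with Test-ClientAccessRule. It assumes the ExchangeOnlineManagement module is installed; the IP addresses and the test mailbox are placeholders to replace with your documented Cloud Internet Gateway IPs and a real user.

```powershell
# Placeholder gateway addresses: replace with the Cloud Internet Gateway IPs
# from the Jamf documentation. Priority 100 matches the block rule above.
$GatewayIPs    = @('1.2.3.4', '5.6.7.8')
$BlockPriority = 100
$ApplyChanges  = $false          # $false prints the plan; $true creates the rules
$TestMailbox   = 'user@example.com'   # placeholder mailbox for verification

Connect-ExchangeOnline

# Priority numbers already in use by existing rules must not be reused.
$usedPriorities = @(Get-ClientAccessRule | Select-Object -ExpandProperty Priority)

$rules = @()
$priority = 0
foreach ($ip in $GatewayIPs) {
    do { $priority++ } while ($usedPriorities -contains $priority)   # next free slot
    $rules += @{
        Name                           = "Wandera SDP EAS Whitelist $priority"
        Action                         = 'AllowAccess'
        AnyOfProtocols                 = 'ExchangeActiveSync'
        AnyOfClientIPAddressesOrRanges = $ip
        Priority                       = $priority
    }
}

# Lower number wins: every allow rule must evaluate before the block rule,
# and the block rule must not land on a priority an existing rule already has.
if ($priority -ge $BlockPriority) {
    throw "Allow rules reach priority $priority; raise BlockPriority above it."
}
if ($usedPriorities -contains $BlockPriority) {
    throw "An existing rule already uses priority $BlockPriority; choose another."
}
$rules += @{
    Name           = 'Block Non-Wandera EAS Access'
    Action         = 'BlockAccess'
    AnyOfProtocols = 'ExchangeActiveSync'
    Priority       = $BlockPriority
}

foreach ($rule in $rules) {
    if ($ApplyChanges) { New-ClientAccessRule @rule }
    else { Write-Output ("Planned: {0} (priority {1})" -f $rule.Name, $rule.Priority) }
}

# Verify after applying: a gateway IP should be allowed, any other address blocked.
if ($ApplyChanges) {
    foreach ($addr in @($GatewayIPs[0], '203.0.113.10')) {
        Test-ClientAccessRule -User $TestMailbox -AuthenticationType BasicAuthentication `
            -Protocol ExchangeActiveSync -RemoteAddress $addr -RemotePort 443
    }
}
```

Run it once with $ApplyChanges left at $false to review the planned names and priorities against the existing rule set before creating anything.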