Integration - EMail

Linked Articles

EMail Integration Schema (diagram)

Subsections of Integration - EMail

Boxer and SCL Restrictions

What needs to be checked to restrict the transfer of mail attachments and files between Boxer and SCL for iOS and Android:

  1. To restrict the transfer of documents in specific controlled apps, on Organization Group level:
     a. Allow the DLP functionality – SCL-step2
     b. Search for and add Boxer for iOS/Android – SCL-step3
  2. Next step, for the devices in the Organization Group:
     a. Create a new profile for all devices of the group – SCL-step4
     b. Turn off “Allow documents from managed sources in unmanaged destinations” – SCL-step5
  3. To restrict the transfer of files from SCL into Boxer, the file share connected to SCL has to be configured in the Security tab – SCL-step6:
     a. Allow Open in Email = OFF
     b. Allow Open in Third Party Apps = ON
  4. Check that in the security profile properties, Enable Composing Email = No (SCL-step7).

Boxer and SSL for PoC

Boxer has 2 types of accounts:

  • main – is being added on install, is usually configured with policies. Cannot be deleted.
  • additional – is added by users if this is allowed by policies. Can be configured manually.
Warning

(15.08.2017) For policies that are distributed centrally for the main account there is no way to configure “Ignore SSL errors”. If in a Boxer PoC you have to connect to a private/test mail server, this may pose a problem.

Variant 1 (recommended): the server certificate was issued by an internal CA (issued by =/= issued to)

Solution: on all devices in the test, you have to manually deploy the certificate chain in the trusted section:

iOS: http://longwhiteclouds.com/2013/01/03/installing-corporate-ca-certificates-on-iphone-or-ipad-for-use-with-vmware-view/

Android: https://support.google.com/nexus/answer/2844832?hl=en

Warning

In Android 7.0+, by default, apps don’t work with CA certificates that you add. But app developers can choose to let their apps work with manually added CA certificates. https://support.google.com/nexus/answer/2844832?hl=en

Variant 2: the server uses a self-signed certificate (issued by == issued to)

Solution: use the first (main) account, which is distributed by policies, for any public email service. For example, Office 365 from our VMTestDrive.

Note

Only one such account is possible for all devices; this account will not actually be used for mail.

  1. After installing Boxer, connect to the account provided by policies (VMTestDrive).
  2. Choose Add Account (“Добавить аккаунт”) in the Boxer left menu (IMG_1455.jpg).
  3. Enter an address (IMG_1456.jpg) and then choose Manual configuration (“Ручная настройка”). Type -> Exchange Server.
  4. See the config in IMG_1457.jpg and IMG_1458.jpg as an example of such a connection. It is important to choose SSL (Accept any certificates / “принимать любые сертификаты”).
Warning

After adding the account for the first time, the Inbox may sync for a long time (>30 min).

  5. Choose the default account (IMG_1459.jpg).
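To tell which of the two variants a test mail server falls into before picking the workaround, the following PowerShell 7 script (an added example, not code from this page or from VMware) fetches the server certificate, compares Issuer with Subject, and checks whether the local trust store already builds a chain for it. The function names, the host name mail.test.invalid and the self-signed sample certificate generated offline at the end are assumptions made for the demo.

```powershell
# Added example (not VMware's code), written for PowerShell 7. Classifies a mail
# server certificate into the variants above: Variant 2 when it is self-signed
# (issued by == issued to), Variant 1 when it was issued by a CA that the local
# trust store does not know. Function names and the host name are assumptions.

function Get-RemoteServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The validation callback returns $true only so the certificate can be
        # inspected; this stream is never used to send mail or credentials.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }
}

function Get-CertificateVariant {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Variant 2 test from the page: issuer and subject are the same name
    $selfSigned = $Certificate.Subject -eq $Certificate.Issuer

    # Variant 1 test: does the machine running this script already trust the chain?
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    $statusText = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
    if (-not $statusText) { $statusText = 'NoError' }

    if ($selfSigned)    { $variant = 'Variant 2: self-signed (issued by == issued to)' }
    elseif ($trusted)   { $variant = 'Trusted chain: no Boxer SSL workaround needed' }
    else                { $variant = 'Variant 1: issued by a CA missing from the trust store (issued by =/= issued to)' }

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        Variant     = $variant
        ChainBuilt  = $trusted
        ChainStatus = $statusText
        NotAfter    = $Certificate.NotAfter
    }
}

# Constructed offline sample: a self-signed certificate such as a test Exchange
# server might present (Variant 2). CertificateRequest needs PowerShell 7 / .NET Core.
$key = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new('CN=mail.test.invalid', $key, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddMinutes(-5), [DateTimeOffset]::UtcNow.AddDays(30))
Get-CertificateVariant -Certificate $sample

# Against a live test server (assumed host name):
# Get-CertificateVariant -Certificate (Get-RemoteServerCertificate -HostName 'mail.test.invalid')
```

Run the live check from a workstation that has the same root certificates the devices will get: if ChainBuilt is true there, the Variant 1 procedure (deploying the chain to the devices) is what is missing on the devices; if the result is Variant 2, only the second variant with an additional account will work.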

Boxer Copy-Paste

Boxer Copy&Paste restrictions can be applied in two ways

Unlike all other WS1 SDK-enabled Apps, Boxer has two different approaches to restrict Copy&Paste:


At the Assignment stage in App Policies there is a Copy Paste setting. As a result, copy&paste functions will be denied in ALL directions.

❗️Unrestricted personal mail accounts in Boxer can still be troublemakers in this case. It is recommended to disable them.

Copy&Paste Total restrict (screenshot)


If you need a more granular restriction, implement it in the SDK profile:

  • It is recommended to set the native Boxer DLP capability to Unrestricted. It can be set to Restricted as a potentially more secure option, but the SDK settings must then be enabled after this setting.
  • The Boxer app must be published with the SDK profile enabled. We use the Default profile, but it should work with a custom SDK profile as well.
  • Before actually installing the apps on devices, you need to set up the SDK profile: Authentication Type =/= Disabled; SSO must be enabled.
  • In the DLP section (Security Policies) you may enable Copy&Paste Into to give users the possibility to copy from unmanaged messengers/notes/etc. into Boxer emails.

As a result, copy&paste functions will be denied only in the desired direction: into or out of managed apps.

Screenshots: Copy&Paste Total unrestrict; Enable SDK; SSO enable; Copy&Paste In and Out

Boxer for Android Fingerprint

  • VMware Boxer v 4.5+ for Android 
  • AirWatch Console 9.0.5+

Following are the steps for fingerprint authentication on the Android Boxer app:

  • In the Apps SDK settings (Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies), enable the Biometric Mode.
  • While deploying the Boxer app, enable the application to use the AirWatch SDK and select the Global SDK for Android.
  • In the Email settings, enable the Application Configuration and enter “AppForceActivateSSO” (without the quotes) as the Configuration Key, Boolean as the Value Type and True as the Configuration Value.
  • Make sure the passcode is set to None.
  • Push the Boxer app to the device and download it from the Play Store.

Boxer via Fiddler

From time to time it may be useful to troubleshoot Boxer, Inbox, and native mail issues using Fiddler. Fiddler lets you log all of the traffic between the device and the email server/SEG endpoint. This is useful in proving that communication is happening and that some errors are being generated outside the device (401, 403, etc.).

Configure the Windows 10 computer (which will act as the proxy) and an example Android device.

  • Set your Windows 10 computer up as a mobile hotspot. On Windows 10, click on the start menu and type in “Mobile Hotspot”.
  • Select “Change mobile hotspot settings”.

  • Configure your hotspot settings and turn on the hotspot.

  • Download and install Fiddler from https://www.telerik.com/fiddler

  • In Fiddler, go to Tools\Options and make these changes (see the HTTPS sub-option).

  • Make these changes on the Connections sub-heading.

  • You will need your proxy server's IP address to enter on the mobile device later. To get it, hover over the “Online” option and view the list of IP addresses. In this example, I’ll be using 10.84.145.96.

Android

  • On the mobile device, go to your wireless settings and long-tap the right-hand side of the connection you want to use. This will be the wireless connection you set up on your computer. On Android, tap “Modify Network”.

  • Enter the proxy hostname and proxy port. The port will be 8888 if you kept the default Fiddler settings.

iOS

On iOS use the following process to set the proxy.

How to configure your iPad/iPhone proxy settings:

  1. Start the iPhone/iPad.
  2. Tap on the Settings app. …
  3. Tap on the Wi-Fi settings category. …
  4. You will now be at the Wi-Fi network settings screen for the connected network. …
  5. Tap on the Manual button. …
  6. When you are done setting up your proxy server, tap on the Wi-Fi Networks button.

On the mobile device, browse to the IP address of the proxy followed by :8888/fiddler. See the example below. Click on “FiddlerRoot Certificate” to download and install the certificate.

  • In the Fiddler application, click on Tools\WinINET Options.

  • Click on “LAN settings” and uncheck “Use a proxy server…” in the window that follows.

  • Click OK in both dialogs. A yellow bar in the Fiddler window will then indicate that it is not capturing any traffic from the local computer; for this test you only want device traffic.

  • You can clear the current log by pressing CTRL-A to select all captured sessions and removing them.

  • Now you can begin your replication testing.

ENS Basic Troubleshooting

Warning

Database for ENSv2 must be named “ENS”.

Alive Check

Cloud-hosted ENS:
  • https://ens-eu.getboxer.com/api/ens
  • https://ens-eu.getboxer.com/api/ens/alive

Steps:

  1. publickey request
    a. The device requests a public key to encrypt the account credentials with. It sends a hash of the email address as the userid. This helps identify the user and link together all of the user's devices.

  2. subscribe
    a. The device sends the encrypted creds, the user id (server created) and the device APNS token, so the ENS server has all the necessary pieces to subscribe and get notifications of new emails.

  3. push subscription
    a. ENS discovers the endpoint based on the creds and subscribes to Exchange using a webhook link that contains the encrypted credentials, i.e.: ens.airwatch.com/notify?id=&creds=<Base64(RSAEncrypted(username:password))>

  4. new email notification
    a. Exchange sends a notification of changes to the provided URL.
    b. ENS extracts and decrypts the creds and prepares the call to fetch the email.

  5. email fetch
    a. ENS performs a fetch for the email.

  6. push email
    a. ENS finds the user's devices by the user id and pushes the email details to CNS for delivery to all of the user's devices.

On-prem ENS:
  • https://_ENS_HOST/MailNotifications/api/ens
  • https://_ENS_HOST/MailNotifications/api/ens/alive

Registration Interaction

The following diagram shows in more detail a registration/new email interaction between the client, ENSv2 and the exchange server. This diagram shows in more detail how we can use credentials without keeping them saved inside the ENSv2 environment.
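The interaction described above, as an added example that is not part of this page or of VMware's code: one PowerShell 7 script plays both the device and the ENS side, so the property the text stresses (credentials pass through ENS but are never stored there) can be seen in the data structures. Get-EnsUserId, Request-EnsPublicKey and the other function names, the $EnsStore hashtable standing in for the ENS database, the host ens.example.invalid, and RSA-OAEP with SHA-256 as the padding are assumptions for the demo; the real ENSv2 key size and padding are not documented on this page.

```powershell
# Added example (not VMware's code), written for PowerShell 7: simulates the ENSv2
# credential round trip in the six steps above with both sides in one script.
# Function names, $EnsStore, the host name and the OAEP padding are assumptions.

function Get-EnsUserId {
    # Step 1 (device): identify the user by a hash of the address, not the address itself
    param([string]$EmailAddress)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($EmailAddress.Trim().ToLowerInvariant()))
    return ([BitConverter]::ToString($digest) -replace '-', '').ToLowerInvariant()
}

# ENS-side "secure database" from the FAQ: a device list and one key pair per user id.
# Nothing in this store ever holds a username or password.
$EnsStore = @{ Keys = @{}; Devices = @{} }

function Request-EnsPublicKey {
    # Step 1 (ENS): create the user's key pair if needed and hand out only the public half
    param([string]$UserId)
    if (-not $EnsStore.Keys.ContainsKey($UserId)) {
        $EnsStore.Keys[$UserId] = [System.Security.Cryptography.RSA]::Create(2048)
    }
    return $EnsStore.Keys[$UserId].ExportParameters($false)
}

function Protect-EnsCredentials {
    # Step 2 (device): RSA-OAEP encrypt "username:password" and base64 it for transport
    param($PublicKey, [string]$UserName, [string]$Password)
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.ImportParameters($PublicKey)
    $plain = [Text.Encoding]::UTF8.GetBytes("${UserName}:${Password}")
    $cipher = $rsa.Encrypt($plain, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    return [Convert]::ToBase64String($cipher)
}

function Register-EnsSubscription {
    # Steps 2-3 (ENS): remember the push token, then build the webhook Exchange will call.
    # The ciphertext rides inside the URL; ENS keeps no copy of it.
    param([string]$UserId, [string]$EncryptedCreds, [string]$PushToken)
    if (-not $EnsStore.Devices.ContainsKey($UserId)) { $EnsStore.Devices[$UserId] = @() }
    $EnsStore.Devices[$UserId] += $PushToken
    $creds = [uri]::EscapeDataString($EncryptedCreds)
    return "https://ens.example.invalid/notify?id=$UserId&creds=$creds"
}

function Receive-EnsNotification {
    # Steps 4-6 (ENS): Exchange calls the webhook; ENS decrypts, fetches, pushes, discards
    param([string]$WebhookUrl)
    $query = @{}
    foreach ($pair in ([uri]$WebhookUrl).Query.TrimStart('?') -split '&') {
        $k, $v = $pair -split '=', 2
        $query[$k] = [uri]::UnescapeDataString($v)
    }
    $rsa = $EnsStore.Keys[$query['id']]
    if (-not $rsa) { throw "Unknown user id $($query['id'])" }
    $plainBytes = $rsa.Decrypt([Convert]::FromBase64String($query['creds']), [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $user, $secret = [Text.Encoding]::UTF8.GetString($plainBytes) -split ':', 2
    # ... the EWS fetch of subject and sender would happen here with $user/$secret ...
    $secret = $null   # discarded after use; only the push fan-out below survives
    [pscustomobject]@{
        FetchedAs   = $user
        PushTargets = $EnsStore.Devices[$query['id']]
        KeysStored  = $EnsStore.Keys.Count
    }
}

# Constructed demo run: one user, one device, one notification
$userId = Get-EnsUserId -EmailAddress 'alice@example.invalid'
$pub    = Request-EnsPublicKey -UserId $userId
$blob   = Protect-EnsCredentials -PublicKey $pub -UserName 'alice' -Password 'constructed-sample-only'
$hook   = Register-EnsSubscription -UserId $userId -EncryptedCreds $blob -PushToken 'apns-token-device-1'
Receive-EnsNotification -WebhookUrl $hook
```

Two things to notice when reading the output: $EnsStore contains a key pair and a token list but no credential material, which is the FAQ's answer about persistence, and anyone who can read the webhook URL (proxy logs, the Exchange side) holds only ciphertext that is useless without the private key held by ENS.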

ENSv2 Database Details - see Article

Locale

Warning

ENS may cause errors in case of a date format mismatch. Ensure that the server, DB, etc. have the US English locale!

Boxer - Add Assignment

Network

ENSLINKAddress (On-Premise) should point to the externally accessible hostname of the ENS service. A support ticket has to be opened with VMware AirWatch to request an API token (internally, support reaches out to the Boxer product manager and requests an API key).

MS Exchange Server

The user agent for ENSv2 is configured on the MS Exchange Server CAS role. The user agent must be allowed to receive data from MS Exchange, or ENS will not be able to receive PUSH notifications.

Troubleshooting

ENSLINKAddress for an On-Premise installation should point correctly to the customer’s externally accessible hostname for the ENS service.

Autodiscovery errors showing in the logs.

  • Make sure that the EWSUrl key is configured in the console with the correct EWS URL for their Exchange environment.
    Test it by opening it in the browser and making sure you are prompted for credentials.
    Tip

    Alternatively they can just turn ON autodiscovery on their environment.

Authentication errors (401s)

  • Check what type of authentication is enabled in EWS. Make sure it matches whatever they are using for ActiveSync (Basic, OAuth, CBA), as Boxer passes whatever type of credentials it has to ENS to use against EWS.
  • Verify the EWSUrl is correct and resolves to the Exchange environment, and test the credentials being used by navigating to the EWS URL and trying them there.
  • Run the “Outlook Connectivity Tests” on https://testconnectivity.microsoft.com
    Tip

    Try the Exchange Server or Office 365 tabs accordingly

ENSv2 not sending notifications but no logs found on help portal.

  • Verify the ENSAPIToken key is correct in the console configuration.

  • Verify the ENSLinkAddress key is correct in the console configuration

    Tip

    Try appending the “alive” endpoint for the environment and make sure it responds.

  • Verify the EWSUrl is correctly configured with a valid EWS value.

  • Verify that ENSv2 servers have inbound access to their EWS environment (firewall may be blocking access, they need to open the corresponding IPs)

  • Verify that EWS can send outbound traffic to the corresponding ENSv2 domain (https://.getboxer.com/api/ens)

General FAQ

  • How are credentials or authentication tokens handled?
    • Although the client does share the credentials/tokens with the ENSv2 environment upon registration, they are not kept (saved anywhere) by AirWatch servers. Rather, the Exchange server passes them back to AirWatch, encrypted, as part of a notification it sends whenever a new email is available. From that notification (Exchange -> ENSv2), ENS decrypts the credentials and uses them to make any requests necessary to the Exchange server. After performing any necessary requests, the credentials are once again discarded.
Warning

Bug in MS Exchange detected: Exchange returns the email information even though the user is not the owner. This results in the notification payload being created for the wrong user and ultimately another user seeing the notification. 

With ENSv2 1.2+, a new service object is created for each EWS request. This will prevent the application from making a request to the EWS endpoint with different credentials.

Patch for Exchange needed from Microsoft on this, since this is unexpected Exchange behavior.

  • If credentials are not persisted, is there any data persistent at all by ENS? How is it secured?
    • There is a secure database that keeps a list of devices and a list of public/private key pairs used to decrypt the credentials when they come from Exchange;
    • Logs are also kept to aid in debugging issues and monitoring the system. These don’t contain any customer’s private information, and access to them is also tightly secured via account permissions.
  • What data is transmitted through the ENS server without being persisted? How is it secured?
    • User credentials (encrypted with RSA encryption)
    • Email subject and sender (sent via HTTPS)
    • All communication is done via HTTPS
  • What additional cloud services does ENS depend on?
    • AWS Simple Notification Service (SNS) for push notification handling.
    • Apple Push Notification Service (APNS) as it is the only way to pass notifications to Apple devices.
    • AWS Relational database service (RDS) for data persistence.
  • What is the user agent used by ENSv2 when sending requests to Exchange?
    • MailNotificationService/v2 (ExchangeServicesClient/15.00.0913.015+; this will change as new libraries from Microsoft are released)
  • What email folders does ENSv2 monitor for incoming messages and actions?
    • Currently, ENSv2 only monitors each user’s Inbox folder.

Load Balancing ENSv2

For HA, it is recommended to load balance several ENS web servers as needed, following the Hardware Requirements. All web servers should point to the same database server, as this is their shared source of state for each of the clients.

Since the ENS web application itself is stateless, there is no need to configure any session handling (stickiness) on the load balancer, so a straightforward configuration should suffice.

Integration - Microsoft IRM-RMS

RMS features in Boxer

According to the Boxer User Guide for iOS 4.5.1 and the Boxer User Guide for Android 4.5.0

Main features

  • Edit
  • Reply
  • Reply All
  • Forward
  • Copy-Paste
  • Modify recipients
  • Extract
  • Print
  • Export
  • Content Expiry Date

Other Features

  • Press and hold an email message to copy and paste it into the application.
  • You cannot copy data from the Boxer application and paste anywhere outside the application. However, you can copy data from outside the application and paste into the Boxer application.
  • If your email message contains a contact number, tap and hold the number to dial it immediately.
  • If restricted by your administrator, attachments may open only through the VMware Content Locker and other AirWatch-approved apps. Hyperlinks may open only through the VMware Browser.
  • If configured by your administrator, you can preview emails and their attachments within Boxer (see Boxer supported file types).
  • On the attachment preview screen, the Share icon will be unavailable. When the Share icon is tapped, you are presented with a toast message “Disabled by your admin”.
  • After performing an action on an email while viewing it, you can have Boxer either advance to the next message, the previous message, or return to the conversation list. This setting can be configured from Mail settings (navigate to Settings > Mail > More mail settings > Auto Advance).

RMS Attachments

Boxer does not open RMS-restricted attachments; it hands them to Content Locker. To use Content Locker on an iOS device, the following has to be done:

  1. The root certificate must be placed on the device.

  2. In newer iOS versions the root trust has to be ACTIVATED in a special menu option.

  3. In order for Content Locker to access RMS attachments, it must be registered on the ADFS server with this command:

Add-AdfsClient -Name "<App name>" -ClientId "<ID name>" -RedirectUri "<RedirectUri>"

Example: the Client ID for VMware Content Locker for iOS is e9fcfce0-a20b-4d34-b580-909332723090

Tip

The Client ID of the application can be found in the ADFS logs: every error Content Locker raises while trying to read an RMS-secured attachment is followed by its current Client ID.

Powershell for MEM

Linked Articles

EMail Architectures

Common Powershell Commands

Initializing a Session

These commands are what AirWatch uses to initialize a session. The two required inputs are the credential object ($cred) and the PowerShell endpoint.

> $cred = Get-Credential

> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<mailserver>/powershell -Credential $cred -Authentication Basic -AllowRedirection

> Import-PSSession $session

Look at a user’s basic mailbox information

This command pulls basic information about a mailbox using an email address as the identity.

> Get-CASMailbox -Identity userguy | fl

Viewing a user’s list of devices

This command will list each device partnered with the CasMailbox.

> Get-ActiveSyncDevice -Mailbox userguy | fl    (Exchange 2010)
> Get-MobileDevice -Mailbox userguy | fl        (Exchange 2013+)

Additional device information

WS1 UEM does not pull from this listing, however, you can find some additional details (ex: when the device last synced) from this table.

> Get-ActiveSyncDeviceStatistics -Mailbox userguy | fl

Setting ActiveSync Devices to Allowed/Blocked

This is the form of the cmdlet used to issue an Allow/Block command to Exchange. It inserts the given device ID into the appropriate list (the device ID string must be quoted inside the hashtable).

> Set-CASMailbox -Identity userguy -ActiveSyncAllowedDeviceIDs @{Add='DeviceId1'}
> Set-CASMailbox -Identity userguy -ActiveSyncBlockedDeviceIDs @{Add='DeviceId2'}

Selecting specific information or exporting data

This command is helpful when comparing AirWatch data to Exchange data.

> Get-ActiveSyncDevice -ResultSize Unlimited | Select-Object DeviceID, DistinguishedName, DeviceType | Export-CSV ASD_selection.csv
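A worked example of such a comparison, added here and not code from this page or from VMware: it reconciles the DeviceID/DistinguishedName export above with a device list exported from the WS1 UEM console and prepares, as text for review, the Set-CASMailbox lines from the previous section for each Exchange device. Both CSV snippets are constructed samples; the column names of the UEM export (EasDeviceIdentifier, User, Compliant) and the function names are assumptions.

```powershell
# Added example (not VMware's code): reconciles an Exchange ActiveSync device export
# with a WS1 UEM device export and drafts the Allow/Block commands for review.
# Both CSV blocks are constructed; in production feed in ASD_selection.csv and a
# device export from the UEM console instead. Column names of the UEM export are assumed.

# Shape of ASD_selection.csv from the Get-ActiveSyncDevice export above (constructed rows)
$exchangeDevices = @'
DeviceID,DistinguishedName,DeviceType
ABC123DEVICE0001,"CN=iPhone§ABC123DEVICE0001,CN=ExchangeActiveSyncDevices,CN=userguy,OU=Users,DC=example,DC=invalid",iPhone
DEF456DEVICE0002,"CN=Android§DEF456DEVICE0002,CN=ExchangeActiveSyncDevices,CN=userguy,OU=Users,DC=example,DC=invalid",Android
GHI789DEVICE0003,"CN=iPad§GHI789DEVICE0003,CN=ExchangeActiveSyncDevices,CN=othergal,OU=Users,DC=example,DC=invalid",iPad
'@ | ConvertFrom-Csv

# Devices UEM knows about (constructed); EasDeviceIdentifier is the value matched against DeviceID
$uemDevices = @'
EasDeviceIdentifier,User,Compliant
ABC123DEVICE0001,userguy,True
GHI789DEVICE0003,othergal,False
'@ | ConvertFrom-Csv

function Compare-EasDevices {
    param($ExchangeDevices, $UemDevices)
    $known = @{}
    foreach ($d in $UemDevices) { $known[$d.EasDeviceIdentifier.ToUpperInvariant()] = $d }
    foreach ($x in $ExchangeDevices) {
        # The mailbox owner is the CN directly beneath the ExchangeActiveSyncDevices container
        $mailbox = if ($x.DistinguishedName -match 'CN=ExchangeActiveSyncDevices,CN=([^,]+)') { $Matches[1] } else { $null }
        $match = $known[$x.DeviceID.ToUpperInvariant()]
        $state = if (-not $match) { 'Unmanaged' }
                 elseif ($match.Compliant -eq 'True') { 'ManagedCompliant' }
                 else { 'ManagedNonCompliant' }
        [pscustomobject]@{ DeviceID = $x.DeviceID; DeviceType = $x.DeviceType; Mailbox = $mailbox; State = $state }
    }
}

function New-CasMailboxAccessCommand {
    # Emits the Set-CASMailbox lines as strings so an admin can review them before running
    param($Reconciled)
    foreach ($r in $Reconciled) {
        if (-not $r.Mailbox) { continue }
        switch ($r.State) {
            'ManagedCompliant' { "Set-CASMailbox -Identity '$($r.Mailbox)' -ActiveSyncAllowedDeviceIDs @{Add='$($r.DeviceID)'}" }
            default            { "Set-CASMailbox -Identity '$($r.Mailbox)' -ActiveSyncBlockedDeviceIDs @{Add='$($r.DeviceID)'}" }
        }
    }
}

$report = Compare-EasDevices -ExchangeDevices $exchangeDevices -UemDevices $uemDevices
$report | Format-Table -AutoSize
New-CasMailboxAccessCommand -Reconciled $report

# Live data instead of the constructed samples (inside an Exchange session from the section above):
#   $exchangeDevices = Get-ActiveSyncDevice -ResultSize Unlimited | Select-Object DeviceID, DistinguishedName, DeviceType
```

In the sample, DEF456DEVICE0002 is unknown to UEM and GHI789DEVICE0003 is non-compliant, so both get a block line while ABC123DEVICE0001 gets an allow line; this is the same outcome the MEG Queue produces automatically, and running it by hand is a quick way to verify that the console's Email dashboard and Exchange agree.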

WS1 UEM with Office 365

Disable native access in O365 and redirect it to WS1 UEM. First-time access will be denied; a PowerShell command is then sent to O365 to whitelist the device, and 2-3 min later the email will flow.

Set WS1 UEM as the IdP to control the other ways of accessing mail (Exchange Web Access, OWA, etc.).

This lacks some features (encrypt attachments, strip attachments, etc.), but that can be mitigated using Boxer. Needs ESC between Cloud AW and On-Prem Exchange.

AW-PS Service Account
Remote Shell access to the Exchange Server and an associated mailbox on the server, used to issue remote commands.

Required PowerShell roles: Mail Recipients, Organization Client Access, Recipient Policies. Console path: Settings –> Email –> Email Settings –> Configure - Direct.

Features:

  • Configure email over-the-air
  • Block unmanaged devices
  • Discover existing unmanaged devices
  • Require device encryption
  • Prevent compromised devices
  • Block mail client, user, device model or OS
  • Integrate or revoke certificates

Subsections of Powershell for MEM

Allowlist and Blacklist

ADMIN ACTIONS (BLOCKLIST)

Actions from Email dashboard:

  1. The user selects a device and clicks the allowlist/blocklist action.
  2. The MEG Queue Service sends the allowlist/blocklist PowerShell command to the Exchange server.
  3. The MEG Queue Service updates the database to show the device status on the email dashboard.

Webconsole Log

Blocklist event:

After the admin clicks the Blocklist action for a device, the webconsole receives the blocklist event for processing. The log prints the device properties described below:

  • MEMConfig - Email Settings used
  • Device Count - Total number of devices blocklisted

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.PeristDeviceAccessStateChanged Received device access state change. MEMConfig: 48 Device Count: 1 935c3f93-3f33-49fb-b6c9-a07d0bcc8619

Event written to Microsoft Messaging Queue:

Webconsole writes blocklist event to Microsoft Messaging Queue. MEG Queue will read the queue and will process event.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.Util.DeviceStateChangeTypeMessageQueue.PersistGenericPayload Writing change device access state payload for LG '646' to queue: 'Name: AWSegCompliance, Protocol: Tcp, Address: .\Private$\, Encoding: Binary, QueueLocation: Local, BulkReadLimit: 1, ConnectionRetryCount: 3, ReadTimeout: -1, RetryInterval: 30, AutoCreate: False, ' 935c3f93-3f33-49fb-b6c9-a07d0bcc8619

MEG Queue Log

Blocklist event received:

MEG Queue receives the blocklist event for processing from the webconsole. The device properties are printed in the log, identifying your device as shown below.

  • MemConfig Id - Email Settings used
  • MEMDevice Id - Email Device Record Id
  • number of devices - Total number of devices blocklisted
  • EasDeviceIdentifier - Exchange Device ID
  • User - Email user
  • AccessLevel - Email access status
  • Reasons - Reason for allowing/blocking the device
  • Lg - Location Group ID
  • Device Id - AirWatch device id

Debug AW.Meg.Queue.Service.Util.EndpointQueueManager._SplitByType Received 'DeviceAccessChangedPayload' message. MemConfig Id: '48', MEMDevice Id: '5744' 

Debug AW.Meg.Queue.Service.Util.EndpointQueueManager._ReceiveDeviceAccessChangedPayload Received 'DeviceAccessChangedPayload' message. MemConfigId: '48', number of devices: '1'.

Debug AW.Meg.Queue.Service.Processors.Office365DeviceAccessChangedProcessor.ProcessPayload Device access state changed. Device Id: '29'. Process ActiveSync command. Lg: '646', EasDeviceIdentifier: 'R4SQG79G556LPB3LFEVP66VO98', User: 'airwatchqa@airwatchpm.onmicrosoft.com', AccessLevel: 'Blocked', Reasons: Device is blacklisted: 29  

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseIntegrationHelper.SetBulkEasDeviceAccess BulkDeviceRequest - MemConfigId: 48, IsRunCompliance: False.

Powershell Admin details:

MEG Queue loads Powershell admin account details.

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseIntegrationHelper.DoSetBulkEasDeviceAccess Loading Exchange settings for MEMConfig: 48  

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseConfigurationProvider.LoadExchangeServiceConfiguration Loading exchange settings. MEMConfig: 48

Powershell Session creation:

MEG Queue creates powershell session to execute powershell command.

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.InitializeSession Initializing PowerShell session for Microsoft.Exchange @ PowerShell endpoint https://ps.outlook.com/powershell using Authentication type: Basic,  
User: airwatchadmin@airwatchpm.onmicrosoft.com, using service credentials: False, ViewEntireForest enabled: False  

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.InitializeSession Creating session for Microsoft.Exchange @ PowerShell endpoint https://ps.outlook.com/powershell using Authentication type: Basic, User: airwatchadmin@airwatchpm.onmicrosoft.com, using service credentials: False, ViewEntireForest enabled: False

Blocklisting device: MEG Queue sends the PowerShell block command to Exchange so that email requests from the device will be blocked.

Debug AirWatch.CloudConnector.Common.PowerShell.CommandHelper.SetActiveSyncDeviceIds Invoking command Set-CASMailbox -Identity 'airwatchqa@airwatchpm.onmicrosoft.com' -ActiveSyncBlockedDeviceIDs @{Add='R4SQG79G556LPB3LFEVP66VO98'} against the  
endpoint: SingleDeviceActionWithNormalPriority_airwatchadmin@airwatchpm.onmicrosoft.com@Microsoft.Exchange@https://ps.outlook.com/powershell

Powershell Session removal:

MEG Queue removes powershell session from memory.

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.InitializeSession PowerShell session successfully initialized for Microsoft.Exchange @ PowerShell endpoint https://ps.outlook.com/powershell using Authentication type: Basic,  
User: airwatchadmin@airwatchpm.onmicrosoft.com, using service credentials: False, ViewEntireForest enabled: False  

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.RemoveSession Removing session for Microsoft.Exchange @ PowerShell endpoint https://ps.outlook.com/powershell using Authentication type: Basic, User: airwatchadmin@airwatchpm.onmicrosoft.com, using service credentials: False, ViewEntireForest enabled: False

Database Update:

MEM Device Activity is saved to database so that Email List view reflects change.

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMemDeviceActivitiesForPSRunCompliance() MEM Device Activity Saved Successfully... 1

Log files

  • aw.meg.queue.serviceblacklist.log
  • weblogfile-blacklist.txt
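As an added example (not part of this page or of the product), a PowerShell function that turns the two kinds of log lines quoted above, the “Device access state changed” line and the “Invoking command Set-CASMailbox” line, into objects and then cross-checks that every Blocked state change was followed by a matching block command. The sample lines are constructed to match the formats shown above (they reuse the identifiers quoted on this page plus one made-up mailbox); the regular expressions and the log file name in the closing comment are assumptions.

```powershell
# Added example (not VMware's code): parses MEG Queue log lines of the kinds quoted
# above into an audit list of who was allowed or blocked, and checks that each
# Blocked state change has a matching Set-CASMailbox command. Sample lines are
# constructed in the format shown on this page; regexes and file name are assumptions.

$sampleLog = @'
2017/03/10 14:40:01.120 MEMCON 935c3f93-3f33-49fb-b6c9-a07d0bcc8619 [0000068-0000000] (28) Debug AW.Meg.Queue.Service.Processors.Office365DeviceAccessChangedProcessor.ProcessPayload Device access state changed. Device Id: '29'. Process ActiveSync command. Lg: '646', EasDeviceIdentifier: 'R4SQG79G556LPB3LFEVP66VO98', User: 'airwatchqa@airwatchpm.onmicrosoft.com', AccessLevel: 'Blocked', Reasons: Device is blacklisted: 29
2017/03/10 14:40:02.455 MEMCON 935c3f93-3f33-49fb-b6c9-a07d0bcc8619 [0000068-0000000] (28) Debug AirWatch.CloudConnector.Common.PowerShell.CommandHelper.SetActiveSyncDeviceIds Invoking command Set-CASMailbox -Identity 'airwatchqa@airwatchpm.onmicrosoft.com' -ActiveSyncBlockedDeviceIDs @{Add='R4SQG79G556LPB3LFEVP66VO98'} against the endpoint: SingleDeviceActionWithNormalPriority_airwatchadmin@airwatchpm.onmicrosoft.com@Microsoft.Exchange@https://ps.outlook.com/powershell
2017/03/10 14:51:10.003 MEMCON 1b2c3d4e-0000-4000-8000-000000000001 [0000069-0000000] (28) Debug AW.Meg.Queue.Service.Processors.Office365DeviceAccessChangedProcessor.ProcessPayload Device access state changed. Device Id: '31'. Process ActiveSync command. Lg: '646', EasDeviceIdentifier: '0EANTNG9L56LL8FLD1SFVFNK64', User: 'someone@airwatchpm.onmicrosoft.com', AccessLevel: 'Blocked', Reasons: Device is blacklisted: 31
'@

$timestampPattern = '^(?<Time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})'
$commandPattern   = "Invoking command Set-CASMailbox -Identity '(?<Mailbox>[^']+)' -ActiveSync(?<Access>Allowed|Blocked)DeviceIDs @\{(?<Op>Add|Remove)='(?<DeviceId>[^']+)'\}.*?endpoint: (?<Endpoint>\S+)"
$statePattern     = "Device access state changed\. Device Id: '(?<DeviceId>\d+)'.*EasDeviceIdentifier: '(?<Eas>[^']+)', User: '(?<User>[^']+)', AccessLevel: '(?<Level>[^']+)', Reasons: (?<Reasons>.+)"

function ConvertFrom-MegAccessLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $time = if ($line -match $timestampPattern) { $Matches.Time } else { $null }
        if ($line -match $commandPattern) {
            [pscustomobject]@{
                Time = $time; Kind = 'ExchangeCommand'; Mailbox = $Matches.Mailbox
                Access = $Matches.Access; Operation = $Matches.Op; DeviceId = $Matches.DeviceId
                Endpoint = $Matches.Endpoint; Reasons = $null
            }
        }
        elseif ($line -match $statePattern) {
            # DeviceId here is the Exchange EasDeviceIdentifier, the value the command line also carries
            [pscustomobject]@{
                Time = $time; Kind = 'StateChange'; Mailbox = $Matches.User
                Access = $Matches.Level; Operation = $null; DeviceId = $Matches.Eas
                Endpoint = $null; Reasons = $Matches.Reasons.Trim()
            }
        }
    }
}

$events = ConvertFrom-MegAccessLog -Lines ($sampleLog -split "`r?`n")
$events | Format-Table Time, Kind, Access, Mailbox, DeviceId -AutoSize

# Consistency check: a Blocked state change with no block command means the device
# is shown as blocked on the dashboard while Exchange was never told.
$blockedStates = $events | Where-Object { $_.Kind -eq 'StateChange' -and $_.Access -eq 'Blocked' }
foreach ($s in $blockedStates) {
    $cmd = $events | Where-Object { $_.Kind -eq 'ExchangeCommand' -and $_.DeviceId -eq $s.DeviceId -and $_.Access -eq 'Blocked' }
    if (-not $cmd) { Write-Warning "No Set-CASMailbox block command logged for $($s.DeviceId) ($($s.Mailbox))" }
}

# Real logs: ConvertFrom-MegAccessLog -Lines (Get-Content '.\aw.meg.queue.service.log')
```

With the constructed input, the first device produces both a state change and a command, while the third line has no matching command and triggers the warning; that is the gap to look for when the dashboard and Exchange disagree.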

Mailbox sync

Sync Mailboxes flow:

  1. The Sync Mailboxes action is processed by the webconsole and sent to MEG Queue for processing.
  2. The MEG Queue Service invokes the PowerShell function to retrieve all mailboxes.
  3. It then invokes the PowerShell function to retrieve all EAS devices.
  4. Mailboxes and devices are reconciled, and MEG Queue saves the EAS device data to the AirWatch database.

WEB CONSOLE LOG

Sync Mailboxes Event processing:

After the admin clicks the Sync Mailboxes action, the webconsole receives the event for processing.
The webconsole writes the Sync Mailboxes event to the Microsoft Messaging Queue. MEG Queue will read the queue and process the event.

2017/03/10 14:42:29.637 MEMCON 3c749df0-c28d-409e-84ac-0a2d29cc5566 [0000068-0000000] (28) Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.Util.DeviceStateChangeTypeMessageQueue.PersistGenericPayload Writing sync eas mailbox payload for LG '627' to queue: 'Name: AWSegCompliance, Protocol: Tcp, Address: .\Private$\, Encoding: Binary, QueueLocation: Local, BulkReadLimit: 1, ConnectionRetryCount: 3, ReadTimeout: -1, RetryInterval: 30, AutoCreate: False, ' 9525ac55-84d8-4ae2-b8e1-b7b183f84afd

MEG QUEUE LOG

Sync Mailboxes event received:

MEG Queue receives Sync Mailboxes event for processing from webconsole.
Sync Mailboxes operation is initiated.

Debug AW.Meg.Queue.Service.Util.EndpointQueueManager._SplitByType Received 'SyncEasDevicesPayload' message. MemConfig Id: '30'
Info AW.Meg.Queue.Service.Util.SyncAllMailboxesTask.PerformTask Sync Mailboxes task will initiate for MEMConfig '30'.

Retrieving Mailboxes:

MEG Queue prepares to retrieve Mailboxes. It prints filter if applicable.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.SyncEasDevices Retrieving CAS mailboxes. MEMConfig: 30  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.SyncEasDevices Sync Result Type : None; No Filter Provided.

Powershell Admin details:

MEG Queue loads Powershell admin account details. It also loads ACC details if any.

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseConfigurationProvider.LoadExchangeServiceConfiguration Loading exchange settings. MEMConfig: 30  

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseConfigurationProvider.LoadExchangeServiceConfiguration Getting service relay configuration. ACC location group overridden by MEM configuration: False. Location group:'627'

Powershell Session creation:

MEG Queue creates powershell session to execute powershell command.

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.InitializeSession Initializing PowerShell session for Microsoft.Exchange @ PowerShell endpoint https://mail-mem13.ssdevrd.com/powershell using Authentication type: Basic, User: mem13\svcPSTest, using service credentials: False, ViewEntireForest enabled: False  

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.InitializeSession Creating session for Microsoft.Exchange @ PowerShell endpoint https://mail-mem13.ssdevrd.com/powershell using Authentication type: Basic, User: mem13\svcPSTest, using service credentials: False, ViewEntireForest enabled: False

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.InitializeSession PowerShell session successfully initialized for Microsoft.Exchange @ PowerShell endpoint https://mail-mem13.ssdevrd.com/powershell using Authentication type: Basic, User: mem13\svcPSTest, using service credentials: False, ViewEntireForest enabled: False

Sending powershell command to Retrieve Mailboxes:

MEG Queue calls the PowerShell function to retrieve mailboxes from Exchange. The number of mailboxes retrieved is listed in the log as shown.

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseIntegrationHelper.ListCasMailboxes Retrieving CAS mailbox list records 1 to 25000 at ExchangeService https://mail-mem13.ssdevrd.com/powershell.  

Debug AirWatch.CloudConnector.ExchangeServices.MailboxManagementService.ListCasMailboxes Retrieving CAS mailbox list records 1 to 25000.  
Debug AirWatch.CloudConnector.Common.PowerShell.CommandHelper.ListCasMailboxes Invoking command 'AW-Get-CASMailboxList'. Endpoint: 'BulkDeviceAction_mem13\svcPSTest@Microsoft.Exchange@https://mail-mem13.ssdevrd.com/powershell'  

Debug AirWatch.CloudConnector.ExchangeServices.MailboxManagementService.ListCasMailboxes Retrieved CAS mailbox list records 1 to 23 of 23.  

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseIntegrationHelper.ListCasMailboxes Retrieved CAS mailbox list records 1 to 23 of 23 at ExchangeService https://mail-mem13.ssdevrd.com/powershell.

Powershell Session removal:

MEG Queue removes powershell session from memory.

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.RemoveSession Removing session for Microsoft.Exchange @ PowerShell endpoint https://mail-mem13.ssdevrd.com/powershell using Authentication type: Basic, User: mem13\svcPSTest, using service credentials: False, ViewEntireForest enabled: False  

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.RemoveSession Session removed for Microsoft.Exchange @ PowerShell endpoint https://mail-mem13.ssdevrd.com/powershell using Authentication type: Basic, User: mem13\svcPSTest, using service credentials: False, ViewEntireForest enabled: False

Retrieving ActiveSync devices:

MEG Queue calls the PowerShell function to retrieve ActiveSync devices from Exchange. The number of devices retrieved is listed in the log as shown.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.SyncEasDevices Retrieving ActiveSync devices. MEMConfig: 30  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.SyncEasDevices Sync Result Type : None; No Filter Provided.

Debug AirWatch.CloudConnector.Common.PowerShell.CommandHelper.ListActiveSyncDevices Invoking command 'AW-Get-ActiveSyncDeviceList'. Endpoint: 'BulkDeviceAction_mem13\svcPSTest@Microsoft.Exchange@https://mail-mem13.ssdevrd.com/powershell', PowerShellDeploymentType: '5'.

Debug AirWatch.CloudConnector.ExchangeServices.MailboxManagementService.ListActiveSyncDevices Retrieved ActiveSync device list records 1 to 217 of 217.  
Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseIntegrationHelper.ListActiveSyncDevices Retrieved ActiveSync device list records 1 to 217 of 217 at ExchangeService https://mail-mem13.ssdevrd.com/powershell.

Reconciling Devices:

MEG Queue compares the AirWatch MEM devices with the EAS devices retrieved from Exchange.
If an EAS device retrieved from Exchange matches one of the AirWatch devices, MEG Queue updates the AirWatch MEM device with the latest status. Otherwise a new unmanaged device record is created.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.SyncEasDevices Reconciling EAS devices with known devices in AirWatch. MEMConfig: 30

Updating Managed Device:

The statement below shows that there is 1 matched device after the reconciliation process.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.ReconcileEasDevices Updating '1' known managed EAS devices. MEMConfig: '30'

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateManagedDevices Finding managed devices from payloads.  
Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateManagedDevices Finding unmanaged devices from payloads.

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMemDevices() Save MEM Device  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMemDevices() Save MemDevice for ActiveSyncPayload Instance: MEMDeviceId: 5614, LocationGroupID: 627, MEMConfigId: 30, IsManaged: True, EasDeviceIdentifier: 0EANTNG9L56LL8FLD1SFVFNK64, DeviceId: 19, SyncAllowed: True, EasDeviceType: iPod, EasDeviceUserAgent: Apple-iPod5C1/1307.36, EasmailboxIdentity: MEM13.ORG/Users/MEM2, EasMailboxDisplayName: MEM2, EmailAddress: MEM2@mem13.ssdevrd.com, UserName: MEM2, Command: Reconciled Access State, GatewayHostName: , CreateNewUnmanaged: False, UpdateManaged: True, EmailClient: , TimeOfRequest: Friday, March 10, 2017, Allowed Reason: AllowedByDefault

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMemDevices() MEM Devices Saved Successfully

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateManagedDevices Updated managed devices. '1' Updated successfully.

Updating MemDeviceActivity:

MEG Queue updates the MemDeviceActivity record with the appropriate status.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceActivity ++UpdateMEMDeviceActivity

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceActivity ActiveSyncPayload Instance: MEMDeviceId: 5614, LocationGroupID: 627, MEMConfigId: 30, IsManaged: True, EasDeviceIdentifier: 0EANTNG9L56LL8FLD1SFVFNK64, DeviceId: 19, SyncAllowed: True, EasDeviceType: iPod, EasDeviceUserAgent: Apple-iPod5C1/1307.36, EasmailboxIdentity: MEM13.ORG/Users/MEM2, EasMailboxDisplayName: MEM2, EmailAddress: MEM2@mem13.ssdevrd.com, UserName: MEM2, Command: Reconciled Access State, GatewayHostName: , CreateNewUnmanaged: False, UpdateManaged: True, EmailClient: , TimeOfRequest: Friday, March 10, 2017, Allowed Reason: AllowedByDefault

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMEMDeviceActivities() Saving MEM Device Activity  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMEMDeviceActivities() MEM Device Activity Saved Successfully... 1

Updating MemDeviceConfig:

MEG Queue updates the MemDeviceConfig record with the appropriate status.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceConfig MemDeviceConfig for Managed Device: MemDeviceId: 5614, MemConfigId: 30  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceConfig Total Mem Device Config Records Count: 1

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMemDeviceConfig ++SaveMemDeviceConfig

Creating unmanaged devices:

If an EAS device retrieved from Exchange does not match any AirWatch device, MEG Queue creates an unmanaged AirWatch MEM device.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.ReconcileEasDevices Updating '216' discovered unmanaged EAS devices. MEMConfig: '30'  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateDeviceStatus Updating access state for '216' devices in database.

Creating unmanaged MemDevice:

MEG Queue creates unmanaged MEMDevice records as shown below.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.CreateUnmanagedMEMDevices ++CreateUnmanagedMEMDevices

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMemDevices() Save MemDevice for ActiveSyncPayload Instance: MEMDeviceId: 0, LocationGroupID: 627, MEMConfigId: 30, IsManaged: False, EasDeviceIdentifier: boxer1485882972781, DeviceId: 0, SyncAllowed: True, EasDeviceType: Android, EasDeviceUserAgent: AirWatch Boxer (Nexus 6P; Android 6.0.1) Version 4.1.0.12/352, EasmailboxIdentity: MEM13.ORG/Users/TBurgess, EasMailboxDisplayName: TBurgess, EmailAddress: TBurgess@mem13.ssdevrd.com, UserName: TBurgess, Command: Discovered EAS Device, GatewayHostName: , CreateNewUnmanaged: True, UpdateManaged: False, EmailClient: , TimeOfRequest: Friday, March 10, 2017, Allowed Reason: AllowedByDefault

Creating unmanaged MEMDeviceActivity:

MEG Queue creates unmanaged MEMDeviceActivity records as shown below.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceActivity ++UpdateMEMDeviceActivity

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceActivity ActiveSyncPayload Instance: MEMDeviceId: 5748, LocationGroupID: 627, MEMConfigId: 30, IsManaged: False, EasDeviceIdentifier: boxer1485882972781, DeviceId: 0, SyncAllowed: True, EasDeviceType: Android, EasDeviceUserAgent: AirWatch Boxer (Nexus 6P; Android 6.0.1) Version 4.1.0.12/352, EasmailboxIdentity: MEM13.ORG/Users/TBurgess, EasMailboxDisplayName: TBurgess, EmailAddress: TBurgess@mem13.ssdevrd.com, UserName: TBurgess, Command: Discovered EAS Device, GatewayHostName: , CreateNewUnmanaged: True, UpdateManaged: False, EmailClient: , TimeOfRequest: Friday, March 10, 2017, Allowed Reason: AllowedByDefault

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMEMDeviceActivities() Saving MEM Device Activity  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMEMDeviceActivities() MEM Device Activity Saved Successfully... 100

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMEMDeviceActivities() MEM Device Activity Saved Successfully... 200  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMEMDeviceActivities() MEM Device Activity Saved Successfully... 216

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceActivity Saved device activities. '216' Saved successfully.

Creating unmanaged MEMDeviceConfig:

MEG Queue creates MEMDeviceConfig records for unmanaged devices as shown below.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceConfig Collecting Managed MEM Device Config Records.  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceConfig Collecting Unmanaged MEM Device Config Records.  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceConfig MemDeviceConfig for Unmanaged Device: MemDeviceId: 5748, MemConfigId: 30

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceConfig MemDeviceConfig for Unmanaged Device: MemDeviceId: 5762, MemConfigId: 30

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMEMDeviceConfig Total Mem Device Config Records Count: 216

Discovered Mail Clients:

MEG Queue collects all mail client names and saves them in the AirWatch database. These mail clients are presented to the user for selection in the Mail Client policy when configuring policy rules.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Finding new mail clients.  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmailGateway.MailClientDataHandler Look for mail client list in cache.  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmailGateway.MailClientDataHandler Mail client list not found in cache. Loading from database.  
Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Found '17' new mail clients.  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Saving new mail clients.  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Save mail client successful for LG : '627'  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Saved new mail clients. '1' Saved successfully. '0' had errors.

Discovered User Accounts:

MEG Queue collects all user accounts and saves them in the AirWatch database.
These user accounts are presented to the user for selection in the User policy when configuring policy rules.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Finding new email account users.  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmailGateway.ActiveSyncDataHandler.LoadAccountUserNames Look for account user list in cache.  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmailGateway.ActiveSyncDataHandler.LoadAccountUserNames Account user list not found in cache. Loading from database.  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Found '2' new email account users.  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Saving new email account users.  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmailGateway.ActiveSyncDataHandler.BulkSaveAccountUserName Saving Account User(s)...  

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmailGateway.ActiveSyncDataHandler.BulkSaveAccountUserName Saved Account User(s), index: 2  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Saved new email account user for location group: '627'  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmailGateway.ActiveSyncBusiness Saved new email account users. '1' Saved successfully. '0' had errors.

Finished:

Info AW.Meg.Queue.Service.Util.SyncAllMailboxesTask.PerformTask Sync Mailboxes task finished for MEMConfig '30'.

Log Files

aw.meg.queue.service-syncmailboxes.log

Run Compliance

WEBCONSOLE LOG

Run Compliance Event processing:

After the admin clicks the Run Compliance action, the webconsole receives an event for processing.
The webconsole writes a Sync Mailboxes event to the Microsoft Message Queue. MEG Queue reads the queue and processes the event.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.PersistDeviceStateChangeByLg Received state change event. LG: 627 Type: PolicyPublish 6e76d060-02d6-4515-ab6d-1f90ff41ec1b  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.Util.DeviceStateChangeTypeMessageQueue.PersistGenericPayload Writing device state change payload for LG '627' to queue: 'Name: AWSegCompliance, Protocol: Tcp, Address: .\Private$\, Encoding: Binary, QueueLocation: Local, BulkReadLimit: 1, ConnectionRetryCount: 3, ReadTimeout: -1, RetryInterval: 30, AutoCreate: False, ' 6e76d060-02d6-4515-ab6d-1f90ff41ec1b

MEG QUEUE LOG

Run Compliance event received:

MEG Queue receives the Run Compliance event from the webconsole for processing, and the Run Compliance operation is initiated.

Debug AW.Meg.Queue.Service.Util.EndpointQueueManager.Process A message is added to the queue for endpoint 'https://mail-mem13.ssdevrd.com/powershell-.-mem13\svcPSTest', for MemConfig Id: '30'.

Debug AW.Meg.Queue.Service.Util.EndpointQueueManager._SplitByType Received 'DeviceStateChangePayload' message. MemConfig Id: '30', Device Id: '', StateChangeType: 'PolicyPublish'  

Debug AW.Meg.Queue.Service.Processors.Office365DeviceStateChangedProcessor.DoProcess Processing 'PolicyPublish' event for LG '627', Device Id: '', MEM Config Id: '30'

Powershell Admin details:

MEG Queue loads the PowerShell admin account details. It also loads the ACC details, if any.

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseConfigurationProvider.LoadExchangeServiceConfiguration Getting service relay configuration. ACC location group overridden by MEM configuration: False. Location group:'627'  

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseConfigurationProvider.LoadExchangeServiceConfiguration Loaded exchange settings. MEMConfig: 30

Debug WanderingWiFi.AirWatch.BusinessImpl.EnterpriseIntegrationHelper.TestExchangeConnection Load Exchange service configuration for location group 627

Policy Evaluation:

MEG Queue evaluates the policy and determines all devices that need an access state change (allow or block). The log below shows an example of a device evaluated as blocked by a user policy.

Debug AW.Meg.Queue.Service.Util.RunComplianceTask.ProcessUpdateDevicePolicies Total 1 policies retrieved from database for the process.  

Debug AW.Meg.Queue.Service.Util.RunComplianceTask.ProcessUpdateDevicePolicies Total 1 mailboxes were found with known devices.

Debug AW.Meg.Queue.Service.Util.RunComplianceTask.ProcessUpdateDevicePolicies Known Policy: EasDeviceIdentifier 0EANTNG9L56LL8FLD1SFVFNK64, MemDeviceId: 5614, Allowed: False, MailboxIdentity: , LastCommand: Mail Server Update, DeviceAccessStateReason: , LastMailAccessAllowed: True

Debug AW.Meg.Queue.Service.Util.RunComplianceTask.ProcessUpdateDevicePolicies Evaluated device. DeviceId: '19', EasDeviceIdentifier: '0EANTNG9L56LL8FLD1SFVFNK64', Allowed: 'False', Reason(s): Account user mem2 is blocked

Powershell Session creation:

MEG Queue creates a PowerShell session to execute the PowerShell command.

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.InitializeSession Initializing PowerShell session for Microsoft.Exchange @ PowerShell endpoint https://mail-mem13.ssdevrd.com/powershell using Authentication type: Basic, User: mem13\svcPSTest, using service credentials: False, ViewEntireForest enabled: False  

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.InitializeSession PowerShell session successfully initialized for Microsoft.Exchange @ PowerShell endpoint https://mail-mem13.ssdevrd.com/powershell using Authentication type: Basic, User: mem13\svcPSTest, using service credentials: False, ViewEntireForest enabled: False

Blacklisting device:

MEG Queue sends a PowerShell block command to Exchange so that email requests from the device are blocked.

Debug AirWatch.CloudConnector.Common.PowerShell.CommandHelper.SetActiveSyncDeviceIds Invoking command Set-CASMailbox -Identity 'mem2@mem13.ssdevrd.com' -ActiveSyncBlockedDeviceIDs @{Add='0EANTNG9L56LL8FLD1SFVFNK64'} against the endpoint: BulkDeviceAction_mem13\svcPSTest@Microsoft.Exchange@https://mail-mem13.ssdevrd.com/powershell

Powershell Session removal:

MEG Queue removes the PowerShell session from memory.

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.RemoveSession Removing session for Microsoft.Exchange @ PowerShell endpoint https://mail-mem13.ssdevrd.com/powershell using Authentication type: Basic, User: mem13\svcPSTest, using service credentials: False, ViewEntireForest enabled: False  

Debug AirWatch.CloudConnector.Common.PowerShell.SessionHelper.RemoveSession Session removed for Microsoft.Exchange @ PowerShell endpoint https://mail-mem13.ssdevrd.com/powershell using Authentication type: Basic, User: mem13\svcPSTest, using service credentials: False, ViewEntireForest enabled: False

Updating AirWatch Database:

After the device is successfully blocked, the AirWatch database is updated with the current status.

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMemDeviceActivitiesForPSRunCompliance ++UpdateMemDeviceActivitiesForPSRunCompliance  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMemDeviceActivitiesForPSRunCompliance Total 1 MEMDeviceActivity records will be updated.

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMemDeviceActivitiesForPSRunCompliance() ++SaveMemDeviceActivitiesForPSRunCompliance

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMemDeviceActivitiesForPSRunCompliance() MEM Device Activity Saved Successfully... 1

Debug WanderingWiFi.AirWatch.ProviderImpl.MobileEmail.MobileEmailDataHandler.SaveMemDeviceActivitiesForPSRunCompliance() --SaveMemDeviceActivitiesForPSRunCompliance  

Debug WanderingWiFi.AirWatch.BusinessImpl.MobileEmail.MobileEmailBusiness.UpdateMemDeviceActivitiesForPSRunCompliance --UpdateMemDeviceActivitiesForPSRunCompliance

Finished:

Info AW.Meg.Queue.Service.Util.SyncAllMailboxesTask.PerformTask Run compliance task finished for MEMConfig '30'.

Log files

aw.meg.queue.service-runcompliance.log
weblogfile-runcompliance.txt
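To make the Sync Mailboxes and Run Compliance walkthroughs above checkable, here is an added Python example (not part of this page or of the AirWatch product) that parses the ActiveSyncPayload, "Evaluated device" and Set-CASMailbox lines, rebuilds the managed/unmanaged reconciliation result, and flags any device that policy evaluated as blocked without a matching block command being sent to Exchange. The sample lines are constructed from the shapes shown above with shortened logger names; the second "Evaluated device" line and its reason are invented to exercise the check.

```python
"""Parse MEG Queue Sync Mailboxes / Run Compliance log lines (added example)."""
import re
from typing import Dict

# Constructed sample lines following the shapes shown on this page; the
# second "Evaluated device" line and its reason are invented for the check.
SAMPLE_LOG = """\
Debug MobileEmailDataHandler.SaveMemDevices() Save MemDevice for ActiveSyncPayload Instance: MEMDeviceId: 5614, LocationGroupID: 627, MEMConfigId: 30, IsManaged: True, EasDeviceIdentifier: 0EANTNG9L56LL8FLD1SFVFNK64, DeviceId: 19, SyncAllowed: True, EasDeviceType: iPod, EasDeviceUserAgent: Apple-iPod5C1/1307.36, EasmailboxIdentity: MEM13.ORG/Users/MEM2, EasMailboxDisplayName: MEM2, EmailAddress: MEM2@mem13.ssdevrd.com, UserName: MEM2, Command: Reconciled Access State, GatewayHostName: , CreateNewUnmanaged: False, UpdateManaged: True, EmailClient: , TimeOfRequest: Friday, March 10, 2017, Allowed Reason: AllowedByDefault
Debug MobileEmailDataHandler.SaveMemDevices() Save MemDevice for ActiveSyncPayload Instance: MEMDeviceId: 0, LocationGroupID: 627, MEMConfigId: 30, IsManaged: False, EasDeviceIdentifier: boxer1485882972781, DeviceId: 0, SyncAllowed: True, EasDeviceType: Android, EasDeviceUserAgent: AirWatch Boxer (Nexus 6P; Android 6.0.1) Version 4.1.0.12/352, EasmailboxIdentity: MEM13.ORG/Users/TBurgess, EasMailboxDisplayName: TBurgess, EmailAddress: TBurgess@mem13.ssdevrd.com, UserName: TBurgess, Command: Discovered EAS Device, GatewayHostName: , CreateNewUnmanaged: True, UpdateManaged: False, EmailClient: , TimeOfRequest: Friday, March 10, 2017, Allowed Reason: AllowedByDefault
Debug RunComplianceTask.ProcessUpdateDevicePolicies Evaluated device. DeviceId: '19', EasDeviceIdentifier: '0EANTNG9L56LL8FLD1SFVFNK64', Allowed: 'False', Reason(s): Account user mem2 is blocked
Debug RunComplianceTask.ProcessUpdateDevicePolicies Evaluated device. DeviceId: '0', EasDeviceIdentifier: 'boxer1485882972781', Allowed: 'False', Reason(s): constructed reason for the check
Debug CommandHelper.SetActiveSyncDeviceIds Invoking command Set-CASMailbox -Identity 'mem2@mem13.ssdevrd.com' -ActiveSyncBlockedDeviceIDs @{Add='0EANTNG9L56LL8FLD1SFVFNK64'} against the endpoint: BulkDeviceAction_mem13\\svcPSTest@Microsoft.Exchange@https://mail-mem13.ssdevrd.com/powershell
"""

PAYLOAD_RE = re.compile(r"ActiveSyncPayload Instance: (.*)$")
# Split only on ", " that is followed by a "Key: " so that values containing
# commas (TimeOfRequest: Friday, March 10, 2017) stay in one piece.
FIELD_SPLIT = re.compile(r", (?=[A-Za-z]+(?: Reason)?: )")
EVALUATED_RE = re.compile(
    r"Evaluated device\. DeviceId: '(\d+)', EasDeviceIdentifier: '([^']+)', "
    r"Allowed: '(\w+)', Reason\(s\): (.*)$")
BLOCK_CMD_RE = re.compile(
    r"Set-CASMailbox -Identity '([^']+)' -ActiveSyncBlockedDeviceIDs @\{Add='([^']+)'\}")


def parse_payload(line: str) -> Dict[str, str]:
    """Turn one 'ActiveSyncPayload Instance: k: v, k: v, ...' line into a dict
    (empty dict for any other line). Empty values such as GatewayHostName
    come back as ''."""
    match = PAYLOAD_RE.search(line)
    if not match:
        return {}
    fields = {}
    for chunk in FIELD_SPLIT.split(match.group(1)):
        key, _, value = chunk.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def summarize(log_text: str) -> dict:
    """Rebuild what MEG Queue did: managed devices updated, unmanaged devices
    created, policy verdicts of 'blocked', block commands sent to Exchange, and
    blocked verdicts with no matching Set-CASMailbox command (worth a look)."""
    # Sets, because the same payload is logged by SaveMemDevices and again by
    # UpdateMEMDeviceActivity; one device must count once.
    managed, unmanaged = set(), set()
    blocked_by_policy, block_commands = {}, {}
    for line in log_text.splitlines():
        payload = parse_payload(line)
        if payload:
            eas_id = payload.get("EasDeviceIdentifier", "")
            if payload.get("UpdateManaged") == "True":
                managed.add(eas_id)
            elif payload.get("CreateNewUnmanaged") == "True":
                unmanaged.add(eas_id)
            continue
        verdict = EVALUATED_RE.search(line)
        if verdict and verdict.group(3) == "False":
            blocked_by_policy[verdict.group(2)] = verdict.group(4)
            continue
        command = BLOCK_CMD_RE.search(line)
        if command:
            block_commands[command.group(2)] = command.group(1)
    return {"managed_updated": sorted(managed),
            "unmanaged_created": sorted(unmanaged),
            "blocked_by_policy": blocked_by_policy,
            "block_commands": block_commands,
            "unconfirmed_blocks": sorted(set(blocked_by_policy) - set(block_commands))}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real aw.meg.queue.service-syncmailboxes.log and aw.meg.queue.service-runcompliance.log contents concatenated; a non-empty unconfirmed_blocks list means a verdict never turned into a Set-CASMailbox call and the PowerShell session section of the log is the place to look.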

SEG on Windows Proxy

SEG Guide - VMware AirWatch SEG Guide

Prevent usage of Native EMail on enrolled devices

Problem: Users can gain access to Exchange ActiveSync from uncontrolled devices and from the mail clients on them. Using SEG solves the problem of access from uncontrolled devices.

You can enforce the use of Boxer/Inbox by creating an email compliance policy in the AirWatch console:

Email > Compliance Policies > General Email Policies > Mail Client

SEG as MS Exchange OWA Proxy

Warning

Article is for OLD separate SEG. NOT about SEG on UAG.

You can restrict mobile traffic to seg.company.com by installing IP and Domain Restrictions in IIS on the Exchange server and then enabling IP filtering to deny everyone but the SEG on the ActiveSync endpoint in IIS. This ensures that all enrolled mobile devices access email through SEG. You can also implement email policies to ensure that unmanaged devices do not access the SEG.

AirWatch cannot block OWA access for unenrolled mobile devices, since SEG does not manage OWA. The only way to do so would be to check in AD for unenrolled users and block their webmail access there.

Note

OWA traffic can be routed through the SEG; however, the SEG then acts as a simple pass-through.

Warning

Routing OWA or webmail through SEG is not a supported setup, as it could create a single point of failure for email access.

SEG Java Keystore

Warning

Article is for OLD separate SEG. NOT about SEG on UAG.

Default password for SEG Java Key store = changeit

SEG on Windows Java Memory

Warning

Article is for OLD separate SEG. NOT about SEG on UAG.

Zulu is the new Java Corporate middleware.

Resolution

  • Upgrade to latest version of SEG (2.18+);
  • Set the max heap size to 5Gb;
  • Use Shenandoah as the garbage collection method.

Follow these steps to apply the settings:

  1. Stop SEG service;
  2. Go to SEG install directory and edit file SecureEmailGateway-2.18/service/conf/segServiceWrapper.conf
  3. Update max heap to 5Gb, look for “Xmx” and update the property to:

wrapper.java.additional.3=-Xmx5120m

  4. Use Shenandoah GC, look for “#wrapper.java.additional.38” and in the next line add:

wrapper.java.additional.39=-XX:+UseShenandoahGC
wrapper.java.additional.40=-Xlog:gc=debug:file=tmp/gc-%p-%t.log:time,level,tags:filecount=10,filesize=50m*

  5. Save file and start the SEG service.
  • Observe the system resources once this change is in place, with GC logs enabled by the settings above.

If no issue is seen, then remove the GC logging setting by following these steps: 

  1. Stop SEG service.
  2. Go to SEG install directory and edit file SecureEmailGateway-2.18/service/conf/segServiceWrapper.conf
  3. Remove line:

wrapper.java.additional.40=-Xlog:gc=debug:file=tmp/gc-%p-%t.log:time,level,tags:filecount=10,filesize=50m*

  4. Save and start SEG service.

SEG Clustering

If multiple SEG servers are load balanced, single policy broadcast messages apply to only one SEG. This includes the messages sent from the AirWatch Console to SEG upon enrollment, compliance violation, or correction. Use Delta Sync with a refresh interval of ten minutes to facilitate newly enrolled or compliant devices. These devices experience a waiting period of maximum ten minutes before email begins to sync. Benefits of this approach include:

  • Updated policies from the same API source for all SEG servers.
  • Smaller performance impact on the API server.
  • Reduced implementation and maintenance complexity compared to the SEG clustering model.
  • Fewer failure points, as each SEG is responsible for its own policy sets.
  • Improved user experience.

SEG Clustering is also available to facilitate the sharing of single policy updates to all nodes of a SEG cluster.

SEG TLSv1

Please go through the following instructions in order to enable TLSv1.0 on SEG V2:

  • Go to SEG installation directory -> {SEG_DIRECTORY}/service/conf
  • Edit file conf
  • Look for the following properties:

Property 1

wrapper.java.additional.9=-Djdk.tls.disabledAlgorithms=MD5\, RC4\, TLSv1\, SSLv2Hello\, SSLv3\, DSA\, DESede\, DES\, 3DES\, DES40_CBC\, RC4_40\, MD5withRSA\, DH\, 3DES_EDE_CBC\, DHE\, DH keySize < 1024\, EC keySize < 224

Set this property as follows (removing TLSv1 from the disabled list):

wrapper.java.additional.9=-Djdk.tls.disabledAlgorithms=MD5\, RC4\, SSLv2Hello\, SSLv3\, DSA\, DESede\, DES\, 3DES\, DES40_CBC\, RC4_40\, MD5withRSA\, DH\, 3DES_EDE_CBC\, DHE\, DH keySize < 1024\, EC keySize < 224

Property 2

wrapper.java.additional.12=-Dhttps.protocols=TLSv1.1\,TLSv1.2

Set this property as follows (adding TLSv1 to the protocol list):

wrapper.java.additional.12=-Dhttps.protocols= TLSv1\,TLSv1.1\,TLSv1.2

  • Restart SEG Service.
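As an added example for the Java memory and TLSv1 sections above (not SEG's own tooling), this Python script parses the wrapper.java.additional.N properties from a constructed segServiceWrapper.conf fragment and reports the heap size, the GC choice, whether GC debug logging is still switched on, and whether TLSv1.0 ends up enabled, which requires both edits: TLSv1 listed in https.protocols and absent from jdk.tls.disabledAlgorithms. The fragment, the recommended-heap constant and the finding texts are constructed for this example.

```python
"""Audit JVM settings in segServiceWrapper.conf (added example, not SEG tooling)."""
import re
from typing import Dict, List

# Constructed fragment with the property lines this page discusses, as they
# would look after the TLSv1 edit above. Not a real SEG configuration file.
SAMPLE_CONF = """\
# constructed comment line: commented-out properties are skipped
wrapper.java.additional.3=-Xmx5120m
wrapper.java.additional.9=-Djdk.tls.disabledAlgorithms=MD5\\, RC4\\, SSLv2Hello\\, SSLv3\\, DSA\\, DESede\\, DES\\, 3DES\\, DES40_CBC\\, RC4_40\\, MD5withRSA\\, DH\\, 3DES_EDE_CBC\\, DHE\\, DH keySize < 1024\\, EC keySize < 224
wrapper.java.additional.12=-Dhttps.protocols= TLSv1\\,TLSv1.1\\,TLSv1.2
wrapper.java.additional.39=-XX:+UseShenandoahGC
wrapper.java.additional.40=-Xlog:gc=debug:file=tmp/gc-%p-%t.log:time,level,tags:filecount=10,filesize=50m
"""

PROP_RE = re.compile(r"^wrapper\.java\.additional\.(\d+)=(.*)$")
HEAP_RE = re.compile(r"^-Xmx(\d+)([kKmMgG]?)$")
RECOMMENDED_HEAP_MB = 5120  # the -Xmx5120m value from the memory section above


def jvm_options(conf_text: str) -> Dict[int, str]:
    """Map wrapper.java.additional.N -> JVM option, ignoring blank and # lines."""
    options = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PROP_RE.match(line)
        if match:
            options[int(match.group(1))] = match.group(2).strip()
    return options


def split_list(value: str) -> List[str]:
    """Split a wrapper-escaped list ('A\\, B\\,C') into trimmed items."""
    return [item.strip() for item in re.split(r"\\,", value) if item.strip()]


def audit(conf_text: str) -> dict:
    """Summarise heap, GC, GC logging and TLS settings and list findings."""
    report = {"heap_mb": None, "shenandoah": False, "gc_logging": False,
              "disabled_algorithms": [], "https_protocols": [], "findings": []}
    for opt in jvm_options(conf_text).values():
        heap = HEAP_RE.match(opt)
        if heap:
            scale = {"": 1 / 2 ** 20, "k": 1 / 1024, "m": 1, "g": 1024}
            report["heap_mb"] = int(heap.group(1)) * scale[heap.group(2).lower()]
        elif opt == "-XX:+UseShenandoahGC":
            report["shenandoah"] = True
        elif opt.startswith("-Xlog:gc"):
            report["gc_logging"] = True
        elif opt.startswith("-Djdk.tls.disabledAlgorithms="):
            report["disabled_algorithms"] = split_list(opt.split("=", 1)[1])
        elif opt.startswith("-Dhttps.protocols="):
            report["https_protocols"] = split_list(opt.split("=", 1)[1])
    # TLSv1.0 is only usable when it is offered AND no longer disabled.
    if ("TLSv1" in report["https_protocols"]
            and "TLSv1" not in report["disabled_algorithms"]):
        report["findings"].append("TLSv1.0 enabled (in https.protocols, "
                                  "not in jdk.tls.disabledAlgorithms)")
    if report["heap_mb"] is not None and report["heap_mb"] < RECOMMENDED_HEAP_MB:
        report["findings"].append("max heap below recommended 5120m")
    if not report["shenandoah"]:
        report["findings"].append("Shenandoah GC not enabled")
    if report["gc_logging"]:
        report["findings"].append("GC debug logging still enabled")
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run it against the real conf before and after a change; a TLSv1.0 finding that is still present after the exception is no longer needed is the signal to put TLSv1 back into the disabled list.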