Configure permissions for gatekeeping
To use Exchange ActiveSync gatekeeping, you must create a user account in Microsoft Exchange Server or Microsoft 365 and give it the necessary permissions for gatekeeping.

If you are using Microsoft 365, create a Microsoft 365 user account and assign it the Mail Recipients and Organization Client Access roles.

If you are using Microsoft Exchange Server, follow the instructions below to configure management roles with the correct permissions to manage mailboxes and client access for Exchange ActiveSync. To perform this task, you must be a Microsoft Exchange administrator with the appropriate permissions to create and change management roles.

- On the computer that hosts Microsoft Exchange, create an account and mailbox to manage gatekeeping in BlackBerry UEM (for example, BUEMAdmin). You must specify the login information for this account when you create an Exchange ActiveSync configuration. Note the name of this account; you will specify it at the end of the task below.
- WinRM must be configured with the default settings on the computer that hosts the Microsoft Exchange Server that you configure for gatekeeping. Run the command Winrm quickconfig from a command prompt as an administrator. When the tool displays Make these changes [y/n], type y. After the command is successful, you see the following message: WinRM has been updated for remote management. WinRM service type changed to delayed auto start. WinRM service started. Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine. Because the listener created by quickconfig accepts requests on every address of the server, restrict access to it (for example, with the Windows firewall) to the BlackBerry UEM server that will connect to it.
- Open the Microsoft Exchange Management Shell.
- Type New-ManagementRole -Name "<name_new_role_mail_recipients>" -Parent "Mail Recipients". Press ENTER.
- Type New-ManagementRole -Name "<name_new_role_org_ca>" -Parent "Organization Client Access". Press ENTER.
- Type New-ManagementRole -Name "<name_new_role_exchange_servers>" -Parent "Exchange Servers". Press ENTER.
- Type Get-ManagementRoleEntry "<name_new_role_mail_recipients>\*" | Where {$_.Name -ne "Get-ADServerSettings"} | Remove-ManagementRoleEntry. Press ENTER.
- Type Get-ManagementRoleEntry "<name_new_role_org_ca>\*" | Where {$_.Name -ne "Get-CasMailbox"} | Remove-ManagementRoleEntry. Press ENTER.
- Type Get-ManagementRoleEntry "<name_new_role_exchange_servers>\*" | Where {$_.Name -ne "Get-ExchangeServer"} | Remove-ManagementRoleEntry. Press ENTER.
- Type Add-ManagementRoleEntry "<name_new_role_mail_recipients>\Get-ActiveSyncDeviceStatistics" -Parameters Mailbox. Press ENTER.
- Type Add-ManagementRoleEntry "<name_new_role_mail_recipients>\Get-ActiveSyncDevice" -Parameters Identity. Press ENTER.
- Type Add-ManagementRoleEntry "<name_new_role_mail_recipients>\Get-MobileDeviceStatistics" -Parameters Mailbox. Press ENTER.
- Type Add-ManagementRoleEntry "<name_new_role_mail_recipients>\Get-MobileDevice" -Parameters Mailbox. Press ENTER.
- Type Add-ManagementRoleEntry "<name_new_role_org_ca>\Set-CasMailbox" -Parameters Identity, ActiveSyncBlockedDeviceIDs, ActiveSyncAllowedDeviceIDs. Press ENTER.
- Type New-RoleGroup "<name_new_group>" -Roles "<name_new_role_mail_recipients>", "<name_new_role_org_ca>", "<name_new_role_exchange_servers>". Press ENTER.
- Type Add-RoleGroupMember -Identity "<name_new_group>" -Member "BUEMAdmin". Press ENTER.
- Type Add-ManagementRoleEntry "<name_new_role_mail_recipients>\Set-AdServerSettings". Press ENTER.
- Type Add-ManagementRoleEntry "<name_new_role_mail_recipients>\Remove-ActiveSyncDevice" -Parameters Identity,Confirm. Press ENTER.
- Type Add-ManagementRoleEntry "<name_new_role_mail_recipients>\Remove-MobileDevice" -Parameters Identity,Confirm. Press ENTER.
- If your organization uses Microsoft Exchange Server, see Configure Microsoft Exchange to allow only authorized devices to access Exchange ActiveSync.
- If your organization uses Microsoft 365, see Configure the mobile device access policy in Microsoft 365.
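The Exchange Server procedure above, collected into one re-runnable Exchange Management Shell script. This is an added example and is not code from the BlackBerry UEM or Microsoft documentation; the role names, the role group name and the BUEMAdmin account name are assumptions, and the final block is an added least-privilege check that is not part of the documented steps.

```powershell
# Added example (not from the BlackBerry or Microsoft documentation): the Exchange
# Server gatekeeping procedure as one idempotent script. Role, group and account
# names below are assumptions; change them to match your environment. Run it in the
# Exchange Management Shell as an administrator who can create and change management roles.

$RoleMailRecipients  = "UEM Gatekeeping Mail Recipients"      # assumed role name
$RoleOrgClientAccess = "UEM Gatekeeping Org Client Access"    # assumed role name
$RoleExchangeServers = "UEM Gatekeeping Exchange Servers"     # assumed role name
$RoleGroup           = "UEM Gatekeeping Administrators"       # assumed role group name
$GatekeepingAccount  = "BUEMAdmin"                            # account created in the first step

# Each new role is a child of a built-in parent role and keeps exactly one of the parent's cmdlets.
$roles = @(
    @{ Name = $RoleMailRecipients;  Parent = "Mail Recipients";            Keep = "Get-ADServerSettings" }
    @{ Name = $RoleOrgClientAccess; Parent = "Organization Client Access"; Keep = "Get-CasMailbox" }
    @{ Name = $RoleExchangeServers; Parent = "Exchange Servers";           Keep = "Get-ExchangeServer" }
)

foreach ($r in $roles) {
    # Create the child role only if it does not exist yet, so the script can be re-run safely.
    if (-not (Get-ManagementRole -Identity $r.Name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $r.Name -Parent $r.Parent | Out-Null
    }
    # A child role inherits every entry of its parent; strip everything except the one we keep.
    Get-ManagementRoleEntry "$($r.Name)\*" |
        Where-Object { $_.Name -ne $r.Keep } |
        Remove-ManagementRoleEntry -Confirm:$false
}

# Cmdlets gatekeeping needs, restricted to the only parameters the account may use.
# An entry with no Parameters list allows the cmdlet with all of its parameters.
$entries = @(
    @{ Role = $RoleMailRecipients;  Cmdlet = "Get-ActiveSyncDeviceStatistics"; Parameters = "Mailbox" }
    @{ Role = $RoleMailRecipients;  Cmdlet = "Get-ActiveSyncDevice";           Parameters = "Identity" }
    @{ Role = $RoleMailRecipients;  Cmdlet = "Get-MobileDeviceStatistics";     Parameters = "Mailbox" }
    @{ Role = $RoleMailRecipients;  Cmdlet = "Get-MobileDevice";               Parameters = "Mailbox" }
    @{ Role = $RoleMailRecipients;  Cmdlet = "Set-AdServerSettings";           Parameters = $null }
    @{ Role = $RoleMailRecipients;  Cmdlet = "Remove-ActiveSyncDevice";        Parameters = "Identity", "Confirm" }
    @{ Role = $RoleMailRecipients;  Cmdlet = "Remove-MobileDevice";            Parameters = "Identity", "Confirm" }
    @{ Role = $RoleOrgClientAccess; Cmdlet = "Set-CasMailbox";
       Parameters = "Identity", "ActiveSyncBlockedDeviceIDs", "ActiveSyncAllowedDeviceIDs" }
)

foreach ($e in $entries) {
    $id = "$($e.Role)\$($e.Cmdlet)"
    # Skip entries that already exist so a second run does not fail.
    if (Get-ManagementRoleEntry -Identity $id -ErrorAction SilentlyContinue) { continue }
    if ($e.Parameters) {
        Add-ManagementRoleEntry -Identity $id -Parameters $e.Parameters
    } else {
        Add-ManagementRoleEntry -Identity $id
    }
}

# Bind the three roles to a role group and put the gatekeeping account in it.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles $RoleMailRecipients, $RoleOrgClientAccess, $RoleExchangeServers | Out-Null
}
Add-RoleGroupMember -Identity $RoleGroup -Member $GatekeepingAccount

# Added least-privilege check (not part of the documented steps): show what the three
# roles now allow and stop if any cmdlet outside the allowlist is still present.
$expected = ($roles | ForEach-Object { $_.Keep }) + ($entries | ForEach-Object { $_.Cmdlet })
$actual   = foreach ($r in $roles) { Get-ManagementRoleEntry "$($r.Name)\*" }
$actual | Select-Object Role, Name, Parameters | Format-Table -AutoSize
$unexpected = $actual | Where-Object { $expected -notcontains $_.Name }
if ($unexpected) {
    throw "Roles grant cmdlets outside the gatekeeping allowlist: $($unexpected.Name -join ', ')"
}
```

The -Parameters lists matter as much as the cmdlet names: with Set-CasMailbox limited to Identity, ActiveSyncBlockedDeviceIDs and ActiveSyncAllowedDeviceIDs, the BUEMAdmin account can maintain the per-mailbox ActiveSync allow and block lists but cannot change any other client access setting, which is the whole point of deriving scoped child roles instead of assigning the built-in parent roles directly. Adding the role entries before creating the role group differs from the documented step order but produces the same final role group and entries.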