Exchange module

The Cloud Extender® integrates with Exchange servers and provides complete visibility to all ActiveSync devices that are connected to the mail system.

With the Exchange integration, the Cloud Extender functions in the following ways.

  • Queries the Exchange server by using Microsoft PowerShell commands to discover ActiveSync devices and ActiveSync policies.
  • Uploads the device list and policy configurations to the IBM® MaaS360® Portal for reporting and management functions.
  • Supports all ActiveSync device actions, including approving, blocking, or removing a device from the mailbox. It also wipes devices that are initiated through the IBM MaaS360 Portal, whether through administrative actions or automated rules.
  • Supports ActiveSync policy assignments to connected devices.
  • Enables Auto-Quarantine to prevent new devices from connecting to Exchange servers. Since existing ActiveSync devices are approved, existing connections are not affected by the quarantine process.
  • Supports pre-approval of MaaS360 Mail connections and approval of connections from enrolled devices.
  • Supports granular integration against specific mailbox servers and domains.
  • Supports automated cleanup of old ActiveSync connections from the environment.
Important: The Cloud Extender integration with Exchange does not affect the flow of email traffic because the Cloud Extender is not an email proxy. The Cloud Extender instance does not sit between email and devices. This integration provides visibility only to your Exchange environment where you can manage devices. If the Cloud Extender is unavailable, users can continue to send and receive email messages.

Supported versions of Exchange

The Cloud Extender integrates with both the on-premises and cloud versions of Exchange. The Cloud Extender supports the following versions of Exchange.
On-Premises
Exchange 2016 or later
Cloud
Office 365
Note: For Exchange 2016 or later, and for all cloud versions of Exchange, the Cloud Extender uses Remote PowerShell for integration.

Requirements and scaling

The IBM MaaS360 Portal offers a Cloud Extender Scaling Tool at Setup > Services > Enterprise Email Integration. Enter the number of mailboxes and devices that you plan to enroll for MaaS360 and determine how many Cloud Extenders you might need to support integration with Exchange.

Consider the following guidelines for scaling the Exchange integration.
  • Gather times for device data does not exceed 60 minutes and averages 25 - 40 minutes for 5,000 devices. Current and average gather times are available on the Cloud Extender Status page in the IBM MaaS360 Portal.
  • For optimal Cloud Extender instance allocation, divide ActiveSync devices by 5,000 and Mailboxes by 10,000. Select the larger value to ensure efficient environment performance.
  • To minimize latency, regional Cloud Extenders might be more appropriate to use.
Table 1. Scaling requirements for the Exchange Integration module
Item Requirement
Exchange (2016 or later) Mailboxes: less than 10,000 mailboxes
Devices: less than 5,000 devices
CPU: 2 cores
Memory: 8 GB
Exchange (2016 or later) Mailboxes: more than 10,000 mailboxes
Devices: more than 5,000 devices
CPU: Use more Cloud Extenders
Memory: N/A
Scaling:
  • Supports installation on multiple instances of the Cloud Extender, but does not support High Availability (HA). Each Cloud Extender that implements Exchange Integration must have an exclusive scope and must not overlap with other instances of the Cloud Extender that implement Exchange Integration.
  • Install on a dedicated Cloud Extender or enabled on Cloud Extender with the User Authentication service enabled.

For accurate scaling of your environment, see the Cloud Extender scaling document at Setup > Services > Enterprise Email Integration.
Office 365 using Remote PowerShell Mailboxes: All / Devices: All
CPU: 2 cores
Memory: 8 GB
Scaling: Office 365 supports multiple instances of the Cloud Extender.
Requires multiple service accounts for load distribution for more than 500 mailboxes.

For accurate scaling of your environment, see the Cloud Extender scaling document at Setup > Services > Enterprise Email Integration.
Network traffic Traffic exchange between the Cloud Extender and the Exchange server:
  • First-time upload data usage: 3.35 MB
  • Steady state data usage per month: 8872.75 MB
Traffic exchange between the Cloud Extender and MaaS360:
  • First-time upload data usage: 1 MB
  • Steady state data usage per month: 95.75 MB
Test metrics (usage based on 1,000 devices):
  • Incremental data uploads frequency = 15 minutes
  • Heartbeat frequency = 1 hour
  • Full data uploads frequency = 1 week with environment change
  • Every incremental query, 1 percent of devices have attribute changes
  • Average data packet size per device: 3 KB
  • Average data packet size for heartbeat: 0.3 KB
  • Average data packet size for policy = 50 KB (assuming 10 policies)
  • Average ratio of encryption and compression of data upload to MaaS360 = 70 percent

Exchange Integration requirements

The Exchange Integration module requires the following versions and service accounts:
Table 2. Version, service account, and certificate authentication requirements for the Exchange Integration module
Item Requirement
Version
  • Exchange Server 2016 or later
  • Office 365
Service account
  • Domain user
  • Local Administrator access on the Cloud Extender server
Service account Exchange permissions
  • 2016 or later
  • Office 365: Global Administrator rights
Role-based access control (RBAC)
  • If your organization supports Organization Management or Global Administrator accounts, create RBAC accounts based on specific access rights.
  • Supports Exchange 2016 and later, and Office 365
  • See About Exchange role-based access control (RBAC) for detailed information.
Office 365 with service accounts
  • Requires multiple service accounts configured on the Cloud Extender. Follow these guidelines:
    • One Global Administrator account per 500 mailboxes for device discovery.
    • Two dedicated Global Administrator accounts: One account reserved for gathering mailbox data and another account reserved for IBM MaaS360 Portal actions.
    • Service account requires a Global Administrator account
    • Service account does not support multi-factor authentication (MFA) or two-factor authentication (2FA), but does support modern authentication.

    For example: If you have 2,000 mailboxes, you need four service accounts for device discovery and two dedicated service accounts for a total of six required accounts. See About Office 365 Budgets for detailed information.

Office 365 with certificates
  • Requires registration of the application in the Microsoft Entra ID portal.
  • Requires the application to have the Application API permission for Exchange.ManageAsApp.
  • Requires generating a self-signed certificate.
  • Requires assigning Microsoft Entra roles to the application. For more information, see About Exchange role-based access control (RBAC).
PowerShell
  • PowerShell 3.0+
ExchangeOnlineManagement
  • ExchangeOnlineManagement 3.1.0