Exchange module

The Cloud Extender® integrates with Exchange servers and provides complete visibility to all ActiveSync devices that are connected to the mail system.

With the Exchange integration, the Cloud Extender functions in the following ways:

  • Queries the Exchange server by using Microsoft PowerShell commands to discover ActiveSync devices and ActiveSync policies.
  • Uploads the device list and policy configurations to the MaaS360® Portal for reporting and management functions.
  • Supports all ActiveSync device actions such as approve, block, or remove a device from the mailbox and wipes devices that are initiated by the MaaS360 Portal, either through administrative action or automated rules.
  • Supports ActiveSync policy assignments to connected devices.
  • Enables Auto-Quarantine to prevent new devices from connecting to Exchange servers. Since existing ActiveSync devices are approved, existing connections are not affected by the quarantine process.
  • Supports pre-approval of Secure Mail connections and approval of connections from enrolled devices.
  • Supports granular integration against specific mailbox servers and domains.
  • Supports automated cleanup of old ActiveSync connections from the environment.
Important: The Cloud Extender integration with Exchange does not affect the flow of email traffic because the Cloud Extender is not an email proxy. The Cloud Extender instance does not sit between email and devices. This integration provides visibility only to your Exchange environment where you can manage devices. If the Cloud Extender is unavailable, users can continue to send and receive email messages.

Supported versions of Exchange

The Cloud Extender integrates with both the on-premises and cloud versions of Exchange. The Cloud Extender supports the following versions of Exchange:
  • On-Premises: Exchange 2010, 2013, or 2016
  • Cloud: BPOS-dedicated (BPOS-shared not supported) and Office 365
Note: For Exchange 2010 and later, and for all cloud versions of Exchange, the Cloud Extender uses Remote PowerShell for integration.

Requirements and scaling

The MaaS360 Portal offers a Cloud Extender Scaling Tool at Setup > Services > Enterprise Email Integration. Enter the number of mailboxes and devices that you plan to enroll for MaaS360 and determine how many Cloud Extenders you might need to support integration with Exchange.

Consider the following guidelines for scaling the Exchange integration:
  • Gather times for device data does not exceed 60 minutes and averages 25 - 40 minutes for 5,000 devices. Current and average gather times are available on the Cloud Extender Status page in the MaaS360 Portal.
  • To determine the number of Cloud Extender instances that you need for your environment, divide the potential number of ActiveSync connected devices by 5,000 and the number of Mailboxes by 10,000 and use the higher of the two values.
  • To minimize latency, regional Cloud Extenders might be more appropriate to use.
Table 1. Scaling requirements for the Exchange Integration module
Item Requirement
Exchange 2010, 2013, 2016, and BPOS-D (for less than 10,000 mailboxes) Mailboxes: less than 10,000 mailboxes
Devices: less than 5,000 devices
CPU: 2 cores
Memory: 8 GB
Exchange 2010, 2013, 2016, and BPOS-D (for more than 10,000 mailboxes) Mailboxes: more than 10,000 mailboxes
Devices: more than 5,000 devices
CPU: Use more Cloud Extenders
Memory: N/A
Scaling:
  • Supports installation on multiple instances of the Cloud Extender, but does not support High Availability (HA). Each Cloud Extender that implements Exchange Integration must have an exclusive scope and must not overlap with other instances of the Cloud Extender that implement Exchange Integration.
  • Install on a dedicated Cloud Extender or enabled on Cloud Extender with the User Authentication service enabled.

For accurate scaling of your environment, see the Cloud Extender scaling document at Setup > Services > Enterprise Email Integration.
Office 365 using Remote PowerShell Mailboxes: All / Devices: All
CPU: 2 cores
Memory: 8 GB
Scaling: Office 365 supports multiple instances of the Cloud Extender.
Requires multiple service accounts for load distribution for more than 500 mailboxes.

For accurate scaling of your environment, see the Cloud Extender scaling document at Setup > Services > Enterprise Email Integration.
Network traffic Traffic exchange between the Cloud Extender and the Exchange server:
  • First-time upload data usage: 3.35 MB
  • Steady state data usage per month: 8872.75 MB
Traffic exchange between the Cloud Extender and MaaS360:
  • First-time upload data usage: 1 MB
  • Steady state data usage per month: 95.75 MB
Test metrics (usage based on 1,000 devices):
  • Incremental data uploads frequency = 15 minutes
  • Heartbeat frequency = 1 hour
  • Full data uploads frequency = 1 week with environment change
  • Every incremental query, 1 percent of devices have attribute changes
  • Average data packet size per device: 3 KB
  • Average data packet size for heartbeat: 0.3 KB
  • Average data packet size for policy = 50 KB (assuming 10 policies)
  • Average ratio of encryption and compression of data upload to MaaS360 = 70 percent

Exchange Integration requirements

The Exchange Integration module requires the following versions and service accounts:
Table 2. Version and service account requirements for the Exchange Integration module
Item Requirement
Version
  • Exchange Server 2010, 2013, or 2016
  • Office 365 and BPOS-Dedicated
Service account
  • Domain user
  • Local Administrator access on the Cloud Extender server
Service account Exchange permissions
  • 2010/2013/2016/BPOS-D: Member of Organization Management security group
  • Office 365: Global Administrator rights
Role-based access control (RBAC)
  • If your organization supports Organization Management or Global Administrator accounts, create RBAC accounts based on specific access rights.
  • Supports Exchange 2010 and later, and Office 365
  • See About Exchange role-based access control (RBAC) for detailed information.
Office 365 only
  • Requires multiple service accounts configured on the Cloud Extender. Follow these guidelines:
    • One Global Administrator account per 500 mailboxes for device discovery.
    • Two dedicated Global Administrator accounts: One account reserved for gathering mailbox data and another account reserved for MaaS360 Portal actions.
    • Service account requires a Global Administrator account
    • Service account does not support multi-factor authentication (MFA) or two-factor authentication (2FA), but does support modern authentication.

    For example: If you have 2,000 mailboxes, you need four service accounts for device discovery and two dedicated service accounts for a total of six required accounts. See About Office 365 Budgets for detailed information.

PowerShell
  • PowerShell 3.0+
ExchangeOnlineManagement
  • ExchangeOnlineManagement 2.0.5