Sentry preferences
Using Services > Sentry > Preferences in the Admin Portal, you can set the following preferences for the integration with ActiveSync:
•Auto Block Unregistered (unlinked) Devices
See Auto blocking unregistered devices.
•Strict ActiveSync to device linking
See Configuring strict ActiveSync to device linking
•Integrated Sentry Sync Interval
See Setting the Integrated Sentry Sync Interval.
•Service Account Notification Email
See Setting the Service Account Notification Email
•Default ActiveSync behavior
See Changing the default ActiveSync policy behavior
•Regenerate attachment key
See Regenerating the encryption key
Auto blocking unregistered devices
By default, Sentry allows unregistered devices to access the ActiveSync server. Use this setting to change Sentry’s behavior to block unregistered devices from access.
When you select Yes for Auto Block Unregistered(unlinked) Devices, Sentry will not block existing unregistered devices. The sync status in the ActiveSync page will continue to display as Allowed for unregistered devices. Ivanti EPMM does not re-evaluate the sync status for existing unregistered devices. To block access to existing unregistered devices, Remove the devices from the ActiveSync page. When the device tries to access the ActiveSync server the new rule will be applied.
Blocking unregistered devices automatically blocks Windows 7 and other devices that cannot register with Ivanti EPMM. Windows 7, Windows 8 Pro, and Windows 8 RT devices cannot register with Ivanti EPMM because these devices do not have device management features. To allow these devices to sync with the ActiveSync server, Auto Block Unregistered Devices must be set to No.
When you change this setting, Ivanti Standalone Sentry immediately changes its behavior to reflect the setting. Integrated Sentry informs the Microsoft Exchange Server to change its behavior the next time Integrated Sentry syncs with Ivanti EPMM.
Procedure
1. | In the Admin Portal, go to Services > Sentry > Preferences. |
2. | Select Yes for Auto Block Unregistered Devices. |
3. | Click Save to save the changes. |
For other methods for blocking devices from accessing the ActiveSync server, see the following:
•Block.
•“Working with security policies” in the Ivanti EPMM Device Management Guide.
Configuring strict ActiveSync to device linking
In case Ivanti Standalone Sentry cannot successfully link an ActiveSync record to a managed device record using the ActiveSync ID, it makes additional attempts using username and email information. This may, in some cases, result in an incorrect association. Enable Use Strict ActiveSync to Device Linking to avoid incorrect association between an ActiveSync record and a Device record.
The default setting for Use Strict ActiveSync to Device Linking is No. This means that Standalone Sentry will make additional attempts to associate the ActiveSync record to a managed device.
Procedure
1. | In the Admin Portal, go to Services > Sentry > Preferences. |
2. | For Use Strict ActiveSync to Device Linking, select Yes. |
3. | Click Save. |
With strict linking, some ActiveSync records may not be automatically linked to a managed device. In these cases, you can use the Link To action in the ActiveSync page to manually associate the ActiveSync record to the managed device record.
Setting the Integrated Sentry Sync Interval
The Sentry Sync Interval is only applicable to Integrated Sentry. This setting tells how often Integrated Sentry performs a periodic differential sync.
Procedure
1. | In the Admin Portal, go to Services > Sentry > Preferences. |
2. | Set the Sentry Sync Interval to the preferred interval. |
Setting the Service Account Notification Email
Configure this setting if you use a Standalone Sentry that uses Kerberos for device authentication. This setting specifies the email addresses to notify if the Kerberos service account is locked, disabled, or about to expire.
Procedure
1. | In the Admin Portal, go to Services > Sentry > Preferences. |
2. | In the Service Account Notification Email field, enter one or more email addresses. Separate the email addresses with commas. |
For more information, see Authentication Using Kerberos Constrained Delegation.
Changing the default ActiveSync policy behavior
The Default Active Sync policy is applied if an ActiveSync policy is not applied to the device.
The Default ActiveSync Policy behavior setting determines whether Sentry applies the ActiveSync server’s policy to the device syncing with the ActiveSync server.
•It may take up to twenty-four hours for any changes to the Default ActiveSync Policy behavior to take effect.
•As best practice, Ivanti recommends disabling the Refresh Interval on the client access server’s (CAS) ActiveSync policy
Procedure
1. | In the Admin Portal, go to Services > Sentry > Preferences. |
Figure 1. Default ActiveSync policy behavior
2. | For Default ActiveSync Policy behavior, set the default behavior. |
Item |
Description |
Remove AS Server policy |
The ActiveSync server’s policy is not applied to the device. |
Apply AS Server policy |
The ActiveSync server’s policy is applied to the device. |
3. | Click Save. |