Sentry preferences

Using Services > Sentry > Preferences in the Admin Portal, you can set the following preferences for the integration with ActiveSync:

Auto Block Unregistered (unlinked) Devices

See Auto blocking unregistered devices.

Strict ActiveSync to device linking

See Configuring strict ActiveSync to device linking.

Integrated Sentry Sync Interval

See Setting the Integrated Sentry Sync Interval.

Service Account Notification Email

See Setting the Service Account Notification Email.

Default ActiveSync behavior

See Changing the default ActiveSync policy behavior.

Regenerate attachment key

See Regenerating the encryption key.

Auto blocking unregistered devices

By default, Sentry allows unregistered devices to access the ActiveSync server. Use this setting to change Sentry’s behavior to block unregistered devices from access.

When you select Yes for Auto Block Unregistered (unlinked) Devices, Sentry does not block existing unregistered devices. The sync status in the ActiveSync page continues to display as Allowed for unregistered devices. Core does not re-evaluate the sync status for existing unregistered devices. To block access for existing unregistered devices, remove the devices from the ActiveSync page. When a removed device tries to access the ActiveSync server, the new rule is applied.

Blocking unregistered devices automatically blocks Windows 7 and other devices that cannot register with Core. Windows 7, Windows 8 Pro, and Windows 8 RT devices cannot register with Core because these devices do not have device management features. To allow these devices to sync with the ActiveSync server, Auto Block Unregistered Devices must be set to No.

When you change this setting, Standalone Sentry immediately changes its behavior to reflect the setting. Integrated Sentry informs the Microsoft Exchange Server to change its behavior the next time Integrated Sentry syncs with Core.

Procedure 

1. In the Admin Portal, go to Services > Sentry > Preferences.
2. Select Yes for Auto Block Unregistered Devices.
3. Click Save to save the changes.

For other methods for blocking devices from accessing the ActiveSync server, see the following:

Block.

“Working with security policies” in the Core Device Management Guide.

Configuring strict ActiveSync to device linking

If Standalone Sentry cannot link an ActiveSync record to a managed device record using the ActiveSync ID, it makes additional attempts using username and email information. In some cases, this may result in an incorrect association. Enable Use Strict ActiveSync to Device Linking to avoid an incorrect association between an ActiveSync record and a device record.

The default setting for Use Strict ActiveSync to Device Linking is No. This means that Standalone Sentry will make additional attempts to associate the ActiveSync record to a managed device.

Procedure 

1. In the Admin Portal, go to Services > Sentry > Preferences.
2. For Use Strict ActiveSync to Device Linking, select Yes.
3. Click Save.

With strict linking, some ActiveSync records may not be automatically linked to a managed device. In these cases, you can use the Link To action in the ActiveSync page to manually associate the ActiveSync record to the managed device record.
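
The following added example (a simplified Python model, not Ivanti code) illustrates why the username and email fallback can produce an incorrect association and what strict linking changes. The class names, the sample data, and the fallback order (username, then email) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ManagedDevice:            # hypothetical managed device record
    device_id: str
    activesync_id: Optional[str]
    username: str
    email: str


@dataclass(frozen=True)
class ActiveSyncRecord:         # hypothetical ActiveSync record
    activesync_id: str
    username: str
    email: str


def link(record, devices, strict) -> Tuple[Optional[str], Optional[str]]:
    """Return (device_id, matched_on); (None, None) means left unlinked."""
    for dev in devices:
        if dev.activesync_id == record.activesync_id:
            return dev.device_id, "activesync_id"
    if strict:
        return None, None       # unlinked: an admin links it manually
    # Non-strict: additional attempts (order is an assumption of this model).
    for field in ("username", "email"):
        for dev in devices:
            if getattr(dev, field).lower() == getattr(record, field).lower():
                return dev.device_id, field
    return None, None


# Constructed sample data: one managed phone, and the same user's
# unmanaged tablet syncing with the same account.
DEVICES = [ManagedDevice("dev-001", "AS-PHONE-1111", "jdoe", "jdoe@example.com")]
RECORDS = [
    ActiveSyncRecord("AS-PHONE-1111", "jdoe", "jdoe@example.com"),
    ActiveSyncRecord("AS-TABLET-2222", "jdoe", "jdoe@example.com"),
]


def report(strict: bool) -> dict:
    """Map each ActiveSync ID to the link result under the given mode."""
    return {r.activesync_id: link(r, DEVICES, strict) for r in RECORDS}


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "non-strict", report(mode))
```

In this model, the tablet's record is attached to the phone's device record when strict linking is off, and stays unlinked when it is on.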

Setting the Integrated Sentry Sync Interval

The Sentry Sync Interval applies only to Integrated Sentry. This setting specifies how often Integrated Sentry performs a periodic differential sync.

Procedure 

1. In the Admin Portal, go to Services > Sentry > Preferences.
2. Set the Sentry Sync Interval to the preferred interval.

Setting the Service Account Notification Email

Configure this setting if you use a Standalone Sentry that uses Kerberos for device authentication. This setting specifies the email addresses to notify if the Kerberos service account is locked, disabled, or about to expire.

Procedure 

1. In the Admin Portal, go to Services > Sentry > Preferences.
2. In the Service Account Notification Email field, enter one or more email addresses. Separate the email addresses with commas.

For more information, see Authentication Using Kerberos Constrained Delegation.

Changing the default ActiveSync policy behavior

The Default ActiveSync policy is applied if an ActiveSync policy is not applied to the device.

The Default ActiveSync Policy behavior setting determines whether Sentry applies the ActiveSync server’s policy to the device syncing with the ActiveSync server.

It may take up to twenty-four hours for any changes to the Default ActiveSync Policy behavior to take effect.

As a best practice, Ivanti, Inc. recommends disabling the Refresh Interval on the client access server’s (CAS) ActiveSync policy.

Procedure 

1. In the Admin Portal, go to Services > Sentry > Preferences.

Figure 1. Default ActiveSync policy behavior

2. For Default ActiveSync Policy behavior, set the default behavior.

| Item | Description |
| --- | --- |
| Remove AS Server policy | The ActiveSync server’s policy is not applied to the device. |
| Apply AS Server policy | The ActiveSync server’s policy is applied to the device. |

3. Click Save.

Regenerating the attachment key

See Regenerating the encryption key.