ActiveSync Allowed/Blocked Applications

  • Question

  • Please clarify how the ActiveSync Allowed/Blocked applications should work, since little to no documentation can be found on my end. The [MS-ASPROV].pdf document is a little too vague on this. When trying to block an application I first found the executable on the device using the Microsoft ActiveSync "Explore" option. I then added this exact filename, including the .exe extension, to the Blocked Application list when editing a policy. After applying my changes and syncing, it prompted my Windows Mobile 6.5 device to restart. After the restart I was still able to open the executable on the device.

    I was able to pull up the Provisioning-WBXML to view what is being sent by the server.  Inside the UnapprovedInROMApplicationList tag the ApplicationName tag had the exact value I added to the blocked application list.  How is the device meant to use this value? It doesn’t seem to actually be blocking the program from executing. Please provide more detail about what this ApplicationName string is and how the device should use it to block applications from executing on the device.

    While on this topic a full explanation of how the allowed feature is meant to work would be much appreciated.

    J. Phillips
    Software Engineer
    Notify Technology Corporation


    Tuesday, February 9, 2010 8:18 PM

Answers

  • Hi Greg, only in-memory applications that are included in the ApprovedApplicationList (MS-ASPROV section 2.2.2.21) element SHOULD be allowed to execute on the device if this element is sent to the client; all other in-memory applications SHOULD NOT be allowed to run. In-memory applications are any that are not included in the base client image, such as ones that are installed by the user or downloaded from an external source or marketplace. I am using 'SHOULD' instead of 'MUST' (see description below) because the ApprovedApplicationList element only tells the client what is allowed to execute. Unfortunately, it is possible for the client to acknowledge the policy but not actually enforce it. The enforcement of the policy is outside the scope of the protocol documentation, and questions about that should be directed to the client/device-specific support channels.


    2.2.2.21 ApprovedApplicationList
    The ApprovedApplicationList element is an optional container ([MS-ASDTYPE] section 2.2) element that specifies a list of in-memory applications that are approved for execution. It is a child of the EASProvisionDoc element (section 2.2.2.27). Only in-memory applications are affected by this element. This element does not apply to in-ROM applications. If present, the client MUST only allow the in-memory applications specified by this element to execute.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Monday, February 11, 2013 7:35 PM
    Moderator
  • J. Phillips,

    The UnapprovedInROMApplicationList contains the exe name in question (e.g. “TMAIL.exe”). When the device launches an application, it checks in the unapproved list and denies the apps that match via this list. Now, this only applies to apps (exe, dll) that are already installed on the device (in-memory apps).

    Does this answer your question?

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Wednesday, March 3, 2010 8:33 PM
  • J. Phillips,

    An in-memory application is a user-installed app. An in-ROM application is an application included with the OS image.

    Dominic Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Thursday, May 6, 2010 1:49 PM
  • Eddie,

    This could be implemented on any device, as ActiveSync is a wire protocol (a client implementation). There are other devices that are not Windows Mobile devices that support the ActiveSync protocol.

    Dominic Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team


    Thursday, May 6, 2010 2:06 PM
  • Eddie,

    As long as the application in question is an in-memory application, then the application itself can be blocked.

    Dominic Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team


    Friday, May 7, 2010 9:05 AM
  • Hi Michbar89, There are 2 elements that tell the client which applications are allowed or disallowed. UnapprovedInROMApplicationList specifies which in-ROM applications are not approved for execution while ApprovedApplicationList explicitly defines which in-memory applications are allowed to run on the device. Note that in-ROM refers to applications that are pre-installed and in-memory applications are typically ones installed by the user.

    This is the extent of what is covered by the protocol. Defining the list of applications that are part of either of those lists is not part of the documentation and is instead part of the Mobile Device Mailbox Policy, which is controlled and configured on Exchange Server, or a server that implements the Exchange Server Protocols. Similarly, it is up to the client implementation how to handle applications that are approved or unapproved.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Tuesday, September 10, 2013 5:49 PM
    Moderator
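The two marked answers above describe the client-side decision: UnapprovedInROMApplicationList names in-ROM applications that must not run, and ApprovedApplicationList, when present, is the only set of in-memory applications that may run. The following is an added example (not code from this thread, from Microsoft, or from MS-ASPROV itself) that implements that decision over a constructed, already-decoded EASProvisionDoc fragment, the XML form that the Provisioning WBXML on the wire decodes to. The `Hash` child element of ApprovedApplicationList (a SHA-1 of the approved binary) is taken from the published spec and does not appear in this thread; the filenames, hashes and device inventory are made up, and case-insensitive matching of ApplicationName is an assumption about the client. It also reproduces the original poster's observation: putting an in-memory executable's name into UnapprovedInROMApplicationList does not stop it from running, because that element governs in-ROM applications only.

```python
"""Evaluate the two MS-ASPROV application-control elements a client receives.

Added example, not code from the thread or from Microsoft. Element names follow
MS-ASPROV; the ``Hash`` child of ApprovedApplicationList (SHA-1 of the binary)
comes from the published spec, not from this thread. All filenames, hashes and
the device inventory below are constructed for the demonstration.
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed: bytes standing in for two user-installed (in-memory) binaries.
FAKE_APPROVED_EXE = b"MZ\x90\x00 constructed approved in-memory app"
FAKE_OTHER_EXE = b"MZ\x90\x00 constructed unapproved in-memory app"


def sha1_hex(data: bytes) -> str:
    """ApprovedApplicationList identifies a binary by the SHA-1 of its contents."""
    return hashlib.sha1(data).hexdigest()


# Constructed decoded provisioning document (WBXML already decoded, no namespaces).
SAMPLE_POLICY_XML = f"""
<EASProvisionDoc>
  <DevicePasswordEnabled>1</DevicePasswordEnabled>
  <UnapprovedInROMApplicationList>
    <ApplicationName>TMAIL.exe</ApplicationName>
    <ApplicationName>iexplore.exe</ApplicationName>
  </UnapprovedInROMApplicationList>
  <ApprovedApplicationList>
    <Hash>{sha1_hex(FAKE_APPROVED_EXE)}</Hash>
  </ApprovedApplicationList>
</EASProvisionDoc>
"""


@dataclass(frozen=True)
class Policy:
    # None means ApprovedApplicationList was absent: in-memory apps are unrestricted.
    # An empty set means the element was present but empty: no in-memory app may run.
    approved_hashes: Optional[frozenset]
    unapproved_in_rom: frozenset  # lower-cased ApplicationName values


def parse_policy(xml_text: str) -> Policy:
    """Extract the two application lists from a decoded EASProvisionDoc."""
    root = ET.fromstring(xml_text.strip())
    rom_list = root.find("UnapprovedInROMApplicationList")
    names = rom_list.findall("ApplicationName") if rom_list is not None else []
    # Assumption: filenames compare case-insensitively, as on Windows.
    unapproved = frozenset((el.text or "").strip().lower() for el in names)

    approved_el = root.find("ApprovedApplicationList")
    approved = None
    if approved_el is not None:
        approved = frozenset(
            (el.text or "").strip().lower() for el in approved_el.findall("Hash")
        )
    return Policy(approved_hashes=approved, unapproved_in_rom=unapproved)


@dataclass(frozen=True)
class InstalledApp:
    name: str
    in_rom: bool       # True: shipped in the OS image; False: installed by the user
    contents: bytes    # what the client would hash for an in-memory app


def may_execute(policy: Policy, app: InstalledApp) -> bool:
    """Client-side decision described in the thread's marked answers."""
    if app.in_rom:
        # In-ROM apps are governed only by the unapproved name list.
        return app.name.lower() not in policy.unapproved_in_rom
    if policy.approved_hashes is None:
        # No ApprovedApplicationList sent: in-memory apps are not restricted,
        # even if their name happens to appear in UnapprovedInROMApplicationList.
        return True
    # ApprovedApplicationList present: only listed hashes may run.
    return sha1_hex(app.contents) in policy.approved_hashes


def evaluate_inventory(policy: Policy, apps: Iterable[InstalledApp]) -> Dict[str, bool]:
    """Map each installed app name to whether the policy lets it execute."""
    return {app.name: may_execute(policy, app) for app in apps}


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY_XML)
    inventory = [
        InstalledApp("tmail.exe", True, b""),                 # in-ROM, listed: denied
        InstalledApp("calc.exe", True, b""),                  # in-ROM, not listed: allowed
        InstalledApp("notify.exe", False, FAKE_APPROVED_EXE), # in-memory, hash approved
        InstalledApp("TMAIL.exe", False, FAKE_OTHER_EXE),     # in-memory, name irrelevant
    ]
    for name, ok in evaluate_inventory(pol, inventory).items():
        print(f"{name:12} -> {'allowed' if ok else 'denied'}")
```

The last inventory entry is the thread's own scenario: a user-installed executable whose name is in the blocked list. It is denied here only because the sample policy also carries an ApprovedApplicationList that its hash is not in; drop that element and the name match alone does nothing, which matches what the original poster saw on the device.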

All replies

  • J. Phillips,

    I am the engineer who has taken ownership of your issue. I am currently investigating this and will update you as things progress.

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team
    Tuesday, February 9, 2010 8:45 PM
  • J. Phillips,

    I am still investigating this issue and will update you as things progress.

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team
    Tuesday, February 16, 2010 5:15 PM
  • J. Phillips,

    I am still investigating this issue and will have an answer for you shortly.

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Thursday, February 25, 2010 8:36 PM
  • J. Phillips,

    The UnapprovedInROMApplicationList contains the exe name in question (e.g. “TMAIL.exe”). When the device launches an application, it checks in the unapproved list and denies the apps that match via this list. Now, this only applies to apps (exe, dll) that are already installed on the device (in-memory apps).

    Does this answer your question?

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Wednesday, March 3, 2010 8:33 PM
  • Can you define what an in-memory app is? In the reply you say that the app must already be installed on the device. Does this mean that the app is considered an app on a factory setup, or can you go to the Marketplace, download an app and install it onto the device?

    I’ve noticed that Exchange 2007 and 2010 ActiveSync only blocks executables run from the WINDOWS folder on both WM 6.1 and 6.5 devices. Would this be expected behavior? If so, this should be noted in the documentation; otherwise, if this is unexpected behavior, please let me know.

    This does not include executables stored in subdirectories of the device WINDOWS folder. In a test of my own, I’ve copied executables stored in Program Files and dropped them in the WINDOWS folder. When attempting to block this app, it was successful when the executable was located inside the WINDOWS folder.

    Again, a full explanation of how the allowed applications feature is meant to work would also be much appreciated.


    J. Phillips
    Software Engineer
    Notify Technology Corporation

    Wednesday, March 10, 2010 7:48 PM
  • J. Phillips,

    I am looking into your follow-up questions.

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Friday, March 12, 2010 3:15 PM
  • Hi!

    I'm also investigating this Allowed/Blocked applications function and have not found any usable information/documentation regarding this.

    Dominic, how is it going with the investigation/documentation?

    In my tests I have managed to block applications in the \windows folder. When I apply the policy the end user needs to restart their phones, this is normal. But with this block policy applied the users need to restart their phones every 24h (the refresh interval set on the policy).

    This is very strange and an answer to why this happens would also be nice :)

    Wednesday, March 31, 2010 12:35 PM
  • J. Phillips,

    I am still investigating this and will update you as things progress.

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Thursday, April 1, 2010 5:43 PM
  • Does it only block applications for devices running Windows Mobile? What about other devices that support Exchange ActiveSync? Will I be able to block applications on those?
    Monday, May 3, 2010 3:27 PM
  • Eddie,

    I am currently researching this for you.

    Dominic Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Monday, May 3, 2010 8:37 PM
  • J. Phillips,

    An in-memory application is a user-installed app. An in-ROM application is an application included with the OS image.

    Dominic Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Thursday, May 6, 2010 1:49 PM
  • Eddie,

    This could be implemented on any device, as ActiveSync is a wire protocol (a client implementation). There are other devices that are not Windows Mobile devices that support the ActiveSync protocol.

    Dominic Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team


    Thursday, May 6, 2010 2:06 PM
  • Dominic,

    Can you provide steps to block the Facebook mobile app using an Exchange ActiveSync policy? This will block Facebook on any device that is able to connect with ActiveSync, correct?

    Thanks,

    Eddie

    Friday, May 7, 2010 1:52 AM
  • Eddie,

    As long as the application in question is an in-memory application, then the application itself can be blocked.

    Dominic Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team


    Friday, May 7, 2010 9:05 AM
  • Dominic,

    Would you be able to provide detailed instructions on how to block an application?

    Thanks,

    Eddie

    Friday, May 7, 2010 12:58 PM
  • Eddie,

    The specification documents for the ActiveSync Protocol can be found in the Exchange Server Protocols section of the Open Specifications Documentation Library. The wire protocol itself exists within the documentation, but client implementation details are not covered in the documentation and are considered out of scope.

    Dominic Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Monday, May 10, 2010 2:58 PM
  • I can't believe that in ~2.5 years there is not a better answer to this question. Say we issue smartphones to our employees. We don't want them installing any apps. At all. Is there a way to just block all and only let in-ROM apps work?

    I hope this thread is still working.

    Wednesday, February 6, 2013 12:03 AM
  • Hi GregRowley

    Thanks for contacting Microsoft Support. A support engineer will be in touch to assist further.

    Regards


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Thursday, February 7, 2013 1:39 AM
  • Hi Tarun,

    Some information on this would be helpful for general knowledge but upon further inspection, the Android ActiveSync client doesn't seem to fully support all of the Exchange ActiveSync capabilities. It would be most helpful to know if you whitelist an app, does that mean that there is an implicit deny on all non-whitelisted apps?

    Thanks,

    Greg

    Thursday, February 7, 2013 2:59 PM
  • Hi Greg, only in-memory applications that are included in the ApprovedApplicationList (MS-ASPROV section 2.2.2.21) element SHOULD be allowed to execute on the device if this element is sent to the client; all other in-memory applications SHOULD NOT be allowed to run. In-memory applications are any that are not included in the base client image, such as ones that are installed by the user or downloaded from an external source or marketplace. I am using 'SHOULD' instead of 'MUST' (see description below) because the ApprovedApplicationList element only tells the client what is allowed to execute. Unfortunately, it is possible for the client to acknowledge the policy but not actually enforce it. The enforcement of the policy is outside the scope of the protocol documentation, and questions about that should be directed to the client/device-specific support channels.


    2.2.2.21 ApprovedApplicationList
    The ApprovedApplicationList element is an optional container ([MS-ASDTYPE] section 2.2) element that specifies a list of in-memory applications that are approved for execution. It is a child of the EASProvisionDoc element (section 2.2.2.27). Only in-memory applications are affected by this element. This element does not apply to in-ROM applications. If present, the client MUST only allow the in-memory applications specified by this element to execute.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Monday, February 11, 2013 7:35 PM
    Moderator
  • I would like to block applications on iPhone devices. Say, for instance, I want to block Facebook, which has the package "com.facebook.app" with id = 284882215.

    (https://itunes.apple.com/mt/app/facebook/id284882215?mt=8). Please specify exactly how I should do this?

    Out of all the replies in this forum, none of them gave a simple example of how to do this. Thank you in advance.

    • Edited by michbar89 Thursday, September 5, 2013 7:20 AM
    Thursday, September 5, 2013 7:18 AM
  • Hi Michbar89:

    I have alerted The Open Specifications Team regarding your inquiry. A member of the team will be in touch soon.


    Regards, Obaid Farooqi

    Thursday, September 5, 2013 6:22 PM
    Owner
  • Hi michbar89, I am the engineer who will be working with you on this issue. I am currently researching the problem and will provide you with an update soon. Thank you for your patience.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Thursday, September 5, 2013 9:36 PM
    Moderator
  • Hi Michbar89, There are 2 elements that tell the client which applications are allowed or disallowed. UnapprovedInROMApplicationList specifies which in-ROM applications are not approved for execution while ApprovedApplicationList explicitly defines which in-memory applications are allowed to run on the device. Note that in-ROM refers to applications that are pre-installed and in-memory applications are typically ones installed by the user.

    This is the extent of what is covered by the protocol. Defining the list of applications that are part of either of those lists is not part of the documentation and is instead part of the Mobile Device Mailbox Policy, which is controlled and configured on Exchange Server, or a server that implements the Exchange Server Protocols. Similarly, it is up to the client implementation how to handle applications that are approved or unapproved.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Tuesday, September 10, 2013 5:49 PM
    Moderator