HR wants us to prevent part-time hourly staff from checking email while off the clock.
Is it possble to disable Activesync and OWA via exchange policy for users in a particular group? I have looked in EAC, but can't seem to find an option for creating these types of rules for mobile devices.
Rather than going into EAC everytime a new user is created disabling those options, it would be easier if they were applied automatically and enabled on a as-needed basis.
Unfortunately I can't think of a good way to do this for Exchange ActiveSync. The problem you'll run into is that a device which is currently syncing with EAS won't stop just because you assign a new policy to the mailbox-- it will continue to be able to sync until the next time it authenticates. Imagine that Jane is a part-time staffer. She syncs her mailbox at 0800, which establishes an open sync channel. Depending on the particulars of her sync, she may not have to reauthenticate for 12 hours or more, in which case her device will keep synchronizing even after you disable her for EAS.
On the other hand, doing this with OWA is pretty straightforward. See http://technet.microsoft.com/en-us/library/dd351097(v=exchg.150).aspx. You just need to assign the user to the appropriate policy for the time of day, although if the user has an open session it will stay open too.
To fix either of these problems, you could use iisreset to dump all the existing connections on the CAS, but that may also interrupt other users, which might not be acceptable.
