EAS Proxy and E-Mail Container

We are currently planning to install SMC on a customer's site as a replacement solution for BlackBerry Enterprise Server. The customer is active in the finance business, so their IT policies are very restrictive. ActiveSync was turned off completely in the past; the users were only able to access their mail within the "shut" BlackBerry environment.

We set up an SMC testing environment in-house and have been testing different settings (with actual iOS iPhones) for the last few days, but we found no satisfying solution...
The plan was to only allow the mail container to be configured automatically on the devices, but as we found out, it is still possible to configure ActiveSync profiles in iOS' Mail app using the publicly resolvable host name of the SMC server.

Is there any way to configure it like we planned? ActiveSync itself isn't open to the internet; only HTTPS for the SMC server is open through NAT. I read something here about configuring the IIS on the Exchange side to only accept connections from MDM-controlled devices, but the solution in this project should be to completely deactivate the possibility of using ActiveSync to connect to the Exchange server. Other ActiveSync connections (e.g. Office 365, Exchange Online) should still be possible on the devices.

Would this eventually be possible with the WAF of a Sophos UTM instead of NATing the port to the SMC?

Speaking of UTM is a good spot, I tried activating NAC on the SMC and using the SMC integration on the UTM, but I never got this to work. Are there any special requirements like "only with a customer and not 'superadmin', or a user with a special role on the SMC server" that I missed?

  • So... I finally got an answer from SOPHOS support.

    To use a configuration as described above, you have to use the standalone EAS proxy, which is normally used when acting for several customers/ActiveSync connections. When configuring the standalone EAS you come to a point where you choose which mail user agent is allowed to use the EAS proxy. There you can configure that only the Secure Mail App from Sophos is allowed.

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • We have the same problem, and we are in production with Sophos MDM and the internal EAS proxy. This is really an annoyance.

    If you have a static environment, you may be able to use the filter function on Exchange and only allow certain devices. Unfortunately, you cannot use any placeholders in the filter rule. You should forbid all and then allow, for example (SecurePIM is the Sophos client); (see PowerShell "New-MobileDeviceMailboxPolicy" and "Get-MobileDeviceMailboxPolicy" for syntax)

    Allow:

    DeviceUserAgent         : SecurePIM 7.23.4 - iOS 10.2.1

    Other devices look like:

    DeviceUserAgent         : Apple-iPhone5C2/1405.523900005

    I could not get it running (Exchange 2013 CAS) with placeholders like DeviceUserAgent "SecurePIM*"

    Best regards

    Silvio

  • Sorry, New-ActiveSyncDeviceAccessRule, not New-MobileDeviceMailboxPolicy.
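The Exchange-side approach Silvio describes, written out as an added example (not from the thread or from Sophos): default-deny for ActiveSync, then exact-match allow rules for the SecurePIM user agent, plus a check of what is actually partnered. It assumes Exchange 2013 or later and the Exchange Management Shell; the admin mailbox address is a placeholder, and the only user-agent string in the list is the one quoted in the thread.

```powershell
# Added example, not the posters' code. Run in the Exchange Management Shell
# on Exchange 2013+ with an account holding the Organization Client Access role.

# 1. Default-deny: any device that no access rule or per-mailbox exception
#    explicitly allows is blocked. Use Quarantine first if you want to observe
#    which clients connect before enforcing.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block `
    -AdminMailRecipients "eas-admin@example.com"    # placeholder mailbox

# 2. Device access rules compare QueryString exactly; wildcards such as
#    "SecurePIM*" are not supported, which is why that attempt failed.
#    So keep one rule per observed client version and extend the list as
#    the client is updated (collect new strings from step 3).
$allowedAgents = @(
    "SecurePIM 7.23.4 - iOS 10.2.1"    # user agent quoted in the thread
)
foreach ($ua in $allowedAgents) {
    $exists = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq "UserAgent" -and $_.QueryString -eq $ua }
    if (-not $exists) {
        New-ActiveSyncDeviceAccessRule -Characteristic UserAgent `
            -QueryString $ua -AccessLevel Allow
    }
}

# 3. Verify: show the rules, then the distinct user agents that have
#    partnered with a mailbox and whether each is allowed or blocked.
#    A native iOS Mail profile shows up as e.g. "Apple-iPhone5C2/..." and
#    should now report DeviceAccessState Blocked with reason Global.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
Get-MobileDevice -ResultSize Unlimited |
    Get-MobileDeviceStatistics |
    Select-Object DeviceUserAgent, DeviceAccessState, DeviceAccessStateReason |
    Sort-Object DeviceUserAgent -Unique |
    Format-Table -AutoSize
```

This only controls what Exchange accepts from the EAS proxy; it does not stop a device from adding an Office 365 or other external ActiveSync account, which is what the original question wants to keep working.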