
EAS Proxy and E-Mail Container

We are currently planning to install SMC on a customer's site as a replacement solution for BlackBerry Enterprise Server. The customer is active in the finance business, so their IT policies are very restrictive. ActiveSync was turned off completely in the past; the users were only able to access their mail within the "shut" BlackBerry environment.

We set up an SMC testing environment in-house and have been testing different settings (with actual iOS iPhones) for the last few days, but we found no satisfying solution...
The plan was to only allow the mail container to be configured automatically on the devices, but as we found out, it is still possible to configure ActiveSync profiles in iOS' Mail app using the publicly resolvable host name of the SMC server.

Is there any way to configure it like we planned? ActiveSync itself isn't open to the internet; only HTTPS for the SMC server is open through NAT. I read something here about configuring IIS on the Exchange side to only accept connections from MDM-controlled devices, but the solution in this project should be to completely deactivate the possibility of using ActiveSync to connect to the Exchange server. Other ActiveSync connections (e.g. Office 365, Exchange Online) should still be possible on the devices.

Would this eventually be possible with the WAF of a Sophos UTM instead of NATing the port to the SMC?

Speaking of UTM is a good spot, I tried activating NAC on the SMC and using the SMC integration on the UTM, but I never got this to work. Are there any special requirements like "only with a customer and not 'superadmin', or a user with a special role on the SMC server" that I missed?


