Currently, the SMC 7.0 EAS proxy works with "SMC managed" devices only (devices that it knows about), by SMC sending the appropriate PowerShell commands to the Office 365 cloud to deny/allow EAS functionality on non-compliant/compliant devices accordingly.
However, the downside of this approach is that Exchange Autodiscover is set up in DNS to point to Office 365 in the MS cloud (as this is where the user's mailbox now exists) and not to the SMC server on the customer premises / managed Sophos cloud.
The end result is that if a user wants to set up their mobile device and connect to Office 365 without the intervention and control of SMC, then they can do this very easily. They just set up a new mail account, adding in their email address, all without having to go via SMC.
Effectively bypassing SMC, resulting in uncontrolled access to corporate data.
This is basically what our users are doing right now to circumvent the SMC controls.
Whilst one can set up minimum EAS connectivity requirements in Office 365 directly (e.g. PIN requirement, etc.), these out-of-the-box controls aren't as granular and secure as a dedicated MDM/EMM solution.
The preferred approach would be to link the SMC solution to an Active Directory group of ALL Office 365 users, and pull the users' email addresses from that group membership. In turn, SMC would have the required information to link these users to both SMC and Office 365, as they would have common attributes, and control devices whether they are in SMC or not.
Example 1:
1. SMC to extract email addresses from the AD group. Example user: Joe.bloggs@domain.com
2. SMC to look up that user in SMC and list their assigned and managed devices by ActiveSync ID.
3. As normal, SMC would then manage EAS access on the known devices as appropriate – compliant / non-compliant.
4. *EXTRA STEP* SMC would look up the user in Office 365 and simply deny EAS access to unmanaged devices (devices it doesn't have listed under the control of SMC) – that is, until they become both managed and compliant.
As a side note: Office 365 sees the built-in mobile OS email client and the downloaded Outlook mobile email client as two separate devices in EAS because of a different ActiveSync ID.
HOWEVER, this looks easier to implement in SMC than I originally thought...
Sophos SMC already holds the required information about unknown devices in the file 'accessLog_ProxyEAS.xml'. Each unknown device is listed as:
<deniedMessage>unknown active sync id</deniedMessage>
So surely this is quite achievable by Sophos to stop people easily circumventing SMC!?
I'm happy to demonstrate this to Sophos.
Sophos?
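The four-step procedure above, written out as an added PowerShell example against Exchange Online and Active Directory. This is not Sophos or SMC code and is not from the original post; it assumes the ActiveDirectory and ExchangeOnlineManagement modules are installed, that you can sign in to Exchange Online as an admin, and it uses placeholder values for the AD group name, the admin account, the log file path and the device IDs. SMC's own device lookup is not shown on this page, so a hash table stands in for it.

```powershell
# Added example, not Sophos/SMC code. Assumes the ActiveDirectory and
# ExchangeOnlineManagement modules are installed and an Exchange Online
# admin sign-in. Group name, account names, paths and device IDs are placeholders.
Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@domain.com    # interactive sign-in

$GroupName = 'All-Office365-Users'   # assumed AD group containing every Office 365 user

# Step 1: email addresses of every user in the AD group.
$users = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties mail |
    Where-Object { $_.mail }

# Step 2: the devices SMC manages, keyed by mailbox, as EAS device IDs.
# Hypothetical stand-in for SMC's own lookup; the IDs are placeholders.
$smcManagedDevices = @{
    'joe.bloggs@domain.com' = @('ApplDMPXXXXXXXXX', 'androidc1234567890')
}

foreach ($user in $users) {
    $mailbox = $user.mail.ToLower()
    $known   = @($smcManagedDevices[$mailbox])

    # Step 3 is SMC's normal compliant/non-compliant decision on the known IDs.
    # Here every known device is treated as compliant, i.e. allowed.

    # Step 4: any device ID that has already partnered with the Office 365 mailbox
    # but is not on SMC's list is blocked for that user.
    $seen      = @(Get-MobileDevice -Mailbox $mailbox | Select-Object -ExpandProperty DeviceId)
    $unmanaged = @($seen | Where-Object { $known -notcontains $_ })

    Set-CASMailbox -Identity $mailbox `
        -ActiveSyncAllowedDeviceIDs $(if ($known.Count)     { $known }     else { $null }) `
        -ActiveSyncBlockedDeviceIDs $(if ($unmanaged.Count) { $unmanaged } else { $null })
}

# A device that has never partnered with a mailbox is on neither per-user list, so
# the tenant-wide default decides what happens to it; Quarantine (or Block) closes that gap.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine

# The post notes SMC already records the unknown devices its proxy refused. Only the
# <deniedMessage> element is known from the post, so only those entries are counted.
$accessLog    = 'C:\path\to\accessLog_ProxyEAS.xml'   # assumed location
$unknownCount = @(Select-Xml -Path $accessLog -XPath "//deniedMessage[. = 'unknown active sync id']").Count
Write-Host "Unknown ActiveSync IDs refused by the SMC proxy: $unknownCount"
```

Run it first with `-WhatIf` on the `Set-CASMailbox` and `Set-ActiveSyncOrganizationSettings` calls to see which mailboxes and device IDs would change. The two per-mailbox lists are explicit EAS device IDs; a device on neither list falls through to the organization's device access rules and default access level, which is why the tenant default is set as well. As the post points out, the built-in mail client and the Outlook app carry different ActiveSync IDs, so both need to be in SMC's managed list for a user to keep mail on both.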