
Deny access to email if Sophos control app is not installed.

Hello There,

My name is Pablo and we have set up SMC 6.0 in our environment. Two things I found some threads about but no solution: we want to force the use of Sophos control, and if a device doesn't have it, deny access to email. I think this is a two-sided configuration, one from SMC and one from Exchange ActiveSync, but I haven't found how to do it. Also, when I deny access to email for some devices, they can still receive email. What do I have to do to completely deny access to email?



This thread was automatically locked due to age.
  • Under compliance policies (SMC) you can define a minimal SMC-App version and/or max synchronisation period from SMC-App. If that has not been matched by the mobile device, SMC can lock mail delivery or send a job packet you defined.

  • Hi koolkuiet,

    as a pre-requisite to successfully use the "Deny email" options within the compliance rules mentioned by Josip you have to use the Sophos Mobile Control server as EAS Proxy. This way, all email synchronization tries are first hitting the SMC server which will verify if the device / user is allowed to retrieve emails from the mail server.

    If that is given, you can use the compliance rules to dynamically grant or deny email access.

    You can define required apps which devices must have installed or you can also use the minimum SMC client version or the sync interval as stated by Josip.

    Best regards
    Stefan

  • Thanks Stefan,

    About this, how do I have to set up the SMC as EAS proxy, and what about Exchange, do I have to redirect ActiveSync to the SMC server? There's no info or any guide about that, just info on how to set up but not how to accomplish what I require.

    Do you have some guide or step by step that you would share with me? I'd appreciate that.

  • I agree too, there is nearly nothing about connecting SMC with an Exchange server behind it. Here the Sophos guys should improve the guides and manuals (especially Sophos Container and Secure functions).

    Nevertheless, there is a lot of stuff in the SMC training lessons, where you can find really usable how-tos.

  • When I was setting up our system, we implemented an internal EAS proxy server with the Compliance rule set to Deny email to force the access to be checked through the Exchange server while we were testing and getting the SSL cert and DNS setup for the external EAS proxy server. Then we converted to the external server. It worked out pretty well doing that.

    I found the information for the Internal EAS proxy server configuration in section 12 of the "Super Admin Guide". The External EAS proxy server is discussed in the "Installation Guide", but there is a separate manual for the External EAS proxy server called "Setting up the Sophos Mobile Control External EAS Proxy" that can be found in the SMC manuals section.

  • Hi All,

    to connect the internal EAS Proxy to an Exchange Server, log in as the super administrator of your SMC server.
    Then, go to the "Setup | System setup" section and switch to the "EAS Proxy" tab. Within the "Exchange/groupware server URL" enter the name of your Exchange / ActiveSync server. You can test if the SMC server is able to reach the server by using the "Test connection" button.

    Once that is done, your SMC server will forward all traffic coming in for the page https://smcserver.company.com/Microsoft-Server-ActiveSync to your configured email server.

    Within your email profiles / policies, enter as the email server the SMC server and the proxy functionality of the SMC server can be used.

    Hope that helps

    Best regards
    Stefan

  • Stefan,

    That's OK, I've already done that, but the problem is that if the user knows the Exchange server path, he's still able to bypass the SMC and just download email directly without having SMC installed. My question is whether I have to redirect ActiveSync to the SMC server to deny access to the email server, and if that's all I have to do and how to do it.

  • Hi koolkuiet,

    if there is an externally accessible URL for the mail server, either deny access for that on the firewall or you can restrict access based on the IP to the ActiveSync website directly on the Exchange server.

    How to do this is described in this article.

    Hope this helps

    Best regards
    Stefan
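
One way to check that the restriction described above is holding, as an added example that is not part of the original thread: a Python script that reads the Exchange server's IIS W3C log and lists ActiveSync requests that did not come from the SMC EAS proxy. The proxy address `10.0.0.5`, the function name and the log lines are constructed assumptions.

```python
import ipaddress

# Constructed sample of an IIS W3C log from the Exchange server (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-03-02 08:01:11 10.0.0.20 POST /Microsoft-Server-ActiveSync Cmd=Sync&DeviceId=DEV1 443 alice 10.0.0.5 Apple-iPhone 200
2015-03-02 08:02:40 10.0.0.20 POST /Microsoft-Server-ActiveSync Cmd=Sync&DeviceId=DEV2 443 bob 203.0.113.77 Android 200
2015-03-02 08:03:02 10.0.0.20 OPTIONS /Microsoft-Server-ActiveSync - 443 - 198.51.100.9 Android 403
2015-03-02 08:04:15 10.0.0.20 GET /owa/ - 443 carol 203.0.113.77 Mozilla/5.0 200
"""

EAS_PATH = "/microsoft-server-activesync"


def find_direct_eas(lines, proxy_nets):
    """Return ActiveSync requests whose client IP is outside proxy_nets.

    proxy_nets: addresses/networks of the SMC EAS proxy (assumed values).
    """
    nets = [ipaddress.ip_network(n) for n in proxy_nets]
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith(EAS_PATH):
            continue  # not an ActiveSync request
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # malformed row, no usable client address
        if any(client in net for net in nets):
            continue  # came through the EAS proxy, as intended
        status = row.get("sc-status", "")
        hits.append({"client": str(client), "user": row.get("cs-username", "-"),
                     "status": status, "served": status.startswith("2")})
    return hits


if __name__ == "__main__":
    for hit in find_direct_eas(SAMPLE_LOG.splitlines(), ["10.0.0.5/32"]):
        state = "SERVED (restriction not effective)" if hit["served"] else "rejected"
        print(f'{hit["client"]} user={hit["user"]} status={hit["status"]} {state}')
```

A row marked as served means Exchange answered a device directly, so the firewall or IP restriction is not yet covering that path.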

  • Hi,

    Stefan,

    That was helpful and that's what I need. Just one last question: it only works on Exchange 2010 as I read it, but do you know if it'd work on Exchange 2007 too?