Better EAS control for Office 365
Currently SMC 7.0 EAS proxy works with "SMC Managed" devices only; by sending the appropriate PowerShell commands to Office 365 back-end to deny/allow EAS functionality on non-compliant/compliant devices accordingly.
However the downside of this approach is that Exchange Autodiscover is set-up in DNS to point to Office 365 (as this is where the users mailbox now exists) and not the SMC server.
The end result is that if a user wants to set-up their mobile device and connect to Office 365 without the intervention and control of SMC, then they can do this very easily.
Resulting in uncontrolled access to corporate data.
This is basically what our users are doing right now to circumvent the SMC controls.
Whilst one can set-up minimum connectivity requirements in Office 365 directly, these out of the box controls aren’t as granular and secure as a dedicated MDM/EMM solution.
The preferred approach would be to link the SMC solution to an Active Directory group of ALL Office 365 users, and pull the users email addresses from that group membership. In turn, SMC would have the required information to link these users to both SMC and Office 365, as they would have common attributes, and control devices whether they are in SMC or not.
1. SMC to extract email address from AD group. Example user; Joe.email@example.com
2. SMC to lookup that user in SMC and list their assigned and managed devices
3. SMC would then manage EAS access on the know devices as appropriate – compliant / non-compliant
4. EXTRA STEP SMC would lookup the user in Office 365 and simply deny EAS access to unmanaged devices – that is until they become both managed and compliant
Under review for Sophos Mobile 9.5
Daniel Conley commented
For office 365 deployments, it would be great to have this integrated directly with central without the need for an external EAS proxy.
As a side note; Office 365 sees the built-in mobile OS email client and the downloaded Outlook mobile email client as two separate devices in EAS beccause of a different Active Sync ID.
HOWEVER, this looks easier to implement in SMC than I originally thought...
Sophos SMC already holds the required information about unknown devices in the file 'accessLog_ProxyEAS.xml.' - Each unknown device is listed as:
<deniedMessage>unknown active sync id</deniedMessage>
So surely this is quite achievable...