Video Screencast Help

EAS Proxy Server

Created: 30 Jul 2012 | 7 comments

In our environment the MDM solution enrolls EAS policies to the mobile devices.


We have no control which mobile devices uses EAS accounts without being managed by MDM.

Is it possible to control the EAS funciton with Mobile Management (like Proxy/Sentry Server) instead of rolling out just EAS policies?


Comments 7 CommentsJump to latest comment

MacBrinky's picture

Maybe I misunderstood your question but a device not managed by Mobile Management does not receive the EAS policies. Further could an unmanaged device not use these settings because it does not receive it.

Christoph Poisel's picture

Yes, thats true, the device does not receive a policy.

But a user can easily manual create a mail account on the device to sync to eas.

He sees all the information in the mailaccount from the policy on a managed device (exchange server address, username, domain)

So he has all the information to create an acccount be himself. without knowing of mobile management the this other device sync the company mails

Is this a security leak? How do you solve this?

MacBrinky's picture

Hello Christoph,

The only thing you could get from the policy that way is the server name and the email.
We do not have options available to hide any policy on mobile devices.

Best thing to do:
Configure your Exchange server to accept request from authenticated MDM services only.

dwebmdm's picture


Could you please elaborate on your recomendation

Best thing to do:
Configure your Exchange server to accept request from authenticated MDM services only.

Are you talking about EAS blocking with Exchange 2010?

thanks Daron

MacBrinky's picture

Hello dwebmdm,

This will only work for iOS and Android devices:
You can limit Exchange ActiveSync (EAS) access to only authorized devices. You can block unauthorized devices with either:

  • Exchange 2010 Allow/Block/Quarantine (ABQ) rules.

  • Integration with an F5 BIG-IP LTM server that is configured with Exchange blocking rules.



rscovel's picture

Enable your Exchange Server to authenticate only with devices that contain a specific SSL Certificate, in this case, the ones that you are enrolling your devices to the MDM Server with.

See the Implementation Guide at:

Visit a Microsoft Site that discusses Exchange and SSL Certificates:

There should be plenty of sites that will help you set this up further, if needed.


Russ Scovel
Inside Systems Engineer

Altiris SOS – Endpoint Management and Mobility
Symantec Corporation

dwebmdm's picture

thanks for the replies.

I think the Exchange 2010 blocking would better for us, just need to upgrade our Exchange CAS server from 2007 to 2010 which we should do anyway.


While your method would work we are in the middle of migrating users over. So unless I implemented the cert change after the users already had the SMM agent and EAS profile w/cert I would probably interupt service for many users. Also once they has the cert would they not be able to reconfigure their EAS settings manually even if they removed the agent? (since they have the cert now)

I know there are no perfect solutions in IT, just thinking out loud.

appreciated. Daron