This issue needs a solution.

EAS Proxy Server

Created: 30 Jul 2012

In our environment the MDM solution enrolls EAS policies to the mobile devices.

BUT

We have no control over which mobile devices use EAS accounts without being managed by MDM.

Is it possible to control the EAS function with Mobile Management (like Proxy/Sentry Server) instead of rolling out just EAS policies?


Thanks

Comments

MacBrinky (Symantec Employee, Accredited), 03 Aug 2012

Maybe I misunderstood your question, but a device not managed by Mobile Management does not receive the EAS policies. Furthermore, an unmanaged device could not use these settings because it does not receive them.

03 Aug 2012

EAS

Yes, that's true, the device does not receive a policy.

But a user can easily create a mail account manually on the device to sync to EAS.

He sees all the information in the mail account from the policy on a managed device (Exchange server address, username, domain).

So he has all the information to create an account by himself. Without Mobile Management knowing, this other device syncs the company mail.

Is this a security leak? How do you solve this?

MacBrinky (Symantec Employee, Accredited), 13 Aug 2012

Hello Christoph,

The only thing you could get from the policy that way is the server name and the email.
We do not have options available to hide any policy on mobile devices.

Best thing to do:
Configure your Exchange server to accept requests from authenticated MDM services only.

18 Dec 2012

MacBrinky

Could you please elaborate on your recommendation:

Best thing to do:
Configure your Exchange server to accept requests from authenticated MDM services only.

Are you talking about EAS blocking with Exchange 2010?

thanks Daron

MacBrinky (Symantec Employee, Accredited), 07 Jan 2013

Hello dwebmdm,

This will only work for iOS and Android devices:
You can limit Exchange ActiveSync (EAS) access to only authorized devices. You can block unauthorized devices with either:

  • Exchange 2010 Allow/Block/Quarantine (ABQ) rules.

  • Integration with an F5 BIG-IP LTM server that is configured with Exchange blocking rules.

Thanks

MacBrinky
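
The Exchange 2010 Allow/Block/Quarantine option named in the reply above, sketched as an added example for the Exchange Management Shell; it is not from the original thread or from Symantec's documentation. The file `mdm-enrolled.csv`, its `Mailbox,DeviceId` columns, the report file name and the admin address are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010 or later).
# ASSUMPTION: mdm-enrolled.csv is a hypothetical export from the MDM console
# with the columns Mailbox,DeviceId (the EAS DeviceID of each enrolled device).
$enrolled = Import-Csv .\mdm-enrolled.csv

# Index the enrolled DeviceIDs for lookup (PowerShell hashtable keys are
# case-insensitive, which suits DeviceIDs reported in mixed case).
$known = @{}
foreach ($row in $enrolled) { $known[$row.DeviceId] = $row.Mailbox }

# 1. Inventory: report every existing EAS partnership whose DeviceID the MDM
#    does not know. These are the manually configured accounts from the question.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { -not $known.ContainsKey($_.DeviceId) } |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel, DeviceAccessState |
    Export-Csv .\eas-unmanaged-devices.csv -NoTypeInformation

# 2. Add each enrolled device to its mailbox's personal allow list. ABQ evaluates
#    personal exemptions before device access rules and the organization default,
#    so these devices keep syncing once the default changes.
foreach ($row in $enrolled) {
    Set-CASMailbox -Identity $row.Mailbox `
        -ActiveSyncAllowedDeviceIDs @{ Add = $row.DeviceId }
}

# 3. Only after the allow lists are in place: hold every other device in
#    quarantine and notify the administrators (placeholder address).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admins@example.com"
```

Review the report from step 1 before running step 3; both `Set-` cmdlets accept `-WhatIf` for a dry run.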

rscovel (Symantec Employee, Accredited), 06 Jan 2013

Enable your Exchange Server to authenticate only with devices that contain a specific SSL Certificate, in this case, the ones that you are enrolling your devices to the MDM Server with.

See the Implementation Guide at: http://www.symantec.com/docs/DOC3493

Visit a Microsoft Site that discusses Exchange and SSL Certificates:

http://technet.microsoft.com/en-us/library/cc164345(v=EXCHG.80).aspx

There should be plenty of sites that will help you set this up further, if needed.

Regards.

Russ Scovel
Inside Systems Engineer

Altiris SOS – Endpoint Management and Mobility
Symantec Corporation 
www.symante

07 Jan 2013

thanks for the replies.

I think the Exchange 2010 blocking would be better for us, just need to upgrade our Exchange CAS server from 2007 to 2010, which we should do anyway.

Rscovel.

While your method would work, we are in the middle of migrating users over. So unless I implemented the cert change after the users already had the SMM agent and EAS profile w/cert, I would probably interrupt service for many users. Also, once they have the cert, would they not be able to reconfigure their EAS settings manually even if they removed the agent? (since they have the cert now)

I know there are no perfect solutions in IT, just thinking out loud.

appreciated. Daron