  • 1.  EAS Proxy Server

    Posted Jul 30, 2012 09:02 AM

    In our environment the MDM solution enrolls EAS policies to the mobile devices.

    BUT

    We have no control over which mobile devices use EAS accounts without being managed by MDM.

    Is it possible to control the EAS function with Mobile Management (like a Proxy/Sentry Server) instead of rolling out just EAS policies?


    Thanks



  • 2.  RE: EAS Proxy Server

    Posted Aug 03, 2012 12:16 PM

    Maybe I misunderstood your question, but a device not managed by Mobile Management does not receive the EAS policies. Furthermore, an unmanaged device could not use these settings because it does not receive them.



  • 3.  RE: EAS Proxy Server

    Posted Aug 03, 2012 01:59 PM

    Yes, that's true, the device does not receive a policy.

    But a user can easily create a mail account manually on the device to sync to EAS.

    He sees all the information in the mail account from the policy on a managed device (Exchange server address, username, domain).

    So he has all the information to create an account by himself. Without the knowledge of Mobile Management, this other device syncs the company mails.

    Is this a security leak? How do you solve this?



  • 4.  RE: EAS Proxy Server

    Posted Aug 13, 2012 08:29 AM

    Hello Christoph,

    The only thing you could get from the policy that way is the server name and the email.
    We do not have options available to hide any policy on mobile devices.

    Best thing to do:
    Configure your Exchange server to accept requests from authenticated MDM services only.




  • 5.  RE: EAS Proxy Server

    Posted Dec 18, 2012 10:43 AM

    MacBrinky

    Could you please elaborate on your recommendation?

    Best thing to do:
    Configure your Exchange server to accept request from authenticated MDM services only.

    Are you talking about EAS blocking with Exchange 2010?

    Thanks, Daron



  • 6.  RE: EAS Proxy Server

    Broadcom Employee
    Posted Jan 07, 2013 01:21 AM

    Enable your Exchange Server to authenticate only with devices that contain a specific SSL Certificate, in this case, the ones that you are enrolling your devices to the MDM Server with.

    See the Implementation Guide at: http://www.symantec.com/docs/DOC3493

    Visit a Microsoft Site that discusses Exchange and SSL Certificates:

    http://technet.microsoft.com/en-us/library/cc164345(v=EXCHG.80).aspx

    There should be plenty of sites that will help you set this up further, if needed.

    Regards.



  • 7.  RE: EAS Proxy Server

    Posted Jan 07, 2013 09:25 AM

    Hello dwebmdm,

    This will only work for iOS and Android devices:
    You can limit Exchange ActiveSync (EAS) access to only authorized devices. You can block unauthorized devices with either:

    • Exchange 2010 Allow/Block/Quarantine (ABQ) rules.

    • Integration with an F5 BIG-IP LTM server that is configured with Exchange blocking rules.

    Thanks

    MacBrinky
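
An added example, not part of any post in this thread and not vendor-supplied code: one way to apply the Exchange 2010 ABQ approach so that only MDM-enrolled device IDs sync and everything else is quarantined. The CSV layout, mailbox names, device IDs and admin address are constructed placeholders; the cmdlets are the standard Exchange 2010 Management Shell ones.

```powershell
# Run in the Exchange 2010 Management Shell.
# -WhatIf is left on the changing cmdlets so the first run only previews;
# remove it after reviewing the output.

# Constructed sample of an MDM export (assumed format: one row per enrolled device).
$enrolled = @"
User,DeviceId
alice@example.com,ApplDNXXXXXXXXX1
bob@example.com,androidc000000001
"@ | ConvertFrom-Csv

# 1. Organization default: devices that match no rule or exemption are
#    quarantined instead of being allowed to sync. Admins get a mail per device.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com' -WhatIf

# 2. Personal exemption: allow each MDM-enrolled device ID on its owner's mailbox.
#    Personal exemptions take precedence over the organization default.
foreach ($row in $enrolled) {
    Set-CASMailbox -Identity $row.User `
        -ActiveSyncAllowedDeviceIDs @{Add = $row.DeviceId} -WhatIf
}

# 3. Audit: list every EAS partnership whose device ID is not in the MDM export,
#    with its current access state, so manually configured accounts become visible.
$known = @($enrolled | ForEach-Object { $_.DeviceId })
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $known -notcontains $_.DeviceId } |
    Sort-Object UserDisplayName |
    Format-Table UserDisplayName, DeviceId, DeviceType, DeviceModel, DeviceAccessState -AutoSize
```

ABQ matches on the device ID that the client reports, so it works alongside the certificate-based authentication suggested earlier in the thread rather than replacing it.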



  • 8.  RE: EAS Proxy Server

    Posted Jan 07, 2013 11:15 AM

    Thanks for the replies.

    I think the Exchange 2010 blocking would be better for us, just need to upgrade our Exchange CAS server from 2007 to 2010 which we should do anyway.

    Rscovel.

    While your method would work, we are in the middle of migrating users over. So unless I implemented the cert change after the users already had the SMM agent and EAS profile w/cert, I would probably interrupt service for many users. Also, once they have the cert, would they not be able to reconfigure their EAS settings manually even if they removed the agent? (since they have the cert now)

    I know there are no perfect solutions in IT, just thinking out loud.

    Appreciated. Daron