Standalone EAS proxy

You can set up an EAS proxy to control the access of your managed devices to an email server. Email traffic of your managed devices is routed through that proxy. You can block email access for devices, for example a device that violates a compliance rule.

The devices must be configured to use the EAS proxy as the email server for incoming and outgoing emails. The EAS proxy only forwards traffic to the actual email server if the device is known in Sophos Mobile and matches the required policies. This improves security because the email server does not need to be accessible from the Internet and only authorized devices (correctly configured, for example with passcode guidelines) can access it. You can also configure the EAS proxy to block access from specific devices.

The EAS proxy is downloaded and installed separately from Sophos Mobile. It communicates with the Sophos Mobile server through an HTTPS web interface.

For a list of mail servers that the standalone EAS proxy supports, see the Sophos Mobile release notes.

Note: Because macOS doesn’t support the ActiveSync protocol, you can’t use the EAS proxy to filter email traffic coming from Macs.


  • Support for multiple Microsoft Exchange or IBM Notes Traveler email servers. You can set up one EAS proxy instance per email server.
  • Load balancer support. You can set up standalone EAS proxy instances on several computers and then use a load balancer to distribute the client requests among them.
  • Support for certificate-based client authentication. You can select a certificate from a certification authority (CA), from which the client certificates must be derived.
  • Support for email access control through PowerShell. In this scenario, the EAS proxy service communicates with the email server through PowerShell to control the email access of your managed devices. Email traffic happens directly from the devices to the email server and is not routed through a proxy. See Set up email access control through PowerShell.
  • The EAS proxy remembers the device status for 24 hours. If the Sophos Mobile server is offline, for example during an update, email traffic is filtered based on the last known device status. After 24 hours, all email traffic is blocked.

Note: For non-iOS devices, filtering abilities of the standalone EAS proxy are limited due to the specifics of the IBM Notes Traveler protocol. Traveler clients on non-iOS devices do not send the device ID with every request. Requests without a device ID are still forwarded to the Traveler server, even though the EAS proxy is not able to verify that the device is authorized.
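
The 24-hour status cache and the Traveler caveat described above can be modelled as a small per-request decision function. This is an added illustration, not Sophos code: the class, the `lookup` callable, the outcome strings and the choice to block ID-less requests outside Traveler mode are all assumptions.

```python
from typing import Callable, Dict, Optional, Tuple

CACHE_TTL_SECONDS = 24 * 60 * 60  # the 24-hour window described above


class ServerUnavailable(Exception):
    """Raised by the lookup callable when the management server is offline."""


class AccessDecider:
    """Hypothetical model of the proxy's per-request decision."""

    def __init__(self, lookup: Callable[[str], bool], traveler_mode: bool = False):
        self._lookup = lookup  # returns True only for known, compliant devices
        self._traveler_mode = traveler_mode
        self._cache: Dict[str, Tuple[bool, float]] = {}  # id -> (allowed, fetched_at)

    def decide(self, device_id: Optional[str], now: float) -> str:
        if device_id is None:
            # Traveler clients on non-iOS devices omit the ID: the request is
            # forwarded without verification. Blocking otherwise is an assumption.
            return "forward-unverified" if self._traveler_mode else "block"
        try:
            allowed = self._lookup(device_id)
            self._cache[device_id] = (allowed, now)
        except ServerUnavailable:
            cached = self._cache.get(device_id)
            if cached is None or now - cached[1] > CACHE_TTL_SECONDS:
                return "block"  # no status newer than 24 hours: fail closed
            allowed = cached[0]  # last known status, still inside the window
        return "forward" if allowed else "block"


if __name__ == "__main__":
    # Constructed sample data: one compliant and one non-compliant device.
    state = {"up": True, "devices": {"dev-a": True, "dev-b": False}}

    def lookup(device_id: str) -> bool:
        if not state["up"]:
            raise ServerUnavailable()
        return state["devices"].get(device_id, False)

    proxy = AccessDecider(lookup)
    print(proxy.decide("dev-a", now=0))
    state["up"] = False  # management server goes offline, for example for an update
    print(proxy.decide("dev-a", now=3600))
    print(proxy.decide("dev-a", now=CACHE_TTL_SECONDS + 1))
```

Counting the `forward-unverified` outcomes in a deployment that fronts a Traveler server shows how much traffic passes without a device check.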