Set up email access control through PowerShell

When you set up the standalone EAS proxy in PowerShell mode, it connects to your Exchange mail server through PowerShell and sets email access based on the device’s compliance status.

In PowerShell mode, mail traffic goes directly from the Exchange mail server to your devices without a proxy. For a schematic of the communication flow, see the Sophos Mobile technical guide.

Advantages of the PowerShell mode:

  • You do not need to open a port on your Sophos Mobile server for incoming email traffic from your devices.
  • You can prevent devices that are not enrolled with Sophos Mobile from accessing email.

The Exchange mail server can be either Exchange Server or Exchange Online, which is part of Office 365. Supported versions are:

  • Exchange Server 2013
  • Exchange Server 2016
  • Office 365 with an Exchange Online plan
Restriction Because macOS doesn’t support the ActiveSync protocol, you can’t use PowerShell to control email access by Macs.

To set up email access control through PowerShell, do as follows.

Configure PowerShell

  1. Optional If required, install Windows PowerShell on the computer on which you are going to install the EAS proxy.
  2. Open PowerShell as an administrator and run the following command: 
    Set-ExecutionPolicy RemoteSigned
Exchange Server requires additional configuration:
  1. Open the Exchange Management Shell.
  2. Set the PowerShell execution policy: 
    Set-ExecutionPolicy RemoteSigned
  3. Get the name of the PowerShell virtual directory: 
    Get-PowerShellVirtualDirectory -Server <server name>

    <server name> is the name of the computer on which Exchange Server is installed.

    In a standard installation, the PowerShell virtual directory is PowerShell (Default Web Site).

  4. Set basic authentication for the PowerShell virtual directory: 
    Set-PowerShellVirtualDirectory -Identity "PowerShell (Default Web Site)" -BasicAuthentication $true

Create a service account

A service account is a special user account on the Exchange mail server that Sophos Mobile uses to execute PowerShell commands.

  1. Sign in to the relevant admin console:
    • For Exchange Server: Exchange Admin Center
    • For Exchange Online: Office 365 Admin Center
  2. Create a user account.
    • Use a username like smc_powershell that identifies the account purpose.
    • Turn off the setting to make the user change their password the next time they log in.
    • Remove any Office 365 license that was automatically assigned to the new account. Service accounts don’t require a license.
  3. Create a new role group and assign it the required permissions.
    • Use a role group name like smc_powershell.
    • Add the Mail Recipients and Organization Client Access roles.
    • Add the user account as a member.

Configure the PowerShell connection

  1. Use the setup assistant as if you’re installing a standalone EAS proxy. On the EAS Proxy instance setup page, configure the following settings:
    • Instance type: Select PowerShell Exchange/Office 365.
    • Instance name: A name to identify the instance.
    • Exchange server: For Exchange Server, enter the name or IP address of your server.

      For Exchange Online, enter outlook.office365.com if you’re using the global Office 365 service. For other services, for example Office 365 Germany, you can find the address in the Microsoft document Connect to Exchange Online PowerShell.

      Don’t enter the protocol https:// or the suffix /powershell-liveid to the name. The setup wizard adds these automatically.

    • Allow all certificates: The EAS proxy doesn’t verify the server certificate. Select this for example if you’re using Exchange Server with a self-signed certificate.
      Warning This setting reduces the security of mail server connections. Only select it if required by your network environment.
    • Service account: The name of the user account you created in the Exchange Server or Exchange Online admin console.
    • Password: The password of the user account.
  2. Click Add to add the instance to the Instances list.
  3. Repeat the previous steps to set up PowerShell connections to other Exchange Server instances.
  4. Complete the setup.
  5. Optional If required, configure a proxy server that the EAS proxy uses to connect to Exchange Server or Exchange Online. On the computer on which you’ve installed the EAS proxy, open a command prompt using the Run as administrator option and type the following command:

    netsh winhttp set proxy <server name or IP>:<port>

    Warning This command configures a system-wide proxy. Other programs running on the computer might be affected by this.

Upload the PowerShell certificate

Upload the certificate of the PowerShell connection to Sophos Mobile.

  1. Sign in to Sophos Central Admin and go to Mobile.
  2. On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the EAS proxy tab.
  3. Optional Under General, select Restrict to Sophos Secure Email to restrict email access to the Sophos Secure Email app, available for Android and iOS.
  4. Under External, click Upload a file. Upload the certificate created during configuration.

    If you have set up more than one instance, repeat this for all instance certificates.

  5. Click Save.
  6. In Windows, open the Services dialog and restart the EASProxy service.